MALICIOUS (Risk Score: 80)
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The file is identified as a legacy Excel formula macro virus, specifically mentioning 'Poppy by VicodinES' and 'Narkotic Network'. The embedded VBA macros, while truncated, contain code that manipulates sheet protection and inserts/clears data, consistent with a macro-based threat. The presence of these markers and macro code strongly suggests an attempt to execute arbitrary commands or download additional malicious content.
Heuristics (2)
- Legacy Excel formula macro virus marker (severity: critical, rule: OLE_XLS_FORMULA_MACRO_VIRUS): Workbook stream contains self-identifying legacy Excel formula macro virus markers. This indicates the document carries formula macro virus content even when no VBA project or modern XLM macro-sheet structure is present.
- VBA macros detected (severity: medium, rule: OLE_VBA_MACROS): Document contains VBA macro code.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3138 bytes |

SHA-256: 435643a0be0684c751a7482a7812f71ee77ad1b078ede0b19d2e92722358ce44
Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "模块1"
Sub 新增1行()
Attribute 新增1行.VB_Description = "宏由 cwzg 录制,时间: 2013-10-30"
Attribute 新增1行.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 新增1行 Macro
' Macro recorded by patrick(戴和辉), date: 2013-10-30
'
'
    ActiveSheet.Unprotect Password:="daihepin"
    Range("XZYH").Select
    Selection.Insert Shift:=xlDown
    Selection.FillDown
    Range("PAT").Offset(-1, 15).Select
    Selection.ClearContents
    Range("PAT").Offset(-1, 16).Select
    Selection.ClearContents
    Range("PAT").Offset(-1, 18).Select
    Selection.ClearContents
    Range("PAT").Offset(-1, 19).Select
    Selection.ClearContents
    Range("PAT").Offset(-1, 20).Select
    Selection.ClearContents
    Range("PAT").Offset(-1, 0).Select
    Selection.ClearContents
    ActiveSheet.Protect Password:="daihepin"
End Sub
Sub 锁定明细表()
Attribute 锁定明细表.VB_Description = "宏由 cwzg 录制,时间: 2013-10-30"
Attribute 锁定明细表.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 锁定明细表 Macro
' Macro recorded by patrick(戴和辉), date: 2013-10-30
'
'
    Dim i As Integer
    For i = 1 To Range("B5").Value
        Sheets(Trim(Str(i))).Protect Password:="daihepin"
    Next
    Sheets("样").Select
    ActiveSheet.Protect Password:="daihepin"
    Sheets("目录").Select
    Range("G6").Select
End Sub
Sub 明细表解锁()
Attribute 明细表解锁.VB_Description = "宏由 cwzg 录制,时间: 2013-10-30"
Attribute 明细表解锁.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 明细表解锁 Macro
' Macro recorded by cwzg, date: 2013-10-30
'
'
    Dim i As Integer
    For i = 1 To Range("B5").Value
        Sheets(Trim(Str(i))).Unprotect Password:="daihepin"
    Next
    Sheets("样").Select
    ActiveSheet.Unprotect Password:="daihepin"
    Sheets("目录").Select
    Range("G6").Select
End Sub

Attribute VB_Name = "模块2"
Sub 收列()
Attribute 收列.VB_Description = "宏由 cwzg 录制,时间: 2013-11-5"
Attribute 收列.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 收列 Macro
' Macro recorded by patrick(戴和辉), date: 2013-11-5
'
'
    ActiveSheet.Unprotect Password:="daihepin"
    ActiveSheet.Outline.ShowLevels RowLevels:=0, ColumnLevels:=1
    ActiveSheet.Protect Password:="daihepin"
    Range("G6").Select
End Sub
Sub 开列()
Attribute 开列.VB_Description = "宏由 cwzg 录制,时间: 2013-11-5"
Attribute 开列.VB_ProcData.VB_Invoke_Func = " \n14"
'
' 开列 Macro
' Macro recorded by cwzg, date: 2013-11-5
'
'
    ActiveSheet.Unprotect Password:="daihepin"
    ActiveSheet.Outline.ShowLevels RowLevels:=0, ColumnLevels:=2
    ActiveSheet.Protect Password:="daihepin"
    Range("G6").Select
End Sub
```