Verdict: MALICIOUS
Risk Score: 224

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is an Excel document containing a Workbook_Open macro that executes VBA code. This code utilizes CreateObject and CallByName functions, indicative of malicious intent. The script attempts to download and execute a second-stage payload from URLs like 'http://ws.meteofrance.com/ws/getLieux/'. The presence of the Workbook_Open macro and the obfuscated VBA code strongly suggests a macro-based downloader, likely delivered via spearphishing.
Heuristics (8)

- External relationship (high), OOXML_EXTERNAL_REL: External target in xl/drawings/_rels/drawing1.xml.rels: file:///D:\Xl\Json\Img\ciel-voile.png
- VBA project inside OOXML (medium, 4 related findings), OOXML_VBA: Document contains a VBA project; VBA macros present
- Workbook_Open macro (high), OLE_VBA_WBOPEN: Workbook_Open macro
- CreateObject call (high), OLE_VBA_CREATEOBJ: CreateObject call
- CallByName call (high), OLE_VBA_CALLBYNAME: CallByName call
- VBA p-code auto-exec with execution tokens (high), OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info), EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info), EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All extracted URLs were labelled "OOXML external relationship".
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 14929 bytes | 3b2feee07c36d4ea9332bb20e2ce9e4c63710f0b78b4f2fe74665030c563dadc |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 85504 bytes | 46df52c5a1a8d05201354a23756a019c17dc5033e3be5a22db3726f0ccb1d534 |
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 4496 bytes | c011c340d7785a087392fb98e87435b47064d159669fd4fe429d35406a087865 |

Detection per artifact:
- macros.bas: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s)).
- vbaProject_00.bin: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s)).

Preview script (macros.bas): first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
' ***********************************************************************
' ***** *****
' ***** CODE PierreP56 : http://tatiak.canalblog.com/ *****
' ***** *****
' ***********************************************************************
Private Sub Workbook_Open()
Init_Combo
End Sub
Attribute VB_Name = "Feuil1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ComboBox1, 4, 0, MSForms, ComboBox"
Option Explicit
Attribute VB_Name = "Accueil"
Option Explicit
' ***********************************************************************
' ***** *****
' ***** CODE PierreP56 : http://tatiak.canalblog.com/ *****
' ***** *****
' ***********************************************************************
Public Const M_fr1 = "http://ws.meteofrance.com/ws/getLieux/"
Public Const M_fr2 = "http://ws.meteofrance.com/ws/getDetail/france/"
Public Const Url = "https://www.prevision-meteo.ch/services/json/"
Sub Cherche_code(Optional x As Byte)
Dim DataSet As Object, Data As Object, elem As Object, S As String
Set DataSet = oRecordSet(M_fr1 & Sheets(2).Range("A1").Value & ".json")
Set Data = VBA.CallByName(DataSet, "result", VbGet)
For Each elem In VBA.CallByName(Data, "france", VbGet)
Debug.Print VBA.CallByName(elem, "nom", VbGet) & " => " & VBA.CallByName(elem, "indicatif", VbGet)
S = S & VBA.CallByName(elem, "nom", VbGet) & " => " & VBA.CallByName(elem, "indicatif", VbGet) & vbCrLf
Next elem
MsgBox S
Set DataSet = Nothing
Set Data = Nothing
End Sub
Sub Prev_Meteo_France(Optional x As Byte)
Dim DataSet As Object, Fcst As Object
Dim Prev As Object, Prev_J As Object, Prev_48 As Object
Dim i As Integer, j As Integer, lg As Integer
Dim Clef1 As Variant, Clef2 As Variant
Clef1 = Array("_matin", "_midi", "_soir", "_nuit")
Clef2 = Array("_01-04", "_04-07", "_07-10", "_10-13", "_13-16", "_16-19", "_19-22", "_22-01")
RAZ 2
Application.ScreenUpdating = False
On Error Resume Next
With Sheets(2)
Set DataSet = oRecordSet(M_fr2 & .Range("A2").Value & ".json")
Set Fcst = VBA.CallByName(DataSet, "result", VbGet)
lg = 3
.Range("A" & lg).Value = "Prévisions à 48 h"
.Range("B" & lg).Value = Date
Set Prev = VBA.CallByName(Fcst, "previsions48h", VbGet)
For i = 0 To 1
For j = 0 To UBound(Clef2)
Set Prev_48 = VBA.CallByName(Prev, i & Clef2(j), VbGet)
If j = 0 Then .Range("B" & lg).Value = DateAdd("d", VBA.CallByName(Prev_48, "jour", VbGet), Date)
.Range("C" & lg).Value = "'" & VBA.CallByName(Prev_48, "moment", VbGet)
.Range("D" & lg).Value = VBA.CallByName(Prev_48, "temperatureMin", VbGet)
.Range("E" & lg).Value = VBA.CallByName(Prev_48, "temperatureMax", VbGet)
.Range("F" & lg).Value = Int(VBA.CallByName(Prev_48, "vitesseVent", VbGet) / 1.852)
.Range("G" & lg).Value = VBA.CallByName(Prev_48, "directionVent", VbGet)
.Range("H" & lg).Value = VBA.CallByName(Prev_48, "description", VbGet)
If Not .Range("C" & lg).Value = "" Then lg = lg + 1
Next j
```
... (truncated)