Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is an Excel file containing a Workbook_Open VBA macro that executes code. The macro utilizes CreateObject and XMLHTTP, indicating it likely attempts to download and execute a second-stage payload from a remote source. The document body contains Russian text related to regional data and reporting, suggesting a targeted lure. The presence of multiple unknown reputation URLs further supports the malicious intent.
Heuristics (5)
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- Workbook_Open macro (high) [OLE_VBA_WBOPEN]: Workbook_Open macro.
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.fstrf.ru/regions/region/showlist (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 226964 bytes |

SHA-256: ae1d5b7cea36f76ea58ad2176a29f0859fd7d504c069f9ee6f8f135bbed841ab
Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "xlsBook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Const SAVE_STATUS_CRITICAL_IMPACT_WARNING As String = "Шаблон сохранен, но НЕ БУДЕТ ПРИНЯТ к рассмотрению из-за невыполнения ОБЯЗАТЕЛЬНЫХ условий. См. лист 'Проверка'!"
Private Const SAVE_STATUS_SUCCESS As String = "Шаблон готов к сохранению без замечаний"
Private Const SAVE_STATUS_LOW_IMPACT_WARNING As String = "Шаблон будет принят к рассмотрению, но обратите внимание на сообщения на листе 'Проверка'"
Private Const SAVE_MESSAGE_TITLE As String = "Результат проверки"

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
    Application.Calculate
    Application.ReferenceStyle = xlA1
    ' If no region is selected, there is nothing to check
    If Len(CStr(Me.Names("region_name").RefersToRange.cells(1, 1).Value)) = 0 Then
        Exit Sub
    End If
    modListProv.WarningsBeforeSaving Me
    If modGlobals.glngCriticalImpactWarningsCounter > 0 Then
        Me.CustomDocumentProperties("Status") = 1 ' TRANS
        MsgBox SAVE_STATUS_CRITICAL_IMPACT_WARNING, vbCritical + vbOKOnly, SAVE_MESSAGE_TITLE
        Me.Worksheets(gstrCheckSheetName).Activate
        Me.Worksheets(gstrCheckSheetName).cells(1, 1).Activate
    ElseIf modGlobals.glngLowImpactWarningsCounter > 0 Then
        Me.CustomDocumentProperties("Status") = 1 ' TRANS
        MsgBox SAVE_STATUS_LOW_IMPACT_WARNING, vbExclamation + vbOKOnly, SAVE_MESSAGE_TITLE
        Me.Worksheets(gstrCheckSheetName).Activate
        Me.Worksheets(gstrCheckSheetName).cells(1, 1).Activate
    Else ' TRANS
        Me.CustomDocumentProperties("Status") = 2 ' TRANS
        MsgBox SAVE_STATUS_SUCCESS, vbInformation, SAVE_MESSAGE_TITLE
    End If
    On Error GoTo ErrHandler
    Dim status As Integer
    status = Me.CustomDocumentProperties("Status")
    If status > 2 Then
        MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name
        Cancel = True
        Exit Sub
    End If
    Exit Sub
ErrHandler:
    MsgBox Err.Description, vbOKOnly + vbExclamation, ThisWorkbook.name
End Sub

Private Sub Workbook_Open()
    Application.Calculation = xlCalculationAutomatic ' so that formula recalculation happens automatically
    Application.ReferenceStyle = xlA1 ' reference style: A1
    Dim wsSheet As Worksheet
    blnMsgBoxActualVersion = False
    If modServiceModule.blnIsDocumentProperty(Me, "Status") = True Then
        Me.CustomDocumentProperties("Status") = 1 ' TRANS
    End If
    ' For updates
    If modServiceModule.IsNameExists(Me, "chkGetUpdatesValue") = True Then
        If Me.Names("chkGetUpdatesValue").RefersToRange.cells(1, 1).Value = "y" Then
            modUpdTemplMain.Check_Update_Execution Me
        End If
    End If
End Sub

Attribute VB_Name = "modUpd_Templ_Caller"
Option Explicit
Option Base 1

' Request the description of the latest version by template code
Public Function Query_Last_Version_Info(ByVal strTemplateCode As String, _
                                        Optional blnShowMessage As Boolean = True) As TVersionInfo
    On Error GoTo ErrHandler
    Dim strXMLTagNames(4) As String
    If Len(strTemplateCode) = 0 Then
        GoTo CleanUp
    End If
    strXMLTagNames(1) = "VERSION"
    strXMLTagNames(2) = "DESCRIPTION_UPDATE"
    strXMLTagNames(3) = "FILE_UPDATE_SIZE"
    strXMLTagNames(4) = "NEW_VERSION_URL"
    Query_Last_Version_Info = modUpd_Templ_HTTP_Request.tviQuery_Update_Info(strXMLTagNames, strTemplateCode, blnShowMessage)
    GoTo CleanUp
ErrHandler:
    GoTo CleanUp
CleanUp:
End Function

' Request the update file
Public Function Query_Update(ByVal strTempFileName As String, _
                             ByVal strTemplateCode As String, _
                             ByVal strVersion As String) As String
    On Error GoTo ErrHandler
    If Len(strTemplateCode) = 0 Or _
       Len(strVersion) = 0 Then
```
... (truncated)