Verdict: MALICIOUS
Risk Score: 268

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
The OOXML document contains a Workbook_Open VBA macro that utilizes WScript.Shell and cmd.exe to execute arbitrary code. This macro is designed to download and execute a second-stage payload, as indicated by the critical OLE_VBA_SHELL and OLE_VBA_WSCRIPT heuristic firings. The VBA code is obfuscated and truncated, preventing a full analysis of its actions, but the intent to execute external code is clear.
Heuristics (7)

- VBA project inside OOXML (medium, OOXML_VBA; 6 related findings): Document contains a VBA project (VBA macros present).
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched lines in script:
  `log "C:\WINDOWS\prelog.log", "启动..."`
  `Shell "taskkill /f /im presdisp.exe", vbHide`
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched lines in script (both lines are commented out in the extracted source):
  `'Set yx = CreateObject("WScript.Shell")`
  `'yx.Run "D:\急诊药房发药20160615\提示修改配方人.xlsm", vbHide`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script (same commented-out lines as above):
  `'Set yx = CreateObject("WScript.Shell")`
  `'yx.Run "D:\急诊药房发药20160615\提示修改配方人.xlsm", vbHide`
- cmd.exe reference in VBA (high, OLE_VBA_CMD). Matched lines in script:
  `'Run the dispensing system; running presdisp.exe directly does not also start the rational-drug-use system; run with vbHide, otherwise a black console window appears`
  `Shell "cmd /c" & PathName & "\pres.lnk" & "&&taskkill /f /im cmd.exe", vbHide`
  `log "C:\WINDOWS\prelog.log", "使用默认配方人配置--彩蛋"`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched lines in script:
  `Attribute VB_Customizable = True`
  `Private Sub Workbook_Open()`
  `'Application.DisplayFullScreen = True`
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7665 bytes | f6a9fec87896329f1c8ee1bbb1eea17b742fc6fc0382b1ccbaeb6964c897f5a6 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 40448 bytes | 144e4f48470dce0b3d97a1b8b1b5fccbb5d997f3c1028fe2bed1232f3ed474d1 |
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2684 bytes | 270b02e7e2ea6b5a4f66f9181561204112794729a062f03afb34a0b080f6d65e |

Preview of macros.bas (first 1,000 lines of the extracted script; comments translated from Chinese, string literals left as found):

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
'Application.DisplayFullScreen = True
Call show
Call test
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"
Private Sub CommandButton1_Click()
'Call xlen
Call info
End Sub
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "模块1"
Option Explicit
Dim Peifangren
Dim PathName As String
Dim PrescriptPath As String
Public Declare Function GetPrivateProfileString Lib "kernel32" Alias "GetPrivateProfileStringA" _
(ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpDefault As String, ByVal ReturnedString As String, ByVal nSize As Long, ByVal lpFileName As String) As Long
Public Declare Function WritePrivateProfileString Lib "kernel32" Alias "WritePrivateProfileStringA" _
(ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpString As Any, ByVal lpFileName As String) As Long
Public Const MAXCOUNT As Long = 256
Public Function ReadStringFromIni(ByVal FileName As String, ByVal Section As String, ByVal Key As String) As String
Dim x As Long
Dim xBuff As String * MAXCOUNT
GetPrivateProfileString Section, Key, "", xBuff, MAXCOUNT, FileName
x = InStr(xBuff, Chr(0))
ReadStringFromIni = Trim(Left(xBuff, x - 1))
End Function
Public Sub WriteStringToIni(ByVal FileName As String, ByVal Section As String, ByVal Key As String, ByVal Value As String)
Dim xBuff As String * MAXCOUNT
xBuff = Value + Chr(0)
WritePrivateProfileString Section, Key, xBuff, FileName
End Sub
Function IsFileExists(ByVal strFileName As String) As Boolean
'Check whether the file or directory exists
If Dir(strFileName, 16) <> Empty Then
IsFileExists = True
Else
IsFileExists = False
End If
End Function
Function isPureHanzi(ByVal Str As String) As Boolean
'Check whether the string consists only of Chinese characters
Dim i As Integer
Dim SigleChar As String
isPureHanzi = True
For i = 1 To Len(Str)
SigleChar = Mid(Str, i, 1)
If (LenB(StrConv(SigleChar, vbFromUnicode)) Mod 2) = 1 Then
'MsgBox SigleChar
isPureHanzi = False
Exit For
End If
Next i
End Function
Function log(ByVal FilePath As String, ByVal Str As String)
'Log
'Open FilePath For Input As #100
'Close #100
Open FilePath For Append As #100
Print #100, Date & " " & Time & " **** "; Str
Close #100
End Function
Sub test()
log "C:\WINDOWS\prelog.log", "启动..."
Shell "taskkill /f /im presdisp.exe", vbHide
PathName = Application.ThisWorkbook.Path 'Put this Excel file in the same directory as the dispensing system and create a desktop shortcut to it
If IsFileExists(PathName & "\presdisp.ini") And IsFileExists(PathName & "\presdisp.exe") Then
MsgBox "当前配药人是:" & ReadStringFromIni(PathName & "\presdisp.ini", "DEPARTMENT", "drug_maker_str"), vbOKOnly, "急诊药房-power by vba"
coin:
Peifangren = Application.InputBox("请输入配药人姓名(中文):", "急诊药房发药系统-配药人信息", "")
If Peifangren = "/d" Then 'Entering the command "/d" keeps the default dispenser unchanged
'Run the dispensing system; running presdisp.exe directly does not also start the rational-drug-use system; run with vbHide, otherwise a black console window appears
Shell "cmd /c" & PathName & "\pres.lnk" & "&&taskkill /f /im cmd.exe", vbHide
log "C:\WINDOWS\prelog.log", "使用默认配方人配置--彩蛋"
Application.Quit
Else
If Peifangren = "" Then
MsgBox "配药人姓名不能为空!", vbCritical, "急诊药房提醒您!"
log "C:\WINDOWS\prelog.log", "姓名为空"
GoTo coin
Else
If Peifangren = "False" Then
MsgBox "必须输入配药人姓名,不能取消!", vbCritical, "急诊药房提醒您!"
log "C:\WINDOWS\prelog.log", "取消动作"
GoTo coin
Else
If isPureHanzi(Peifangren) = False Then
MsgBox "请输入正确的配药人姓名且必须为中文", vbCritical, "急诊药房提醒您!"
log "C:\WINDOWS\prelog.log", "输入带有半角字符XXX " & Peifangren & " XXX"
GoTo coin
Else
If LenB(StrConv(Peifangren, vbFromUnicode)) < 4 Or LenB(StrConv(Peifangren, vbFromUnicode)) > 6 Then
MsgBox "配药人姓名字数错误!", vbCritical, "急诊药房提醒您!"
log "C:\WINDOWS\prelog.log", "配方人字数不对"
GoTo coin
End If
End If
End If
End If
Call WriteStringToIni(PathName & "\presdisp.ini", "DEPARTMENT", "drug_maker_str", Peifangren & ";")
'Run the dispensing system; running presdisp.exe directly does not also start the rational-drug-use system; run with vbHide, otherwise a black console window appears
Shell "cmd /c" & PathName & "\pres.lnk" & "&&taskkill /f /im cmd.exe", vbHide
log "C:\WINDOWS\prelog.log", "+++成功更改配方人姓名为[" & Peifangren & "]并运行"
Application.Quit
End If
Else
MsgBox "本Excel文件不在发药系统目录下," & Chr(13) & "请移至发药系统目录下才可使用!", vbOKOnly, "急诊药房提醒您!"
log "C:\WINDOWS\prelog.log", "不在发药系统目录下运行"
Application.Quit
End If
End Sub
Sub show()
Application.Visible = False
End Sub
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'Rem Hide Run File
'Rem for presdisp.exe create lnk "pres.lnk" at directory
'Create a .vbs file to hide the Excel startup process
'Set yx = CreateObject("WScript.Shell")
'yx.Run "D:\急诊药房发药20160615\提示修改配方人.xlsm", vbHide
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Sub xlen() 'test sub
Dim i
Dim a As Long
i = Asc(Mid("agb", 2, 1))
For a = 1 To 5
MsgBox a
Next
End Sub
Sub info() 'test sub
Dim i As String
i = "a在df"
MsgBox StrPtr(i)
'MsgBox isPureHanzi("方是a")
End Sub
```