Verdict: MALICIOUS
Risk Score: 298

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1036 Masquerading
- T1204.002 Malicious File
The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA macro downloads a file from an HTTP URL and saves it to disk. The 'Workbook_Open' subroutine and the 'CreateObject' call, along with obfuscated code, suggest an automated execution flow. The macro attempts to download a payload from 'http://127.0.0.1:8000/api/get_hashes', which is then likely executed.
Heuristics (9)

- VBA project inside OOXML [medium, OOXML_VBA, 7 related findings]: Document contains a VBA project — VBA macros present.
- VBA downloads and writes a file to disk [critical, OLE_VBA_HTTP_DROP_EXEC]: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `aBody = .responseBody`
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `With CreateObject("ADODB.Stream")`
- VBA macro-virus self-replication / AV tampering [critical, OLE_VBA_MACRO_VIRUS_REPLICATION]: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `.DeleteLines 1, .CountOfLines`
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script: `With CreateObject("ADODB.Stream")`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro [low, OLE_VBA_WBOPEN]: Workbook_Open macro. Matched line in script: `Private Sub Workbook_Open()`
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]: Environ() call (env variable access). Matched line in script: `GetWorkDir = Environ("Temp") & "\macroav"`
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://127.0.0.1:8000/api/get_hashes (referenced by macro)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 13317 bytes |

SHA-256: eddbe01b05da73b19cc6818a9845b001754b6c36329060e4646691be43bf0863
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public WithEvents App As Application
Attribute App.VB_VarHelpID = -1
Private Sub Workbook_Open()
    AppEventsInit
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "MacroAV"
' Version 2.6
Public AppEvent As New wbCloser
Const user_feedback As Boolean = False
Const debug_mode As Boolean = False
Const use_cloud As Boolean = False
Const cloud_address As String = "http://127.0.0.1:8000/api/get_hashes"
Private Const PAGE_EXECUTE_READWRITE = &H40
Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As LongPtr, Source As LongPtr, ByVal Length As LongPtr)
Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As LongPtr, ByVal dwSize As LongPtr, ByVal flNewProtect As LongPtr, lpflOldProtect As LongPtr) As LongPtr
Private Declare PtrSafe Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Function DialogBoxParam Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As LongPtr, ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer
Dim HookBytes(0 To 11) As Byte
Dim OriginBytes(0 To 11) As Byte
Dim pFunc As LongPtr
Dim Flag As Boolean
Private Function GetPtr(ByVal Value As LongPtr) As LongPtr
    GetPtr = Value
End Function
Private Sub RecoverBytes()
    If Flag Then MoveMemory ByVal pFunc, ByVal VarPtr(OriginBytes(0)), 12
End Sub
Private Function Hook() As Boolean
    Dim TmpBytes(0 To 11) As Byte
    Dim p As LongPtr, osi As Byte
    Dim OriginProtect As LongPtr
    Hook = False
    #If Win64 Then
        osi = 1
    #Else
        osi = 0
    #End If
    pFunc = GetProcAddress(GetModuleHandleA("user32.dll"), "DialogBoxParamA")
    If VirtualProtect(ByVal pFunc, 12, PAGE_EXECUTE_READWRITE, OriginProtect) <> 0 Then
        MoveMemory ByVal VarPtr(TmpBytes(0)), ByVal pFunc, osi + 1
        If TmpBytes(osi) <> &HB8 Then
            MoveMemory ByVal VarPtr(OriginBytes(0)), ByVal pFunc, 12
            p = GetPtr(AddressOf MyDialogBoxParam)
            If osi Then HookBytes(0) = &H48
            HookBytes(osi) = &HB8
            osi = osi + 1
            MoveMemory ByVal VarPtr(HookBytes(osi)), ByVal VarPtr(p), 4 * osi
            HookBytes(osi + 4 * osi) = &HFF
            HookBytes(osi + 4 * osi + 1) = &HE0
            MoveMemory ByVal pFunc, ByVal VarPtr(HookBytes(0)), 12
            Flag = True
            Hook = True
        End If
    End If
End Function
Private Function MyDialogBoxParam(ByVal hInstance As LongPtr, _
    ByVal pTemplateName As LongPtr, ByVal hWndParent As LongPtr, _
    ByVal lpDialogFunc As LongPtr, ByVal dwInitParam As LongPtr) As Integer
    If pTemplateName = 4070 Then
        MyDialogBoxParam = 1
    Else
        RecoverBytes
        MyDialogBoxParam = DialogBoxParam(hInstance, pTemplateName, _
            hWndParent, lpDialogFunc, dwInitParam)
        Hook
    End If
End Function
Sub UnlockVBAProject()
    If Hook Then
        MsgBox "VBA Project is unlocked!", vbInformation, "*****"
    End If
End Sub
Sub AppEventsInit()
    Set AppEvent.App = Application
End Sub
Private Function VBComponentExists(VBCompName As String, Optional VBProj As VBIDE.VBProject = Nothing) As Boolean
    If debug_mode = 0 Then
        On Error Resume Next
    End If
    Dim VBP As VBIDE.VBProject
    If VBProj Is Nothing Then
        Set VBP = ActiveWorkbook.VBProject
    Else
        Set VBP = VBProj
    End If
    VBComponentExists = CBool(Len(VBP.VBComponents(VBCompName).Name))
End Function
Private Function GetFileBytes(strPath As String) As Byte()
    With CreateObject("ADODB.Stream")
        .Type = 1 ' adTypeBinary
        .Open
        .LoadFromFile (strPath)
        GetFileBytes = .Read()
    End With
End Function
Private Function GetWorkDir() As String
    GetWorkDir = Environ("Temp") & "\macroav"
End Function
Private Function GetSignaturesDir() As String
    GetSignaturesDir = Environ("Temp") & "\macroav\signatures.xml"
End Function
Private Function FileToSHA1Hex(sFileName As String) As String
    On Error GoTo ErrorHandler
    Dim enc
    Dim bytes
    Dim outstr As String
    Dim pos As Integer
    Set enc = CreateObject("System.Security.Cryptography.SHA1CryptoServiceProvider")
    'Convert the string to a byte array and hash it
    bytes = GetFileBytes(sFileName)
    bytes = enc.ComputeHash_2((bytes))
    'Convert the byte array to a hex string
    For pos = 1 To LenB(bytes)
        outstr = outstr & LCase(Right("0" & Hex(AscB(MidB(bytes, pos, 1))), 2))
    Next
    FileToSHA1Hex = outstr 'Returns a 40 byte/character hex string
    Set enc = Nothing
    Exit Function
ErrorHandler:
    MsgBox ("MACROAV - An error occurred during hash extraction. This usually means that .NET 3.5 was not succesfully installed. Please enable it by Windows Start Button ==> Type - Turn Windows Features On or Off ==> Enable the checbox for .NET Framework 3.5 ==> Click OK")
    Err.Clear
    Exit Function
End Function
Private Sub create_work_folder()
    Dim workfolder_ As String
    workfolder_ = GetWorkDir()
    If Dir(workfolder_, vbDirectory) = "" Then
        MkDir workfolder_
    End If
End Sub
Private Function get_hashes_from_cloud(sURL As String, sPath As String)
    Dim aBody() As Byte
    With CreateObject("MSXML2.XMLHTTP")
        .Open "GET", sURL, False
        .send
        aBody = .responseBody
    End With
    With CreateObject("ADODB.Stream")
        .Type = 1 ' adTypeBinary
        .Open
        .Write aBody
        .SaveToFile sPath, 2 ' adSaveCreateOverWrite
        .Close
    End With
End Function
Sub export_hashes()
    If debug_mode = 0 Then
        On Error Resume Next
    End If
    Dim Sheet As Worksheet
    Dim I As Integer
    I = 2
    Set Sheet = ActiveWorkbook.Sheets.Add(After:=ActiveWorkbook.Worksheets(ActiveWorkbook.Worksheets.Count))
    Sheet.Name = "Exported Hashes"
    Sheet.Range("A1").Value = "Name"
    Sheet.Range("B1").Value = "Hash"
    Dim VBProj As VBIDE.VBProject
    Dim VBComp As VBIDE.VBComponent
    Dim CodeMod As VBIDE.CodeModule
    Set VBProj = ActiveWorkbook.VBProject
    For Each VBComp In VBProj.VBComponents
        Sheet.Range("A" & I).Value = VBComp.Name
        VBComp.Export GetWorkDir() & "\tempfile"
        Hash = FileToSHA1Hex(GetWorkDir() & "\tempfile")
        Sheet.Range("B" & I).Value = Hash
        I = I + 1
    Next VBComp
End Sub
Private Function is_this_bad_hash(hash_to_check As String) As Boolean
    Dim objXML As MSXML2.DOMDocument60
    Dim intResult As Integer
    Set objXML = New MSXML2.DOMDocument60
    objXML.async = False
    objXML.validateOnParse = True
    If Not objXML.Load(GetSignaturesDir()) Then
        Err.Raise objXML.parseError.ErrorCode, , objXML.parseError.reason, objXML.parseError.srcText
    End If
    Dim entry_point As IXMLDOMNode
    Set entry_point = objXML
    Dim myNodes As IXMLDOMNodeList
    Dim myElement As IXMLDOMElement
    Dim childNode As IXMLDOMNode
    Dim node As IXMLDOMNode
    Set myNodes = entry_point.SelectNodes("//django-objects/object")
    For Each node In myNodes
        If (StrComp(hash_to_check, node.FirstChild.Text, vbTextCompare) = 0) Then
            is_this_bad_hash = True
            Exit For
        End If
    Next node
End Function
Private Sub DeleteFile(ByVal FileToDelete As String)
    If (Dir(FileToDelete) <> "") Then
        ' First remove readonly attribute, if set
        SetAttr FileToDelete, vbNormal
        ' Then delete the file
        Kill FileToDelete
    End If
End Sub
Private Sub LogInformation(LogMessage As String)
    Dim LogFileName As String
    LogFileName = GetWorkDir() & "\macroav.log"
    Dim FileNum As Integer
    FileNum = FreeFile ' next file number
    Open LogFileName For Append As #FileNum ' creates the file if it doesn't exist
    Print #FileNum, Now, LogMessage ' write information at the end of the text file
    Close #FileNum ' close the file
End Sub
Sub Scan_for_malware()
    If debug_mode = 0 Then
        On Error Resume Next
    End If
    Call create_work_folder
    If use_cloud Then
        get_hashes_from_cloud cloud_address, GetSignaturesDir()
    End If
    Dim VBProj As VBIDE.VBProject
    Dim VBComp As VBIDE.VBComponent
    Dim CodeMod As VBIDE.CodeModule
    Dim Hash As String
    Dim bad_hash As Boolean
    Dim I As Integer
    'Kangtang Hashes
    KangtangHashes = Array("ED2C44F08ED36175CFAEBC529341061D8D4C01A7", "533358B092E82BDDFC145B7A74470DB8ACDE22CA", "61B75553FBB4E12E506D16E02561674431111A28", "62CA8149A8387B6B99EE420C17DF187B80533558", "612798E6C2A04B9D1E418BBD0C7AC99964ED04C8", "4028808E37AFA9E299358B2D696CCCD180247E20", "75746FA1E6311DBCB28223C66677279BD6F60FCD", "F7BF683AD5FDD2CA2E9FB30059D64720437880D9", "30FF169D0F593F242EFE55C6FFA00C433B17C693", "C8B981FEEC8A8FDCDFAC47EBE2EC0257F75FBB31", "01B48CB5D637C452606E96CE6F6398D4ECECF73E", "b33d87ef0b1d475d2c3bd0984ed08f8ef5494bff", "2bc4f3ddee495291378531e1505efcd562ecb098", "64a67ccaad7094ef2c7d96ea8c1f197e614d4d69", "c89bd60780b4daeb4c33ab594a158ac9d51c2aee", "32f3458371f8d89e744c10611ce2a2a4ac27797a", "d620b0f84643e155b8b6e1352a5c8e4f4bad380a", "fba1d92d34e545bb40a8b48adcde3c9c3ab5187a", "d173133c1cbbf07047ba224e429a3d0c720c2575")
    'ToDole Hashes
    TodoleHashes = Array("0A452A9D8A2CC0B3BDF69151C6ED1343C3BD4673", "B7003D25B59AF47F30FCC2CA6E57DE64442B02EC", "7B1AF4843E3B5EEE2F674702DA87DCC4F1E6285A", "74c9b7396ec04a2fd63a8c0e586bc7eb5f87fd7f")
    'Results.xl Hashes
    ResultzHashes = Array("0FD53FC8AE6F66DDC9788C0EE8F644CB1C1EA0A7")
    'KING.xls Hashes
    KingHashes = Array("bc77ab7e5340d07d2a3d48325f2f44daaf7ce029")
    LogInformation ("Scanning workbook " & ActiveWorkbook.Name & " residing in " & ActiveWorkbook.Path)
    Set VBProj = ActiveWorkbook.VBProject
    For Each VBComp In VBProj.VBComponents
        bad_hash = False
        If Not VBComp Is Nothing Then
            VBComp.Export GetWorkDir() & "\tempfile"
            Hash = FileToSHA1Hex(GetWorkDir() & "\tempfile")
            If VBComp.Name = "ToDOLE" Or VBComp.Name = "ToDole" Then
                If user_feedback Then
                    MsgBox ("Found ToDole Module ! Removing it")
                End If
                LogInformation ("Found ToDole Module ! Removing it")
                Workbooks("k4.xls").Close SaveChanges:=False
                DeleteFile (Application.StartupPath & "\k4.xls")
                VBProj.VBComponents.Remove VBComp
            Else
                If use_cloud Then
                    bad_hash = is_this_bad_hash(Hash)
                ' Kangtang Malware
                ElseIf Not IsError(Application.Match(Hash, KangtangHashes, 0)) Then
                    bad_hash = True
                    Workbooks("mypersonnel.xls").Close SaveChanges:=False
                    DeleteFile (Application.StartupPath & "\mypersonnel.xls")
                ' ToDole Malware
                ElseIf Not IsError(Application.Match(Hash, TodoleHashes, 0)) Then
                    bad_hash = True
                    Workbooks("k4.xls").Close SaveChanges:=False
                    DeleteFile (Application.StartupPath & "\k4.xls")
                ' Resultz Malware
                ElseIf Not IsError(Application.Match(Hash, ResultzHashes, 0)) Then
                    bad_hash = True
                    Workbooks("RESULTS.xls").Close SaveChanges:=False
                    DeleteFile (Application.StartupPath & "\RESULTS.xls")
                ' KING Malware
                ElseIf Not IsError(Application.Match(Hash, KingHashes, 0)) Then
                    bad_hash = True
                    Workbooks("KING.xls").Close SaveChanges:=False
                    DeleteFile (Application.StartupPath & "\KING.xls")
                End If
                If bad_hash Then
                    If user_feedback Then
                        MsgBox ("Found Malicious Macro with Hash - " & Hash & " inside " & VBComp.Name & "! Removing it.")
                    End If
                    LogInformation ("Found Malicious Macro with Hash - " & Hash & " inside " & VBComp.Name & "! Removing it")
                    If VBComp.Type = vbext_ct_StdModule Then
                        VBProj.VBComponents.Remove VBComp
                    Else
                        Set CodeMod = VBComp.CodeModule
                        With CodeMod
                            .DeleteLines 1, .CountOfLines
                        End With
                    End If
                End If
            End If
        End If
    Next VBComp
End Sub
Attribute VB_Name = "wbCloser"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public WithEvents App As Application
Attribute App.VB_VarHelpID = -1
Private Sub App_WorkbookBeforeClose(ByVal wb As Workbook, Cancel As Boolean)
    Call Scan_for_malware
End Sub
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 36864 bytes |

SHA-256: a5c53ced51fb2be4925cb77f9eb6948fa744c8db651c29f4b0d408f5f76769c0