MALICIOUS
82
Risk Score
Heuristics 3
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
If .Lines(ligne, 1) = "Sub imprim()" Then .InsertLines ligne + 1, ordre: Exit For -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/sharepoint/v3/contenttype/forms In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.microsoft.com/sharepoint/eventsIn document text (OLE body)
- http://schemas.microsoft.com/office/2006/metadata/contentTypeIn document text (OLE body)
- http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributesIn document text (OLE body)
- http://schemas.microsoft.com/office/2006/metadata/propertiesIn document text (OLE body)
- http://www.w3.org/2001/XMLSchemaIn document text (OLE body)
- http://schemas.microsoft.com/sharepoint/v3In document text (OLE body)
- http://schemas.microsoft.com/sharepoint/v3/fieldsIn document text (OLE body)
- http://schemas.microsoft.com/office/2006/documentManagement/typesIn document text (OLE body)
- http://schemas.openxmlformats.org/package/2006/metadata/core-propertiesIn document text (OLE body)
- http://www.w3.org/2001/XMLSchema-instanceIn document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://purl.org/dc/terms/In document text (OLE body)
- http://schemas.microsoft.com/office/internal/2005/internalDocumentationIn document text (OLE body)
- http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsdIn document text (OLE body)
- http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsdIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7559 bytes |
SHA-256: 93c2236033b6405cb206c87d3d20744000b6520993edc2f9a94006b4c9e7f891 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub Inserer_activité()
Attribute Inserer_activité.VB_Description = "Macro enregistrée le 17/09/2009 par Le Floch"
Attribute Inserer_activité.VB_ProcData.VB_Invoke_Func = " \n14"
'
' Inserer_activité Macro
' Macro enregistrée le 17/09/2009 par Le Floch
'
'
ligne_active = ActiveCell.Row
colonne_active = ActiveCell.Column
Rows(ActiveCell.Row & ":" & ActiveCell.Row).Select
Selection.Insert Shift:=xlDown
ActiveWindow.SmallScroll Down:=-45
Rows("6:6").Select
Selection.Copy
ActiveWindow.SmallScroll Down:=33
Range("A" & ligne_active).Select
ActiveSheet.Paste
End Sub
Sub Inserer_étape()
'
' Inserer_étape Macro
' Macro enregistrée le 17/09/2009 par Le Floch
'
'
ligne_active = ActiveCell.Row
colonne_active = ActiveCell.Column
Rows(ActiveCell.Row & ":" & ActiveCell.Row).Select
Selection.Insert Shift:=xlDown
ActiveWindow.SmallScroll Down:=-45
Rows("5:5").Select
Selection.Copy
ActiveWindow.SmallScroll Down:=33
Range("A" & ligne_active).Select
ActiveSheet.Paste
End Sub
Sub Inserer_phase()
'
' Inserer_phase Macro
' Macro enregistrée le 17/09/2009 par Le Floch
'
'
ligne_active = ActiveCell.Row
colonne_active = ActiveCell.Column
Rows(ActiveCell.Row & ":" & ActiveCell.Row).Select
Selection.Insert Shift:=xlDown
ActiveWindow.SmallScroll Down:=-45
Rows("4:4").Select
Selection.Copy
ActiveWindow.SmallScroll Down:=33
Range("A" & ligne_active).Select
ActiveSheet.Paste
End Sub
Sub Inserer_lot()
'
' Inserer_lot Macro
' Macro enregistrée le 17/09/2009 par Le Floch
'
'
ligne_active = ActiveCell.Row
colonne_active = ActiveCell.Column
Rows(ActiveCell.Row & ":" & ActiveCell.Row).Select
Selection.Insert Shift:=xlDown
ActiveWindow.SmallScroll Down:=-45
Rows("3:3").Select
Selection.Copy
ActiveWindow.SmallScroll Down:=33
Range("A" & ligne_active).Select
ActiveSheet.Paste
End Sub
Sub Inserer_Ligne()
'
' Inserer_Ligne Macro
' Macro enregistrée le 17/09/2009 par Le Floch
'
'
Rows("61:61").Select
Selection.Insert Shift:=xlDown
ActiveWindow.SmallScroll Down:=-45
End Sub
Sub lance_imp()
For S = 2 To Sheets.Count
Sheets(S).PageSetup.FitToPagesWide = 1
Next S
Dim ordre As String, ligne As Long
ordre = "Sheets(Array("
For i = 1 To Sheets.Count - 1
If i > 1 Then ordre = ordre & ","
ordre = ordre & Chr(34) & Sheets(i).Name & Chr(34)
Next i
ordre = ordre & ")).PrintOut"
With ThisWorkbook.VBProject.VBComponents("gw_imp").CodeModule
For ligne = 1 To .CountOfLines
If .Lines(ligne, 1) = "Sub imprim()" Then .InsertLines ligne + 1, ordre: Exit For
Next ligne
Call imprim
.DeleteLines ligne + 1, 1
End With
Sheets("Garde").Visible = False
Sheets("Paramètres").Visible = False
Application.ScreenUpdating = True
End Sub
Sub imprim()
End Sub
Sub Test()
Sheets(Array("FEP1", "FEP2", "FEP3", "Synthèse financière", "Annexe Financiere", "Invest & Refact", "Fonctionnement")).PrintOut
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Feuil1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Feuil2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Feuil3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Feuil4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Feuil5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module2"
Sub Inserer_article_3()
Attribute Inserer_article_3.VB_Description = "Macro enregistrée le 16/11/2009 par Le Floch"
Attribute Inserer_article_3.VB_ProcData.VB_Invoke_Func = " \n14"
'
' Inserer_article_3 Macro
' Macro enregistrée le 16/11/2009 par Le Floch
'
'
Rows("19:19").Select
Selection.Insert Shift:=xlDown
Rows("6:6").Select
Selection.Copy
Rows("19:19").Select
ActiveSheet.Paste
End Sub
Attribute VB_Name = "Feuil6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub CheckBox3_Click()
End Sub
Attribute VB_Name = "Feuil10"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Feuil8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Feuil9"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Feuil11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Feuil7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Feuil12"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.