Verdict: MALICIOUS
Risk Score: 250

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The VBA macro utilizes the URLDownloadToFile function to download a file from a remote source and ShellExecuteA to execute it. This indicates downloader or dropper functionality, aiming to fetch and run a secondary payload. The presence of WScript.Shell and CreateObject calls further supports the execution of arbitrary code.
Heuristics (7)

- VBA project inside OOXML (medium, 4 related findings) [OOXML_VBA]: Document contains a VBA project; VBA macros present.
- WScript.Shell usage (critical) [OLE_VBA_WSCRIPT]: WScript.Shell usage. Matched line in script: `Set oShell = CreateObject("Wscript.Shell")`
- URLDownloadToFile in VBA (critical) [OLE_VBA_DOWNLOAD]: URLDownloadToFile in VBA. Matched line in script: `Declare PtrSafe Function URLDownloadToFile Lib "urlmon.dll" Alias "URLDownloadToFileA" _`
- VBA downloads and writes a file to disk (critical) [OLE_VBA_HTTP_DROP_EXEC]: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `myURL = WinHttpReq.responseBody`
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script: `Set XMLhttp = CreateObject("MSXML2.ServerXMLHTTP")`
- External hyperlinks (16) (low) [OOXML_EXTERNAL_HYPERLINKS]: Document contains 16 external hyperlinks; clickable URLs are stored as external relationships. First target: https://endic.naver.com/enkrIdiom.nhn?idiomId=bae20a8e61a543eea230739ac50bb18b&query=ride+a+bike
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://some.web.address/ (referenced by macro)
  - https://endic.naver.com/enkrIdiom.nhn?idiomId=bae20a8e61a543eea230739ac50bb18b&query=ride+a+bike (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=1600b3d6e64943479b20fa251af8e5a9&query=cafeteria (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=935a3ad1252b485dadee63586491a2dd&query=express (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=4f488a8363354e8c99daebada370592a&query=crosswalk (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=75c0745f90104e5c9feb5d49c4540305&query=caterpillar (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=4ceef5c751254152b7bf662bcd9ddaec&query=defender (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=da00e929669f4fc298b71296129c9133&query=devastate (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=4816e71ce85f4ff5bed0693ce760bdd2&query=achievement (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=4e6234ea9a0246d78368d8be41270666&query=safety (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=aa3741149f0b49799ccebc003dab2b48&query=learn (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=9fdbeecefd644d6389fa112e4266df0e&query=worn (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=8ec9d977d25849c1963ab104567eaabd&query=america (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=ed602497c0444c34928cdbb0d8cbc4c4&query=pedestrian+crossing (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=a7f0470341374cd099a664b1276ac2a2&query=diversity (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=f953fafb6f33494e8654ce891d5a96ee&query=hazard (referenced by macro)
  - https://endic.naver.com/enkrEntry.nhn?entryId=501f8e2b9ea74aee80c5503df4b7ac46&query=spaghetti (referenced by macro)
  - https://endic.naver.com/search.nhn?sLn=kr&query= (referenced by macro)
  - https://endic.naver.com (referenced by macro)
  - https://YourWebSite.com/?your_query_parameters (referenced by macro)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10456 bytes | 19dfa5a79eb81d7f222ea0c8181bc944b17bd76c754986da60759154ed792521 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "현재_통합_문서"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_FollowHyperlink(ByVal Target As Hyperlink)
Dim TargetF As String
Application.ScreenUpdating = False
Mp3AlPha = True
If Target.Range.Column = 3 Then 'MsgBox Target.SubAddress
TargetF = ActiveWorkbook.Path & "\" & MP3PATH & "\"
If Mp3AlPha Then
TargetF = TargetF & Left(Sheet1.Range(Target.SubAddress).Offset(, -1).Value, 1) & "\"
End If
TargetF = TargetF & Sheet1.Range(Target.SubAddress).Offset(, -1).Value & ".mp3"
If Len(Dir(TargetF)) Then MCIAudioPlay TargetF
End If
Application.ScreenUpdating = True
End Sub
Attribute VB_Name = "Module1"
Option Explicit
#If VBA7 Then
Declare PtrSafe Function URLDownloadToFile Lib "urlmon.dll" Alias "URLDownloadToFileA" _
(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Declare PtrSafe Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
(ByVal hwnd As Long, ByVal lpszOp As String, _
ByVal lpszFile As String, ByVal lpszParams As String, _
ByVal LpszDir As String, ByVal FsShowCmd As Long) _
As Long
Declare PtrSafe Function MCISendString Lib "winmm.dll" Alias _
"mciSendStringA" (ByVal lpstrCommand As String, ByVal _
lpstrReturnString As Any, ByVal uReturnLength As Long, ByVal _
hwndCallback As Long) As Long
#Else
Declare Function URLDownloadToFile Lib "urlmon.dll" Alias "URLDownloadToFileA" _
(ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" _
(ByVal hwnd As Long, ByVal lpszOp As String, _
ByVal lpszFile As String, ByVal lpszParams As String, _
ByVal LpszDir As String, ByVal FsShowCmd As Long) _
As Long
Declare Function MCISendString Lib "winmm.dll" Alias _
"mciSendStringA" (ByVal lpstrCommand As String, ByVal _
lpstrReturnString As Any, ByVal uReturnLength As Long, ByVal _
hwndCallback As Long) As Long
#End If
Public MCIPlay As Long
Public Mp3AlPha As Boolean ' If True, store MP3 files per initial letter in Mp3\a, Mp3\b, Mp3\c ...
Public Const MP3PATH = "Mp3"
Sub GetWordList()
Dim sht As Worksheet
Dim i As Long
Dim LastRow As Long
Dim Rng As Range
Dim XMLhttp As Object 'ServerXMLHTTP 'WinHttpRequest
Dim Html As HTMLDocument, Html2 As HTMLDocument
Dim Result As IHTMLElementCollection
Dim Url As String, str As String
Dim wordlist As Object
Dim TargetUrl As String, LocalFile As String, LocalPath As String
Set XMLhttp = CreateObject("MSXML2.ServerXMLHTTP")
'Set XMLhttp = CreateObject("Microsoft.XMLHTTP")
'Set XMLhttp = New ServerXMLHTTP ' WinHttpRequest
Set Html = New HTMLDocument
Set Html2 = New HTMLDocument
On Error Resume Next
Mp3AlPha = True 'save into per-letter folders
Set sht = ActiveSheet
sht.Hyperlinks.Delete
'UserForm1.Show vbModeless 'progress bar
'Application.ScreenUpdating = False
LastRow = sht.Cells(sht.Rows.Count, 2).End(xlUp).Row
For Each Rng In sht.Range("B2:B" & LastRow)
str = vbNullString
Url = "https://endic.naver.com/search.nhn?sLn=kr&query=" & Rng.Value
With XMLhttp
.Open "Get", Url
.setRequestHeader "User-Agent", "Mobile"
.send
.WaitForResponse
Html.body.innerHTML = .responseText
End With
'index
i = i + 1
Rng.Offset(, -1).Value = i
'web link on the word
Set Result = Html.getElementsByClassName("fnt_e30")
If Result.Length Then
'str = Html.getElementsByClassName("N=a:wrd.entry")(0).getAttribute("href")
Html2.body.innerHTML = Result(0).innerHTML
str = Html2.getElementsByTagName("a")(0).getAttribute("href")
str = Replace(str, "about:/", "/") 'strip the about: prefix
sht.Hyperlinks.Add anchor:=Rng, _
Address:="https://endic.naver.com" & str, _
ScreenTip:="단어검색(외부브라우저)"
Rng.Font.Underline = xlUnderlineStyleNone
Rng.Font.Color = rgbDarkBlue
Rng.Font.Bold = True
End If
'create the folder if it does not exist
LocalPath = ActiveWorkbook.Path & "\" & MP3PATH
If Len(Dir(LocalPath, vbDirectory)) = 0 Then MkDir LocalPath
'save into the folder named after the first letter
If Mp3AlPha Then
LocalPath = LocalPath & "\" & Left(Rng.Value, 1)
If Len(Dir(LocalPath, vbDirectory)) = 0 Then MkDir LocalPath
End If
'pronunciation file
Set Result = Html.getElementsByClassName("btn_side_play _soundPlay")
If Result.Length Then
TargetUrl = Result(0).getAttribute("playlist")
LocalFile = LocalPath & "\" & Rng.Value & ".mp3"
'DownloadFile TargetUrl, LocalFile
URLDownloadToFile 0, TargetUrl, LocalFile, 0, 0
'phonetic transcription
Rng.Offset(, 1).Value = Html.getElementsByClassName("fnt_e25")(0).innerText
'add a hyperlink to the pronunciation file
sht.Hyperlinks.Add anchor:=Rng.Offset(, 1), _
Address:="", _
SubAddress:=Rng.Offset(, 1).Address, _
ScreenTip:=LocalFile
Rng.Offset(, 1).Font.Underline = xlUnderlineStyleNone
'Rng.Offset(, 1).Font.Color = rgbBlack
'meaning
Rng.Offset(, 2).Value = Html.getElementsByClassName("fnt_k05")(0).innerText
'example sentence
Rng.Offset(, 3).IndentLevel = 1
Rng.Offset(, 3).Value = Html.getElementsByClassName("fnt_e07")(0).innerText
Rng.Offset(, 3).ShrinkToFit = True 'shrink text to fit the cell
'example sentence translation
Rng.Offset(, 4).IndentLevel = 1
Rng.Offset(, 4).Value = Html.getElementsByClassName("fnt_k10")(0).innerText
Rng.Offset(, 4).ShrinkToFit = True
End If
Application.StatusBar = "(" & i & "/ " & (LastRow - 1) & ") " & _
CInt(i * 100 / (LastRow - 1)) & " %"
'UserForm1.Caption = "Processing " & i & "/ " & (LastRow - 1) & "..."
'UserForm1.ProgressBar1.Value = CInt(i * 100 / (LastRow - 1))
Next Rng
Set Html2 = Nothing
Set Html = Nothing
Set XMLhttp = Nothing
Application.StatusBar = False
'Unload UserForm1
'Application.ScreenUpdating = True
End Sub
'//not used
Sub DownloadFile(myURL As String, saveFILE As String)
'myURL = "https://YourWebSite.com/?your_query_parameters"
'saveFILE = "C:\file.csv"
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
WinHttpReq.Open "GET", myURL, False, "username", "password"
WinHttpReq.send
myURL = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
Dim oStream As Object
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.responseBody
oStream.SaveToFile saveFILE, 2 ' 1 = no overwrite, 2 = overwrite
oStream.Close
End If
End Sub
Sub URLDownload(myURL As String, DownloadFile As String)
Dim LocalFilename$
'DownloadFile$ = "someFile.ext" 'here the name with extension
'Url$ = "http://some.web.address/" & DownloadFile 'Here is the web address
LocalFilename$ = "C:\Some\Path" & DownloadFile
'here the drive and download directory
MsgBox "Download Status : " & URLDownloadToFile(0, myURL, LocalFilename, 0, 0) = 0
End Sub
'//not used
Function killHyperlinkWarning()
Dim oShell As Object
Dim strReg As String
strReg = "Software\Microsoft\Office\11.0\Common\Security\DisableHyperlinkWarning"
Set oShell = CreateObject("Wscript.Shell")
oShell.RegWrite "HKCU\" & strReg, 1, "REG_DWORD"
End Function
'// Not used
Public Sub ShellEx(ByVal Path As String, Optional ByVal Parameters As String, Optional ByVal HideWindow As Boolean)
If Dir(Path) > "" Then
ShellExecute 0, "open", Path, Parameters, "", IIf(HideWindow, 0, 1)
End If
End Sub
Sub MCIAudioPlay(TargetFile As String)
'If MusicOff Then Exit Sub
'TargetFile should not include any space like "program files\~"
'send the audio start signal
MCIPlay = MCISendString("close myAudio", Nothing, 0, 0)
'MCIPlay = mciSendString("play " & Track, 0&, 0, 0)
MCIPlay = MCISendString("open " & Chr$(34) & TargetFile & Chr$(34) & " alias myAudio wait", Nothing, 0, 0)
MCIPlay = MCISendString("setaudio myWAudio volume to 150", Nothing, 0, 0)
MCIPlay = MCISendString("play myAudio", Nothing, 0, 0) ' repeat
End Sub
Sub MCIAudioStop()
If MCIPlay Then
MCIPlay = MCISendString("stop myAudio", Nothing, 0, 0)
MCIPlay = MCISendString("close myAudio", Nothing, 0, 0)
End If
End Sub
'// not used
'Sub RemoveReference()
' Dim refs As References
' Dim rf As Reference
'
' Set refs = ThisWorkbook.VBProject.References
' On Error Resume Next
' Set rf = refs("MSForms")
' Err.Clear
' If Not rf Is Nothing Then refs.Remove rf
'
'End Sub
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 44032 bytes | 12b81fe0f1493f4f632f01adb2be58ff774accc72c5c189336931e3c93e105e0 |