MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The file is an Excel document containing VBA macros. The macros primarily manipulate row visibility within the spreadsheet, suggesting a potential lure or preparation for a malicious action. The presence of a CreateObject call and an external relationship pointing to a local file path indicates suspicious activity, though no direct payload execution or network communication was observed in the provided script.
Heuristics 4
- External relationship (high, OOXML_EXTERNAL_REL): External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///C:\Users\Paul\Infinity Control Solutions\Stuart King - Quotes\01 Quotation Info\Distech\EclypseSelection_v1_22.x
- VBA project inside OOXML (medium, OOXML_VBA, 1 related finding): Document contains a VBA project — VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/2000/svg (OOXML external relationship)
  - http://www.w3.org/1999/xlink (OOXML external relationship)
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12474 bytes | 48a749747ac18080d8bdd77bc2fe0d3bfb48ff59d4e7ba2f1c7c7fecfa2314ff |

Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "Module1"
Sub sbCHP()
    Rows("3:182").EntireRow.Hidden = True
    Rows("211:1000").EntireRow.Hidden = True
End Sub
Sub sbUnHideAll()
    Rows("3:1000").EntireRow.Hidden = False
End Sub
Sub sbMetering()
    Rows("3:519").EntireRow.Hidden = True
    Rows("556:1000").EntireRow.Hidden = True
End Sub
Sub sbFCU()
    Rows("3:668").EntireRow.Hidden = True
    Rows("709:1000").EntireRow.Hidden = True
End Sub
Sub sbHomePage()
    Rows("1:32").EntireRow.Hidden = False
    Rows("34:108").EntireRow.Hidden = True
End Sub
Sub sbPriceOverview()
    Rows("34:109").EntireRow.Hidden = False
    Rows("43:54").EntireRow.Hidden = True
    Rows("62:72").EntireRow.Hidden = True
    Rows("79:89").EntireRow.Hidden = True
    Rows("96:106").EntireRow.Hidden = True
    Rows("1:32").EntireRow.Hidden = True
End Sub
Sub sbSummaryController()
    Rows("34:109").EntireRow.Hidden = False
    Rows("62:72").EntireRow.Hidden = True
    Rows("79:89").EntireRow.Hidden = True
    Rows("96:106").EntireRow.Hidden = True
    Rows("1:32").EntireRow.Hidden = True
End Sub
Sub sbHoneywellFD()
    Rows("62:72").EntireRow.Hidden = False
End Sub
Sub sbHoneywellHide()
    Rows("55:72").EntireRow.Hidden = True
End Sub
Sub sbDistechFD()
    Rows("79:89").EntireRow.Hidden = False
End Sub
Sub sbDistechHide()
    Rows("73:89").EntireRow.Hidden = True
End Sub
Sub sbTrendFD()
    Rows("96:106").EntireRow.Hidden = False
End Sub
Sub sbTrendHide()
    Rows("90:106").EntireRow.Hidden = True
End Sub
Sub sbTaskBreakDownHide()
    Rows("43:54").EntireRow.Hidden = True
End Sub
Sub sbTaskBreakDownShow()
    Rows("43:54").EntireRow.Hidden = False
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Sub GetFileNames()
    Dim xRow As Long
    Dim xDirect$, xFname$, InitialFoldr$
    InitialFoldr$ = "C:\"
    With Application.FileDialog(msoFileDialogFolderPicker)
        .InitialFileName = Application.DefaultFilePath & "\"
        .Title = "Please select a folder to list Files from"
        .InitialFileName = InitialFoldr$
        .Show
        If .SelectedItems.Count <> 0 Then
            xDirect$ = .SelectedItems(1) & "\"
            xFname$ = Dir(xDirect$, 7)
            Do While xFname$ <> ""
                ActiveCell.Offset(xRow) = xFname$
                xRow = xRow + 1
                xFname$ = Dir
            Loop
        End If
    End With
End Sub
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub EquipHide()
    LastRow = 200 'Let's say you have 500 rows in the data
    For i = 15 To LastRow 'Now we loop through each row and check for required criteria
        'to hide all the rows with the values as 0 in Column A
        If Range("E" & i) = 0 Then Rows(i).EntireRow.Hidden = True
    Next
End Sub
Sub EquipUnHideAll()
    Rows("1:200").EntireRow.Hidden = False
End Sub
Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-000
```

... (truncated)

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 66048 bytes | dca7989fa2fa7f8153e40b0d82d44fc00076d92d2c583b1b290fca6aa0bd40f5 |
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image23.emf | 2660 bytes | 6861e8ecad0087c2410567fb84f735d5d19e6804ee7d8ebc68dd4065cd5ef809 |
| emf_01.emf | ooxml-emf | OOXML EMF part: xl/media/image24.emf | 2676 bytes | 19c8a237a9e648c68fd5abac0e5b0c07ac8e0811527405e8f8417a3b359a9304 |