MALICIOUS
236
Risk Score
Heuristics 7
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set WshShell = CreateObject("WScript.Shell") -
PowerShell reference in VBA critical OLE_VBA_PSPowerShell reference in VBAMatched line in script
Command = "cmd.exe /c powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File """ & _ -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set fso = CreateObject("Scripting.FileSystemObject") -
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBAMatched line in script
Command = "cmd.exe /c powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File """ & _ -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
userName = Environ$("USERNAME") -
External hyperlinks (4) low OOXML_EXTERNAL_HYPERLINKSDocument contains 4 external hyperlinks — clickable URLs are stored as external relationships. First target: javascript:void(0)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9531 bytes |
SHA-256: dbf778c35bf933d6df06c4206b2bae13387b83a981f7d161d478e5b5795fe35d |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Option Explicit
Const LOG_FOLDER As String = "\\AER-DC15\Warranty logs"
Const LOG_FILE As String = "\\AER-DC15\Warranty logs\Warranty_Print_Log.csv"
Sub Print_Chenault()
PrintWarrantyRequest_Zebra_Verified "Chenault"
End Sub
Sub Print_3420_Warranty()
PrintWarrantyRequest_Zebra_Verified "3420"
End Sub
Sub PrintWarrantyRequest_Zebra_Verified(locationName As String)
Dim ws As Worksheet
Dim logWs As Worksheet
Dim nextRow As Long
Dim claimNo As String
Dim partSer As String
Dim userName As String
Dim computerName As String
Dim printerName As String
Dim printerIP As String
Dim beforeResult As String
Dim afterResult As String
Dim beforeParts() As String
Dim afterParts() As String
Dim beforeCounter As Long
Dim afterCounter As Long
Dim labelsPrinted As Long
Dim finalStatus As String
Dim statusMessage As String
Set ws = ActiveSheet
Set logWs = GetOrCreateLogSheet()
claimNo = ws.Range("B3").Value
partSer = ws.Range("B4").Value
userName = Environ$("USERNAME")
computerName = Environ$("COMPUTERNAME")
If locationName = "Chenault" Then
printerName = "2004 Chenault"
printerIP = "10.1.33.1"
ElseIf locationName = "3420" Then
printerName = "ZDesigner ZT411-203dpi ZPL write up"
printerIP = "192.168.70.132"
Else
MsgBox "Unknown printer location. Please contact IT.", vbCritical, "Printer Error"
Exit Sub
End If
On Error GoTo PrintError
beforeResult = GetZebraLabelCounter(printerIP)
beforeParts = Split(beforeResult, "|")
If UBound(beforeParts) < 1 Or beforeParts(0) <> "SUCCESS" Then
MsgBox "Cannot read Zebra label counter before printing." & vbCrLf & vbCrLf & _
"Printer: " & printerName & vbCrLf & _
"Result: " & beforeResult & vbCrLf & vbCrLf & _
"Please Contact IT", vbCritical, "Printer Counter Error"
Exit Sub
End If
beforeCounter = CLng(beforeParts(1))
ws.PrintOut Copies:=1, ActivePrinter:=printerName
Application.Wait Now + TimeValue("00:00:05")
afterResult = GetZebraLabelCounter(printerIP)
afterParts = Split(afterResult, "|")
If UBound(afterParts) < 1 Or afterParts(0) <> "SUCCESS" Then
finalStatus = "FAILED"
statusMessage = "After-counter could not be read: " & afterResult
afterCounter = beforeCounter
labelsPrinted = 0
Else
afterCounter = CLng(afterParts(1))
labelsPrinted = afterCounter - beforeCounter
If labelsPrinted >= 1 Then
finalStatus = "VERIFIED PRINTED"
statusMessage = "Warranty Parts Printed Successfully"
Else
finalStatus = "NOT PRINTED"
statusMessage = "Label counter did not increase"
End If
End If
nextRow = logWs.Cells(logWs.Rows.Count, 1).End(xlUp).Row + 1
logWs.Cells(nextRow, 1).Value = Now
logWs.Cells(nextRow, 2).Value = claimNo
logWs.Cells(nextRow, 3).Value = partSer
logWs.Cells(nextRow, 4).Value = userName
logWs.Cells(nextRow, 5).Value = computerName
logWs.Cells(nextRow, 6).Value = printerName
logWs.Cells(nextRow, 7).Value = printerIP
logWs.Cells(nextRow, 8).Value = beforeCounter
logWs.Cells(nextRow, 9).Value = afterCounter
logWs.Cells(nextRow, 10).Value = labelsPrinted
logWs.Cells(nextRow, 11).Value = finalStatus
logWs.Cells(nextRow, 12).Value = statusMessage
LogToSharedCSV claimNo, partSer, userName, computerName, printerName, printerIP, _
beforeCounter, afterCounter, labelsPrinted, finalStatus, statusMessage
If finalStatus = "VERIFIED PRINTED" Then
MsgBox "Warranty Parts Printed Successfully" & vbCrLf & vbCrLf & _
"Claim #: " & claimNo & vbCrLf & _
"Printer: " & printerName, vbInformation, "Print Successful"
Else
MsgBox "Printer Issue Detected" & vbCrLf & vbCrLf & _
"Claim #: " & claimNo & vbCrLf & _
"Printer: " & printerName & vbCrLf & vbCrLf & _
"Please Contact IT", vbCritical, "Print Failed"
End If
Exit Sub
PrintError:
MsgBox "Printer Issue Detected" & vbCrLf & vbCrLf & _
"Claim #: " & claimNo & vbCrLf & _
"Printer: " & printerName & vbCrLf & vbCrLf & _
"Please Contact IT", vbCritical, "Print Failed"
End Sub
Function GetZebraLabelCounter(printerIP As String) As String
Dim WshShell As Object
Dim Command As String
Dim TempFile As String
Dim fso As Object
Dim ts As Object
Dim Output As String
TempFile = Environ$("TEMP") & "\zebra_counter_" & Replace(printerIP, ".", "_") & ".txt"
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FileExists(TempFile) Then
On Error Resume Next
fso.DeleteFile TempFile, True
On Error GoTo 0
End If
Command = "cmd.exe /c powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File """ & _
Environ$("USERPROFILE") & "\Desktop\Warranty Parts Pick\Check_Zebra_Status.ps1"" """ & _
printerIP & """ > """ & TempFile & """"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run Command, 0, True
If fso.FileExists(TempFile) Then
Set ts = fso.OpenTextFile(TempFile, 1)
Output = Trim(ts.ReadAll)
ts.Close
Else
Output = ""
End If
If Output = "" Then
GetZebraLabelCounter = "FAILED|No response"
Else
GetZebraLabelCounter = Output
End If
End Function
Function GetOrCreateLogSheet() As Worksheet
Dim ws As Worksheet
On Error Resume Next
Set ws = ThisWorkbook.Sheets("Print_Log")
On Error GoTo 0
If ws Is Nothing Then
Set ws = ThisWorkbook.Sheets.Add
ws.Name = "Print_Log"
ws.Range("A1").Value = "Date/Time"
ws.Range("B1").Value = "Claim#"
ws.Range("C1").Value = "Part/Ser"
ws.Range("D1").Value = "User"
ws.Range("E1").Value = "Computer"
ws.Range("F1").Value = "Printer"
ws.Range("G1").Value = "Printer IP"
ws.Range("H1").Value = "Counter Before"
ws.Range("I1").Value = "Counter After"
ws.Range("J1").Value = "Labels Printed"
ws.Range("K1").Value = "Final Status"
ws.Range("L1").Value = "Message"
ws.Columns("A:L").AutoFit
End If
Set GetOrCreateLogSheet = ws
End Function
Sub LogToSharedCSV(claimNo As String, partSer As String, userName As String, computerName As String, _
printerName As String, printerIP As String, beforeCounter As Long, _
afterCounter As Long, labelsPrinted As Long, finalStatus As String, _
statusMessage As String)
Dim fso As Object
Dim ts As Object
Dim lineText As String
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(LOG_FOLDER) Then Exit Sub
If Not fso.FileExists(LOG_FILE) Then
Set ts = fso.CreateTextFile(LOG_FILE, True)
ts.WriteLine "DateTime,Claim#,Part/Ser,User,Computer,Printer,Printer IP,Counter Before,Counter After,Labels Printed,Final Status,Message"
ts.Close
End If
Set ts = fso.OpenTextFile(LOG_FILE, 8, True)
lineText = """" & Format(Now, "yyyy-mm-dd hh:nn:ss") & """," & _
"""" & Replace(claimNo, """", "'") & """," & _
"""" & Replace(partSer, """", "'") & """," & _
"""" & Replace(userName, """", "'") & """," & _
"""" & Replace(computerName, """", "'") & """," & _
"""" & Replace(printerName, """", "'") & """," & _
"""" & printerIP & """," & _
"""" & beforeCounter & """," & _
"""" & afterCounter & """," & _
"""" & labelsPrinted & """," & _
"""" & finalStatus & """," & _
"""" & Replace(statusMessage, """", "'") & """"
ts.WriteLine lineText
ts.Close
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 32768 bytes |
SHA-256: a36650b39afc6dc47e49b09eaf33bde5f495ef9a21d854f702d1be27f50629f2 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.