Verdict: MALICIOUS
Risk score: 450
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The sample contains a Workbook_Open VBA macro that is obfuscated and uses CreateObject and Shell calls. This macro is designed to download and execute a second-stage payload from a URL, as indicated by the 'Obfuscated VBA Shell command with URL' heuristic. The primary URL observed is http://bb.2ba.nl/dataUpload.aspx, which is likely used to fetch the malicious payload.
Heuristics (10)
- ClamAV: Doc.Dropper.Agent-6584643-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6584643-0
- VBA project inside OOXML (medium, OOXML_VBA, 7 related findings): Document contains a VBA project — VBA macros present
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Obfuscated VBA Shell command with URL (critical, OLE_VBA_OBFUSCATED_SHELL_URL): VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://bb.2ba.nl/dataUpload.aspx (referenced by macro)
  - http://www.2ba.nl (referenced by macro)
  - http://bb.2ba.nl/downloads/virtual_/CRL/Relaties/relatie.xls (referenced by macro)
  - http://bb.2ba.nl/downloads/virtual_/CRL/Relaties/PAB200/relatie.txt (referenced by macro)
  - http://bb.2ba.nl/CRL/Relaties/relatie.xls (referenced by macro)
  - http://bb.2ba.nl/CRL/Relaties/relatie.xlsx (referenced by macro)
  - http://www.2ba.nl/documentatie/bestandsuitwisseling/bestandsformaten/attachments/ (referenced by macro)
  - https://bb.2ba.nl/CRL/Downloads/Attachments%20tool/versie.txt (referenced by macro)
  - https://www.2ba.nl/documentatie/tools/attachmentindex (referenced by macro)
  - http://www.w3.org/2001/XMLSchema (referenced by macro)
  - http://www.w3.org/2001/XMLSchema-instance (referenced by macro)
  - https://coderwall.com/p/pbxsyw/vba-web-requests (referenced by macro)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 96220 bytes | 8c7be71879eba155e2ee19332cbc31e0222431642f22d63c2e1b97e5d3199976 |

Preview script (macros.bas): first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
On Error Resume Next
If BL_AttachmentIndex.Shapes("Knop 36").Visible = True Then BL_AttachmentIndex.Shapes("Knop 36").Visible = False
BL_AttachmentIndex.Shapes("Knop 36").Visible = (GetSetting("2BA", "InvoerSheet", "Username", "Gebruikersnaam") Like "*@2ba.nl")
BL_Artikelen.Visible = (GetSetting("2BA", "InvoerSheet", "Username", "Gebruikersnaam") Like "*@2ba.nl")
BL_AttachmentIndex.LB_INFO_tekst
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean)
WBSluiten
End Sub
Private Sub Workbook_Deactivate()
WBSluiten
End Sub
Private Sub WBSluiten()
On Error Resume Next
If BL_AttachmentIndex.Shapes("Knop 36").Visible = True Then BL_AttachmentIndex.Shapes("Knop 36").Visible = False
End Sub
Private Sub Workbook_Open()
Admin_Or_Not
End Sub
Attribute VB_Name = "BL_AttachmentIndex"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Compare Text
Public LB_INFO As Shape
Public ExportAtt As Boolean
Public ExportAtt_Type As String 'C or M
Public ForUser As String
Public Username2BA As String
Public SendReportToEmail As String
Dim FSO As Object
Dim fldr, O_AttachmentIndex, O_Parameter
Function LB_INFO_tekst(Optional Tekst As String) As String
If FSO Is Nothing Then Set FSO = CreateObject("scripting.filesystemobject")
Set LB_INFO = BL_AttachmentIndex.Shapes("Rectangle 1")
'new text
If Tekst > "" Then LB_INFO.TextFrame.Characters.Text = Tekst
With LB_INFO
.Top = 6
.Left = 195
If Not FSO.FolderExists(LB_INFO.TextFrame.Characters.Text) Then
' .BackColor.RGB = RGB(225, 0, 0) ' red
LB_INFO.Fill.ForeColor.RGB = RGB(225, 0, 0) ' red
Else
' .BackColor.RGB = RGB(0, 225, 0) ' green
.Fill.ForeColor.RGB = RGB(0, 225, 0) ' green
End If
End With
LB_INFO_tekst = LB_INFO.TextFrame.Characters.Text
End Function
Private Sub ExporterenAtt()
If FSO Is Nothing Then Set FSO = CreateObject("scripting.filesystemobject")
'first check that every field has been filled in
If WorksheetFunction.CountBlank(BL_AttachmentIndex.UsedRange.Columns("A:F")) > 5 Then
MsgBox "Er zijn nog velden niet gevuld! Deze eerst controleren voor aanmaken attachment index bestand", vbExclamation, ""
FRM_INFO_BestandenComtroleren.Show
End If
FRM_ExportAtt.Show
If ExportAtt = False Then Exit Sub
If ExportAtt_Type = "" Then Exit Sub
If Contr = True Then BestandenControleren
FolderAanmaken LB_INFO_tekst
CreateAttindex ExportAtt_Type
If FRM_ExportAtt.CheckBoxOnline Then
OpenIE "http://bb.2ba.nl/dataUpload.aspx"
ElseIf FRM_ExportAtt.CheckBoxFTP Then
OpenFTP
End If
Call Shell("explorer.exe " & CStr(LB_INFO_tekst), vbNormalFocus)
Unload FRM_ExportAtt
End Sub
Private Sub OpenIE(Site As String)
Dim IEo As Object
Set IEo = CreateObject("InternetExplorer.Application")
IEo.Navigate Site
IEo.Visible = True
Set IEo = Nothing
End Sub
Private Sub OpenFTP()
FRM_FTP_Login.Show
Call Shell("explorer.exe ftp://ftp.2ba.nl", vbNormalFocus)
End Sub
Function Contr() As Boolean
Dim RIJ, COL: Contr = False
RIJ = WorksheetFunction.Max(2, Me.UsedRange.Rows.Count)
For Each COL In Split("1;2;3;5;6", ";")
Contr = (WorksheetFunction.CountBlank(Me.Range(Me.Cells(2, Val(COL)), Me.Cells(RIJ, Val(COL)))) > 0)
If Contr Then Exit For
Next COL
End Function
Private Sub WissenVraag()
If (MsgBox("alles wissen?", vbYesNo + vbCritical, "") = vbYes) Then AllesWissen
End Sub
Function AllesWissen(Optional Wissen As Boolean)
On Error Resume N
... (truncated)

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 527360 bytes | b39a26cc8f1aca8184213c60766efa64aee0ee3f6bcab5cdf5ba54c70da046f6 |

Detection (vbaProject_00.bin)
- ClamAV: Doc.Dropper.Agent-6584643-0
- Obfuscation or payload: unlikely