Verdict: MALICIOUS
Risk Score: 236

Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The Excel document contains critical heuristics indicating the presence of a Workbook_Open macro that leverages ActiveX events to launch a decoded Excel4 macro. This mechanism is commonly used to download and execute further malicious content. The VBA code also includes calls to Shell() and Environ(), suggesting attempts to interact with the operating system and potentially retrieve configuration data.
Heuristics (7)
- VBA project inside OOXML [medium, 5 related findings] OOXML_VBA: Document contains a VBA project — VBA macros present
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- VBA ActiveX event launches decoded Excel4 macro [critical] OLE_VBA_ACTIVEX_XLM_STAGER: The compiled VBA p-code (identifier table) references an auto-firing ActiveX/control event together with ExecuteExcel4Macro, while the decompressed source does not — the VBA-stomping shape of the ActiveX-event XLM stager. The control event bridges into XLM formula execution to call Win32 / drop payloads, hidden from source-level scanners.
- Workbook_Open macro [high] OLE_VBA_WBOPEN: Workbook_Open macro
- Auto_Close macro [high] OLE_VBA_AUTOCLOSE: Auto_Close macro
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON: Environ() call (env variable access)
- Hidden worksheet (veryHidden) [low] OOXML_HIDDEN_SHEET: Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Extracted artifacts (3)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 22492 bytes | 3c5ddea9f97c36c77d639f85c3fc45e43cda71d793ad2cab290ab5796d155df0 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 88576 bytes | c25043dc5444d1759c3e8621f4e51a535deb949dd3626f909bc463a310912c27 |
| emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2744 bytes | 90c1f253e323b61eda889148da2594f313f950c64fd8c9cb055f14decb895f0d |

Preview of macros.bas (first 1,000 lines of the extracted script; comments translated from Italian, code and string literals left as extracted):

```vb
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
#If VBA7 Then
'declare virtual key event listener
Private Declare PtrSafe Function GetAsyncKeyState Lib "user32" _
(ByVal vKey As Long) As Integer
#Else
'declare virtual key event listener
Private Declare Function GetAsyncKeyState Lib "user32" _
(ByVal vKey As Long) As Integer
#End If
Private Const VK_F9 = &H78
'USEFUL FOR DISABLING OR ENABLING RIGHT-CLICK ON CELLS
' Re: Enable Right Click Menu
' Open up the VBE (Alt+F11), open up the Immediate Window (if it isn't enabled) - Ctrl+G and type in there:
'Code:
' Application.CommandBars("Cell").Enabled = True
' and hit return. I PUT IT IN CELASVELARIBBON !
Private Sub Workbook_Activate()
'''' wrong! the text files no longer work !!! IndiceFogliScoperti
'ActiveWorkbook.Protect Password:="28421284" 'I DON'T KNOW WHY BUT IT ONLY WORKS UP HERE AT THE TOP! very important: IF I PROTECT THE WORKBOOK FROM THE EXCEL MENU AND SAVE, THE MACROS NO LONGER WORK
'DoEvents
Application.DisplayAlerts = False 'very important: avoids showing the warning that it cannot link to the external file, because the csv provides no data if it is not open
'MAKES SURE THAT PRESSING ctrl + break DOES NOT INTERRUPT THE CODE
Application.EnableCancelKey = xlDisabled
'END OF KEY HANDLING
DoEvents
' NEVER USE THIS COMMAND, OTHERWISE THE TXT BALANCE SHEETS STOP WORKING, WHO KNOWS WHY.... BUT THAT'S HOW IT IS Application.MoveAfterReturn = False
'but the forums say it does not work in various cases, and here too it does not seem to work!!
'RemoveToolbars
Application.OnKey "{ESCAPE}", ""
Application.OnKey "%^+{RIGHT}", "CelaSvelaRibbon"
Application.OnKey "^{F3}", "fainiente"
Application.OnKey "^{F4}", "fainiente"
Application.OnKey "^{F6}", "fainiente"
Application.OnKey "^{F8}", "fainiente"
Application.OnKey "+{F3}", "fainiente"
Application.OnKey "{F3}", "stampare"
'Application.OnKey "{F4}", "stampareport"
'to disable right-click on the sheet name tabs
Application.CommandBars("Ply").Enabled = False
Application.OnKey "+{PGUP}", ""
Application.OnKey "+{PGDN}", ""
Application.OnKey "^{PGUP}", "zoomup"
Application.OnKey "^{PGDN}", "zoomdown"
Application.OnKey "^{RIGHT}", "windowsdx"
Application.OnKey "^{LEFT}", "windowssx"
Application.OnKey "^{UP}", "windowsup"
Application.OnKey "^{DOWN}", "windowsdown"
Application.OnKey "^{HOME}", "centrafinestre"
Application.OnKey "{F6}", "VISUALIZZARE"
opendachiuso = "no"
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error Resume Next
Application.DisplayAlerts = False
Application.ThisWorkbook.Saved = True
Call Shell("TaskKill /F /PID " & CStr(lPid))
DoEvents
Call Shell("TaskKill /F /PID " & CStr(lPid2))
DoEvents
ThisWorkbook.Saved = True
'in modulo1 I put the auto_close sub that prevents the save prompt on closing
'I REMOVED THE RESTORES BECAUSE I SET IN THE EXE THAT EXCEL RUNS IN A STANDALONE SESSION
'OTHERWISE IF SOMEONE HITS CANCEL ON CLOSE THE MENU REAPPEARS
'RESTORES NORMAL USE OF THE F9 KEY
''''With Application
''''.OnKey "{ESCAPE}"
''''.OnKey "^{F3}"
''''.OnKey "+{F3}"
''''.OnKey "{F3}"
''''.OnKey "%^+{RIGHT}"
'''' .OnKey "{F8}"
'''' .OnKey "{F9}"
'''' .OnKey "^{BREAK}"
''''End With
' RestoreToolbars
''''CelaSvelaRibbon
End Sub
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
'If Sheets("INPUT Statement").Range("o50000") > 0 Or Sheets("INPUT Statement").Range("P50000") > 0 Then
'Cancel = True
'MsgBox "Non salvo perchè ci sono numeri in INPUT Statement"
'Exit Sub
'End If
MsgBox "Hai aggior
... (truncated)
```