MALICIOUS
Risk Score: 188
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Xls.Malware.Valyria-10032137-0. Static analysis revealed the presence of VBA macros, specifically a Workbook_Open macro, which is a common technique for executing malicious code upon opening the document. The presence of hidden worksheets further suggests an attempt to conceal malicious components.
Heuristics (4)
- ClamAV: Xls.Malware.Valyria-10032137-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-10032137-0
- VBA project inside OOXML (medium, 1 related finding, OOXML_VBA): Document contains a VBA project; VBA macros present
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- Hidden worksheet (hidden) (low, OOXML_HIDDEN_SHEET): Excel workbook contains 12 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 362345 bytes |

SHA-256: 9f2e17c77d7c52e2ef3c2e2b6fc17abf59a3f36ede5501a5b61d013898e57f7b

Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "shtScreenCommon"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
'******************************************************************************
'*** Change history
'*** Ver9.99 yyyy/mm/dd name Add/Change/Delete NNNNNNNNNN
'*** Ver2.10 2019/03/03 tsutsumi Change: support for the era-name change
'******************************************************************************
'------------------------------------------------------------------------------
'
' Button press
'
'------------------------------------------------------------------------------
'
'Check input contents
Public Sub ButtonClick_CheckInput()
    'Pre-processing
    Call BeforeProcessing
    'Input check
    Call CheckInputMain(False)
    'Post-processing
    Call AfterProcessing
End Sub

'To the detail input screen
Public Sub ButtonClick_TransitionInputIndividual()
    'Pre-processing
    Call BeforeProcessing
    'Remove protection
    Call SheetUnProtection(shtScreenIndividual)
    'Input check + screen transition
    Call CheckInputMain(True)
    'Apply protection
    Call SheetProtection(shtScreenIndividual)
    'Post-processing
    Call AfterProcessing
End Sub

'To the menu screen
Public Sub ButtonClick_TransitionMenu()
    'Pre-processing
    Call BeforeProcessing
    'To the menu screen
    Call ScreenTransition(shtScreenCommon, shtScreenMenu)
    'Post-processing
    Call AfterProcessing
End Sub
'------------------------------------------------------------------------------
'
' Main processing
'
'------------------------------------------------------------------------------
'
'Input check main
Private Sub CheckInputMain(transition As Boolean)
    On Error GoTo ErrRtn
    'Input check
    If CheckInput = False Then Exit Sub
    'To the detail input screen (individual item input)
    If transition = True Then
        'Initialization
        Call shtScreenIndividual.Init
        'Screen transition
        Call ScreenTransition(shtScreenCommon, shtScreenIndividual)
        'Set button text
        Call shtScreenIndividual.SetButtonString
    End If
    Exit Sub
ErrRtn:
    MsgBox (GOTO_ERROR_MSG & vbCrLf & Err.Number & Err.Description)
End Sub
'------------------------------------------------------------------------------
'
' Public functions
'
'------------------------------------------------------------------------------
'
'Set data
Public Sub SetData()
    Dim tmp As String
    Dim l As Long
    'Policy number
    shtScreenCommon.Range(SHT_COMMON_RG_証券番号).Value = _
        "証券番号:" & shtDataSystem.Range(SHT_SYSTEM_RG_証券番号).Value
    'Policyholder name
    shtScreenCommon.Range(SHT_COMMON_RG_契約者名).Value = _
        "契約者名:" & shtDataSystem.Range(SHT_SYSTEM_RG_契約者名).Value
    'Insurance period / payment method
    shtScreenCommon.Range(SHT_COMMON_RG_保険期間_払込方法).Value = _
        "保険期間:" & shtDataSystem.Range(SHT_SYSTEM_RG_保険期間).Value & GetPayment
    'Maturity date
    tmp = shtDataContract.Cells(enSHT_CONTRACT_RW.e共通, enSHT_CONTRACT_COM_CL.e満期).Value
    'Ver02.20 2019/03/22 TSUTUSMI Add S
    'Ver02.10 2019/03/03 TSUTUSMI Add S
    ' l = CLng(Mid$(tmp, 1, 4))
    ' l = l - 1988
    tmp = Mid$(tmp, 1, 4) & Mid$(tmp, 5, 2) & Mid$(tmp, 7, 2)
    tmp = ChangeDateSlash(tmp)
    If IsDate(tmp) = True Then
        tmp = Format$(tmp, "geemmdd")
        'tmp = Format$(tmp, "gemmdd")'
    End If
    'Ver02.10 2019/03/03 TSUTUSMI Add E
    'Ver02.20 2019/03/22 TSUTUSMI Add E
    shtScreenCommon.Range(SHT_COMMON_RG_満期日).Value = tmp
    ' shtScreenCommon.Range(SHT_COMMON_RG_満期日).Value = _
    ' Trim$(Right$(Space(6) & shtDataContract.Cells(enSHT_CONTRACT_RW.e共通, _
    ' enSHT_CONTRACT_COM_CL.e満期).Value, 6))
    'End-of-term lump-sum settlement category
    shtScreenCommon.Range(SHT_COMMON_RG_期末一括精算区分).Value = _
        shtDataContract.Cells(enSHT_CONTRACT_RW.e共通, enSHT_CONTRACT_COM_CL.e期末一括精算区分).Value
    If Trim$(shtScreenCommon.Range(SHT_COMMON_RG_期末一括精算区分).Value) = "1" Then
        shtScreenCommon.Range(SHT_COMMON_RG_期末一括精算区分).Value = "2"
```
... (truncated)

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 595968 bytes |

SHA-256: 307c869ec5212b8cf21701dccb3b902311b25b41babddab1eed3e4a8b76f80f3

Detection
ClamAV: Xls.Malware.Valyria-10032137-0
Obfuscation or payload: unlikely