MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1059.005 Visual Basic
The sample is a malicious Excel document exploiting CVE-2012-0158. It contains a Workbook_Open VBA macro that uses CreateObject, most likely to download and execute a second-stage payload from one of the embedded URLs. The macro's use of XMLHTTP further suggests network communication for payload retrieval. The document body contains text related to regional data and organizational information, likely a lure.
Heuristics (6)
- MSCOMCTL.ListView — CVE-2012-0158 (high, CVE likely) [CVE_2012_0158]: MSCOMCTL.ListView — CVE-2012-0158
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Workbook_Open macro (high) [OLE_VBA_WBOPEN]: Workbook_Open macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 405494 bytes | 44eb26b496d03ad2991d07ad537e1db43caa111205a3d52b34a1ed6bf441ffd1 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "xlsBook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
modThisWorkbook.Workbook_BeforeSave_Handler SaveAsUI, Cancel, Me
On Error GoTo ErrHandler
Dim status As Integer
status = Me.CustomDocumentProperties("Status")
If status > 2 Then
MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name
Cancel = True
Exit Sub
End If
Exit Sub
ErrHandler:
MsgBox Err.Description, vbOKOnly + vbExclamation, ThisWorkbook.name
End Sub
Private Sub Workbook_Open()
modThisWorkbook.Workbook_Open_Handler Me
End Sub
Attribute VB_Name = "modHTTPServerCaller"
Option Explicit
Option Base 1
' For registries
' For registries
Public Const STR_REESTR_TYPE As String = "FULL_OWNER"
''Public Const STR_REESTR_TYPE As String = "FULL"
' FULL - full version
' REDU_Y - without MR/MO/OKTMO, with activity type
' REDU_N - without MR/MO/OKTMO, without activity type
' STAT - statistics
' ENER - energy
' FULL_OWNER - full version with MR/MO of registration
Public Const STR_ACTIVITY_SPHERE As String = "HOT_VS"
'--------------
'-----FULL-----
'--------------
' ALL
' VS
' VO
' TBO
' HOT_VS
' VS_VO
' VS_VO_TBO
' EE
' GAS
' JKH_EE
' WARM
'--------------
'-----REDU-----
'--------------
' WARM
' VS
' HOT_VS
' VS_VO
' VO
' TBO
' EE
'--------------
Public Const STR_ADDITIONAL_REGIONS As String = "" 'additional regions (subjects), separated by ;
Public Const STR_REESTR_MR_MO_TYPE As String = "MRMO"
Public Const STR_RANGE_NAME As String = "REESTR_ORG_RANGE"
Public Const STR_REESTR_SHEET_NAME As String = "REESTR_ORG"
Public STR_REESTR_MO_SHEET_NAME As String
''Public Const STR_REESTR_MO_SHEET_NAME As String = "REESTR_MO"
' DNS addresses; they are polled in exactly this order
Public Const STR_HTTP_REQUEST_BASE_URL_1 As String = "https://tariff.eias.ru/procwsxls/"
Public Const STR_HTTP_REQUEST_BASE_URL_2 As String = "https://appsrv02.eias.ru/procwsxls/"
Public Const STR_HTTP_REQUEST_BASE_URL_3 As String = "https://appsrv01.eias.ru/procwsxls/" ' TBD
Public Const STR_HTTP_REQUEST_BASE_URL_4 As String = "https://tariff.eias.ru/procwsxls/" ' TBD
Public Const STR_HTTP_REQUEST_PROC_MR_MO_OKTMO_NAME As String = "MO_REESTR?"
Public Const STR_HTTP_REQUEST_PROC_MR_MO_OKTMO_PARAM_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_MR_MO_OKTMO_PARAM_2 As String = "p_TC="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL As String = "ORG_REESTR?"
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_2 As String = "p_AS="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_3 As String = "p_VDET="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_4 As String = "p_TC="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER As String = "ORG_REESTR_OWNER?"
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER_2 As String = "p_AS="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER_3 As String = "p_VDET="
Public Const STR_HTTP_REQUEST_PROC_ORG_FULL_OWNER_4 As String = "p_TC="
Public Const STR_HTTP_REQUEST_PROC_ORG_STAT As String = "ORG_STAT_REESTR?"
Public Const STR_HTTP_REQUEST_PROC_ORG_STAT_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_ORG_STAT_2 As String = "p_TC="
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU As String = "ORG_REESTR_REDUCED?"
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU_1 As String = "p_NSRF="
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU_2 As String = "p_AS="
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU_3 As String = "P_INCL_VDET="
Public Const STR_HTTP_REQUEST_PROC_ORG_REDU_4 As String = "p_TC="
Public
```
... (truncated)