MALICIOUS
276
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file is an OOXML document containing a Workbook_Open VBA macro. This macro is designed to execute automatically when the document is opened, attempting to hide the Excel application window and display a UserForm. This behavior suggests a phishing or social engineering lure, where the UserForm likely presents deceptive content to the user. The use of WScript.Shell and CreateObject indicates attempts to interact with the operating system, potentially to download and execute further payloads. In the recovered source, WScript.Shell is used to launch RUNDLL32 PRINTUI.DLL (printer properties) and a SAP_PRINT.exe expected next to the workbook (or copied to %TEMP%); no download routine is visible in the extracted macros, so the payload-download hypothesis rests on the hidden-window-plus-shell pattern rather than on the visible code.
Heuristics 8
VBA project inside OOXML — medium — 7 related findings — OOXML_VBA: Document contains a VBA project — VBA macros present
WScript.Shell usage — critical — OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script:
Private Sub CommandButton3_Click() 'afficher option de l'imprimante Set oShell_printer = CreateObject("WScript.Shell") 'afficher option de l'imprimante oShell_printer.Run "RUNDLL32.EXE PRINTUI.DLL,PrintUIEntry /e /n " + ComboBox1.Text, 1, False -
LOLBin reference in VBA — critical — OLE_VBA_LOLBIN: LOLBin reference in VBA. Matched line in script:
Set oShell_printer = CreateObject("WScript.Shell") 'afficher option de l'imprimante oShell_printer.Run "RUNDLL32.EXE PRINTUI.DLL,PrintUIEntry /e /n " + ComboBox1.Text, 1, False End Sub -
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Private Sub CommandButton3_Click() 'afficher option de l'imprimante Set oShell_printer = CreateObject("WScript.Shell") 'afficher option de l'imprimante oShell_printer.Run "RUNDLL32.EXE PRINTUI.DLL,PrintUIEntry /e /n " + ComboBox1.Text, 1, False -
GetObject call — high — OLE_VBA_GETOBJ: GetObject call. Matched line in script:
Set objWMIService = GetObject("winmgmts:" & _ "{impersonationLevel=impersonate}!\\" & nomPC & "\root\cimv2") -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Private Sub Workbook_Open() -
Environ() call (env variable access) — low — OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script:
Set MyFile = fso.GetFile(sPath + "\SAP_PRINT.exe") sPath = Environ("Temp") 'USER temp MyFile.Copy sPath + "\SAP_PRINT.exe"
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15875 bytes |
SHA-256: ca5699a1e45b1694b64f93160bd3265882f6f7d8ff8c1c58a77c6110111dc190
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
    ' Mark the workbook as already saved so Excel shows no "save changes?" prompt on close.
    ' Original comment: "Permet d'empecher l'enregistrement" (prevents saving).
    ' Together with Workbook_BeforeSave this keeps the document from being persisted with changes.
    With Application.ThisWorkbook
        .Saved = True
    End With
End Sub
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
    ' Veto every save attempt, whether it came from Save or Save As
    ' (SaveAsUI is deliberately ignored). Original comment:
    ' "Permet d'empecher l'enregistrement" (prevents saving the workbook).
    Cancel = True
End Sub
Private Sub Workbook_Open()
' Auto-runs when the workbook opens: waits 2 s, hides the Excel window, shows UserForm1
' (the SAP print front-end), then makes Excel visible again once control returns.
' Hiding the host application while a form is displayed is one of the behaviours the
' report's heuristics flag (see the summary at the top of the report).
Application.Wait (Now + TimeValue("0:00:02"))
Application.WindowState = xlMinimized
Application.Visible = False
' Load fires UserForm_Initialize, which enumerates printers through WMI.
Load UserForm1
UserForm1.StartUpPosition = 2 ' 2 = CenterScreen
'UserForm1.Show
' NOTE(review): `Modal` is not a built-in VBA constant (vbModal is) and no declaration for it
' is visible in the extracted modules; the UserForm1 module has no Option Explicit, so it is an
' empty Variant, which .Show would coerce to 0 (vbModeless) — confirm whether the form is really
' shown modally, since otherwise the next line runs at once instead of after the form closes.
UserForm1.Show Modal
Application.Visible = True
Application.EnableCancelKey = xlInterrupt ' Esc interrupts the running macro (original: "permet de stopper le programme avec touche Echap").
End Sub
Attribute VB_Name = "Feuil1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Feuil2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Feuil3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{205BFDCC-E0D5-479B-B7A2-E757059DF6CD}{99A32100-C717-4144-A4C4-4C7D8EB8E88B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Option Explicit is intentionally absent (original: "non obligé de déclarer toutes les variables"),
' so undeclared names in this module are silently created as Variants.
' Win32 imports used by UserForm_Activate to add minimize / maximize buttons to the
' UserForm's title bar (original: "Permet d'ajouter minimize / maximize to your userform").
' NOTE(review): these are 32-bit style Declares (no PtrSafe, Long handles); 64-bit Office
' refuses to compile Declare statements without PtrSafe — confirm the intended host.
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, ByVal nIndex As Long) As Long
Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function DrawMenuBar Lib "user32" (ByVal hWnd As Long) As Long
Private Declare Function ShowWindow Lib "user32" (ByVal hWnd As Long, ByVal nCmdShow As Long) As Long
' GetWindowLong/SetWindowLong index of the window-style field, and the style bits that are OR-ed in.
Private Const GWL_STYLE As Long = (-16)
Private Const WS_SYSMENU As Long = &H80000
Private Const WS_MINIMIZEBOX As Long = &H20000
Private Const WS_MAXIMIZEBOX As Long = &H10000
' ShowWindow and SW_SHOWMAXIMIZED are declared but not referenced anywhere in the extracted modules.
Private Const SW_SHOWMAXIMIZED = 3
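Private Sub CommandButton3_Click() 'show the printer-properties dialog for the selected printer
    ' Opens the Windows printer-properties page (PrintUIEntry /e) for the printer named in
    ' ComboBox1 by launching RUNDLL32 PRINTUI.DLL through WScript.Shell.
    ' Run arguments: 1 = normal window, False = do not wait for the process to exit.
    Dim oShell_printer As Object
    Dim printerName As String
    printerName = ComboBox1.Text
    ' ComboBox1 is filled from WMI in UserForm_Initialize, but its text is still free-form
    ' user input that ends up on a command line. The original passed it unquoted after /n,
    ' so any printer name containing spaces (e.g. "Microsoft Print to PDF") was truncated at
    ' the first space and extra words became further switches. Quote the name, and refuse an
    ' empty name or one containing a double quote, which cannot be represented safely.
    If Len(Trim$(printerName)) = 0 Or InStr(printerName, """") > 0 Then
        MsgBox ("Merci de sélectionner une imprimante valide")
        Exit Sub
    End If
    Set oShell_printer = CreateObject("WScript.Shell")
    oShell_printer.Run "RUNDLL32.EXE PRINTUI.DLL,PrintUIEntry /e /n """ & printerName & """", 1, False
    Set oShell_printer = Nothing
End Sub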
Private Sub UserForm_Activate()
    ' Add the system menu plus minimize/maximize boxes to this UserForm's native window.
    ' "ThunderDFrame" is the window class of VBA UserForms; the form is located by its caption.
    ' Relies on the user32 Declares and the WS_*/GWL_STYLE constants at the top of the module.
    Dim hForm As Long
    Dim newStyle As Long
    hForm = FindWindow("ThunderDFrame", Me.Caption)
    ' Read the current style bits, OR in the three we want, and write them back.
    newStyle = GetWindowLong(hForm, GWL_STYLE) Or WS_SYSMENU Or WS_MINIMIZEBOX Or WS_MAXIMIZEBOX
    SetWindowLong hForm, GWL_STYLE, newStyle
    ' Repaint the non-client area so the new buttons show up.
    DrawMenuBar hForm
    ' NOTE(review): a zero handle from FindWindow is not checked; the API calls then fail silently.
End Sub
'fin minimize / maximize to your userform
Private Sub CommandButton2_Click()
    ' "Quit" button: unload the form, then quit Excel when this is the only open workbook,
    ' otherwise close just this workbook (no save prompt, since Workbook_BeforeClose marks it
    ' saved). The trailing End statement stops all VBA execution regardless. Errors are ignored.
    On Error Resume Next
    Unload Me
    Select Case Application.Workbooks.Count
        Case 1
            'ThisWorkbook.Close
            Application.Quit
        Case Else
            ThisWorkbook.Close
    End Select
    End
End Sub
Public Sub UserForm_Initialize()
    ' Fill ComboBox1 with every printer WMI reports on the local machine ("."), preselecting
    ' the default one. Runs when the form is loaded (Workbook_Open does Load UserForm1).
    'Me.StartUpPosition = 2
    Dim wmi As Object
    Dim printers As Object
    Dim prn As Object
    Dim machine As String
    Dim summary As String
    machine = "."
    ' Connect to the local CIMv2 namespace, impersonating the current user.
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & machine & "\root\cimv2")
    Set printers = wmi.execQuery("Select * from Win32_Printer")
    For Each prn In printers
        ' summary is only consumed by the commented-out MsgBox below.
        summary = summary & prn.Name & " imprimante active : " & prn.Default & vbLf
        ComboBox1.AddItem prn.Name
        If prn.Default Then ComboBox1.Text = prn.Name
    Next
    'MsgBox summary
End Sub
Private Sub UserForm_QueryClose(Cancel As Integer, CloseMode As Integer)
    ' Fired when the form is about to close. Only when the user used the title-bar X
    ' (CloseMode = 0 = vbFormControlMenu) does it also quit Excel, or just close this
    ' workbook if others are open. Errors are ignored throughout.
    On Error Resume Next
    Unload Me
    If CloseMode <> vbFormControlMenu Then Exit Sub
    'MsgBox "Formulaire fermé par le x de la barre de titre." (form closed via the title-bar X)
    If Application.Workbooks.Count = 1 Then
        Application.Quit
    Else
        ThisWorkbook.Close
    End If
End Sub
'SAP GUI
Private Sub CommandButton1_Click()
' "Print" button: drives an already-open SAP GUI session (SAP GUI Scripting) to print up to
' four documents (output types ZLD8 / ZLDR / ZQC2 / ZCI1) for the delivery number typed in
' TextBox1, handing each spool to an external helper, SAP_PRINT.exe, expected next to this
' workbook. The helper is executed from the workbook's own folder (or a copy in %TEMP%), so
' whoever controls that folder controls what runs. Nothing is declared (no Option Explicit),
' so every name below is an implicit Variant.
Set oShell = CreateObject("WScript.Shell")
sPath = Application.ThisWorkbook.Path
sName = Application.ThisWorkbook.Name
'MsgBox (sPath)
' If the workbook lives on a network share (a "\\" anywhere in its path), copy
' SAP_PRINT.exe into the user's %TEMP% and run it from there.
' (original: "Voir si l'exécution du fichier SAP_PRINT.exe est sur un réseau si oui copier le fichier dans le répertoire temp")
If InStr(1, sPath, "\\") Then
Set fso = CreateObject("Scripting.FileSystemObject")
Set MyFile = fso.GetFile(sPath + "\SAP_PRINT.exe")
sPath = Environ("Temp") 'user's %TEMP%
MyFile.Copy sPath + "\SAP_PRINT.exe"
End If
' Abort if the helper executable is not present in (the possibly redirected) sPath.
If Dir(sPath + "\SAP_PRINT.exe") = "" Then
MsgBox ("Erreur : Attention le Fichier SAP_PRINT.EXE n'est pas trouvé !")
Exit Sub
End If
' Row index of each output type in the SAP output table; "" means "not found / not requested".
chemin_PDF = ""
ZLD8_ID = ""
ZLDR_ID = ""
ZQC2_ID = ""
ZCI1_ID = ""
' Third argument passed to SAP_PRINT.exe: "go" prints, "non" (CheckBox5) does not.
run_printer = "go"
'printer_name = "\\dc01\PRTTLN10"
printer_name = ComboBox1.Value
' Print mode: SAP output device "locl" (local printer), or "LP01" with one copy of each
' document when a PDF / Microsoft printer is selected.
output_doc = "locl"
If InStr(1, printer_name, "PDF") Or InStr(1, printer_name, "Microsoft") Then
output_doc = "LP01"
TextBox2.Value = 1
TextBox3.Value = 1
TextBox4.Value = 1
TextBox5.Value = 1
If Dossier_PDF.Value Then 'automatic PDF folder: ask the user where to save the PDFs
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.BrowseForFolder(&H0&, "Choisir un répertoire pour l'enregistrement du ou des fichiers PDF...", &H1&)
' A cancelled dialog leaves objFolder empty; the error is ignored and chemin_PDF stays "".
On Error Resume Next
Set oFolderItem = objFolder.Items.Item
chemin_PDF = oFolderItem.Path
MsgBox ("Vos fichiers PDF vont être enregistrés dans " + chemin_PDF)
End If
End If
' From here on every error is swallowed: a failed SAP call or a failed helper launch does
' not stop the sequence below.
On Error Resume Next
Application.DisplayAlerts = False
If Not CheckBox1.Value And Not CheckBox2.Value And Not CheckBox3.Value And Not CheckBox4.Value Then
MsgBox ("Merci de sélectionner au moins un CR à générer")
Exit Sub
End If
If CheckBox5.Value Then
'run_printer = "test"
run_printer = "non"
End If
'MsgBox (Replace(sPath, " ", Chr(32)))
'MsgBox ("""" + sPath + "\SAP_PRINT.exe"" " + """" + printer_name + """ " + TextBox2.Value + " " + run_printer)
' Attach to the running SAP GUI (scripting must be enabled): first connection, first session.
If Not IsObject(SAP_Application) Then
Set SapGuiAuto = GetObject("SAPGUI")
Set SAP_Application = SapGuiAuto.GetScriptingEngine
End If
If Not IsObject(Connection) Then
Set Connection = SAP_Application.Children(0)
End If
If Not IsObject(session) Then
Set session = Connection.Children(0)
End If
' NOTE(review): WScript only exists under the Windows Script Host; inside Excel VBA it is an
' undeclared empty Variant, so this block looks carried over from a .vbs version and is
' presumably never entered — confirm.
If IsObject(WScript) Then
WScript.ConnectObject session, "on"
WScript.ConnectObject Application, "on"
End If
' NOTE(review): IsEmpty() of an object reference is False, so this "not logged in" check can
' only take effect through the On Error Resume Next fall-through when findById raises — confirm.
If IsEmpty(session.findById("wnd[0]/tbar[0]/okcd")) Then
MsgBox ("Merci de vous loguer sous SAP avant d'utiliser le script !")
'WScript.Quit (errornumber)
Exit Sub
End If
' Delivery (BL) number to print, as typed in TextBox1.
nomquelconque = TextBox1.Text
'InputBox("N° BL à imprimer", "N° BL à imprimer", "80163158")
If CheckBox6.Value Then
session.findById("wnd[0]").iconify
Else
session.findById("wnd[0]").maximize
End If
'session.findById("wnd[0]").resizeWorkingPane 193, 38, False
' Open transaction VL03N (display outbound delivery) and enter the delivery number.
session.findById("wnd[0]/tbar[0]/okcd").Text = "/nvl03n"
session.findById("wnd[0]").sendVKey 0
'check the variables
session.findById("wnd[0]/usr/ctxtLIKP-VBELN").Text = nomquelconque
' Open the delivery's output-messages table.
session.findById("wnd[0]/mbar/menu[0]/menu[6]").Select
session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL").getAbsoluteRow(1).Selected = True
If IsEmpty(session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL")) Then
MsgBox ("Problème de recherche de BL! Revoir votre numéro de BL...")
'session.findById("wnd[0]").resizeWorkingPane 193, 38, False
session.findById("wnd[0]/tbar[0]/okcd").Text = "/n"
session.findById("wnd[0]").sendVKey 0
Exit Sub
End If
'Set Table = session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL").Children
'MsgBox (session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL").Children(1).DisplayedText)
'MsgBox ("ici")
' Scan the output-type table once and remember the row of each requested type.
For SAP_recherche = 0 To session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL").Children.Count() - 1
If CheckBox1.Value Then
If session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL").Children(CInt(SAP_recherche)).DisplayedText = "ZLD8" Then
ZLD8_ID = CInt(SAP_recherche)
End If
End If
If CheckBox2.Value Then
If session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL").Children(CInt(SAP_recherche)).DisplayedText = "ZLDR" Then
ZLDR_ID = CInt(SAP_recherche)
End If
End If
If CheckBox3.Value Then
If session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL").Children(CInt(SAP_recherche)).DisplayedText = "ZQC2" Then
ZQC2_ID = CInt(SAP_recherche)
End If
End If
If CheckBox4.Value Then
If session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL").Children(CInt(SAP_recherche)).DisplayedText = "ZCI1" Then
ZCI1_ID = CInt(SAP_recherche)
End If
End If
Next
' For each type found: select its row, open the print dialog (btn[6]), tick NAST-DIMME
' (print immediately), set the output device (NAST-LDEST) and cover title (NAST-TDCOVTITLE),
' confirm, then run SAP_PRINT.exe with printer name, copy count (TextBoxN) and the run_printer
' flag, waiting for it (last argument True). In LP01 mode a second run either saves the PDF
' into chemin_PDF (PDF_SAVE) or only renames it (PDF).
' NOTE(review): the "" comparisons rely on Variant semantics — an Integer row index never
' equals the String "", so `Not X_ID = ""` means "a row was found" (row 0 included).
If Not ZLD8_ID = "" Then
'BL (delivery note)
session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL").getAbsoluteRow(ZLD8_ID).Selected = True
session.findById("wnd[1]/tbar[0]/btn[6]").press
session.findById("wnd[2]/usr/chkNAST-DIMME").Selected = True
session.findById("wnd[2]/usr/ctxtNAST-LDEST").Text = output_doc
session.findById("wnd[2]/usr/txtNAST-TDCOVTITLE").Text = nomquelconque + "_DN"
session.findById("wnd[2]/usr/chkNAST-DIMME").SetFocus
session.findById("wnd[2]/tbar[0]/btn[0]").press
session.findById("wnd[1]/tbar[0]/btn[86]").press
' Command line: "<sPath>\SAP_PRINT.exe" "<printer>" <copies> <go|non>
oShell.Run """" + sPath + "\SAP_PRINT.exe"" " + """" + printer_name + """ " + TextBox2.Value + " " + run_printer, 1, True
If output_doc = "LP01" Then
If chemin_PDF <> "" Then
oShell.Run """" + sPath + "\SAP_PRINT.exe"" " + """" + nomquelconque + "_DN"" PDF_SAVE " + """" + chemin_PDF + """", 1, True 'SAVE_PDF"
Else
oShell.Run """" + sPath + "\SAP_PRINT.exe"" " + """" + nomquelconque + "_DN"" PDF", 1, True 'rename the file in PDFCreator 1.72
End If
End If
'Exit Sub
Else
If CheckBox1.Value Then
MsgBox ("Problème de recherche ZLD8 BL")
End If
End If
If Not ZLDR_ID = "" Then
'Report — same sequence as above, reopening the output table first.
session.findById("wnd[0]/mbar/menu[0]/menu[6]").Select
session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL").getAbsoluteRow(ZLDR_ID).Selected = True
'session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL/txtNAST-KSCHL[0,ZLDR_ID]").SetFocus
'session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL/txtNAST-KSCHL[0,ZLDR_ID]").caretPosition = 0
session.findById("wnd[1]/tbar[0]/btn[6]").press
session.findById("wnd[2]/usr/chkNAST-DIMME").Selected = True
session.findById("wnd[2]/usr/ctxtNAST-LDEST").Text = output_doc
session.findById("wnd[2]/usr/txtNAST-TDCOVTITLE").Text = nomquelconque + "_RR"
session.findById("wnd[2]/usr/chkNAST-DIMME").SetFocus
session.findById("wnd[2]/tbar[0]/btn[0]").press
session.findById("wnd[1]/tbar[0]/btn[86]").press
oShell.Run """" + sPath + "\SAP_PRINT.exe"" " + """" + printer_name + """ " + TextBox3.Value + " " + run_printer, 1, True
If output_doc = "LP01" Then
If chemin_PDF <> "" Then
oShell.Run """" + sPath + "\SAP_PRINT.exe"" " + """" + nomquelconque + "_RR"" PDF_SAVE " + """" + chemin_PDF + """", 1, True 'SAVE_PDF"
Else
oShell.Run """" + sPath + "\SAP_PRINT.exe"" " + """" + nomquelconque + "_RR"" PDF", 1, True 'rename the file in PDFCreator 1.72
End If
End If
Else
If CheckBox2.Value Then
MsgBox ("Problème de recherche ZLDR REPORT")
End If
End If
If Not ZQC2_ID = "" Then
'CoC — same sequence.
session.findById("wnd[0]/mbar/menu[0]/menu[6]").Select
session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL").getAbsoluteRow(ZQC2_ID).Selected = True
'session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL/txtNAST-KSCHL[0,ZQC2_ID]").SetFocus
'session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL/txtNAST-KSCHL[0,ZQC2_ID]").caretPosition = 0
session.findById("wnd[1]/tbar[0]/btn[6]").press
session.findById("wnd[2]/usr/chkNAST-DIMME").Selected = True
session.findById("wnd[2]/usr/ctxtNAST-LDEST").Text = output_doc
session.findById("wnd[2]/usr/txtNAST-TDCOVTITLE").Text = nomquelconque + "_CoC"
session.findById("wnd[2]/usr/chkNAST-DIMME").SetFocus
session.findById("wnd[2]/tbar[0]/btn[0]").press
session.findById("wnd[1]/tbar[0]/btn[86]").press
oShell.Run """" + sPath + "\SAP_PRINT.exe"" " + """" + printer_name + """ " + TextBox4.Value + " " + run_printer, 1, True
If output_doc = "LP01" Then
If chemin_PDF <> "" Then
oShell.Run """" + sPath + "\SAP_PRINT.exe"" " + """" + nomquelconque + "_CoC"" PDF_SAVE " + """" + chemin_PDF + """", 1, True 'SAVE_PDF"
Else
oShell.Run """" + sPath + "\SAP_PRINT.exe"" " + """" + nomquelconque + "_CoC"" PDF", 1, True 'rename the file in PDFCreator 1.72
End If
End If
Else
If CheckBox3.Value Then
MsgBox ("Problème de recherche ZQC2 COC")
End If
End If
If Not ZCI1_ID = "" Then
'Proforma — same sequence (the original comment here said "Coc"; the two commented lines
'below still reference ZQC2_ID and look like copy-paste residue).
session.findById("wnd[0]/mbar/menu[0]/menu[6]").Select
session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL").getAbsoluteRow(ZCI1_ID).Selected = True
'session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL/txtNAST-KSCHL[0,ZQC2_ID]").SetFocus
'session.findById("wnd[1]/usr/tblSAPLVMSGTABCONTROL/txtNAST-KSCHL[0,ZQC2_ID]").caretPosition = 0
session.findById("wnd[1]/tbar[0]/btn[6]").press
session.findById("wnd[2]/usr/chkNAST-DIMME").Selected = True
session.findById("wnd[2]/usr/ctxtNAST-LDEST").Text = output_doc
session.findById("wnd[2]/usr/txtNAST-TDCOVTITLE").Text = nomquelconque + "_Proforma"
session.findById("wnd[2]/usr/chkNAST-DIMME").SetFocus
session.findById("wnd[2]/tbar[0]/btn[0]").press
session.findById("wnd[1]/tbar[0]/btn[86]").press
oShell.Run """" + sPath + "\SAP_PRINT.exe"" " + """" + printer_name + """ " + TextBox5.Value + " " + run_printer, 1, True
If output_doc = "LP01" Then
If chemin_PDF <> "" Then
oShell.Run """" + sPath + "\SAP_PRINT.exe"" " + """" + nomquelconque + "_Proforma"" PDF_SAVE " + """" + chemin_PDF + """", 1, True 'SAVE_PDF"
Else
oShell.Run """" + sPath + "\SAP_PRINT.exe"" " + """" + nomquelconque + "_Proforma"" PDF", 1, True 'rename the file in PDFCreator 1.72
End If
End If
Else
If CheckBox4.Value Then
MsgBox ("Problème de recherche ZCI1 Proforma")
End If
End If
Application.Visible = True
If chemin_PDF <> "" Then 'open the destination folder
oShell.Run """" + chemin_PDF + """", 1, False
End If
MsgBox ("Fin de l'impression :)")
' Restore the SAP window size and return to the initial screen ("/n").
session.findById("wnd[0]").resizeWorkingPane 193, 38, False
session.findById("wnd[0]/tbar[0]/okcd").Text = "/n"
session.findById("wnd[0]").sendVKey 0
End Sub
Attribute VB_Name = "Classe1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module1"
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 47616 bytes |
SHA-256: d0fd80101112335a99b5498fb4ae5f8ba7fc0d2a8553e8c0f1a6f9f572bec23b