Verdict: MALICIOUS (Risk Score: 130)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file contains a VBA macro with an Auto_Open subroutine that references ShellExecute, indicating an attempt to execute arbitrary code. The macro is likely designed to download and execute a second-stage payload from one of the embedded URLs. The ClamAV detection 'Doc.Dropper.Agent-6342201-0' further supports its malicious nature as a dropper.
Heuristics (5):
- ClamAV: Doc.Dropper.Agent-6342201-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6342201-0
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Open macro (low, OLE_VBA_AUTO): Auto_Open macro. Matched line in script: `Attribute VB_Name = "Module1" Sub Auto_Open() Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"`
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://j-walk.com/ss (in document text, OLE body)
  - http://www.j-walk.com/ss (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3026 bytes |

SHA-256 of macros.bas: f5c7a9278384d8d80534519319e60f7b50c38b785d97034b1da6a1a7484a8170
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Module1"
Sub Auto_Open()
Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14"
' If StartDay is blank, enter the next Monday
Set StartDay = Sheets("TimeSheet").Range("StartDay")
If IsEmpty(StartDay) Then
StartDay.Value = Date
Do Until WeekDay(StartDay) = 2
StartDay.Value = StartDay.Value + 1
Loop
End If
' If EmployeeName is blank, enter user's name
Set EmployeeName = Sheets("TimeSheet").Range("EmployeeName")
If IsEmpty(EmployeeName) Then
EmployeeName.Value = Application.UserName
End If
End Sub
Sub cbProtectSheet_Click()
Attribute cbProtectSheet_Click.VB_ProcData.VB_Invoke_Func = " \n14"
' Toggles sheet protection
If Sheets("TimeSheet").CheckBoxes("cbProtectSheet").Value = xlOn Then
ActiveSheet.Protect DrawingObjects:=True, Contents:=True
Else
ActiveSheet.Unprotect
End If
End Sub
Sub Clear_Click()
Attribute Clear_Click.VB_ProcData.VB_Invoke_Func = " \n14"
If ActiveSheet.ProtectContents Then
ActiveSheet.Unprotect
Range("Timedata").ClearContents
ActiveSheet.Protect _
DrawingObjects:=True, _
Contents:=True
Else
Range("Timedata").ClearContents
End If
End Sub
Sub Help_click()
Attribute Help_click.VB_ProcData.VB_Invoke_Func = " \n14"
UserForm1.Show
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub CheckBox1_Click()
Insert: Email
End Sub
Private Sub Email_Click()
End Sub
Private Sub TextBox1_Change()
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{F251FEAA-CE27-4D58-802E-05209C9844ED}{D5A1DFEC-F095-48F2-8364-5C6D62266B30}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Declare Function ShellExecute Lib "shell32.dll" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
Private Sub CommandButton1_Click()
Unload Me
End Sub
Sub LabelWebSite_Click()
On Error Resume Next
Unload Me
ShellExecute 0&, vbNullString, "http://j-walk.com/ss", vbNullString, vbNullString, vbNormalFocus
On Error GoTo 0
End Sub
```