Verdict: MALICIOUS
Risk Score: 110

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is an OOXML file containing a Workbook_Open VBA macro, a common technique for executing code as soon as the document is opened. The macro attempts to modify the Excel ribbon and calls `CreateObject`, indicating an attempt to execute further actions, likely to download and run a second-stage payload. The presence of a VBA macro together with the Workbook_Open auto-execution event strongly suggests malicious intent, likely delivered via spearphishing.
Heuristics (5)

- VBA project inside OOXML (medium, 3 related findings): OOXML_VBA. Document contains a VBA project; VBA macros present.
- CreateObject call (high): OLE_VBA_CREATEOBJ. CreateObject call. Matched line in script: `Set ie = CreateObject("InternetExplorer.Application")`
- VBA p-code auto-exec with execution tokens (high): OLE_VBA_PCODE_AUTOEXEC_EXEC. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro (low): OLE_VBA_WBOPEN. Workbook_Open macro. Matched line in script: `End Sub Private Sub Workbook_Open()`
- Embedded URL (info): EMBEDDED_URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://shinsei.e-gov.go.jp/Shinsei/main.jsp?egovparam=PK005E0001 (in document text: OOXML body / shared strings)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12735 bytes | 4f9a91cc495e5b9ffdff58fb4008c7b5d719f84f7fcb98d405373940d6c22b9e |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 41984 bytes | 94ac3612e10672c493b9a5ac1ea9f616c52742b153c7363df46b91708b889eb3 |

Preview script (macros.bas): first 1,000 lines of the extracted script. Comments in the extracted source were in Japanese and are translated here; code and string literals are left as extracted.

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
    Cancel = True
End Sub

Private Sub Workbook_Open()
    Init
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Attribute VB_Name = "RibbonModule"
Option Explicit

Private RibbonUI As IRibbonUI

Public Sub OnLoad(ribbon As IRibbonUI)
    Set RibbonUI = ribbon
    ChangeTab
End Sub

Public Sub ChangeTab()
    RibbonUI.ActivateTab "ApplyInfomationListTab"
End Sub

Public Sub ExitButton_onAction(ByVal control As IRibbonControl)
    Application.Run "業務日誌.xlam!SelRibbonTAB", "Cellsドライブ"
    ThisWorkbook.Close False
End Sub

Public Sub SearchButton_onAction(ByVal control As IRibbonControl)
    MsgBox "Calling SearchButton_onAction TODO:"
End Sub

Public Sub PrintButton_onAction(ByVal control As IRibbonControl)
    MsgBox "Calling PrintButton_onAction TODO:"
End Sub

Public Sub NormalApplyButton_onAction(ByVal control As IRibbonControl, pressed As Boolean)
    MsgBox "CallingNormalApplyButton_onAction TODO:"
End Sub

Public Sub BundleApplyButton_onAction(ByVal control As IRibbonControl, pressed As Boolean)
    MsgBox "BundleApplyButton_onAction TODO:"
End Sub

Public Sub CurrentMonthButton_onAction(ByVal control As IRibbonControl, pressed As Boolean)
    MsgBox "CurrentMonthButton_onAction TODO:"
End Sub

Public Sub PreviousMonthButton_onAction(ByVal control As IRibbonControl, pressed As Boolean)
    MsgBox "PreviousMonthButton_onAction TODO:"
End Sub

'
' Send button
'
Public Sub SendButton_onAction(ByVal control As IRibbonControl)
    Application.Run ProcedureString("eGovSendFormShow")
    Call DispSheet("status", vbNullString)
End Sub

'
' Update button
'
Public Sub UpdateButton_onAction(ByVal control As IRibbonControl)
    Call DispSheet("status", vbNullString)
End Sub

Public Sub editBoxTo_onChange(ByRef control As IRibbonControl, ByRef text As String)
End Sub

Public Sub editBoxTo_getText(ByRef control As IRibbonControl, ByRef returnValue)
End Sub

Public Sub editBoxFrom_onChange(ByRef control As IRibbonControl, ByRef text As String)
End Sub

Public Sub editBoxFrom_getText(ByRef control As IRibbonControl, ByRef returnValue)
End Sub

Public Sub BesidesEndButton_onAction(ByVal control As IRibbonControl)
    Call DispSheet("status", "-2")
End Sub

Public Sub RecentlyButton_onAction(ByVal control As IRibbonControl)
    Call DispSheet("status", "-1")
End Sub

Public Sub NotSendButton_onAction(ByVal control As IRibbonControl)
    Call DispSheet("status", "0")
End Sub

Public Sub NormalUpdateButton_onAction(ByVal control As IRibbonControl)
    Application.Run ProcedureString("NormalUpdate")
    Call DispSheet("status", vbNullString)
End Sub

Attribute VB_Name = "DisplayModule"
Option Explicit

' Module name of the shared add-in
Private Const EGovModuleName As String = "EAppCom.xla!eGovModule."

' Range strings used for display
Private Const DisplayDataArea As String = "A2:AB"          ' data display range
Private Const DisplayDetailsButtonArea As String = "AC2:AC" ' detail button display range
Private Const DisplayErrorButtonArea As String = "Q2:Q"     ' error button display range
Private DisplayStatusOptions As String                      ' display option

Public Sub Init()
    If Not Application.Run("CellsDrive.xlam!MNMode", True, False) Then
        MsgBox "セルズドライブが設定されてません。", vbInformation, "Cellsドライブ"
        Exit Sub
    End If
    Dim UserObj As Object
    Set UserObj = Application.Run("cellsdrive.xlam!UsingAuthenticateData")
    If IsEmpty(UserObj.Ticket) Then
        Application.Run "業務日誌.xlam!Ninsyo", "eGov外部連携"
    End If
    Call DispSheet("status", "-1")
End Sub

Public Sub DispSheet(ByVal ParameterName As String, ByVal Parameter As String)
    Dim data As Variant
    Dim col As Collection
    If DisplayStatusOptions <> vbNullString And Parameter = vbNullString Then
        Parameter = DisplayStatusOptions
    Else
        Parameter = -1
    End If
    Set col = Application.Run(ProcedureString("GetApplyList"), ParameterName, Parameter)
    DisplayStatusOptions = Parameter
    If col.Count = 0 Then
        Exit Sub
    End If
    data = Col2Array(col)
    Dim RangeString As String
    RangeString = DisplayDataArea & (UBound(data) + 1)
    Application.ScreenUpdating = False
    Dim ws As Worksheet
    Set ws = ThisWorkbook.Worksheets("List")
    ws.Unprotect
    ' Clear data and buttons
    ws.Cells.CurrentRegion.Offset(1, 0).Interior.ColorIndex = 0
    ws.Cells.CurrentRegion.Offset(1, 0).ClearContents
    ClearButtons ws
    ' Paste data and detail buttons
    Range(RangeString) = data
    Call EvenRowsColored(ws, UBound(data, 2), RGB(230, 230, 230))
    ' Details
    AddDetailButtons ws, ws.Range(DisplayDetailsButtonArea & (UBound(data) + 1))
    Dim item As Variant
    ' ' Add error buttons
    ' For Each item In ws.Range("Q2:Q" & (UBound(data) + 1))
    '     If item.Value = "エラー" Then
    '         AddButton ws.Range("Q" & item.Row), item.Value, "'DisplayErrorFile""" & item.Row & """'"
    '     End If
    ' Next
    Call AddAnyButtons(ws.Range("Q2:Q" & (UBound(data) + 1)), "エラー", "DisplayErrorFile")
    ' Add comment buttons (column R)
    For Each item In ws.Range("R2:R" & (UBound(data) + 1))
        If IsNumeric(Left(item.Value, 2)) Then
            item.Font.Color = item.Interior.Color
            If CLng(Left(item.Value, 2)) > 0 Then
                AddButton ws.Range("R" & item.Row), "コメント", "'DisplayCommentFile""" & item.Row & """'", 1, 0
            End If
        End If
    Next
    ' Add official-document buttons (column S)
    For Each item In ws.Range("R2:R" & (UBound(data) + 1))
        If IsNumeric(Right(item.Value, 2)) Then
            item.Font.Color = item.Interior.Color
            If CLng(Right(item.Value, 2)) Then
                AddButton ws.Range("R" & item.Row), "公文書", "'DisplayDocFile""" & item.Row & """'", 1, 1
            End If
        End If
    Next
    ws.Protect
    ActiveWindow.ScrollRow = 1
    Application.ScreenUpdating = True
End Sub

Private Sub EvenRowsColored(ByRef ws As Worksheet, ByVal ColumnCount As Long, ByVal ColorIndex As Long)
    Dim i As Long
    For i = 3 To ws.Cells(Rows.Count, 1).End(xlUp).Row Step 2
        ws.Cells(i, 1).Resize(1, ColumnCount).Interior.Color = ColorIndex
    Next i
End Sub

Private Sub AddAnyButtons(ByRef rng As Range, ByVal caption As String, ByVal FunctionName As String)
    Dim item As Variant
    For Each item In rng
        If item.Value = "エラー" Then
            Dim itemRange As Range
            Set itemRange = item ' downcast
            item.Font.Color = item.Interior.Color
            AddButton itemRange, caption, "'" & FunctionName & """" & item.Row & """'", 0, 0
        End If
    Next
End Sub

Private Function Col2Array(col As Collection) As Variant
    Dim MinIndex As Long
    Dim MaxIndex As Long
    If col.Count = 0 Then Exit Function
    MinIndex = LBound(col.item(1).items) + 1
    MaxIndex = UBound(col.item(1).items) + 1
    Dim ArrayData() As Variant
    ReDim ArrayData(1 To col.Count, MinIndex To MaxIndex) As Variant
    Dim i As Long, j As Long
    For i = 1 To col.Count
        Dim obj As Variant
        Dim ItemArray() As Variant
        Set obj = col.item(i)
        ItemArray = obj.items
        For j = LBound(ItemArray) To UBound(ItemArray)
            ArrayData(i, j + 1) = ItemArray(j)
        Next
    Next
    Col2Array = ArrayData
End Function

Private Sub AddDetailButtons(ByRef ws As Worksheet, ByRef rng As Range)
    Dim item As Range
    ws.Rows.RowHeight = 15 * 2
    ws.Rows.VerticalAlignment = xlCenter
    For Each item In rng
        item.Font.Color = item.Interior.Color
        AddButton item, "詳細", "'Click""" & item.Row & """'", 0, 0
    Next
End Sub

'''
''' rng : target range
''' caption : button text
''' ActionString : event (OnAction macro)
''' size : button height, 0 = full, 1 = half
''' Vertical : 0 = upper row, 1 = lower row; only effective when size = 1
Private Sub AddButton(ByRef rng As Range, ByVal caption As String, ByVal ActionString As String, ByVal size As Long, ByVal Vertical As Long)
    Dim btn As Variant
    Dim Height As Long
    Dim Top As Long
    Dim Left As Long
    Dim Width As Long
    Dim flg As Boolean
    flg = True ' True = horizontal split, False = vertical split
    With rng
        If size = 0 Then
            Height = .Height - 4
            Top = .Top + 2
            Width = .Width - 4
            Left = .Left + 2
        Else
            If flg Then
                Height = .Height / 2 - 4
                Top = .Top + 3 + (Height + 2) * Vertical
                Width = .Width - 4
                Left = .Left + 2
            Else
                Top = .Top + 2
                Height = .Height - 4
                Width = .Width / 2 - 4
                Left = .Left + 2 + (Width + 2) * Vertical
            End If
        End If
        Set btn = rng.Worksheet.Buttons.Add(Left, Top, Width, Height)
        With btn
            .caption = caption
            .OnAction = ActionString
            .Name = Format(rng.Row, "0000") & Format(rng.Column, "0000") & CStr(Vertical)
        End With
    End With
End Sub

Public Sub Click(ByVal index As Long)
    ' Normal application
    If ThisWorkbook.Worksheets("List").Cells(index, 4).Value = 1 Then
        Call Normal(index)
        Exit Sub
    End If
    Call Application.Run(ProcedureString("EGovApiDetailsForm"), ThisWorkbook.Worksheets("List").Cells(index, 2).Value)
End Sub

Private Sub Normal(ByVal index As Long)
    Dim url As String
    url = "https://shinsei.e-gov.go.jp/Shinsei/main.jsp?egovparam=PK005E0001"
    Dim ie As Object
    Set ie = CreateObject("InternetExplorer.Application")
    ie.Navigate2 url
    ie.Visible = True
    Do While ie.Busy = True Or ie.readyState <> 4
        DoEvents
    Loop
    Dim ele As Object
    Set ele = ie.Document.getElementById("arriveID")
    ele.Value = ThisWorkbook.Worksheets("List").Cells(index, 15).Value
    Set ele = ie.Document.getElementById("inqueryNumber")
    ele.Value = ThisWorkbook.Worksheets("List").Cells(index, 14).Value
    Set ie = Nothing
End Sub

Private Sub ClearButtons(ws As Worksheet)
    Dim btn As Variant
    For Each btn In ws.Buttons
        btn.Delete
    Next
End Sub

Private Function Contents(ByVal data As Variant) As String
    Dim posS As Long
    Dim posE As Long
    Dim buf As String
    posS = InStr(1, data, """Contents"":")
    posE = InStr(posS, data, ",")
    buf = Mid(data, posS + Len("""Contents"":") + 1, posE - posS - Len("""Contents"":") - 2)
    Contents = buf
End Function

Public Sub DisplayCommentFile(ByVal index As String)
    Call Application.Run(ProcedureString("DisplayCommentFile"), ThisWorkbook.Worksheets("List").Cells(index, 2).Value)
End Sub

Public Sub DisplayDocFile(ByVal index As String)
    Call Application.Run(ProcedureString("DisplayDocFile"), ThisWorkbook.Worksheets("List").Cells(index, 2).Value)
End Sub

Public Sub DisplayErrorFile(ByVal index As String)
    Call Application.Run(ProcedureString("DisplayErrorFile"), ThisWorkbook.Worksheets("List").Cells(index, 2).Value)
End Sub

'
' Returns the string used to call the shared add-in
'
Public Function ProcedureString(ByVal ProcedureName As String) As String
    ProcedureString = EGovModuleName & ProcedureName
End Function
```