Malware Insights
The sample is an Excel document containing VBA macros that execute upon opening. The Auto_Open macro attempts to hide elements, unprotect the sheet, and then calls `checkFileName`. The `Get_Data` subroutine uses `WScript.Shell` and `MSXML2.XMLHTTP` to download a file from `http://ec2-18-184-17-12.eu-central-1.compute.amazonaws.com/standardchartered/passleak/180821/` and saves it as `Details.dat` in the temporary directory. It also attempts to create a `Win32_Process` object via WMI, indicating an intent to execute further payloads. The document body lists numerous email addresses with associated 'Password Leaked' and 'Hash Leaked' labels, suggesting a phishing or credential harvesting pretext.
Heuristics 14
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usage
-
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URLVBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
-
ClamAV: Doc.Downloader.Valyria-10026858-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Valyria-10026858-0
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ec2-18-184-17-12.eu-central-1.compute.amazonaws.com/standardchartered/passleak/180821/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basb66d91c9d76e62338417118a85a76e25b9b7e381facea8e9c85197215d8afda4 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4717 bytes |
vbaProject_00.bina153369ef30949b1106937f9426b5f2874576916b5a6aa7dc9cb10ea5239c83e |
vba-project | OOXML VBA project: xl/vbaProject.bin | 18432 bytes |
|
Detection
ClamAV:
Doc.Downloader.Valyria-10026858-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.