Verdict: MALICIOUS
Risk Score: 350

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The file is an Excel document containing a Workbook_Open macro. This macro calls a subroutine that, based on the username, executes a PowerShell command. Critical heuristics indicate the use of Shell() and WScript.Shell, along with a direct PowerShell reference, strongly suggesting the execution of a malicious payload. The macro's logic appears to be designed to download and execute a second-stage payload, likely via PowerShell, after performing some document-related operations.
Heuristics (10)

| Heuristic | Severity | Rule ID | Description |
|---|---|---|---|
| VBA project inside OOXML | medium (6 related findings) | OOXML_VBA | Document contains a VBA project: VBA macros present |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| WScript.Shell usage | critical | OLE_VBA_WSCRIPT | WScript.Shell usage |
| PowerShell reference in VBA | critical | OLE_VBA_PS | PowerShell reference in VBA |
| Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| External relationship | medium | OOXML_EXTERNAL_REL | External target in xl/drawings/_rels/drawing1.xml.rels: cid:image001.png@01D62942.4C0FC2D0 |
| External hyperlinks (3) | low | OOXML_EXTERNAL_HYPERLINKS | Document contains 3 external hyperlinks; clickable URLs are stored as external relationships. First target: https://www.eia.gov/petroleum/supply/weekly/schedule.php |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://www.eia.gov/petroleum/supply/weekly/schedule.php (Document hyperlink) |
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 34076 bytes | ef1d5f1053fa602f0aa0aec2202e68ce4d859fbf38342b3bcb3af8ac7a664466 |
Preview script (macros.bas): first 1,000 lines of the extracted script.

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Run "StartTimer"
End Sub
Attribute VB_Name = "Sheet17"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet18"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub StartTimer()
Dim strUserName As String
strUserName = Application.UserName
If (LCase(strUserName) = "svcmarke") Then
'MsgBox ("You are logged in as: " & strUserName)
Application.OnTime TimeValue("09:57:05"), "RunFullProcess"
End If
End Sub
Sub RunFullProcess()
On Error GoTo Err_RunFullProcess
Dim sht As Worksheet
RefreshStorageModelFile 'Day of refresh is updated in lookups tab
RefreshICE
UpdateLinks
UpdateSupplyTrackingTool
'UpdateTabs
Calculate
'ProcessForecastDailyChange
'HardCodePriorForecast
'ProcessUS10History
'Calculate
MovePDFFiles
CreatePDFFile
'Put a check here to see if all dates have been updated
'AF1
Set sht = Sheets("Report")
sht.Activate
Calculate
CreateSnapShots
If (Range("V1").Value = 17) Then
SendEmail 'Success
Else
SendFailureEmail
End If
ActiveWorkbook.Save
CloseApplication
Exit_RunFullProcess:
Exit Sub
Err_RunFullProcess:
MsgBox ("Error in RunFullProcess: " & Err.Description)
Resume Exit_RunFullProcess
End Sub
Sub UpdateWCSBProcess()
On Error GoTo Err_UpdateWCSBProcess
UpdateSupplyTrackingTool
Exit_UpdateWCSBProcess:
Exit Sub
Err_UpdateWCSBProcess:
MsgBox ("Error in UpdateWCSBProcess: " & Err.Description)
Resume Exit_UpdateWCSBProcess
End Sub
Sub UpdateSupplyTrackingTool()
On Error GoTo Err_UpdateSupplyTrackingTool
Debug.Print "Open Supply Tracking Tool 3.0"
Workbooks.Open Filename:="\\encana.com\dnvshared\GasMarketing\FUNDAMENTALS\Natural Gas\Supply\Supply Tracking Tool\Supply Tracking Tool 3.0.xlsm", UpdateLinks:=True, ReadOnly:=True
Windows("SignpostReport.xlsm").Activate
Debug.Print "Check2"
Worksheets("NA Production").Activate
Debug.Print "Check3"
Range("C11").Select
Debug.Print "Check4"
Calculate
Debug.Print "Check5"
Windows("SignpostReport.xlsm").Activate
ThisWorkbook.Save
Debug.Print "Close Supply Tracking Tool 3.0"
Windows("Supply Tracking Tool 3.0.xlsm").Activate
Workbooks("Supply Tracking Tool 3.0.xlsm").Close SaveChanges:=False
Debug.Print "Done Refreshing links to Supply Tracking Tool 3.0"
Windows("SignpostReport.xlsm").Activate
Exit_UpdateSupplyTrackingTool:
Exit Sub
Err_UpdateSupplyTrackingTool:
MsgBox ("Error in UpdateSupplyTrackingTool: " & Err.Description)
Resume Exit_UpdateSupplyTrackingTool
End Sub
Sub UpdateLinks()
On Error GoTo Err_UpdateLinks
'Update links
Debug.Print "Check1"
ActiveWorkbook.UpdateLink Name:= _
"\\encana.com\dnvshared\GasMarketing\FUNDAMENTALS\Outlook Development\2021-03 - Spring Forecast\IT7\Phoenix\Model\2021-01 - Spring Forecast - Gas Production - IT7.xlsm" _
, Type:=xlExcelLinks
Debug.Print "Check2"
ActiveWorkbook.UpdateLink Name:= _
"\\encana.com\dnvshared\GasMarketing\FUNDAMENTALS\Outlook Development\2021-03 - Spring Forecast\IT7\Phoenix\Model\202
... (truncated)
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 125952 bytes | f6f37da3da18398f4aeb55821b74101d94d020a460a79de248f65d3e2a24a0f7 |