Verdict: MALICIOUS
Risk Score: 378

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is an Excel document containing a Workbook_Open macro that utilizes WScript.Shell and CreateObject to execute obfuscated VBA code. This code is designed to download and execute a second-stage payload from URLs such as http://ofernio.ru/rto_files_ofernio/24434.doc. The presence of obfuscated auto-exec loaders and shell calls indicates a malicious intent to compromise the user's system.
Heuristics (11)

| Heuristic | Severity | Rule ID | Description |
|---|---|---|---|
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| WScript.Shell usage | critical | OLE_VBA_WSCRIPT | WScript.Shell usage |
| Obfuscated auto-exec VBA loader | critical | OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER | Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. |
| Workbook_Open macro | high | OLE_VBA_WBOPEN | Workbook_Open macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| GetObject call | high | OLE_VBA_GETOBJ | GetObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| VBA project inside OOXML | medium | OOXML_VBA | Document contains a VBA project — VBA macros present |
| External hyperlinks (1) | low | OOXML_EXTERNAL_HYPERLINKS | Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: http://www.ofernio.ru/ |
| Hidden worksheet (hidden) | low | OOXML_HIDDEN_SHEET | Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Extracted URLs:
- http://www.ofernio.ru/
- http://ofernio.ru/
- http://ofernio.ru/rto_files_ofernio/
- http://ExcelVBA.ru/
- http://ExcelVBA.ru/payments
- http://ofernio.ru/rto_files_ofernio/24434.doc
- https://www.cyberforum.ru/vba/thread1932480.html
- http://botik.ru
- https://vremya-ne-zhdet.ru/vba-excel/sozdaniye-tablits-v-dokumente-word/
- https://www.planetaexcel.ru/forum/index.php?PAGE_NAME=message&FID=1&TID=72043
- http://www.script-coding.com/WSH/Shell.html#3.26
- http://www.sql.ru/forum/740171/ubit-word-iz-excel-zakryt-vse-otkrytye-prilozheniya-word-makrosom-iz-excel
- http://www.script-coding.com/WSH/WshShell.html#3.4
- http://macros-vba.ru/makrosy/excel/159-kak-otkryt-word-iz-excel-makrosom-zapusk-word-iz-excel
- https://vremya-ne-zhdet.ru/vba-excel/sortirovka-tablitsy-diapazona/
- https://coderoad.ru/54159142/%D0%A3%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%B8%D1%82%D0%B5-%D1%88%D0%B8%D1%80%D0%B8%D0%BD%D1%83-%D1%81%D1%82%D0%BE%D0%BB%D0%B1%D1%86%D0%BE%D0%B2-%D1%82%D0%B0%D0%B1%D0%BB%D0%B8%D1%86%D1%8B-%D0%B2-%D0%BC%D0%B0%D0%BA%D1%80%D0%BE-Word-VBA
- https://forumvba.ru/index.php?topic=689.0
- https://www.cyberforum.ru/vba/thread1163102.html
- https://coderoad.ru/24515203/%D0%94%D0%BE%D0%B1%D0%B0%D0%B2%D1%8C%D1%82%D0%B5-%D0%BD%D0%BE%D0%BC%D0%B5%D1%80-%D1%81%D1%82%D1%80%D0%B0%D0%BD%D0%B8%D1%86%D1%8B-%D0%B2-Word-%D1%81-%D0%BF%D0%BE%D0%BC%D0%BE%D1%89%D1%8C%D1%8E-VBA
- https://www.cyberforum.ru/vba/thread637207.html
- https://www.cyberforum.ru/vba/thread2175358.html
- http://scriptcoding.ru/2013/12/30/word-vba-selection-metody-1/#
- http://excelvba.ru/
- http://excelvba.ru/payments
- http://www.frez.co.uk
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://ns.adobe.com/xap/1.0/
- http://doi.org/10.12731/ofernio.2009.15064
- http://doi.org/
- https://docs.microsoft.com/ru-ru/office/vba/api/word.selection.insertfile
- https://docs.microsoft.com/en-us/previous-versions/office/developer/office-2003/aa211923(v=office.11
- https://docs.microsoft.com/ru-ru/office/vba/api/word.range.paragraphs
- https://docs.microsoft.com/ru-ru/office/vba/api/word.cell.verticalalignment
- http://wordmacroses.blogspot.com/2009/04/range.html
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | 2841b010299d099ae911b64c62c2a64b6c3bf88a38d525cd22f70332c276482b | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 888454 bytes |
| vbaProject_00.bin | 713c43acf7594826acb10d25958e0714815143b0dc4a1caee131a0adf2019c4c | vba-project | OOXML VBA project: xl/vbaProject.bin | 1426432 bytes |
| emf_00.emf | 9798eb77dfec952d1531f0b6c4809f4b1cb544af0f8b6449bfbb3bda2375cc8b | ooxml-emf | OOXML EMF part: xl/media/image27.emf | 2700 bytes |
| emf_01.emf | 5047556ad73fed215b3d47892b835b81995217a1c790ec5b9941caab65344689 | ooxml-emf | OOXML EMF part: xl/media/image26.emf | 2636 bytes |
| emf_02.emf | 2a10168a2d0e371932b8a927ab17e1b180f79c57cd9cdd3a1f8810cb9cf3281e | ooxml-emf | OOXML EMF part: xl/media/image25.emf | 2636 bytes |
| emf_03.emf | bae409e53a178eab3f07bee1f19dd103fafce49fa191ecb41682220cb35ba8b4 | ooxml-emf | OOXML EMF part: xl/media/image24.emf | 2656 bytes |
| emf_04.emf | b47ebcc40118c5692fea17002d6156aa11dd76b2bfcd196511a271b9079ee3f4 | ooxml-emf | OOXML EMF part: xl/media/image23.emf | 2528 bytes |
| emf_05.emf | e80f9eb714eb62d31bf8cb964fc081d5043727959eb37e0d5f0df6eb5cec7e8e | ooxml-emf | OOXML EMF part: xl/media/image22.emf | 3280 bytes |
| emf_06.emf | 5162479f74ba1d71cd044455ad6a49aec9d8f06c7f1bc971672d987db75d6841 | ooxml-emf | OOXML EMF part: xl/media/image21.emf | 3184 bytes |
| emf_07.emf | 1dadf959533e4722c395bac8d07529ee4c3cdf88719858c98c982864391cbc7a | ooxml-emf | OOXML EMF part: xl/media/image20.emf | 3016 bytes |
| emf_08.emf | 1a7c3b4164b156c7a47d66132ce0190b14f4e7e34caf6a212471e552a9e93d8c | ooxml-emf | OOXML EMF part: xl/media/image19.emf | 3048 bytes |
| emf_09.emf | 61bf9cd0198dd76c08ae0fc60605e897cbc75e3c9715b14a9375552dc85ff448 | ooxml-emf | OOXML EMF part: xl/media/image28.emf | 2672 bytes |
| emf_10.emf | e7a8eba732247a8861dc0fa0b2610f4dfcdfe4d8ec117753083383d756412fed | ooxml-emf | OOXML EMF part: xl/media/image29.emf | 2996 bytes |
| emf_11.emf | 7600f0c753d9bc2d0d8bf3eed05a0355b24efc7caac6c25a77a6e81331d1d2c3 | ooxml-emf | OOXML EMF part: xl/media/image30.emf | 2508 bytes |
| emf_12.emf | e51bb710b08eaf00cbf7405de11e057feb71d0bcd7f2826d3921db7ad18c9e93 | ooxml-emf | OOXML EMF part: xl/media/image31.emf | 3936 bytes |
| emf_13.emf | d158e2a3d75ee0fe0203388042bac1e97f64c72ddb1ca389597d5fce4c709458 | ooxml-emf | OOXML EMF part: xl/media/image18.emf | 1388 bytes |
| emf_14.emf | dc27a5b79e830c95b46fc39bf9f036e95fc91df9638f208ae174169f14341806 | ooxml-emf | OOXML EMF part: xl/media/image13.emf | 2432 bytes |
| emf_15.emf | 9d376dba4641203bfdbcf2cbc142649bac68993c52d72300e23c3a78f2ae8a7f | ooxml-emf | OOXML EMF part: xl/media/image7.emf | 3232 bytes |
| emf_16.emf | fa336d2a5daa1d108414f36e509a7706a6ca9e2151e0f032e1ccb5288a3c40f8 | ooxml-emf | OOXML EMF part: xl/media/image6.emf | 3184 bytes |
| emf_17.emf | c3396bfa1782cd097b00d25157fcd08b2b36ee74831848390f3233eed18e55ca | ooxml-emf | OOXML EMF part: xl/media/image4.emf | 2656 bytes |
| emf_18.emf | 775a8dc036c8fbea92d34c1f55763e52d020bc433a41ea2eec88f35a3ec50773 | ooxml-emf | OOXML EMF part: xl/media/image5.emf | 3332 bytes |
| emf_19.emf | 38ef7eee616b86373065412ec0d84080b0db7b629dcff22d423db6a8ce615cd6 | ooxml-emf | OOXML EMF part: xl/media/image10.emf | 3720 bytes |
| emf_20.emf | 205fa04aa3215bc50bcbccd528516526d7fc1428da4e2f30b31838a7280cd665 | ooxml-emf | OOXML EMF part: xl/media/image11.emf | 2448 bytes |
| emf_21.emf | 63cbce7b8762f8ff08beb90ba6529e4871b645c9b7439aee112a4762c1db5f0f | ooxml-emf | OOXML EMF part: xl/media/image12.emf | 1120 bytes |
| emf_22.emf | 22d323531d1ff9c84e43a0d8256de95b1b20fb0f31af1085a3d2eb307a90a106 | ooxml-emf | OOXML EMF part: xl/media/image9.emf | 3076 bytes |
| emf_23.emf | ac7b9057da619f46f4b86c7d42094b3cabb88e9ec881e5f7e5aeeae7c758e7ac | ooxml-emf | OOXML EMF part: xl/media/image14.emf | 1104 bytes |
| emf_24.emf | 40795f458433d7c476a9064bc49e18a46db69a7dadc857090fcbc1b0ae126cea | ooxml-emf | OOXML EMF part: xl/media/image16.emf | 1200 bytes |
| emf_25.emf | 2abd08f070960f013bf123b963efa07bd78fa9c8de265c9fabbdfa711f7de013 | ooxml-emf | OOXML EMF part: xl/media/image17.emf | 2516 bytes |
| emf_26.emf | bdb29c42e4b30bf77ffc56aebc8a3e08dfdf1d04b2dbd8065b2493c3cf25e335 | ooxml-emf | OOXML EMF part: xl/media/image15.emf | 2448 bytes |
| emf_27.emf | 3a85c5f5d1412e83f47a34705c303111b33792411b80bf44152696fbf7da02c9 | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 3376 bytes |
| emf_28.emf | 3c2bba155cac8795a00024fa99bedca264abfd91a1b5fd262f39e889f66b57f5 | ooxml-emf | OOXML EMF part: xl/media/image2.emf | 1392 bytes |
| emf_29.emf | ef76bd7560f1d62e09987c6bc1e8b53a2583c6280aff2dfba7150537aaa9d8d7 | ooxml-emf | OOXML EMF part: xl/media/image3.emf | 2276 bytes |