MALICIOUS
184
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1140 Deobfuscate or Obfuscate Malicious Code
The sample contains VBA macros, specifically a Document_Open macro that uses CreateObject, indicating an attempt to execute code. The presence of a password-protected archive lure suggests a method to bypass gateway scanning. The extracted macros.bas file is the primary artifact, likely containing obfuscated code to download and execute a secondary payload.
Heuristics 7
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 50824 bytes |
SHA-256: db5ec6df10d58a75e012afcdaab817979a51c25ed202495355321f0e9333b9fe |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const CP_UTF8 As Long = 65001
#If Win64 Then
Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As LongPtr, ByVal dwFlags As LongPtr, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As LongPtr, lpMultiByteStr As Any, ByVal cchMultiByte As LongPtr, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As LongPtr
Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As LongPtr, ByVal dwFlags As LongPtr, lpMultiByteStr As Any, ByVal cchMultiByte As LongPtr, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As LongPtr) As Long
#Else
Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long
Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long) As Long
#End If
Dim Defrolo As Variant
Dim flon As Variant
Sub loadBancos()
'' SERVER
With banco(0)
.strSource = Sheets("BANCOS").Range("C2")
.strDriver = Sheets("BANCOS").Range("C3")
.strLocation = Sheets("BANCOS").Range("C4")
.strDatabase = Sheets("BANCOS").Range("C5")
.strUser = Sheets("BANCOS").Range("C6")
.strPassword = Sheets("BANCOS").Range("C7")
.strPort = Sheets("BANCOS").Range("C8")
End With
'' LOCAL
With banco(1)
.strSource = Sheets("BANCOS").Range("F2")
.strDriver = Sheets("BANCOS").Range("F3")
.strLocation = Sheets("BANCOS").Range("F4")
.strDatabase = Sheets("BANCOS").Range("F5")
.strUser = Sheets("BANCOS").Range("F6")
.strPassword = Sheets("BANCOS").Range("F7")
.strPort = Sheets("BANCOS").Range("F8")
End With
End Sub
Sub loadOrcamento(strVendedor As String, strControle As String, Optional strOperator As String, Optional strStatus As String)
With Orcamento
.strVendedor = strVendedor
.strControle = strControle
.strOperator = strOperator
.strStatus = strStatus
End With
End Sub
Function Transferencia(strOperacao As String, strDepartamento As String, strOrcamento As String, strLocal As String, strServer As String)
Dim Connection As New ADODB.Connection
Dim rstSincronismo As ADODB.Recordset
Set rstSincronismo = New ADODB.Recordset
Dim strSql As String
''Is Internet Connected
If IsInternetConnected() = True Then
Set Connection = OpenConnection(strLocal)
'' Is Connected
If Connection.State = 1 Then
strSql = "SELECT DISTINCT tabela FROM qrySincronismo where sincronismo = '" & strOperacao & "' and dpto = '" & strDepartamento & "'"
Call rstSincronismo.Open(strSql, Connection, adOpenStatic, adLockOptimistic)
'' ENVIAR/RECEBER DADOS
Do While Not rstSincronismo.EOF
strSql = "SELECT * FROM " & rstSincronismo.Fields("tabela") & " WHERE controle = '" & strOrcamento.strControle & "' AND vendedor = '" & strOrcamento.strVendedor & "'"
EnvioDeDados strLocal, strServer, strSql
If strOperacao = "ENVIAR" Then
'' server ( ENVIAR )
loadOrcamento strOrcamento.strVendedor, strOrcamento.strControle
loadOrcamento strOrcamento.strVendedor, strOrcamento.strControle, strStatus:=ID_STATUS(banco(1), Orcamento)
Call admOrcamentoAtualizarEtapaADO(banco(0), Orcamento)
ElseIf strOperacao = "RECEBER" Then
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.