MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is an Excel document containing a Workbook_Open VBA macro. This macro triggers the display of a user form ('Form1') with input fields such as 'txtDomain' and 'txtGroup'. The script attempts to construct an LDAP distinguished name, suggesting it may be designed to query Active Directory or collect domain-related information. The Workbook_Open execution and the presence of a user form strongly indicate a credential harvesting or information gathering attack.
Heuristics 4
- VBA macros detected (medium, 3 related findings): OLE_VBA_MACROS. Document contains VBA macro code
- Workbook_Open macro (high): OLE_VBA_WBOPEN. Workbook_Open macro
- CreateObject call (high): OLE_VBA_CREATEOBJ. CreateObject call
- VBA p-code auto-exec with execution tokens (high): OLE_VBA_PCODE_AUTOEXEC_EXEC. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3532 bytes |

SHA-256: ae26d0ccae8b3060746e3f717c6f3b6398669a217368957154edbca62d7afd02
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    Form1.Show vbModal
End Sub

Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Form1"
Attribute VB_Base = "0{B11AF574-D9BC-482D-87AD-47E8DC721978}{1DEFE8E2-7838-48F9-A705-3B4CCDCDC7D3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub cmdExit_Click()
    Unload Me
End Sub
Private Sub cmdOK_Click()
    Start
End Sub
Private Sub TextBox3_Change()
End Sub

Attribute VB_Name = "Module1"
Sub Start()
    On Error GoTo Err
    Dim sDomain() As String
    Dim sDom As String
    sDomain = Split(Form1.txtDomain.Value, ".")
    sDom = ""
    For j = 0 To UBound(sDomain)
        sDom = sDom & ", dc=" & sDomain(j)
    Next j
    If Form1.txtGroup.Value <> "" Then
        strDomainDN = "ou=" & Form1.txtGroup.Value & sDom 'the login and password for the domain connection can also be embedded here
    Else
        If Len(sDom) > 0 Then
            strDomainDN = Right(sDom, Len(sDom) - 2)
        End If
    End If
    'to search the local domain directory:
    strBase = "<LDAP://" & strDomainDN & ">;"
    'to search the global catalog:
    ' strBase = "<GC://" & strDomainDN & ">;"
    'MsgBox (strBase)
    strFilter = "(&(objectclass=user)(objectcategory=person));"
    strAttrs = "sAMAccountName,name,department,description;"
    strScope = "subtree"
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    'Stop
    If Form1.txtLogin.Value <> "" Then
        objConn.Properties("User ID") = sDomain(0) & "\" & Form1.txtLogin.Value
        'objConn.Properties("User ID") = Form1.txtLogin.Value
        objConn.Properties("Password") = Form1.txtPassword.Value
        objConn.Properties("Encrypt Password") = False
        objConn.Open "Active Directory Provider", sDomain(0) & "\" & Form1.txtLogin.Value, Form1.txtPassword.Value
    Else
        objConn.Open "Active Directory Provider"
    End If
    Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
    Dim i As Long
    i = 2
    objRS.MoveFirst
    While Not objRS.EOF
        If Form1.chkAddDomain.Value = True Then
            Worksheets(1).Cells(i, 1).Value = sDomain(0) & "\" & objRS.Fields(0)
        Else
            Worksheets(1).Cells(i, 1).Value = objRS.Fields(0)
        End If
        Worksheets(1).Cells(i, 2).Value = objRS.Fields(1)
        Worksheets(1).Cells(i, 3).Value = objRS.Fields(2)
        Worksheets(1).Cells(i, 4).Value = objRS.Fields(3)
        objRS.MoveNext
        i = i + 1
    Wend
    Unload Form1
    Exit Sub
Err:
    MsgBox ("Ошибка: " & Err.Description)
End Sub
```