Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d13cb0e85995b0df…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 2.45 MB
Created: 2004-05-21 07:18:45
Authoring application: Microsoft Excel
First seen: 2020-02-04
MD5: af20f568498a0648abe5083c5b67f95e
SHA-1: b4c5f33aaff57c6929a181ec9257e71ceaa85610
SHA-256: d13cb0e85995b0df0d7d3c86ca218010602fcc1933da839a567ebe90e8064418
Risk score: 224

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

This Excel file contains both Excel 4.0 macros and VBA code, with a Workbook_Open macro that triggers execution. The VBA code utilizes CreateObject and XMLHTTP, indicating it likely attempts to download and execute a second-stage payload from external URLs. The presence of multiple suspicious URLs, combined with the macro execution, strongly suggests a malicious document designed for payload delivery.

Heuristics (8)

  • [critical] OLE_XLM_CELL_ARRAY_URL: URL reconstructed from XLM cell array (6 URLs)
    Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
  • [medium] OLE_VBA_MACROS: VBA macros detected (3 related findings)
    Document contains VBA macro code
  • [high] OLE_VBA_WBOPEN: Workbook_Open macro
    Workbook_Open macro
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
    CreateObject call
  • [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • [medium] OLE_XLM_AUTOOPEN: Excel 4.0 (XLM) macro sheet present
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL list (each entry is labeled "Referenced by macro"; trailing mis-encoded bytes that the extractor read past the end of the string have been stripped, and resulting duplicates collapsed):
    • http://www.support.eias.ru/*
    • http://www.fstrf.ru/regions/region/showlistL
    • http://eias.ru/files/shablon/manual_loading_through_monitoring.pdf
    • http://eias.ru/?page=show_distrs
    • http://support.eias.ru/…
    • http://www.imagemagick.orgw9y
    • http://www.imagemagick.org
    • http://support.eias.ru/
    • https://eias.fstrf.ru/disclo/get_file?p_guid=
    • https://tariff.eias.ru/disclo/get_file?p_guid=
    • https://eias.fstrf.ru/disclo/get_file?p_guid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    • https://tariff.eias.ru/disclo/get_file?p_guid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    • https://tariff.eias.ru/procwsxls/
    • https://appsrv02.eias.ru/procwsxls/
    • https://appsrv01.eias.ru/procwsxls/
    • https://eias.fstrf.ru/procwsxls/
    • http://www.fstrf.ru/regions/region/showlist
    • http://www.eias.ru/templates/
    • http://www.support.eias.ru/
    • http://www.w.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/rights/
    • http://commons.wikimedia.org/wiki/File:Flag_of_Bryansk_Oblast.png
    • http://commons.wikimedia.org/wiki/File:Flag_of_Kursk_Oblast.png
    • http://commons.wikimedia.org/wiki/File:Coat_of_Arms_of_Pskov_oblast.png
    • http://commons.wikimedia.org/wiki/File:Flag_of_Ivanovo_Oblast.png
    • http://commons.wikimedia.org/wiki/File:Baikonur_seal.png
    • http://commons.wikimedia.org/wiki/File:Flag_of_Saratov_Oblast.png
    • http://commons.wikimedia.org/wiki/File:Flag_of_Yaroslavl_Oblast.png
    • http://commons.wikimedia.org/wiki/File:Flag_of_Kostroma_oblast.gif
    • http://commons.wikimedia.org/wiki/File:TomskOblastFlag.png
    • http://commons.wikimedia.org/wiki/File:Flag_of_Ryazan_Oblast.png
    • http://commons.wikimedia.org/wiki/File:Flag_of_Moscow_Oblast.png/m8Q
    • http://www.alrosa.ru/about/production/social/rikk/2012/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1380080 bytes
SHA-256: cfdeffd5c92549a1d8a98a77a74cb4e33871e1c9249f95fc5bfe84b647f1ebb5

Detection
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 eval/decoder/string-building token(s).

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit

Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)

    Application.Calculate
    
    modThisWorkbook.ThisWorkbook_Workbook_BeforeSave
    
    On Error GoTo ErrHandler
    
    Dim status As Integer
    status = ThisWorkbook.CustomDocumentProperties("Status")
    If status > 2 Then
      MsgBox "Документ подписан ЭЦП и не может быть изменен", vbExclamation + vbOKOnly, ThisWorkbook.name
      Cancel = True
      GoTo CleanUp
    End If
    
    GoTo CleanUp

ErrHandler:
    MsgBox Err.Description, vbOKOnly + vbExclamation, ThisWorkbook.name

CleanUp:

End Sub

Private Sub Workbook_Open()
  modThisWorkbook.ThisWorkbook_Workbook_Open
End Sub

Private Sub Workbook_BeforePrint(Cancel As Boolean)
  modThisWorkbook.ThisWorkbook_Workbook_BeforePrint
End Sub

Attribute VB_Name = "modChange"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Base 1
Option Explicit

' Instruction sheet
Public Sub WsInstrChange(Target As Range)
  If Target.Interior.ColorIndex = colorYellow Then
    Application.ThisWorkbook.Worksheets(gstrInstructionSheetName).cmdApplyContactChanges.Enabled = True
    Application.ThisWorkbook.Worksheets(gstrInstructionSheetName).cmdApplyContactChanges.Visible = True
  End If
End Sub

' for standard sheets
Public Sub WsGeneralChange(Target As Range)
  On Error GoTo ErrWsGeneralChange
  
  Dim wbBook As Workbook
  
  Dim wsSheet As Worksheet
  Dim wsTehSheet As Worksheet
    
  Dim intNRow As Integer
  Dim intNColumn As Integer
  Dim intRowHeight As Integer
  
  Dim rngCell As Range
  Dim rngRange As Range
  
  Dim ISectTA
  
  Dim blnValueEnableEventsLocal As Boolean
  Dim blnValueScreenUpdatingLocal As Boolean
    
  blnValueEnableEventsLocal = Application.EnableEvents
  blnValueScreenUpdatingLocal = Application.ScreenUpdating
  
  Application.EnableEvents = False
  Application.ScreenUpdating = False

  Set wbBook = Me.parent
  Set wsSheet = Target.parent
    
  modServiceModule.UNPROTECT_SHEET wsSheet
  
  intNRow = Target.cells(1, 1).Row
  intNColumn = Target.cells(1, 1).Column
  
  ' if the sheet is "ХХ цены (2)" ("XX prices (2)"), the unit-of-measure value must be filled in according to the fuel type
  If InStr(1, wsSheet.name, "цены (2)") <> 0 Then
    
    If modServiceModule.IsNameExists(ThisWorkbook, "TariffAllowanceApproved") = False Then
      GoTo ErrWsGeneralChange
    Else
      Set ISectTA = Application.Intersect(Target, wsSheet.Range("TariffAllowanceApproved"))
    End If
    
    If Target.cells(1, 1).Interior.ColorIndex = colorCyan And _
       (Not ISectTA Is Nothing) Then
      
      modServiceModule.UNPROTECT_SHEET wsSheet
            
      If Target.cells(1, 1).value = "да" Then
        modServiceModule.RepaintCellsInRange Target.cells(1, 1).Row, 1, _
                                             wsSheet.Range("colorIndexCellsPrice2")
      Else
        modServiceModule.RepaintCellsInRange Target.cells(1, 1).Row, 1, _
                                             wsSheet.Range("colorIndexCellsPrice2").Offset(1, 0)
        wsSheet.Range("colorIndexCellsPrice2").Offset(Target.cells(1, 1).Row - 1, 0).value = vbNullString
      End If
            
      modServiceModule.PROTECT_SHEET wsSheet, True
    End If
  End If
  
  If Target.cells(1, 1).Row > 6 Then
    If Target.MergeCells Then
      modServiceModule.AutoFitMergedCellRowHeight Target
    Else
      Target.cells(1, 1).EntireRow.AutoFit
      intRowHeight = Target.cells(1, 1).RowHeight
  
... (truncated)