Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains VBA macros, including a Workbook_Open event handler, a common technique for executing malicious code as soon as the document is opened. The macro uses `CreateObject` and calls a function named 'М34', which suggests it is designed to perform an action, likely downloading and executing a payload. The document body contains prompts for user input related to product details and contact information, indicating a potential phishing or scam lure.
Heuristics (5)
- VBA macros detected (medium, 3 related findings): OLE_VBA_MACROS. Document contains VBA macro code.
- Workbook_Open macro (high): OLE_VBA_WBOPEN. Workbook_Open macro.
- CreateObject call (high): OLE_VBA_CREATEOBJ. CreateObject call.
- VBA p-code auto-exec with execution tokens (high): OLE_VBA_PCODE_AUTOEXEC_EXEC. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info): EMBEDDED_URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs found, all in document text (OLE body):
  - http://schemas.microsoft.com/cdo/configuration/sendusing
  - http://schemas.microsoft.com/cdo/configuration/smtpserver
  - http://schemas.microsoft.com/cdo/configuration/smtpserverport
  - http://schemas.microsoft.com/cdo/configuration/sendusername
  - http://schemas.microsoft.com/cdo/configuration/sendpassword
  - http://schemas.microsoft.com/cdo/configuration/smtpauthenticate
  - http://schemas.microsoft.com/cdo/configuration/smtpusessl
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20064 bytes |

SHA-256: af292297c3a910d50b631de8999611bd51edb4bcada69d6e7639aee5c72d3647

Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Image1_Click()
End Sub
Private Sub Worksheet_Change(ByVal Target As Range)
    If Target.Address = "$E$2" Then
        Application.Run "М34"
    End If
    If Target.Address = "$E$3" Then
        Application.Run "М34"
    End If
End Sub
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
    If Target.Address = "$E$2" Then
        If Cells(2, 5).Value = "введите название позиции. Например: моноблок" Then
            Cells(2, 5).Value = ""
            Range("E2").Font.FontStyle = "обычный"
            Range("E2").Font.Superscript = False
        End If
    Else
        If Cells(2, 5).Value = "" Then
            Cells(2, 5).Value = "введите название позиции. Например: моноблок"
            Range("E2").Font.FontStyle = "курсив"
            Range("E2").Font.Superscript = True
        End If
    End If
    If Target.Address = "$E$3" Then
        If Cells(3, 5).Value = "введите текст доп.параметр. Например 20" Then
            Cells(3, 5).Value = ""
            Range("E3").Font.FontStyle = "обычный"
            Range("E3").Font.Superscript = False
        End If
    Else
        If Cells(3, 5).Value = "" Then
            Cells(3, 5).Value = "введите текст доп.параметр. Например 20"
            Range("E3").Font.FontStyle = "курсив"
            Range("E3").Font.Superscript = True
        End If
    End If
End Sub

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
    If Target.Address = "$A$3:$C$3" Then
        If Cells(3, 1).Value = "Укажите e-мail для отправки менеджеру" Then
            Cells(3, 1).Value = ""
            Range("a3").Font.FontStyle = "обычный"
            Range("a3").Font.Superscript = False
        End If
    Else
        If Cells(3, 1).Value = "Укажите e-мail для отправки менеджеру" Then
        Else
            If InStr(Cells(3, 1).Value, "@") = 0 Then
                Cells(3, 1).Value = "Укажите e-мail для отправки менеджеру"
                Range("a3").Font.FontStyle = "курсив"
                Range("a3").Font.Superscript = False
            End If
            If InStr(Cells(3, 1).Value, ".") = 0 Then
                Cells(3, 1).Value = "Укажите e-мail для отправки менеджеру"
                Range("a3").Font.FontStyle = "курсив"
                Range("a3").Font.Superscript = False
            End If
        End If
    End If
End Sub

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    Sheets("Лист 1").Select
    If Cells(9, 1).Value = "" Then
    Else
        ActiveSheet.Shapes("Image1").Visible = False
        Columns("B:D").EntireColumn.Hidden = T
... (truncated)
```