Verdict: MALICIOUS
Risk Score: 190

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file contains both Excel 4.0 macros and VBA macros, with a Workbook_Open event and CreateObject calls indicating execution intent. The presence of an embedded URL within an XLM cell array suggests the macro is designed to download and execute a second-stage payload. The document body's content related to invoices and tax rates serves as a lure to encourage user interaction with the malicious macros.
Heuristics (7)

- [critical] OLE_XLM_CELL_ARRAY_URL: URL reconstructed from XLM cell array (1 URL). An Excel 4.0 macro sheet stages its payload URL across the BIFF8 Shared String Table (one quoted-char SST entry concatenated with & at runtime), across individual numeric cells (one ASCII charcode per cell), or split across multi-char fragment cells that a download formula concatenates by reference (=A1&A2&… / CONCATENATE(...)). The reconstructed URL is invisible to literal-bytes URL extraction because it is never contiguous in the workbook stream. URLs were recovered by walking the BIFF8 record stream and decoding SST entries, LABELSST/RK/NUMBER cells, and FORMULA cell-reference concatenation in token order.
- [medium] OLE_VBA_MACROS: VBA macros detected (2 related findings). Document contains VBA macro code.
- [high] OLE_VBA_WBOPEN: Workbook_Open macro.
- [high] OLE_VBA_CREATEOBJ: CreateObject call.
- [medium] OLE_XLM_AUTOOPEN: Excel 4.0 (XLM) macro sheet present. Workbook contains an Excel 4.0 macro sheet sub-stream; XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- [low] SE_INVOICE_LURE: Fake invoice / payment lure. Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
- [info] EMBEDDED_URL: Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs referenced by macro:
  - https://github.com/VBA-tools/VBA-JSON
  - http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
  - https://github.com/VBA-tools/VBA-UtcConverter
  - https://www.gst.gov.in/download/returns
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://www.opensource.org/licenses/mit-license.php)
  - http://code.google.com/p/vba-json/
  - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
  - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
  - http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
  - http://support.microsoft.com/kb/269370
  - http://www.ietf.org/rfc/rfc4627.txt
  - https://support.microsoft.com/en-us/kb/272138
  - http://www.opensource.org/licenses/mit-license.php
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 373725 bytes | 6ad4b1044092f0ce5748c1f20509eca5c2065d05b26407c6f3c09ecf337164c5 |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Sub Workbook_Activate()
Call CommonUtil.ToggleCutCopyAndPaste(False) 'Disable Crtl + X
'Call CommonUtil.HideorShowErrorSheets
End Sub
Private Sub Workbook_Open()
Call CommonUtil.ToggleCutCopyAndPaste(False) 'Disable Ctrl + X
'Call CommonUtil.HideorShowErrorSheets
End Sub
Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "B2BURMod"
Option Explicit
Public Sub loadB2BURData(jsonData As Object)
Dim invoiceList As Dictionary, invoice As Dictionary, Item As Dictionary
Dim i As Integer: i = START_ROW
Do Until Trim(Sheets("4C(B2BUR)").Cells(i, 2).Value & vbNullString) = vbNullString
i = i + 1
Loop
If jsonData.Exists("b2bur") Then
For Each invoice In jsonData("b2bur")
' For Each invoice In invoiceList("inv")
For Each Item In invoice("itms")
Sheets("4C(B2BUR)").Cells(i, 2).Value = invoice("inum")
Sheets("4C(B2BUR)").Cells(i, 3).Value = invoice("idt")
Sheets("4C(B2BUR)").Cells(i, 4).Value = invoice("val")
If Trim(invoice("pos") & vbNullString) <> vbNullString Then
Sheets("4C(B2BUR)").Cells(i, 5).Value = Application.VLookup(invoice("pos") & "C", Worksheets("master").Range("pos_map"), 2, False)
End If
If Trim(invoice("sply_ty") & vbNullString) <> vbNullString Then
Sheets("4C(B2BUR)").Cells(i, 6).Value = Application.VLookup(invoice("sply_ty"), Worksheets("master").Range("sply_ty_map"), 2, False)
End If
Sheets("4C(B2BUR)").Cells(i, 7).Value = Item("itm_det")("rt")
Sheets("4C(B2BUR)").Cells(i, 8).Value = Item("itm_det")("txval")
'Sheets("4C(B2BUR)").Cells(i, 9).Value = Item("itm_det")("iamt")
'Sheets("4C(B2BUR)").Cells(i, 10).Value = Item("itm_det")("camt")
'Sheets("4C(B2BUR)").Cells(i, 11).Value = Item("itm_det")("samt")
Sheets("4C(B2BUR)").Cells(i, 12).Value = Item("itm_det")("csamt")
Sheets("4C(B2BUR)").Cells(i, 14).Value = "Added"
i = i + 1
```

... (truncated)