MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
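The critical ClamAV heuristic and the presence of VBA macros, specifically a Workbook_Open event, indicate malicious intent. The VBA script attempts to create a file named "send.scr" in the root of the C drive, likely to execute a second-stage payload. The obfuscated document body and lack of clear user-facing text suggest a lure document. Analyst caveat: in the extracted source shown below, Workbook_Open only displays UserForm1. The write to "C:\send.scr" happens in the CommandButton1_Click handler, consists of AutoCAD command text, and is handed to a window whose title starts with "Auto" through SendKeys. The visible source contains no Shell, CreateObject or download call, so the ClamAV signature and the p-code execution-token finding should be confirmed against the compiled p-code streams and the rest of the container before relying on this verdict.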
Heuristics 4
-
ClamAV: Doc.Trojan.Marker-13 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Trojan.Marker-13
-
VBA macros detected | medium | 2 related findings | OLE_VBA_MACROS | Document contains VBA macro code
-
VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Workbook_Open macro | low | OLE_VBA_WBOPEN | Workbook_Open macro | Matched line in script:
Private Sub Workbook_Open() Dim tb1 As Integer
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9330 bytes |

SHA-256: 59d3c950c87940e3450ea9ec73c3c0952731b5e0870e97932a8f71ad1e13b4e2
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    ' Auto-exec entry point: Excel runs this when the workbook is opened with
    ' macros enabled. The only action taken here is displaying UserForm1;
    ' no file, process or network activity happens in this procedure.
    ' tb1 is declared but never used in this procedure.
    Dim tb1 As Integer

    ' vbModal is the default for Show, so this matches a bare UserForm1.Show.
    UserForm1.Show vbModal
End Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{B304144F-D08F-4D49-A9CE-E004DAB599C0}{0050E641-90AF-42AD-B6F6-D1D4C3E0710C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
' Button handler: turns worksheet coordinates into a text file of AutoCAD
' commands at C:\send.scr, then types a "script" command into a window whose
' title starts with "Auto" so that the file is run there.
'
' Inputs read: TextBox1 (scale), ComboBox1 (block number), OptionButton1..4
' (polyline / point / circle / block), and sheet "XY座標入力" (cell F1 plus
' rows 5 and below, in groups of three columns).
' Output: only Print # text lines are written to the file; this procedure
' contains no Shell, CreateObject or download call.
'
' NOTE(review): ".scr" is used here as a script file for the drawing
' program, but the same extension is also the Windows screensaver (executable)
' extension, which presumably contributes to the scanner verdict - confirm
' against the p-code streams.
' NOTE(review): cell text (dr, s) is written into the command file without
' validation, so whoever controls the sheet contents controls the commands
' replayed into the target application.
Dim x As Double, y As Double
' Any runtime error (for example a zero or non-numeric scale) jumps to
' ErrorHandler, which closes files and returns without telling the user.
On Error GoTo ErrorHandler
'Send Excel cell data to AutoCAD 2000
' Fixed output path in the root of drive C.
fnb = "C:\send.scr"
' Close with no file number closes every file opened with Open in this
' VBA session, not just #1.
Close
' Hard-coded file number #1 (FreeFile is not used).
Open fnb For Output As #1
tb1 = TextBox1.Value 'scale
Set WS1 = Worksheets("XY座標入力")
' jj is the column-group offset; kk is assigned but not used below.
jj = 0
kk = 0
' Map the selected list position to a block code. With no selection
' (ListIndex = -1) no branch matches and br is left unset.
If ComboBox1.ListIndex = 0 Then
br = "9001"
ElseIf ComboBox1.ListIndex = 1 Then
br = "9002"
ElseIf ComboBox1.ListIndex = 2 Then
br = "9003"
ElseIf ComboBox1.ListIndex = 3 Then
br = "9004"
ElseIf ComboBox1.ListIndex = 4 Then
br = "9007"
ElseIf ComboBox1.ListIndex = 5 Then
br = "9011"
ElseIf ComboBox1.ListIndex = 6 Then
br = "9012"
ElseIf ComboBox1.ListIndex = 7 Then
br = "9014"
ElseIf ComboBox1.ListIndex = 8 Then
br = "9019"
ElseIf ComboBox1.ListIndex = 9 Then
br = "9020"
End If
' dr comes from cell F1 (row 1, column 6); dd is dr & "\" & br wrapped in
' double quotes. Presumably the path of the block to insert - confirm.
dr = Worksheets("XY座標入力").Cells(1, 6).Value
dd = Chr(34) & dr & "\" & br & Chr(34)
' Scale factor applied to every coordinate; PD is half of it as text.
SC = 1000 / tb1
PD = RTrim(Str(SC * 0.5))
'Show the file dialog boxes, just in case
Print #1, "filedia 1"
If OptionButton2.Value = True Then
Print #1, "PDMODE 34 PDSIZE"; PD
End If
' Outer loop: one pass per group of three columns (jj+1 = point name,
' jj+2 and jj+3 = the two coordinates).
Do
'Stop if the cell is blank
If WS1.Cells(5, jj + 2).Value = "" Then Exit Do
'Polyline case
If OptionButton1.Value = True Then
Print #1, "-LAYER M PLOT_LINE C 2 "
Print #1, "PLINE"
End If
' Inner loop: one pass per row, starting at row 5.
ii = 4
Do
ii = ii + 1
cc = 0
'Point case
If OptionButton2.Value = True Then
For j = jj + 2 To jj + 3
If WS1.Cells(ii, j).Value = "" Then cc = 1 Else Print #1, "-LAYER M PLOT_MARK C 3 ": Print #1, "POINT": Exit For
Next j
'Circle case
ElseIf OptionButton3.Value = True Then
For j = jj + 2 To jj + 3
If WS1.Cells(ii, j).Value = "" Then cc = 1 Else Print #1, "-LAYER M PLOT_MARK C 3 ": Print #1, "CIRCLE": Exit For
Next j
'Block case
ElseIf OptionButton4.Value = True Then
For j = jj + 2 To jj + 3
If WS1.Cells(ii, j).Value = "" Then cc = 1 Else Print #1, "-LAYER M PLOT_MARK C 3 ": Print #1, "INSERT": Exit For
Next j
End If
' Read the coordinate pair; a blank in either cell ends this column group.
' NOTE(review): the header lines above are written as soon as one of the
' two cells is non-blank, so a row with only one coordinate leaves a
' command in the file without its coordinates.
For j = jj + 2 To jj + 3
If WS1.Cells(ii, j).Value = "" Then cc = 1: Exit For
If j = jj + 2 Then x = WS1.Cells(ii, j).Value
If j = jj + 3 Then y = WS1.Cells(ii, j).Value
Next j
If cc = 1 Then Exit Do
' ts is written in the TEXT command below; presumably the text height.
ts = SC
y = y * SC
x = x * SC
'Trim leading and trailing spaces, convert the numeric value to a string, and write the data to #1
'"none" turns off snap mode
' Coordinates are written as y,x (the second sheet column first).
If OptionButton1.Value = True Then
'Polyline case
Print #1, "none "; Trim(Str(y)); ","; Trim(Str(x))
ElseIf OptionButton2.Value = True Then
'Point case
Print #1, "none"
Print #1, Trim(Str(y)); ","; Trim(Str(x))
' Single-iteration loop: j only takes the value jj + 1 (name column).
For j = jj + 1 To jj + 1
If j = jj + 1 Then s = WS1.Cells(ii, j).Value
If WS1.Cells(ii, j).Value = "" Then
'disabled: would have set s to a "no point name" placeholder
Else
'Plot the survey point name
Print #1, "-LAYER M PLOT_NAME C 4 "
Print #1, "TEXT"
Print #1, "none"
' s is the raw cell text and is written as-is.
Print #1, Trim(Str(y + SC)); ","; Trim(Str(x)); ts; "0 "; s
End If
Next j
'Circle case
ElseIf OptionButton3.Value = True Then
Print #1, "none"
Print #1, Trim(Str(y)); ","; Trim(Str(x)); PD
For j = jj + 1 To jj + 1
If j = jj + 1 Then s = WS1.Cells(ii, j).Value
If WS1.Cells(ii, j).Value = "" Then
'disabled: would have set s to a "no point name" placeholder
Else
'Plot the survey point name
Print #1, "-LAYER M PLOT_NAME C 4 "
Print #1, "TEXT"
Print #1, "none"
Print #1, Trim(Str(y + SC)); ","; Trim(Str(x)); ts; "0 "; s
End If
Next j
'Block case
ElseIf OptionButton4.Value = True Then
' dd (quoted dr\br, built from cell F1) is written as-is.
Print #1, dd
Print #1, "none"
Print #1, Trim(Str(y)); ","; Trim(Str(x)); PD; PD; " 0"
For j = jj + 1 To jj + 1
If j = jj + 1 Then s = WS1.Cells(ii, j).Value
If WS1.Cells(ii, j).Value = "" Then
'disabled: would have set s to a "no point name" placeholder
Else
'Plot the survey point name
Print #1, "-LAYER M PLOT_NAME C 4 "
Print #1, "TEXT"
Print #1, "none"
Print #1, Trim(Str(y + SC)); ","; Trim(Str(x)); ts; "0 "; s
End If
Next j
End If
Loop Until ii > 1001
' An empty line is written after each polyline's coordinate list.
If OptionButton1.Value = True Then
Print #1, ""
End If
' Advance to the next three-column group.
jj = jj + 3
Loop Until jj > 1000
Print #1, "filedia 1 zoom e"
' Closes all open files, which flushes the command file to disk.
Close
' Activate the target window.
' NOTE(review): AppActivate falls back to a title-prefix match, so any
' window whose title starts with "Auto" can be selected.
AppActivate "Auto"
'AppActivate "AutoCAD"
' Types: filedia 0 script <Enter> C:\send.scr <Enter>, waiting for the keys
' to be processed. SendKeys delivers keystrokes to whichever window has
' focus at that moment.
SendKeys "filedia 0 " & "script" & Chr$(13) & fnb & Chr$(13), True
Exit Sub
ErrorHandler:
' Errors are swallowed: files are closed and no message is shown.
Close
Exit Sub
End Sub
Private Sub CommandButton2_Click()
    ' Help button: tags the button with help context 1, then asks Excel to
    ' open the workbook's help file.
    ' NOTE(review): the help file is named without a directory, so which file
    ' gets opened presumably depends on the help search path - confirm.
    With UserForm1.CommandButton2
        .HelpContextID = 1
    End With
    Application.Help HelpFile:="XY座標_SEND.HLP"
End Sub
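Private Sub OptionButton1_Click()
    ' Polyline mode selected: the block-number list is not needed, so grey it out.
    ' The original assigned the misspelled identifier "fales". Without
    ' Option Explicit that is an empty Variant which coerces to False, so it
    ' only worked by accident and would not compile under Option Explicit.
    ComboBox1.Enabled = False
End Sub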
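Private Sub OptionButton2_Click()
    ' Point mode selected: the block-number list is not needed, so grey it out.
    ' The original assigned the misspelled identifier "fales". Without
    ' Option Explicit that is an empty Variant which coerces to False, so it
    ' only worked by accident and would not compile under Option Explicit.
    ComboBox1.Enabled = False
End Sub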
Private Sub OptionButton3_Click()
    ' Circle mode selected: the block-number list is not needed, so grey it out.
    Me.ComboBox1.Enabled = False
End Sub
Private Sub OptionButton4_Click()
    ' Block mode selected: enable the block-number list and move focus to it.
    With Me.ComboBox1
        .Enabled = True
        .SetFocus
    End With
End Sub
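Private Sub UserForm_Initialize()
    ' Fills the block-number list when the form loads, preselects "No.4" and
    ' leaves the list disabled until block mode (OptionButton4) is chosen.
    '
    ' The order of the labels matters: CommandButton1_Click maps the selected
    ' list position (0..9) to a block code, so entries must not be reordered.
    Dim blockLabel As Variant

    For Each blockLabel In Array("No.1", "No.2", "No.3", "No.4", "No.7", _
                                 "No.11", "No.12", "No.14", "No.19", "No.20")
        ComboBox1.AddItem blockLabel
    Next blockLabel

    ComboBox1.Text = "No.4"
    ' The original assigned the misspelled identifier "fales", an empty
    ' Variant that merely coerces to False; use the real constant.
    ComboBox1.Enabled = False
End Sub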
Attribute VB_Name = "Module1"
Sub CLEAR_XY()
    ' Clears A5:ET1004 on the sheet that is active when the macro starts,
    ' then switches to the "XY座標入力" sheet and selects A5.
    ' NOTE(review): the range is cleared before the sheet is selected, so the
    ' wrong sheet is wiped if another one is active - confirm the caller.
    Application.Range("A5:ET1004").Select
    Application.Selection.ClearContents
    Application.Sheets("XY座標入力").Select
    ' Drop any pending cut/copy marquee.
    Application.CutCopyMode = False
    Application.Range("A5").Select
End Sub
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module2"
Sub CLEAR_SIM()
    ' Clears A11:F50010 on the sheet that is active when the macro starts,
    ' then switches to the "SIMA入力" sheet and selects A11.
    ' NOTE(review): the range is cleared before the sheet is selected, so the
    ' wrong sheet is wiped if another one is active - confirm the caller.
    Application.Range("A11:F50010").Select
    Application.Selection.ClearContents
    Application.Sheets("SIMA入力").Select
    ' Drop any pending cut/copy marquee.
    Application.CutCopyMode = False
    Application.Range("A11").Select
End Sub
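Sub SIMCOPY()
    ' Copies data from sheet "SIMA入力" to sheet "XY座標入力" in chunks of
    ' 1000 rows: columns C:E of rows i..i+999 go to row 5 of the destination,
    ' each chunk three columns to the right of the previous one (A, D, G, ...).
    ' Copying stops at the first chunk whose first cell in column C is blank.
    ' Only worksheet-to-worksheet copying happens here; nothing is written to
    ' disk or sent to another application.
    '
    ' Changes from the original:
    '  - Cells() inside WS2.Range(...) is now qualified with WS2. Unqualified
    '    Cells refers to the active sheet, so the original raised a runtime
    '    error whenever "SIMA入力" was not the active sheet.
    '  - The copy and paste are done in one step, and the single-iteration
    '    "For k = 1 To 1" loop is removed.
    Set WS1 = Worksheets("XY座標入力")
    Set WS2 = Worksheets("SIMA入力")
    n = 0   ' number of chunks copied so far
    h = 1   ' destination column for the next chunk
    For i = 11 To 50010 Step 1000
        j = i + 999
        If WS2.Cells(i, 3).Value = "" Then Exit For
        WS2.Range(WS2.Cells(i, 3), WS2.Cells(j, 5)).Copy Destination:=WS1.Cells(5, h)
        n = n + 1
        h = n * 3 + 1
    Next i
    Application.CutCopyMode = False
    'Activate the worksheet
    ThisWorkbook.Worksheets(1).Activate
End Sub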