MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The file is an Excel OOXML document with a VBA project (Module1–Module4; the ThisWorkbook and sheet modules carry only attribute headers and no code). Module1 and Module2 are near-identical: for each ticker in column A of sheet "stock" / "stock2" they issue a synchronous GET to https://tw.stock.yahoo.com/q/q?s=<ticker> through MSXML2.XMLHTTP, parse the returned HTML with an htmlfile object and copy one quote table into the sheet. Module3 does the same for sheet "股票", but by assembling a VBScript in memory, writing it to c:\windows\temp\stock_<ticker>.vbs and launching it with WScript.Shell.Run; the dropped script attaches back to Excel with GetObject(, "Excel.Application") to write its results into the workbook. No Shell() call and no endpoint other than tw.stock.yahoo.com appear in the decoded source, and the HTTP response is parsed as HTML rather than executed, so no payload download is visible in this sample. The external relationship points to a local workbook path (Fund-v3_0-by-ilaru.xls) under a Windows XP-style profile directory, consistent with a linked spreadsheet; whether that file is a lure or a dropped component cannot be determined from what is carved here. The drop-and-run pattern is nonetheless a genuine risk regardless of the author's intent: the ticker cell value is spliced into the VBScript source and into the .vbs path without any escaping, so a crafted cell can inject arbitrary VBScript that runs in a separate Windows Script Host process, and nothing in the macros removes the dropped file afterwards.
Heuristics 6
-
VBA project inside OOXML — medium — 3 related findings — OOXML_VBA — Document contains a VBA project (VBA macros present).
-
WScript.Shell usage — critical — OLE_VBA_WSCRIPT — WScript.Shell usage. Matched line in script (Module3 getstock: launches the .vbs file the macro has just written to c:\windows\temp):
Set vbs = CreateObject("Wscript.Shell") vbs.Run """" & vbsFileName & """" -
CreateObject call — high — OLE_VBA_CREATEOBJ — CreateObject call. Matched line in script (Module1/Module2 getstock: late-bound htmlfile and msxml2.xmlhttp objects used to fetch and parse the quote page; the listing also creates adodb.stream and Wscript.Shell elsewhere):
DoEvents Set HTMLsourcecode = CreateObject("htmlfile") Set GetXml = CreateObject("msxml2.xmlhttp") -
GetObject call — high — OLE_VBA_GETOBJ — GetObject call. Matched line in script (Module3 getstock: the GetObject is inside the VBScript text being assembled, not executed by the macro itself; the dropped script uses it to attach to the running Excel instance and write results back into this workbook):
vbscript = "" vbscript = "Set ExcelObj = GetObject(, ""Excel.Application"")" & vbCrLf vbscript = vbscript & "Dim HTMLsource, XML, URL, table, temparray(10),checkerror" & vbCrLf -
External relationship — high — OOXML_EXTERNAL_REL — External target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///E:\第一層\Documents and Settings\XP\桌面\Fund-v3_0-by-ilaru.xls (a Windows XP-style profile path — 桌面 is "Desktop" — to a linked workbook on the author's machine; the target is not among the artifacts carved from this sample).
-
Embedded URL — info — EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://tw.stock.yahoo.com/q/q?s= — OOXML external relationship. The same URL prefix is also built at runtime by the macros (getstock in Module1/Module2, and inside the VBScript assembled by Module3), with the ticker cell appended as the query value.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 15213 bytes |
| SHA-256: 820f7573174bcffefb764d02f667b8d75bdaaf8130c77f139dddda9fbc1de2ef | | | |
|||
Preview of the extracted script — first 1,000 lines of macros.bas (the listing below ends on a module attribute header, so it appears to hold the whole file; verify against the 15213-byte artifact).
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
' Module-level dynamic array that carries the scraped quote cells between
' getstock() (which fills it) and fake_Multiplex3() (which writes it to the
' sheet in one assignment). Re-dimensioned on every run as (rows-1) x 11.
Global temparray()
' Entry point for sheet "stock": refreshes the quote columns for every ticker
' listed in column A (rows 2..lastrow, row 1 being treated as a header).
' - Clears B2:L<lastrow> and the status cell N1, sizes temparray() to
'   (lastrow-1) rows x 11 columns and pulls quotes in batches of five rows
'   through getstock().
' - Auto-fits and centre-aligns the result, writes temparray() into
'   B2:L<lastrow> in a single assignment and prints the elapsed seconds.
' NOTE(review): Range("n1"), Cells.Select and Columns("A:M").Select are
' unqualified, so they act on whichever sheet is active when the macro runs,
' not necessarily on "stock".
Sub fake_Multiplex3()
' Start of the wall-clock timing reported by Debug.Print at the end.
t = Timer
' Row count of the contiguous region around A1.
lastrow = Sheets("stock").Range("a1").CurrentRegion.Rows.Count
Sheets("stock").Range("b2:l" & lastrow).Clear: Range("n1") = ""
' Indices 0..lastrow-2 (one per ticker) and 0..10 (columns B..L).
ReDim temparray(lastrow - 2, 10)
' j = number of five-row batches (ceiling of lastrow / 5).
If lastrow Mod 5 > 0 Then j = Int(lastrow / 5) + 1 Else j = Int(lastrow / 5)
For i = 1 To j
DoEvents
' First batch starts at row 2 (skips the header); later ones at (i-1)*5+1.
If i = 1 Then firstdata = 2 Else firstdata = (i - 1) * 5 + 1
If i = j Then
lastdata = lastrow
' Progress reporting into N1 is disabled in this version.
' Sheets("stock").Range("n1") = lastrow - 1 & " stock loading ok"
Else
lastdata = (i - 1) * 5 + 5
' Sheets("stock").Range("n1") = "Loading " & Round((i / j) * 100) & "%"
End If
Call getstock(firstdata, lastdata)
Next i
' Formatting pass on the active sheet. The second With block repeats the
' first with HorizontalAlignment changed to xlCenter, so centred text wins,
' and it leaves A1 of the selection selected.
Cells.Select
Cells.EntireColumn.AutoFit
Columns("A:M").Select
With Selection
.HorizontalAlignment = xlGeneral
.VerticalAlignment = xlCenter
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = False
End With
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlCenter
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = False
.Cells(1, 1).Select
End With
' Bulk write of the scraped values, then release the array.
Sheets("stock").Range("b2:l" & lastrow).Value = temparray()
Erase temparray()
Sheets("stock").Cells.EntireColumn.AutoFit
' Elapsed seconds, to the VBE Immediate window.
Debug.Print Timer - t
End Sub
' Fetches one Yahoo Taiwan quote page per ticker in rows firstdata..lastdata
' of sheet "stock" and copies the quote table cells into temparray(row-2, col).
' Parameters:
'   firstdata, lastdata - first and last sheet row (1-based) to process; the
'                         ticker is read from column A of each row.
' Side effects: one HTTP GET per row; font colouring of the B:L cell whose
' text carries a ▽/▼ or △/▲ marker. temparray() must already be ReDim'd by
' the caller.
' NOTE(review): the ticker cell is concatenated into the URL unescaped, and
' the untrusted response body is handed straight to the MSHTML ("htmlfile")
' parser; the third <table> on the page is assumed to be the quote table, so
' any change in the site layout breaks the parsing.
Sub getstock(firstdata, lastdata)
Dim URL, HTMLsourcecode, GetXml
For k = firstdata To lastdata
DoEvents
' Late-bound MSHTML document used as an HTML parser, and an XMLHTTP client.
Set HTMLsourcecode = CreateObject("htmlfile")
Set GetXml = CreateObject("msxml2.xmlhttp")
URL = "https://tw.stock.yahoo.com/q/q?s=" & Sheets("stock").Cells(k, 1)
With GetXml
' Synchronous GET (async = False); the three headers defeat caching.
.Open "GET", URL, False
.setRequestHeader "Cache-Control", "no-cache"
.setRequestHeader "Pragma", "no-cache"
.setRequestHeader "If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT"
.send
' With a synchronous request this loop should already be satisfied on entry.
Do Until .readyState = 4: DoEvents: Loop
HTMLsourcecode.body.innerhtml = .responsetext
' If the site comes back garbled, delete the line above and use the line
' below instead (it re-decodes the raw bytes as Big5 via convertraw).
'HTMLsourcecode.body.innerhtml = convertraw(.ResponseBody)
' Rows of the third <table> on the page (0-based index 2).
Set Table = HTMLsourcecode.all.tags("table")(2).Rows
' Skip the header row (i = 0) and the last cell of every row.
For i = 1 To Table.Length - 1
For j = 0 To Table(i).Cells.Length - 2
If i = 1 And j = 0 Then
' First data cell: keep only the first line of its text, minus its first
' four characters.
temparray(k - 2, j) = Mid(Split(Table(i).Cells(j).innertext, Chr(13) & Chr(10))(0), 5, Len(Split(Table(i).Cells(j).innertext, Chr(13) & Chr(10))(0)))
Else
temparray(k - 2, j) = Trim(Table(i).Cells(j).innertext)
' Colour the target sheet cell according to the direction marker in the text.
If InStr(temparray(k - 2, j), "▽") > 0 Or InStr(temparray(k - 2, j), "▼") > 0 Then Sheets("stock").Cells(i + (k - 1), j + 2).Font.Color = -11489280
If InStr(temparray(k - 2, j), "△") > 0 Or InStr(temparray(k - 2, j), "▲") > 0 Then Sheets("stock").Cells(i + (k - 1), j + 2).Font.Color = -16776961
End If
Next j
Next i
End With
Set HTMLsourcecode = Nothing
Set GetXml = Nothing
Next k
End Sub
' Re-decodes a raw (binary) HTTP response body as Big5 text with an
' ADODB.Stream: the bytes are written in binary mode, the stream is rewound
' and switched to text mode with Charset "big5", and the text is read back.
' Parameter: rawdata - byte array such as XMLHTTP.ResponseBody.
' Returns: the decoded string. In this module it is referenced only from a
' commented-out line in getstock.
Function convertraw(rawdata)
Dim rawstr
Set rawstr = CreateObject("adodb.stream")
With rawstr
' adTypeBinary
.Type = 1
' adModeReadWrite
.Mode = 3
.Open
.Write rawdata
.Position = 0
' adTypeText
.Type = 2
.Charset = "big5"
convertraw = .ReadText
.Close
End With
Set rawstr = Nothing
End Function
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module2"
' Module2's own copy of the shared scrape buffer (Module1 declares one too);
' filled by this module's getstock() and flushed to sheet "stock2" by
' fake_Multiplex2(). Re-dimensioned on every run as (rows-1) x 11.
Global temparray()
' Entry point for sheet "stock2". This module is a copy of Module1 with the
' sheet name changed: refreshes the quote columns for every ticker listed in
' column A (rows 2..lastrow, row 1 treated as a header), fetching in batches
' of five rows through this module's getstock(), then formats and writes
' temparray() into B2:L<lastrow> in one assignment.
' NOTE(review): Range("n1"), Cells.Select and Columns("A:M").Select are
' unqualified, so they act on the active sheet, not necessarily "stock2".
Sub fake_Multiplex2()
' Start of the wall-clock timing reported by Debug.Print at the end.
t = Timer
lastrow = Sheets("stock2").Range("a1").CurrentRegion.Rows.Count
Sheets("stock2").Range("b2:l" & lastrow).Clear: Range("n1") = ""
' Indices 0..lastrow-2 (one per ticker) and 0..10 (columns B..L).
ReDim temparray(lastrow - 2, 10)
' j = number of five-row batches (ceiling of lastrow / 5).
If lastrow Mod 5 > 0 Then j = Int(lastrow / 5) + 1 Else j = Int(lastrow / 5)
For i = 1 To j
DoEvents
' First batch starts at row 2 (skips the header); later ones at (i-1)*5+1.
If i = 1 Then firstdata = 2 Else firstdata = (i - 1) * 5 + 1
If i = j Then
lastdata = lastrow
' Progress reporting into N1 is disabled in this version.
' Sheets("stock2").Range("n1") = lastrow - 1 & " stock loading ok"
Else
lastdata = (i - 1) * 5 + 5
' Sheets("stock2").Range("n1") = "Loading " & Round((i / j) * 100) & "%"
End If
Call getstock(firstdata, lastdata)
Next i
' Formatting pass on the active sheet; the second With block overrides the
' first's xlGeneral with xlCenter and leaves A1 of the selection selected.
Cells.Select
Cells.EntireColumn.AutoFit
Columns("A:M").Select
With Selection
.HorizontalAlignment = xlGeneral
.VerticalAlignment = xlCenter
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = False
End With
With Selection
.HorizontalAlignment = xlCenter
.VerticalAlignment = xlCenter
.Orientation = 0
.AddIndent = False
.IndentLevel = 0
.ShrinkToFit = False
.ReadingOrder = xlContext
.MergeCells = False
.Cells(1, 1).Select
End With
' Bulk write of the scraped values, then release the array.
Sheets("stock2").Range("b2:l" & lastrow).Value = temparray()
Erase temparray()
Sheets("stock2").Cells.EntireColumn.AutoFit
' Elapsed seconds, to the VBE Immediate window.
Debug.Print Timer - t
End Sub
' Module2 copy of Module1's getstock, re-targeted to sheet "stock2": fetches
' one Yahoo Taiwan quote page per ticker in rows firstdata..lastdata and
' copies the quote table cells into temparray(row-2, col).
' Parameters:
'   firstdata, lastdata - first and last sheet row (1-based) to process; the
'                         ticker is read from column A of each row.
' Side effects: one HTTP GET per row; font colouring of the B:L cell whose
' text carries a ▽/▼ or △/▲ marker. temparray() must already be ReDim'd.
' NOTE(review): the ticker cell is concatenated into the URL unescaped, and
' the untrusted response body goes straight into the MSHTML ("htmlfile")
' parser; the third <table> on the page is assumed to be the quote table.
Sub getstock(firstdata, lastdata)
Dim URL, HTMLsourcecode, GetXml
For k = firstdata To lastdata
DoEvents
' Late-bound MSHTML document used as an HTML parser, and an XMLHTTP client.
Set HTMLsourcecode = CreateObject("htmlfile")
Set GetXml = CreateObject("msxml2.xmlhttp")
URL = "https://tw.stock.yahoo.com/q/q?s=" & Sheets("stock2").Cells(k, 1)
With GetXml
' Synchronous GET (async = False); the three headers defeat caching.
.Open "GET", URL, False
.setRequestHeader "Cache-Control", "no-cache"
.setRequestHeader "Pragma", "no-cache"
.setRequestHeader "If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT"
.send
' With a synchronous request this loop should already be satisfied on entry.
Do Until .readyState = 4: DoEvents: Loop
HTMLsourcecode.body.innerhtml = .responsetext
' If the site comes back garbled, delete the line above and use the line
' below instead (it re-decodes the raw bytes as Big5 via convertraw).
'HTMLsourcecode.body.innerhtml = convertraw(.ResponseBody)
' Rows of the third <table> on the page (0-based index 2).
Set Table = HTMLsourcecode.all.tags("table")(2).Rows
' Skip the header row (i = 0) and the last cell of every row.
For i = 1 To Table.Length - 1
For j = 0 To Table(i).Cells.Length - 2
If i = 1 And j = 0 Then
' First data cell: keep only the first line of its text, minus its first
' four characters.
temparray(k - 2, j) = Mid(Split(Table(i).Cells(j).innertext, Chr(13) & Chr(10))(0), 5, Len(Split(Table(i).Cells(j).innertext, Chr(13) & Chr(10))(0)))
Else
temparray(k - 2, j) = Trim(Table(i).Cells(j).innertext)
' Colour the target sheet cell according to the direction marker in the text.
If InStr(temparray(k - 2, j), "▽") > 0 Or InStr(temparray(k - 2, j), "▼") > 0 Then Sheets("stock2").Cells(i + (k - 1), j + 2).Font.Color = -11489280
If InStr(temparray(k - 2, j), "△") > 0 Or InStr(temparray(k - 2, j), "▲") > 0 Then Sheets("stock2").Cells(i + (k - 1), j + 2).Font.Color = -16776961
End If
Next j
Next i
End With
Set HTMLsourcecode = Nothing
Set GetXml = Nothing
Next k
End Sub
' Module2 copy of Module1's convertraw: re-decodes a raw (binary) HTTP
' response body as Big5 text with an ADODB.Stream (write bytes in binary
' mode, rewind, switch to text mode with Charset "big5", read back).
' Parameter: rawdata - byte array such as XMLHTTP.ResponseBody.
' Returns: the decoded string. Referenced in this module only from a
' commented-out line in getstock.
Function convertraw(rawdata)
Dim rawstr
Set rawstr = CreateObject("adodb.stream")
With rawstr
' adTypeBinary
.Type = 1
' adModeReadWrite
.Mode = 3
.Open
.Write rawdata
.Position = 0
' adTypeText
.Type = 2
.Charset = "big5"
convertraw = .ReadText
.Close
End With
Set rawstr = Nothing
End Function
Attribute VB_Name = "Module3"
' Entry point for sheet "股票" ("stocks"): for every ticker in column A
' (rows 2..lastrow) calls this module's getstock(), which drops and runs one
' VBScript per ticker, and shows a progress string in N1 of the sheet.
' NOTE(review): the Range("n1") = "" on the second line is unqualified and
' therefore clears N1 on the active sheet, unlike the qualified writes below.
' The dropped scripts are launched without waiting, so "stock loading ok" can
' appear before they have actually written their rows.
Sub fake_Multiplex()
lastrow = Sheets("股票").Range("a1").CurrentRegion.Rows.Count
Sheets("股票").Range("b2:l" & lastrow).Clear: Range("n1") = ""
For i = 2 To lastrow
DoEvents
' Ticker text from column A, and the sheet row the script should write to.
Call getstock(Sheets("股票").Cells(i, 1), i)
If i = lastrow Then
Sheets("股票").Range("n1") = lastrow - 1 & " stock loading ok"
Else
Sheets("股票").Range("n1") = "Loading " & Round((i / lastrow) * 100) & "%"
End If
Next i
Sheets("股票").Cells.EntireColumn.AutoFit
End Sub
' Drop-and-run variant used by sheet "股票": instead of fetching in-process it
' writes a stand-alone VBScript to c:\windows\temp\stock_<stocknumber>.vbs and
' launches it with WScript.Shell.Run. The generated script:
'   - attaches to the running Excel with GetObject(, "Excel.Application"),
'   - GETs https://tw.stock.yahoo.com/q/q?s=<stocknumber> with MSXML2.XMLHTTP
'     and quits on a request error or a non-200 status,
'   - loads the response into an HTMLFile object, takes row 1 of the third
'     <table>, colours the sheet cells by their ▽▼/△▲ markers and writes the
'     values into B<i>:L<i> of sheet "股票" in this workbook.
' Parameters:
'   stocknumber - ticker text taken from column A of sheet "股票".
'   i           - sheet row the script writes back to.
' NOTE(review): stocknumber and ThisWorkbook.Name are spliced into the
' VBScript source and stocknumber into the .vbs path without any escaping.
' A cell value containing a double quote followed by VBScript breaks out of
' the URL string literal and is executed by the Windows Script Host in its
' own process; path characters in the cell steer where the file is written.
' Nothing here deletes the dropped .vbs, and Run is called with its default
' arguments (not waited on), so the script runs concurrently with this macro.
Sub getstock(stocknumber, i)
' --- assemble the VBScript text line by line ---
vbscript = ""
vbscript = "Set ExcelObj = GetObject(, ""Excel.Application"")" & vbCrLf
vbscript = vbscript & "Dim HTMLsource, XML, URL, table, temparray(10),checkerror" & vbCrLf
' Unescaped interpolation of the ticker into a VBScript string literal.
vbscript = vbscript & "URL = ""https://tw.stock.yahoo.com/q/q?s=" & stocknumber & """" & vbCrLf
vbscript = vbscript & "Set HTMLsource = CreateObject(""HTMLFile"")" & vbCrLf
vbscript = vbscript & "Set XML = CreateObject(""MSXML2.XMLHTTP"")" & vbCrLf
vbscript = vbscript & "With XML" & vbCrLf
' Synchronous request. On Error Resume Next is only enabled after .Open, so a
' failure inside Open itself appears not to be trapped (confirm).
vbscript = vbscript & ".Open ""GET"", URL, False" & vbCrLf
vbscript = vbscript & "On Error Resume Next" & vbCrLf
vbscript = vbscript & "checkerror = Array(Err.Number, Err.Description)" & vbCrLf
vbscript = vbscript & "If checkerror(0) = 0 Then" & vbCrLf
vbscript = vbscript & ".Send" & vbCrLf
vbscript = vbscript & "On Error Resume Next" & vbCrLf
vbscript = vbscript & "checkerror = Array(Err.Number, Err.Description)" & vbCrLf
' Quit the script on any Send error or any status other than 200.
vbscript = vbscript & "Select Case True" & vbCrLf
vbscript = vbscript & "Case 0 <> checkerror(0)" & vbCrLf
vbscript = vbscript & "wscript.Quit" & vbCrLf
'
vbscript = vbscript & "Case 200 = .Status" & vbCrLf
'
vbscript = vbscript & "Case Else" & vbCrLf
'
vbscript = vbscript & "wscript.Quit" & vbCrLf
vbscript = vbscript & "End Select" & vbCrLf
vbscript = vbscript & "Else" & vbCrLf
'
vbscript = vbscript & "End If" & vbCrLf
' DoEvents is a VBA intrinsic, not a VBScript one; presumably this loop is
' never entered because the synchronous Send already completed (confirm).
vbscript = vbscript & "While .readyState <> 4 and .status<>200" & vbCrLf
vbscript = vbscript & "DoEvents" & vbCrLf
vbscript = vbscript & "Wscript.Sleep 200" & vbCrLf
vbscript = vbscript & "Wend" & vbCrLf
vbscript = vbscript & "HTMLsource.Write .responseText" & vbCrLf
vbscript = vbscript & "HTMLsource.Close" & vbCrLf
vbscript = vbscript & "End With" & vbCrLf
' Third <table> on the page (0-based index 2); only its row 1 is used.
vbscript = vbscript & "Set table = HTMLsource.all.tags(""table"")(2).Rows" & vbCrLf
vbscript = vbscript & "On Error Resume Next" & vbCrLf
vbscript = vbscript & "For j = 0 To table(1).Cells.Length - 2" & vbCrLf
vbscript = vbscript & "If j = 0 Then" & vbCrLf
' First cell: first line of its text minus the first four characters.
vbscript = vbscript & "temparray(j) = Mid(Split(table(1).Cells(j).innertext, Chr(13) & Chr(10))(0), 5, Len(Split(table(1).Cells(j).innertext, Chr(13) & Chr(10))(0)))" & vbCrLf
vbscript = vbscript & "Else" & vbCrLf
vbscript = vbscript & "temparray(j) = Trim(table(1).Cells(j).innertext)" & vbCrLf
' Cell colouring and the final row write go through the Excel COM object
' obtained by GetObject; the workbook name and row i are baked in here.
vbscript = vbscript & "If InStr(temparray(j), ""▽"") > 0 Or InStr(temparray(j), ""▼"") > 0 Then ExcelObj.Workbooks(""" & ThisWorkbook.Name & """).Sheets(""股票"").Cells(" & i & ", j + 2).Font.Color = -11489280" & vbCrLf
vbscript = vbscript & "If InStr(temparray(j), ""△"") > 0 Or InStr(temparray(j), ""▲"") > 0 Then ExcelObj.Workbooks(""" & ThisWorkbook.Name & """).Sheets(""股票"").Cells(" & i & ", j + 2).Font.Color = -16776961" & vbCrLf
vbscript = vbscript & "End If" & vbCrLf
vbscript = vbscript & "Next" & vbCrLf
vbscript = vbscript & "ExcelObj.Workbooks(""" & ThisWorkbook.Name & """).Sheets(""股票"").Range(""b" & i & ":l" & i & """) = temparray" & vbCrLf
vbscript = vbscript & "Set ExcelObj = Nothing" & vbCrLf
vbscript = vbscript & "Set HTMLsource = Nothing" & vbCrLf
vbscript = vbscript & "Set XML = Nothing" & vbCrLf
' --- persist the script to disk and execute it ---
' One file per ticker; the ticker goes into the path unescaped.
vbsFileName = "c:\windows\temp\stock_" & stocknumber & ".vbs"
outputfilenumber = FreeFile
Open vbsFileName For Output As outputfilenumber
Print #outputfilenumber, vbscript
Close outputfilenumber
DoEvents
' Launch through the Windows Script Host; the path is wrapped in quotes.
Set vbs = CreateObject("Wscript.Shell")
vbs.Run """" & vbsFileName & """"
DoEvents
Set vbs = Nothing
End Sub
Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "工作表6"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "工作表1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module4"
' "巨集1" ("Macro1"): an empty stub left by the macro recorder. The
' VB_ProcData.VB_Invoke_Func attribute is the recorder's shortcut-key binding;
' the leading space suggests no key is assigned (confirm in the VBE).
Sub 巨集1()
Attribute 巨集1.VB_ProcData.VB_Invoke_Func = " \n14"
'
' Macro1 macro
'
'
End Sub
Attribute VB_Name = "工作表7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 76800 bytes |
| SHA-256: e524eaa62014e71b303105ec48972e41dc3bdb78cf20fa75428ebdbb1ebd3141 | | | |
|||