Thread: Excel with suspected VBA code

  1. #1
    Neophyte uri's Avatar
    Join Date
    Aug 2015
    Location
    Tel Aviv
    Posts
    4
    Articles
    0

    Question Excel with suspected VBA code



    Hello,
    I hope someone can help with this VBA issue I have.
    I received an email with an Excel attachment (it was allegedly "empty"). The antivirus scan didn't find anything, but I still suspected something was wrong. After a second scan I uploaded the file to Gmail, and then it was refused because of virus detection. On the running PC all "seems" to be OK, but I am still worried about what is underneath. I opened the file on an Ubuntu VM (LibreOffice) and copied the VBA code of the 3 modules and the open workbook sub.
    I worked a bit with VBA in MS Access, but this one is in Excel and out of my league.
    Any help understanding what it's doing (hopefully not a big mess) would be greatly appreciated.

    I have attached 4 text files with the modules' VBA code.

    <removed by admin>

    Thanks!
    Udi

  2. #2
    Super Moderator p45cal's Avatar
    Join Date
    Dec 2012
    Posts
    1,512
    Articles
    0
    Excel Version
    365
    I think you're quite right to be very concerned. I'm no expert in this, but clearly there is obfuscated code in the file, and that obfuscation is enough to be highly worried about.
    There is a workbook_open event which will run if macros are enabled.
    It seems, in a hidden way, to create a wscript.shell object with environment("Process"), which returns where your (the user's) local settings temp folder is.
    It then seems to open an Adodb.stream.
    It refers (in a roundabout way with "\rue" & Chr(98) + "fo." & "e" & Chr(120) & Chr(101) ) to ruebfo . exe in that folder. Do a Google search on that file and you'll see that it's part of many trojans.

    I got logged off here while composing this message because I spent too much time doing it and so lost some of it, so from what I can remember the code also seems to try to fetch and run ht¬tp:/¬/pal`ochu¬svet.s¬zm.c¬om/4¬3t¬3f/45y¬4g
    I missed off the .exe at the end that was there, and inserted a liberal sprinkling of '¬' characters so that it doesn't get interpreted as a link and no-one accidentally clicks on it.

    So if you did allow macros to run when you opened this file I'd be almost certain you got infected unless antivirus software saves you.

    I got Windows Defender alerts as I was examining your documents; I'll be doing a scan later.
    Last edited by p45cal; 2015-08-31 at 01:03 AM.
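
Added example, not part of the original thread or of any poster's code: a Python helper for static review that folds the Chr()/string concatenation described in post #2 back into the readable strings it builds, working on exported macro text so the workbook never has to be opened in Office. The first sample line reuses the expression quoted in post #2; the second line and all variable names are constructed for illustration.

```python
import re

# One operand: a quoted VBA literal ("" escapes a quote) or Chr/ChrW/Chr$(n).
_OPERAND = r'(?:"(?:[^"]|"")*"|ChrW?\$?\(\s*(?:&H[0-9A-F]+|\d+)\s*\))'
# Two or more operands joined by & or +; both concatenate strings in VBA.
_CONCAT = re.compile(rf"{_OPERAND}(?:\s*[&+]\s*{_OPERAND})+", re.IGNORECASE)
_TOKEN = re.compile(_OPERAND, re.IGNORECASE)

# Constructed sample. Line 1 uses the concatenation quoted in post #2;
# line 2 and every variable name are hypothetical.
SAMPLE = "\n".join([
    r'dropPath = tempDir & "\rue" & Chr(98) + "fo." & "e" & Chr(120) & Chr(101)',
    r'Set sh = CreateObject("WScr" & "ipt.S" + Chr(&H68) & "ell")',
])


def _value(token: str) -> str:
    """Return the string a single operand evaluates to."""
    if token.startswith('"'):
        return token[1:-1].replace('""', '"')
    arg = token[token.index("(") + 1 : token.rindex(")")].strip()
    code = int(arg[2:], 16) if arg.upper().startswith("&H") else int(arg)
    return chr(code)


def fold(expr: str) -> str:
    """Fold one concatenation expression into the literal it builds."""
    return "".join(_value(t) for t in _TOKEN.findall(expr))


def fold_source(source: str) -> list[tuple[int, str]]:
    """Return (line_number, folded_string) for each concatenation run."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for match in _CONCAT.finditer(line):
            hits.append((number, fold(match.group(0))))
    return hits


if __name__ == "__main__":
    for number, text in fold_source(SAMPLE):
        print(f"line {number}: {text!r}")
```

Folded strings such as an executable name under the temp folder or a shell object name are the items worth searching for in endpoint logs and on disk.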

  3. #3
    Neophyte uri's Avatar
    Join Date
    Aug 2015
    Location
    Tel Aviv
    Posts
    4
    Articles
    0
    Thank you, p45cal, for your time and help! I'll go on checking where it hit.
    Regards
    Udi

  4. #4
    Neophyte uri's Avatar
    Join Date
    Aug 2015
    Location
    Tel Aviv
    Posts
    4
    Articles
    0
    After investigation, I found what hit us.
    All the details regarding the infected Excel file ("20131030164403.xls") are here:
    https:// www(.)hybrid-analysis(.)com/sample/684285fd3d51f9e22104b8c343953f5946690bba03a48bf107377878532bb703?environmentId=1

  5. #5
    Administrator Ken Puls's Avatar
    Join Date
    Mar 2011
    Location
    Nanaimo, BC, Canada
    Posts
    2,306
    Articles
    57
    Blog Entries
    14
    Excel Version
    Excel Office 365 Insider
    Hey Udi,

    I've removed the attachment from the site. Glad you got your thread worked out, but I'd rather not leave examples of malicious code lying around for someone to modify/improve.
    Ken Puls, FCPA, FCMA, MS MVP

  6. #6
    Neophyte uri's Avatar
    Join Date
    Aug 2015
    Location
    Tel Aviv
    Posts
    4
    Articles
    0
    Thank You!
    Udi
