Excel with suspected VBA code

uri

Hello,
I hope someone can help with this VBA issue I have.
I received an email with an Excel attachment (it was allegedly "empty"). The antivirus scan didn't find anything, but I still suspected something was wrong. After a second scan I uploaded the file to Gmail, and then it was refused because of virus detection. On the running PC all "seems" to be OK, but I am still worried about what is underneath. I opened the file on an Ubuntu VM (LibreOffice) and copied the VBA code of the 3 modules and the open workbook sub.
I worked a bit with VBA in MS Access, but this one is in Excel and out of my league.
I would be very grateful for any help understanding what it's doing (hope not a big mess).

I have attached 4 text files with the modules' VBA code.

<removed by admin>

Thanks!
Udi
 
I think you're quite right to be very concerned. I'm no expert in this, but there is clearly obfuscated code in the file, and that obfuscation is enough to be highly worried about.
There is a workbook_open event which will run if macros are enabled.
It seems, in a hidden way, to create a wscript.shell object with environment("Process"), which returns where your (the user's) local settings temp folder is.
It then seems to open an Adodb.stream.
It refers (in a roundabout way, with "\rue" & Chr(98) + "fo." & "e" & Chr(120) & Chr(101)) to ruebfo . exe in that folder. Do a Google search on that file and you'll see that it's part of many trojans.

I got logged off here while composing this message because I spent too much time doing it and so lost some of it, so from what I can remember the code also seems to try to fetch and run ht¬tp:/¬/pal`ochu¬svet.s¬zm.c¬om/4¬3t¬3f/45y¬4g
I missed off the .exe at the end that was there, and inserted a liberal sprinkling of '¬' characters so that it doesn't get interpreted as a link and no-one accidentally clicks on it.

So if you did allow macros to run when you opened this file I'd be almost certain you got infected unless antivirus software saves you.

I got Windows Defender alerts as I was examining your documents; I'll be doing a scan later.
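
The constant folding described in the reply above can be done statically on the exported module text, without enabling macros. The following is an added example, not part of the original thread or the removed attachment: the function names, marker list and sample lines are constructed for illustration, and only the `"\rue" & Chr(98) ...` expression comes from the post.

```python
import re

# Tokens of one VBA line; only literals, Chr() calls and & / + matter for folding.
TOKEN = re.compile(r'''
    (?P<str>"(?:[^"]|"")*")                              # string literal ("" escapes a quote)
  | (?P<chr>\bChrW?\$?\(\s*(?:&H[0-9A-F]+|\d+)\s*\))     # Chr(98), ChrW(&H62), Chr$(101)
  | (?P<op>[&+])                                         # string concatenation
  | (?P<rem>')                                           # comment start (outside a string)
  | (?P<ws>\s+)
  | (?P<other>\w+|.)
''', re.VERBOSE | re.IGNORECASE)
MARKERS = ("wscript.shell", "adodb.stream", ".exe")  # strings named in the thread

def _value(tok):
    """Decode one constant term: a quoted literal or a Chr()/ChrW() call."""
    if tok.startswith('"'):
        return tok[1:-1].replace('""', '"')
    arg = tok[tok.index("(") + 1:-1].strip()
    return chr(int(arg[2:], 16) if arg[:2].upper() == "&H" else int(arg))

def fold_line(line):
    """Return [(expression, folded)] for each run of >=2 constant terms joined by & or +."""
    runs, terms, start, end, need_op = [], [], 0, 0, False
    for m in [t for t in TOKEN.finditer(line) if t.lastgroup != "ws"] + [None]:
        kind = m.lastgroup if m else "end"
        if kind in ("str", "chr") and not need_op:
            start = start if terms else m.start()
            terms.append(_value(m.group()))
            end, need_op = m.end(), True
        elif kind == "op" and need_op:
            need_op = False
        else:  # a variable, bracket, comment or end of line closes the current run
            if len(terms) >= 2:
                runs.append((line[start:end], "".join(terms)))
            terms, need_op = [], False
            if kind == "rem":
                break
    return runs

def triage(vba_source):
    """Return [(line_no, expression, folded, matched_markers)] for every folded run."""
    return [(n, expr, folded, [k for k in MARKERS if k in folded.lower()])
            for n, line in enumerate(vba_source.splitlines(), 1)
            for expr, folded in fold_line(line)]

# Constructed sample in the style described above; not the removed attachment.
SAMPLE = r'''Sub Workbook_Open()
    Set sh = CreateObject("WScr" & "ipt.S" + Chr(104) & "ell")   ' "x" & "y" in a comment is ignored
    p = sh.Environment("Process")("TEMP") & "\rue" & Chr(98) + "fo." & "e" & Chr(120) & Chr(101)
End Sub'''
```

Calling `triage(SAMPLE)` lists each folded expression with its line number and any matched marker. Runs that include a variable are only folded up to that variable, so an empty result does not mean the module is clean.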
 
Thank you, p45cal, for your time and help! I'll go on checking where it hit.
Regards
Udi
 
After investigation, I found what hit us.
All the details regarding the infected Excel file ("20131030164403.xls") are here:
https:// www(.)hybrid-analysis(.)com/sample/684285fd3d51f9e22104b8c343953f5946690bba03a48bf107377878532bb703?environmentId=1
 
Hey Udi,

I've removed the attachment from the site. Glad you got your thread worked out, but I'd rather not leave examples of malicious code lying around for someone to modify/improve.
 