
I just received an e-mail with a virus embedded in xlsm format. So, since I'm curious, I wanted to check the code. I enabled every security setting in Excel to avoid events starting and other stuff after opening the contaminated file.

Kaspersky flagged the file instantly, so I had to disable it.

So I opened the file, and Excel showed me a prompt saying I had to disable some security features for the macro to run normally. Well, I just ignored it and went to the VBA area to check the code. I found some modules, but every one of them was empty.

Can someone explain to me how this is possible, and whether there's a way for me to check the code?

Thank you.

Eugene Astafiev
Black Mamba
  • I hope you're doing this on an air-gapped machine you can immediately wipe. – Warcupine Mar 14 '22 at 17:34
  • 6
    Don't mess with this, either get a professional or don't play. – Solar Mike Mar 14 '22 at 17:36
  • Did you open it with Macro Enabled? If not, you can see the modules' content with macros disabled, too. Now, did you try scrolling down as far as it allows? Sometimes they place the code in the bottom part of the module. If they did not make the VBA project unviewable, they do not look to be so skilled. – FaneDuru Mar 14 '22 at 17:43
  • Just to give you a [starting point](https://bettersolutions.com/vba/visual-basic-editor/extensibility-sample-code.htm) on why the code seems not to have anything and asks you for the permissions to write itself, but I agree with Solar Mike's statement – Sgdva Mar 14 '22 at 17:44
  • @FaneDuru This is the curious part... I disabled the macros, but I can't check it. Tried everything; there's no code written in any module. If you want, I can send you the file to check it. – Black Mamba Mar 14 '22 at 17:45
  • @Sgdva so... maybe there's an event that 'writes' the code after the file is opened? – Black Mamba Mar 14 '22 at 17:48
  • @BlackMamba that's likely the case, the real code may be hidden from the interface, if you decompress the excel and look over the files I'm pretty sure you'll find it and there are two things that come to my mind: either it connects to a DB to keep the virus updated or just writes it locally. Either way, the base for this is the starting point that I linked to. – Sgdva Mar 14 '22 at 17:50
  • @Sgdva do you think it is safe for me to decompress the Excel file in a virtual machine? – Black Mamba Mar 14 '22 at 17:53
  • @BlackMamba yes, to be safe: by being decompressed, no action can be executed (unless they found a security hole there, and most likely it would be a [zero day one](https://en.wikipedia.org/wiki/Zero-day_(computing))). Beware, the coding for it may be encrypted somehow too, but since they did it in Excel, I think it should be pretty simple to spot and not that complex. However, there may be a hidden embedded file within the Excel file; that's another topic, and here is a silly example on [how to do so](https://www.youtube.com/watch?v=joXzfU1KGWc) – Sgdva Mar 14 '22 at 18:04
  • @Sgdva Got it. Thanks for your useful information. Let me ask if you can check the file for me and show me the code... anyway, if you can't, I will try it in a virtual machine. – Black Mamba Mar 14 '22 at 18:08
  • @BlackMamba I wouldn't risk it myself: totally up to you, I just gave you the directions if you really need to do so. – Sgdva Mar 14 '22 at 18:22
  • This solution worked for me: [How to inspect / view an Excel macro before "enabling macros" for a sheet?](https://superuser.com/a/1260477/972506). – TinMan Mar 14 '22 at 19:01
  • @Sgdva I extracted the file in a virtual machine and found some code. Threw it on Google and found the malware analysis: https://github.com/pr0xylife/Emotet/blob/main/e5_emotet_07.03.2022.txt Can you tell me what exactly this phishing malware does? – Black Mamba Mar 15 '22 at 01:04
  • @BlackMamba Since it's targeting web addresses, I'm unsure; most likely they can execute malicious scripts as well so it's unknown, however, in the txt attached, I can see that it's editing system dlls and seems like adding hosts, so my guess it's that it will likely be adding phishing sites (mostly bank phony sites). This means that whenever you type www.amex.com or sensitive info sites it will detect it and redirect you to a fake site, then again, those sites can be injecting malicious scripts too (like mining software for crypto) – Sgdva Mar 15 '22 at 17:34
  • Thanks a lot everyone! It was very interesting. – Black Mamba Mar 15 '22 at 23:10
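One way to do the static look the comments describe (unzip the .xlsm container and check whether a VBA part and any embedded objects are present) without ever opening the file in Excel. This is an added example, not code from the thread; the `inspect_xlsm` and `build_sample_xlsm` names and the in-memory sample workbook are constructed here, while the part paths and content type are the standard OOXML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML locations/identifiers relevant to macro triage.
VBA_PART = "xl/vbaProject.bin"
MACRO_CT = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def inspect_xlsm(data: bytes) -> dict:
    """Static triage of an .xlsm container: reads the zip only, executes nothing.
    Reports whether a VBA project part exists, whether [Content_Types].xml
    declares it (a mismatch is itself a reason to look closer), its size, and
    any embedded objects or external links bundled in the workbook."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        declared = False
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for el in root.iter(CT_NS + "Override"):
                if el.get("ContentType") == MACRO_CT:
                    declared = True
        vba_size = z.getinfo(VBA_PART).file_size if VBA_PART in names else 0
    return {
        "has_vba_project": VBA_PART in names,
        "vba_declared_in_content_types": declared,
        "vba_project_bytes": vba_size,
        "embedded_objects": sorted(n for n in names if n.startswith("xl/embeddings/")),
        "external_links": sorted(n for n in names if n.startswith("xl/externalLinks/")),
    }


def build_sample_xlsm() -> bytes:
    """Constructed minimal container mimicking an .xlsm layout (not a real
    workbook): a VBA part is present and declared, plus one embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '</Types>')
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0" + b"\x00" * 60)  # OLE magic + padding
        z.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in inspect_xlsm(build_sample_xlsm()).items():
        print(f"{key}: {value}")
```

To look at the actual module text inside `xl/vbaProject.bin` you still need an OLE/VBA parser (the compressed source streams are not plain text), but this check already tells you whether the "empty" project carries macro code at all.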

0 Answers