Trojan Detection Blocks Access to Excel.

[Felipe osorio 0]

Hi!, I hope you are doing well.

We have the following alert generated for the path C:\Windows\Temp\q.vbs, attached is an image. The issue now is that the antivirus product (ESET Endpoint Antivirus) appears to block this path because it detects the Trojan, and it does not allow the execution of an Excel file with macros. I have attached an image of the error that appears.

Text in English from excel error:
Script: C:\Windows\Temp\q.vbs

Line: 5

Character: 1

Error: This script contains malicious elements, and the antivirus software has blocked it: 'Send'

Code: 800A802D

Source: Microsoft VBScript Runtime Error

[itman 1,667]

Is q.vbs a legit script you created? If so, why is it running from C:\Windows\Temp directory?

[Marcos 5,085]

Are you positive that the heavily obfuscated script is legitimate?

[Marcos 5,085]

I've analyzed the script and at the final stage it downloads malware detected by ESET as Win32/Rescoms.B trojan.

Please provide the Excel file with macro in an archive encrypted with the password "infected" to make sure that the macro is detected prior to execution.

[itman 1,667]

16 minutes ago, Marcos said:

Are you positive that the heavily obfuscated script is legitimate?

My vote is it's malicious since its running PowerShell hidden in bypass mode.

Edited December 26, 2023 by itman

[Felipe osorio 0]

Greetings!
Here is the file compresed as you asked.

And regarding itmans question, the computer where this alert was found belongs to a client who has told me that it appears that the Excel being used is cracked, but we do not have further information on this matter.

RENTA 2022.rar

[Marcos 5,085]

The Excel file doesn't seem to contain a macro. Couldn't it be that it was detected and removed by ESET?

[itman 1,667]

25 minutes ago, Felipe osorio said:

the computer where this alert was found belongs to a client who has told me that it appears that the Excel being used is cracked

Assumed here is its a cracked version of MS Office. The computer needs to be thoroughly examined since the crack obviously has made system modifications. It goes without saying that the cracked software needs to be removed.

[itman 1,667]

11 minutes ago, Marcos said:

The Excel file doesn't seem to contain a macro

Macro's can be hidden: https://smallbusiness.chron.com/estimate-cash-flow-project-65327.html

[Marcos 5,085]

8 hours ago, itman said:

Macro's can be hidden: https://smallbusiness.chron.com/estimate-cash-flow-project-65327.html

I assume the file would still contain vbaproject.bin inside but this was missing in the above xlsx file. I'll pass it to our researchers for a check though.

[Nightowl 205]

It is indeed a virus and the location of it indicates it more WINDOWS/TEMP , And the file name is more weird ,I doubt some of your colleagues have to work on a file named q.vbs and store in TEMP

Remove that file after you send it to ESET , and inform the place where it came from that they are sending malicious files , and if there is no response / action from their side , block them.

If your client doesn't use macros inside Word or Excel files , its recommended to disable them by default even from trusted locations.

Edited December 27, 2023 by Nightowl