URLDownloadtoFile library causing Malwarebytes Malware.Exploit.Agent.Generic Error

[inxlsplot]

Hello,
I've researched this and I was wondering if I'm the only one going through this error. Eveyrone seems to have success with this library but me because I've been searching for anyone else having the problem to no avail.


I posted on Malwarebytes forum. I haven't had an answer back from MBAM support.

Here's the problem:

I'm using the library:

  Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" _
    Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, _
    ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

And I'll be looping through a range in an Excel sheet, but thought I might try it with just one to make sure it works:

Sub DownloadFilefromWeb()
    Dim strSavePath As String
    Dim URL As String, ext As String
    Dim buf, ret As Long
    URL = Worksheets("SheetName").Range("H3").Value 'Getting the URL from here at this point
    buf = Split(URL, ".")
    ext = buf(UBound(buf))
    strSavePath = "C:\loremipsumfilepath" & "DownloadedFile." & ext
    ret = URLDownloadToFile(0, URL, strSavePath, 0, 0)

End Sub

And EACH and everytime it opens the window to the directory to save the file in the designated directory, MalwareBytes blocks an Exploit:


-Log Details-
Protection Event Date: 3/8/21
Protection Event Time: 3:59 PM
Log File: 172cc7b8-8051-11eb-b2c6-841b7727a569.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37885
License: Trial

-System Information-
OS: Windows 10 (Build 19041.610)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: Microsoft Office Excel
Protection Layer: Malicious Memory Protection
Protection Technique: Exploit code executing from Heap memory blocked
File Name:
URL: - URL - (I took it out for privacy purposes)

And Excel closes. (no crash indicated by Windows 64 Pro)

• Yes, file name is blank as listed by the MBAM error.
• The URL DOES have '?' and '&' in it. It is an aspx page that refers to a PDF document. looks something like: list.aspx/GetSomeFile?derpy_id=546516565484844848441&year=2020. Unsure if that's tripping up MBAM.
• This machine is new as of yesterday (03.07.21)

I want the user to be able to use their default browser. I'm using Chrome right now.

Please advise.

Much appreciated, community.

 

[CompComp]

Hi also I am a programmer in VBA. I see no one is responding to you, so I don't know if this will console you but yesterday I had the same experience of error with exploits. I have installed the same version of Malwerbytes on my PC. I assume it is a false positive but it is rather annoying and you do not understand why since it is a very normal automation function. It also aborts the entire understood Excel process in a brutal way (with possible data loss). To solve this problem I am looking for workarounds in VBA but so far I have not found any. In the meantime if you have solved it please let me know how. Thanks and greetings

 

[Dan_W]

Hi - I also get dinged by my antivirus software - all the time. It's very annoying, but to be fair, a lot of malware is circulated by way of Office Documents, and they're coded in VBA, so it's not an unreasonable assumption that an Excel spreadsheet that is downloading something from the web could be suspicious. As the output states, no malicious code found, so I expect that it is a false positive.

As an alternative, the following code also downloads files from the web - this version below can download and write binary data (pictures, etc.) I've adapted it to your code above. Hope this helps, but let me know if you have any problems:

Sub DownloadFileFromWeb()

    Dim strSavePath As String
    Dim URL As String, ext As String
    Dim buf, ret As Long
    URL = Worksheets("SheetName").Range("H3").value 'Getting the URL from here at this point
    buf = Split(URL, ".")
    ext = buf(UBound(buf))
    strSavePath = "F:\loremipsumfilepath" & "DownloadedFile." & ext

    Dim objXMLHTTP As Object
    Set objXMLHTTP = CreateObject("Microsoft.XMLHTTP")
    objXMLHTTP.Open "GET", URL, False
    objXMLHTTP.send

    If objXMLHTTP.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write objXMLHTTP.responseBody
        oStream.SaveToFile strSavePath, 2 ' 1 = no overwrite, 2 = overwrite
        oStream.Close
    End If

End Sub

 

[Dan_W]

Apologies, I forgot to Dim the oStream variable. Revised code below, along with two other options for modes to download files - MSXML2.serverXMLHTTP and MSXML2.XMLHTTP. It is just a matter of uncommenting the relevant line and replace it with the current line.

Sub DownloadFileFromWeb()

    Dim strSavePath As String
    Dim URL As String, ext As String
    Dim buf, ret As Long
    URL = Worksheets("SheetName").Range("H3").value 'Getting the URL from here at this point
    buf = Split(URL, ".")
    ext = buf(UBound(buf))
    strSavePath = "F:\loremipsumfilepath" & "DownloadedFile." & ext

    Dim objXMLHTTP As Object, oStream As Object
    Set objXMLHTTP = CreateObject("Microsoft.XMLHTTP")
    'Set objXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP")
    'Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
    objXMLHTTP.Open "GET", URL, False
    objXMLHTTP.send

    If objXMLHTTP.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write objXMLHTTP.responseBody
        oStream.SaveToFile strSavePath, 2 ' 1 = no overwrite, 2 = overwrite
        oStream.Close
    End If

End Sub