MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample contains VBA macros, specifically an Auto_Open macro that utilizes GetObject to execute code. The script constructs a URL by concatenating strings: "a http://" + "bitly.com/asdkjasdhsudiqowiudqw". This URL is then passed to the ExEc method of an object obtained via GetObject, indicating a likely download and execution of a second-stage payload. The renaming of the VBA project part and the use of Auto_Open are common evasion and execution techniques.
Heuristics 5
-
VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMEDThe VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/Javar.b)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas1350c9bd2cf26ab077eed7942144475e7eb0da643708be5a2a67398e10a642d0 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2085 bytes |
vbaProject_00.binf2e89a95e779892d446557904d4fa0e93869662e26d6dcfd1c1baf9db333edc5 |
vba-project | OOXML VBA project: ppt/Javar.b | 30720 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.