{
	"id": "717b2baf-aef4-497d-a185-feb2eb22f850",
	"created_at": "2026-04-06T00:07:02.910289Z",
	"updated_at": "2026-04-10T03:20:21.61055Z",
	"deleted_at": null,
	"sha1_hash": "c0ad619c2a45c6587da13b39cc29a4a09b1de841",
	"title": "Analysis of njRAT PowerPoint Macros",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 830021,
	"plain_text": "Analysis of njRAT PowerPoint Macros\r\nPublished: 2022-01-12 · Archived: 2026-04-05 22:51:31 UTC\r\nI wanted to do a quick write-up on an interesting PowerPoint macro document that contains njRAT. njRAT is a .NET trojan first identified in 2013 that has largely targeted countries in the Middle East as well as South America.\r\nThe malicious document can be found via MalwareBazaar:\r\nhttps://bazaar.abuse.ch/sample/edba3ca498110106418658167533034aeb929276fe81de80c6de1a6bb95120e0\r\nInformation Gathering\r\nWhen triaging a suspected malicious file, running one of the many scripts from OLETools is a must. The malicious PowerPoint has the extension .ppm, so we will run Olevba and see what it outputs.\r\nFigure 1: Olevba output\r\nOur suspicions are confirmed: this document not only contains macro code (Auto_Open), but also spawns WScript.exe, creates and drops files, and communicates with a URL.\r\nThe output from Olevba provides a roadmap for where to start our analysis. Let’s first take a look at x.vbs:\r\nhttps://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/\r\nPage 1 of 5\r\nFigure 2\r\nBefore we dive into the VBS code, I had to start off with the image above in Figure 2. The document starts with almost 100 lines of colons but has this helpful string identifying a recent update to the njRAT malware.\r\nMuch of the script is obfuscated; however, this does not prevent us from gaining an understanding of what the document is capable of.\r\nFigure 3: x.vbs\r\nIn Figure 3, we can clearly make out the word “Startup” reversed at the DiUwd variable. A few lines down, we see some string concatenation, an if-else block, as well as a call to WScript.Shell.\r\nForgive me for skipping around, but much of what comes after the code in Figure 3 is more concatenation and reversed letters I would rather not waste time on. Scrolling down further, we finally see some interesting calls to replace and references to PowerShell.\r\nFigure 4\r\nIf you have analyzed malicious macro documents before, the above is likely familiar. We have Base64 data to decode as well as a few items to replace: the ‘££’ is replaced with ‘A’, and ‘%HVDiHGRjuC%’ is replaced with an empty string.\r\nAt the very top of the image, we can see that WScript.exe will make a request to hxxps://wtools.io/code/raw/b833.\r\nFigure 5: Before replacing characters\r\nFigure 6\r\nOnce all characters are replaced and combined, we can throw the Base64-encoded data into CyberChef to see what’s behind the curtain (the ‘TVqQ’ may be a giveaway).\r\nFigure 7: Decoded output\r\nIn Figure 7, we can see that all the replacing and reversing was done to cloak an executable file.\r\nScrolling down further in CyberChef, an additional URL and a PDB path are visible in the output.\r\nFigure 8\r\nPowerShell is once again used to download and convert the text file above into another VBS file.\r\nThe above URL is hxxps://ia904600.us.archive.org/4/items/rumpe-03/Rumpe03.txt.\r\nThe PDB path is C:\\Users\\pjoao\\Desktop\\UpCry\\MetodoDF\\CLassLibrary3\\obj\\Release\\ClassLibrary3.pdb\r\nViewing a memory dump of the executed malware reveals the configuration, which includes identifiers that may assist defenders in hunting this remote access trojan.\r\nFigure 9\r\nRegAsm.exe, the .NET Framework Assembly Registration tool, makes two DNS requests for the above domain, fidapeste2[.]duckdns[.]org. No additional network traffic to that domain was identified.\r\nThe .NET assembly is loaded utilizing PowerShell’s [AppDomain]::CurrentDomain.Load() method.\r\nAt the end of the output in Figure 9 is a Base64-encoded string, ‘TllBTiBDQVQ=’, which decodes to NYAN CAT.\r\nThe 0.7NC signifies the version of njRAT, as well as the identifier for NYAN CAT, ‘NC’.\r\n‘a918117a6dc84b8a’ is utilized as a mutex to prevent a second infection of the victim.\r\nLast but not least, ‘@!#\u0026^%$’ acts as a delimiter for information siphoned to the attacker’s command and control infrastructure.\r\nThis was a pretty quick analysis but served as a great learning experience. I hope to make more quick posts like this in the future. Thanks for reading!\r\nSource: https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/"
	],
	"report_names": [
		"analysis-of-njrat-powerpoint-macros"
	],
	"threat_actors": [],
	"ts_created_at": 1775434022,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0ad619c2a45c6587da13b39cc29a4a09b1de841.pdf",
		"text": "https://archive.orkl.eu/c0ad619c2a45c6587da13b39cc29a4a09b1de841.txt",
		"img": "https://archive.orkl.eu/c0ad619c2a45c6587da13b39cc29a4a09b1de841.jpg"
	}
}