Analysis of njRAT PowerPoint Macros
Published: 2022-01-12 · Archived: 2026-04-05 22:51:31 UTC
I wanted to do a quick write-up on an interesting PowerPoint macro document that contains njRAT. njRAT is a
.NET trojan first identified in 2013 that has largely targeted countries in the Middle East as well as South America.
The malicious document can be found via MalwareBazaar:
https://bazaar.abuse.ch/sample/edba3ca498110106418658167533034aeb929276fe81de80c6de1a6bb95120e0
Information Gathering
When triaging a suspected malicious file, running one of the many scripts from OLETools is a must. The
malicious PowerPoint has the extension .ppm, so we will run Olevba and see what it outputs.
Figure 1 Olevba output
Our suspicions are confirmed that this document not only contains macro code (Auto_Open), but also spawns
WScript.exe, creates and drops files, communicates with a URL.
The output from Olevba provides a roadmap of where to start our analysis methods. Let’s first take a look at
x.vbs:
https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/
Page 1 of 5

Figure 2
Before we dive into the VBS code, I had to start off with the image above in Figure 2. The document starts with
almost 100 lines of colons but has this helpful string identifying a recent update to the njRAT malware.
Much of the script is obfuscated, however, this does not prevent us from gaining an understanding of what the
document is capable of.
Figure 3 x.vbs
In Figure 3, we can clearly make out the word “Startup” reversed at the DiUwd variable. A few lines down, we see
some string concatenation, an if-else block, as well as a call to WScript.Shell.
Forgive me for skipping around, but much of what comes after the code in Figure 3 is more concatenation and
reversed letters I would rather not waste time on. Scrolling down further, we finally see some interesting calls to
replace and references to PowerShell.
https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/
Page 2 of 5

Figure 4
If you have analyzed malicious macro documents before the above is likely familiar. We have Base64 data to
decode as well as a few items to replace: the ‘££’ is replaced with ‘A’, and ‘%HVDiHGRjuC%’ is replaced with an
empty string.
At the very top of the image, we can see that WScript.exe will make a request to hxxps://wtools.io/code/raw/b833.
Figure 5: Before replacing characters
Figure 6:
Once all characters are replaced and combined, we can throw the Base64 encoded data in CyberChef to see what’s
behind the curtain (the ‘TVqQ’ maybe a giveaway).
Figure 7 Decoded output
In figure 7 we can see all the replacing and reversing was done to cloak an executable file.
https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/
Page 3 of 5

Scrolling down some in CyberChef an additional URL and PDB path are visible in the CyberChef output.
Figure 8
Powershell is once again used to download and convert the text file above into another VBS file.
The above URL is hxxps://ia904600.us.archive.org/4/items/rumpe-03/Rumpe03.txt.
The PDB path is
C:\Users\pjoao\Desktop\UpCry\MetodoDF\CLassLibrary3\obj\Release\ClassLibrary3.pdb
Viewing a memory dump of the executed malware produces the configuration that includes identifiers that may
assist defenders in hunting this remote access trojan.
Figure 9
RegAsm.exe, the .NET framework Assembly Registration tool makes two DNS requests for the above domain,
fidapeste2[.]duckdns[.]org. No additional network traffic to that domain was identified.
The .NET assembly is loaded utilizing PowerShell’s [AppDomain]::CurrentDomain.Load() method.
At the end of the output in figure 9 is a base64 encoded string, ‘TllBTiBDQVQ=, which decodes to NYAN
CAT.
The 0.7NC signifies the version of njRAT, as well as the identifier for NYAN CAT, ‘NC”.
https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/
Page 4 of 5

‘a918117a6dc84b8a’ is utilized as a mutex to prevent a second infection of the victim.
Last but not least, ‘@!#&^%$’ acts as a delimiter for information siphoned to the attacker command and
control infrastructure.
This was a pretty quick analysis but served as a great learning experience. I hope to make more quick posts like
this in the future. Thanks for reading!
Source: https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/
https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/
Page 5 of 5