# Is there a way to find out if an AutoHotKey (Macro) download is malicious without downloading it.


hard jasper

Is there any way to find out if an autohotkey script is a token logger without downloading the script itself?

My friend is using a macro which I also used for 9 hours but then got token logged, so I want to find out if what he sent me is what caused it or if it was something else. Just want to have peace of mind to know if it was or wasn't him 😂


He's using the script himself to macro a game and hasn't had the same experience as I have. I tried to google if there's a way to view the code to see if the script itself has anything that caused it, or if the download itself was the logger, but I haven't really got a clue when it comes to this shit, so hoping someone else has more brains than I do.

upbeat tendon

If they're using the same AHK program but haven't experienced issues, it's unlikely the AHK program that got you, assuming you were given the EXACT same UNMODIFIED script.

hard jasper

But regardless of being hacked and losing all my stuff in the game, he hasn't blocked me and offered to give me some stuff to help out.

My irl friend asked his mate if he could check out the scripts themselves as he does coding, to see if there's anything that flags them as suspicious or as the cause of my issue, and he couldn't find anything related to discord, api, cookies, tokens, but I was still skeptical about using the script after, just in case.

flat comet

token stealers would very likely not log you out. malware is designed to be invisible, to keep you hooked for as long as possible

upbeat tendon

Whatever caused your accounts to be stolen is still unknown. Could've been this thing you ran, could've been something else later. If you want to spend time investigating, sure, go ham! But it may be a frivolous endeavor, especially if you didn't keep a forensic copy of your system prior to reinstalling. Plus... Investigating such things is no small task. See video I linked.
https://youtube.com/watch?v=PM-yWmlrZYA

flat comet

could've also been something earlier that sat dormant for who knows how long

hard jasper

Or could it have been, rather.


Because I've got 2fa on my accounts, and phone linked but had no emails or 2fa codes come through

flat comet

session stealers and token stealers completely bypass 2FA


because the token is your authentication saying that you've done the 2FA and you're really who you say that you are


same with the session cookie from the browser

upbeat tendon
> flat comet: because the token is your authentication saying that you've done the 2FA and you...

I know IP Geo databases aren't accurate, but also... It's 2025. You'd think most services would at least get suspicious if they see a session token that was given to a client device using an IP from CountryA is suddenly being used 6000km away on a device connected to an IP from CountryB. But no - they just go "ah, yes, it must be the same user. We should definitely trust that their device wasn't hacked and token stolen. Yup. This is how you do security in 2025."

flat comet

yeah


because if they don't do anything, it won't cost them any more money


i think 2FA should also be required for changing passwords or usernames/emails if you have it set up


because that's literally the point of 2FA: to have an extra step to make sure you are who you say you are BESIDES just a password (which is all that's required to change a password, your old password)

hard jasper

Is there any way to safely find out if the macro is what got me hacked though?


I did research and it said to use a VM, but I'm not sure how that works so I didn't wanna risk it

upbeat tendon

If the AHK script was compiled using a version of AHK made in the last 10 years, it's likely not decryptable, so indeed you'd have to be skilled in active malware analysis and/or debugging to see what it's doing.