MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1105 Ingress Tool Transfer
The sample is identified as Win.Trojan.Tristate-2 by ClamAV, indicating malicious intent. The VBA macros contain logic to manipulate Windows registry keys related to Excel startup behavior, likely to establish persistence or facilitate payload execution. The script also attempts to add code to the NormalTemplate and ActiveDocument, suggesting it aims to infect the user's Word environment and potentially download and execute further stages.
Heuristics 6
-
ClamAV: Win.Trojan.Tristate-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Tristate-2
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 59,392 bytes but its declared streams total only 23,585 bytes — 35,807 bytes (60%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basdd5bf08a8a746fe7c35b6e4f371807dc0b644c7f39dffba3c4eab1b35339f2fe |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9421 bytes |
|
Detection
ClamAV:
Doc.Trojan.Tristate-1
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.