MALICIOUS
260
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Win.Trojan.Tristate-2. Static analysis revealed VBA macros that utilize CreateObject and GetObject, indicative of malicious intent. The macro code attempts to modify registry keys related to Excel startup behavior, likely to establish persistence or facilitate payload execution. The presence of VBA macros strongly suggests this file was delivered as a spearphishing attachment.
Heuristics 6
-
ClamAV: Win.Trojan.Tristate-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Tristate-2
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 30,720 bytes but its declared streams total only 8,173 bytes — 22,547 bytes (73%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basde99fe02810b2a5012800dc26094bcc7470b40691e63498db300df04769ba8df |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9704 bytes |
|
Detection
ClamAV:
Doc.Trojan.Tristate-1
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.