MALICIOUS
140
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_STAGER' indicates that an ActiveX event triggers a deobfuscated Excel 4.0 macro. The VBA script contains functions for string manipulation and execution of Excel 4.0 macros via 'ExecuteExcel4Macro'. This suggests the primary purpose is to download and execute a secondary payload, characteristic of a dropper.
Heuristics 3
-
VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGERVBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
-
ClamAV: Doc.Dropper.Agent-8012317-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-8012317-0
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.base5475b53af7c7f7eae694fdf76ad54a4843f35599fac9907ae8a6c0b6f485604 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1645 bytes |
vbaProject_00.bin27594ecce3e22f33005e3d254de2438bbc01fa92aa0c8328b3327b2cf409de79 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 18432 bytes |
emf_00.emf8cd5911e059629ad27f3e6f7ffaa9947ac75b5a3a39d30ffeeceaf7ee9e8829d |
ooxml-emf | OOXML EMF part: xl/media/image1.emf | 3408 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.