MALICIOUS
68
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature Win.Trojan.Tristate-2. Although the VBA project contains no executable statements according to static analysis, the presence of a VBA macro suggests an attempt to leverage macro execution for malicious purposes, likely as a downloader for a secondary payload. The file's origin as an Office document implies it was likely delivered via spearphishing.
Heuristics 2
-
ClamAV: Win.Trojan.Tristate-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Tristate-2
-
VBA project contains no executable statements low OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 248 bytes |
SHA-256: 75702493909463bf8093aec8b508fcc96c561fa55dfe899fecd271624a111a7a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.