MALICIOUS (Risk Score: 240)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The file is an Excel spreadsheet containing VBA macros. The macros utilize WScript.Shell and the Shell() function, indicating an attempt to execute arbitrary commands. The ClamAV detection 'Doc.Dropper.Agent-7863714-0' suggests this dropper functionality is intended to download and execute a secondary payload. The VBA code appears to construct a command string from constants within the document, which is then executed.
Heuristics 5
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage
- ClamAV: Doc.Dropper.Agent-7863714-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-7863714-0
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA project inside OOXML (medium, OOXML_VBA): Document contains a VBA project — VBA macros present
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas 6cd89edc222496ec4d16f4c22cb6a60f1eb3b28a5fa0e362898332e6bd288921 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1274 bytes |
| vbaProject_00.bin 2853d0207b1a8a0ebc20537518581eae67b0882f453d645aa86995bfe0f37903 | vba-project | OOXML VBA project: xl/vbaProject.bin | 16896 bytes |
| emf_00.emf 765ef826e4c0f85a4b7d1bb4d529403984a4a3edafb147897d9544801de2e9ae | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2796 bytes |
| emf_01.emf 1ba28807701f1477cac770c3cc12a7164ebb0db67f3a65a37e43271a037a86bd | ooxml-emf | OOXML EMF part: xl/media/image2.emf | 1408 bytes |