Malware Insights
The file is an Office OLE executable containing both VBA and Excel 4.0 macros, indicated by multiple high and critical heuristic firings including OLE_XLM_AUTOOPEN, OLE_VBA_MACROS, and OLE_VBA_PCODE_AUTOEXEC_EXEC. The presence of Auto_Open macros suggests an attempt to automatically execute malicious code upon opening. The VBA code includes calls to CreateObject, often used to instantiate malicious objects or execute further stages. While the exact payload is not clear due to truncation, the combination of macro types and auto-execution features points to a malicious document designed to be delivered via spearphishing.
Heuristics 6
- Excel 4.0 (XLM) Auto_Open + macro sheet (critical, OLE_XLM_AUTOOPEN): Workbook contains an Auto_Open / Auto_Close defined name together with an Excel 4.0 macro sheet — the canonical XLM auto-execution shape used by malware families such as Emotet and QakBot.
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas 5756813f23d3d29770834e58a914e113f22acaa4db2df4f96686e90360a904ef | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24930 bytes |