MALICIOUS
82
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_STAGER' indicates that VBA macros are used to launch decoded Excel 4.0 macros. The VBA script contains obfuscated logic that appears to construct and execute commands, likely to download and execute a second-stage payload. The presence of 'seller' in the document body and as a control name suggests a potential lure related to online marketplaces.
Heuristics 3
-
VBA ActiveX event launches decoded Excel4 macro critical OLE_VBA_ACTIVEX_XLM_STAGERVBA code attached to an auto-firing ActiveX/UserForm control event (e.g. _Layout/_Change/_Painted) decodes a string with Replace/Split/Join/StrReverse/Chr and passes the recovered formula text to ExecuteExcel4Macro. This bridges VBA event activation into XLM formula execution to call Win32 APIs / drop payloads while evading AutoOpen and Shell keyword detection — a high-confidence macro stager, not a specific Office parser CVE.
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas5c4734a75372bd0c102f2ac5cd5923e4742d5a9370c49b3d6c2875a78d45aa54 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1571 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.