MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The file is an Excel spreadsheet containing VBA macros, including Auto_Open and Auto_Close functions. Critical heuristics indicate the use of obfuscated API names, specifically 'URLDownloadToFile', which is commonly used by malware to download and execute additional payloads. The presence of multiple embedded URLs further supports this finding, suggesting the macro attempts to fetch a second-stage payload from one of these locations.
Heuristics 6
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
ClamAV: Doc.Downloader.Docusign112100-9908075-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Docusign112100-9908075-0
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://5.196.247.6/�
- http://94.140.112.149/
- http://84.246.85.196//
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas57dbf314ba8d8e0cd5ae01430a1b3452bf5356fd0c3f739414504ecdf5e48acc |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3568 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.