Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1c04bec32a84dfbb…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 3.08 MB
Created: 2014-04-13 12:24:33 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-01-23
MD5: 66c3894cf9ca7ce413e602f89134c1e6
SHA-1: 4580f2b2af12478a98086bc6973d72441ab556f7
SHA-256: 1c04bec32a84dfbbf6e3b8c48b73cc21c6a2d543b48f8b3b909ccc71f5b3c200
Risk Score: 186

Heuristics (8)

  • VBA project inside OOXML (severity: medium; rule: OOXML_VBA; 5 related findings)
    Document contains a VBA project — VBA macros present
  • WScript.Shell usage (severity: critical; rule: OLE_VBA_WSCRIPT)
    WScript.Shell usage
    Matched line in script
    Set WshShell = CreateObject("WScript.Shell")
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
    Set BinaryStream = CreateObject("adodb.stream")
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • VBA project signed with a self-signed certificate (severity: low; rule: OLE_VBA_SIGNATURE_SELF_SIGNED)
    The VBA project is signed, but the signing certificate is self-signed (issuer equals subject) — no certificate authority vouches for the signer. Self-signed VBA signing is the common trick to make a macro project appear signed/trusted without a real publisher identity.
  • Workbook_Open macro (severity: low; rule: OLE_VBA_WBOPEN)
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()
  • Hidden worksheet (veryHidden) (severity: low; rule: OOXML_HIDDEN_SHEET)
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Large OOXML part skipped (severity: info; rule: SCAN_INCOMPLETE)
    One or more high-value OOXML parts exceeded the scanner's per-entry size cap and may not have been fully inspected.