Verdict: MALICIOUS
Risk Score: 190

Heuristics (7)

- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6334612-0
- External relationship (high, OOXML_EXTERNAL_REL): External target in word/_rels/settings.xml.rels: file:///G:\Templates\Steering Board templates\SB Document.dotm
- VBA project inside OOXML (medium, OOXML_VBA, 1 related finding): Document contains a VBA project — VBA macros present
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Embedded OLE object (medium, OOXML_OLE_OBJECT): Document contains an embedded OLE object
- External hyperlinks (1) (low, OOXML_EXTERNAL_HYPERLINKS): Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: http://www.eda.europa.eu
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

| URL | Channel |
|---|---|
| http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas | OOXML external relationship |
| http://schemas.openxmlformats.org/markup-compatibility/2006 | OOXML external relationship |
| http://schemas.openxmlformats.org/officeDocument/2006/relationships | OOXML external relationship |
| http://schemas.openxmlformats.org/officeDocument/2006/math | OOXML external relationship |
| http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing | OOXML external relationship |
| http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing | OOXML external relationship |
| http://schemas.openxmlformats.org/wordprocessingml/2006/main | OOXML external relationship |
| http://schemas.microsoft.com/office/word/2010/wordml | OOXML external relationship |
| http://schemas.microsoft.com/office/word/2012/wordml | OOXML external relationship |
| http://schemas.microsoft.com/office/word/2010/wordprocessingGroup | OOXML external relationship |
| http://schemas.microsoft.com/office/word/2010/wordprocessingInk | OOXML external relationship |
| http://schemas.microsoft.com/office/word/2006/wordml | OOXML external relationship |
| http://schemas.microsoft.com/office/word/2010/wordprocessingShape | OOXML external relationship |
| http://www.eda.europa.eu | Document hyperlink |
Extracted artifacts (4)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 320 bytes | 42bca1ea71067a4ac0f136efc08a661ef9bc6bf36fd54f8b4fdb61ddc6869fee |
| ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/Microsoft_Word_Document1.docx | 16142 bytes | 9a4c5ab14951faf158c15a0892cce318abfbe8546cd3e33ec06c4feb9623dbf6 |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 31744 bytes | 0b42322a126a69efb5734a41b1a8b6746225462dd0d06e6680d924ca51ffe4c9 |
| emf_00.emf | ooxml-emf | OOXML EMF part: word/media/image1.emf | 100212 bytes | 2a70b395de77141f2fa4962d604771c1e6ca0775a01781f74930db91862ad864 |

Preview of macros.bas (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
```