MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.005 Visual Basic
T1059.001 PowerShell
T1140 Deobfuscate or Obfuscate Malicious Code
T1027 Obfuscated Files or Information
The sample is an OOXML document containing a VBA macro that is obfuscated and uses a Document_Open macro to execute. The macro employs techniques like VirtualProtect, SetTimer, and CallByName, suggesting it's designed to load and execute shellcode. The document body explicitly instructs the user to 'Enable editing' and 'Enable content', a common lure for macro-based malware.
Heuristics 9
-
VBA property-stored shellcode loader critical OLE_VBA_PROPERTY_SHELLCODE_LOADERVBA auto-exec macro takes the address (VarPtr) of a byte buffer decoded from a document property, marks memory executable (VirtualProtect/VirtualAlloc), and transfers control through a callback API (e.g. SetTimer/EnumWindows). The payload is hidden in the document properties rather than the macro source — the SVCReady loader pattern, a native shellcode runner rather than a parser CVE.
-
VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMEDThe VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
CallByName call high OLE_VBA_CALLBYNAMECallByName call
-
VBA reads reversed config from document properties high OLE_VBA_REVERSED_DOCPROP_CONFIGVBA applies StrReverse to values read from the document's custom/built-in properties. Storing reversed configuration (URLs, CLSIDs, env-var names, payload names) in document properties keeps indicators out of the macro source — an obfuscation technique used by the SVCReady loader.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/lCCKNICvlK.bin)
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas28d5128d7a45005935517c30c97ab63a039f8207e655695f632b20f77e46f9ed |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 19494 bytes |
vbaProject_00.binaa43d55825882bae73bef9c8cdf4636ace88d9774c5edcdc9b05f6938b3f0fea |
vba-project | OOXML VBA project: word/lCCKNICvlK.bin | 14848 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.