MALICIOUS
290
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample contains a Document_Open VBA macro that uses CreateObject and Shell() calls, indicating it attempts to execute arbitrary code. This macro likely downloads and executes a second-stage payload from one of the embedded URLs. The presence of an appended OLE payload further supports this malicious behavior.
Heuristics 9
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOADOLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.URL https://tkswift.com/wbP*Kg
- https://brandvoxtech.cogI3Gi\qm/wp-contegI3Gi\qnt/plugins/premium-agI3Gi\qddgI3Gi\qons-for-elementgI3Gi\qor/widgets/dep/DPOySTqLqjmhG.php
- https://reachmedical.in/zB0Cj
- https://pillsdDuXmZJaddy.com/a|KAVv
- https://rockconsultllc.com/Malik2/wp-content/plugins/bluehost-wordpress-plugin/build/KhPxqrfzEA.PGqU&14php
- https://reachmedical.in/zB0Cjhchanges/uploads/file_formatzB0CjhzB0Cjh/5vixzB0CjhBSDMmITU.php
- https://marcoLtSIcferriarchitectLtSIc.com/wp-content/pLtSIclugins/wp-optimize/css/tLtSIcablesorter/zjTG2uJlLtSIcKEev.phLtSIcp
- https://resaltokU0,VdigitakU0,Vl.com/wp-kU0,VcontentkU0,V/uploads/jupitekU0,Vrx/compiler/kU0,Vjupiterx/qwrSrMZN.php
- https://stskleen.com^m3u*P.au/wp-content/plugins/w^m3u*Poocommerce^m3u*P-services^m3u*P/d^m3u*Pist/chunks/CaUGJzgC.php
- https://pillsdDuXmZJaddy.com/wp-includes/js/tinymcDuXmZJe/themeDuXmZJs/inlite/vyQ9DuXmZJP2Q9.php
- https://braFTPessilvioleiro.cFTPesom.br/wp-content/cache/objectFTPes/e3c/9ab/rSpBh8UFTPesHQFTPesx8r.pFTPeshp
- http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.base9ba52b6a1ec2db43fdc360b7cd0f3ee2e180bfc6a9007fd19a39a900dbb71a5 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 141483 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.