MALICIOUS
168
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The critical heuristic 'OLE_VBA_HTTP_DROP_EXEC' indicates that the VBA macros are designed to download a file from an HTTP URL and save it to disk, likely for execution. The script attempts to construct a URL by concatenating strings, and although obfuscated, it appears to be downloading a payload. The presence of 'CreateObject' and 'GetObject' calls further suggests complex macro execution. The reconstructed URL is 'http://192.168.1.100/payload.exe' and a persistence registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy' was identified.
Heuristics 5
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas2d36ac25e4b933a673ef064fdd92c4bee7e6c5a1314ac49e62b40997d89f7ef1 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3753 bytes |
vbaProject_00.bin1180379219b2ac551e5a802f2dbd9e4ca5b3f28a89f127a1fbe761383ad49174 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 36352 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.