MALICIOUS
188
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The file is an Office document containing a VBA macro, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening. The ClamAV heuristic identifies the file as 'Doc.Trojan.Thus-7', indicating a known malicious document. The document body presents a seemingly innocuous news story about a Pepsi event to encourage macro execution. The VBA macro is likely responsible for downloading and executing a second-stage payload, as suggested by the critical ClamAV detection on an extracted artifact.
Heuristics 5
-
ClamAV: Doc.Trojan.Thus-7 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Thus-7
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Urgency / deadline lure low SE_URGENCY_LUREDocument contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basc6b2c6670c2f43fc06a5bbad9e129fbd6eef2f67ac3b7f459ce6241e3f13568b |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18976 bytes |
|
Detection
ClamAV:
Doc.Trojan.Thus-7
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.