Malware Insights
The file is a Microsoft Word document containing a large VBA macro, indicated by the OLE_VBA_MACROS heuristic. The presence of AutoOpen and Auto_Close macros suggests that the VBA code is designed to execute automatically when the document is opened or closed, a common technique for initiating malicious actions. The document body itself is a technical guide for setting up a project in SmartPlant Materials, likely intended to trick the user into enabling macros. While no specific malicious URLs or scripts were extracted, the presence of the large VBA macro strongly suggests it is a downloader or dropper for a secondary payload. The IOC is the embedded macro file itself.
Heuristics 4
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL:
  - http://www.apple.com/DTDs/PropertyList-1.0.dtd
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/iX/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://www.iec.ch
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas 12fb1db6cb67b980cdf43c518bb5090febbc2b2ab96c2ad3989514a2f005a757 | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 196585 bytes |