MALICIOUS
290
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.003 Windows Command Shell
T1566.002 Spearphishing Attachment
The sample is an Excel file containing a Workbook_Open VBA macro that utilizes WScript.Shell and CreateObject to execute commands. This macro is designed to download and execute a second-stage payload from one of the embedded URLs. The presence of an appended OLE payload further indicates malicious intent.
Heuristics 9
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usage
-
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOADOLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.URL https://goodie������HX�����^
- https://mobile3&k�X���|��h[-�SN�O���f�%[\j���r���b
- https://ptti.dexsandbox.com/w�O
- https://zankzakartig
- https://event.cyberwoodz.site/wp-includes/js/tinymce/plugins/charmap/sWefpNQap.phpUYNqMfa&cENQ
- https://goodiesmariage.e-m2.net/wp-contenp.\!Jrt/themes/a-one/woocommerce/global/pV8mYVETWrj.php
- https://dev1.naturalgraphic.hu/wp-content/plugins/contact-form-7/includes/css/AelYw0GmG44Zz.php4\Y$3Yb&\
- https://mobile-landing.ishr.co.in/wp-content/pEK!=qlugins/widgetkit-for-elementor/vendor/appsero/4vab4JkBLp.php
- https://ptti.dexsandbox.com/wp-content/plugins/all-in-one-wp-migration-unlimited-extension/lib/controller/1I68ugOo4iMen.php0.L8;cCAx59:96U2
- https://zankzakartigosesportivos.com.br/loja/wp-includes/SimplePie/Content/Type/3sLExhiYtVuTS.php5cxg
- https://indusautomobile.com/products/products_files/cyHU7pVS.php3
- https://highend.pk/wp-content/plugins/goodlayers-core-twitter/twitteroauth/src/cCNoEJ4wXkpJ.phpi%M2M!f
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basfdf1639ad8ab2c0146910f6c4b7712c48b5942b3a045b37c9429e0505a550ecc |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 116688 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.