MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.005 Visual Basic
The critical heuristic 'OLE_VBA_PS' indicates that VBA code within the document references PowerShell. The 'macros.bas' file contains obfuscated VBA code, including a Base64 decoding function, which likely decodes and executes a payload. The presence of 'cmd.exe' and 'GetObject' calls further suggests execution of external commands or scripts. The primary intent appears to be downloading and executing a second-stage payload via PowerShell, as indicated by the heuristics and the nature of the VBA code.
Heuristics 5
-
PowerShell reference in VBA critical OLE_VBA_PSPowerShell reference in VBA
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBA
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas863ac75e64fe9ab21afa0b415d798e9e8827655f28f702167a90ae5591d1979d |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 35036 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 shell/COM execution token(s).
|
|||
vbaProject_00.bin44fb7cb21ba1f9294239e38a754190d03a880eedfa2f39ff8179c247c823e289 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 11264 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.