MALICIOUS
82
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file is an OLE document with a high-severity heuristic indicating VBA p-code auto-execution via CreateObject. Although VBA macros could not be extracted due to an unsupported format, the presence of auto-execution tokens strongly suggests an attempt to run malicious code. The document body contains text that appears to be a Russian leave request form, which is likely a lure to trick the user into opening the malicious document.
Heuristics 3
-
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
VBA project contains no executable statements info 1 related finding OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Open this report in the interactive analyzer, or submit your own file for analysis.