MALICIOUS
300
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is identified as malicious by ClamAV with a specific detection name (Ppt.Exploit.Apptom-10029459-0). High-severity heuristics indicate the presence of VBA macros, specifically an AutoOpen macro and CreateObject calls, which are commonly used to execute malicious code. References to VirtualProtect, LoadLibrary, and GetProcAddress APIs suggest dynamic code execution or unpacking. The extracted artifact 'macros.bas' is a VBA macro, likely responsible for the malicious behavior. The document body contains garbled text, offering no clear lure.
Heuristics 8
-
ClamAV: Ppt.Exploit.Apptom-10029459-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Ppt.Exploit.Apptom-10029459-0
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas7403e4728955600b20e1b11715dae9328df16f95bc7db40bf64d8dfe55835d1d |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1005 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.