MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059.001 PowerShell
T1140 Deobfuscate or Obfuscate
The sample contains VBA macros, specifically a Document_Open macro, which is designed to execute automatically. Critical heuristics indicate the use of a VBA property-stored shellcode loader that instantiates the dangerous COM class WScript.Shell. The macro attempts to read shellcode from document properties and execute it in memory, likely to download and run a second-stage payload.
Heuristics 5
-
VBA property-stored shellcode loader critical OLE_VBA_PROPERTY_SHELLCODE_LOADERVBA auto-exec macro takes the address (VarPtr) of a byte buffer decoded from a document property, marks memory executable (VirtualProtect/VirtualAlloc), and transfers control through a callback API (e.g. SetTimer/EnumWindows). The payload is hidden in the document properties rather than the macro source — the SVCReady loader pattern, a native shellcode runner rather than a parser CVE.
-
VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUSVBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas00b1f503c667c218cead69a73db0fa0c1e9a2337861a96a8d0fb13852f7612f6 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3114 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.