Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains VBA macros that use the Shell() function and obfuscated PowerShell commands to download and execute a second-stage payload. The script reconstructs the PowerShell command to download 'audio.exe' from 'http://13.92.100.208/toks/audio.exe' and saves it as 'Brznatqyjaodlncwtvecpod.bat' before execution. The document body presents a fake purchase order to lure the user into enabling macros.
Heuristics (4)
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- VBA project inside OOXML (medium, OOXML_VBA): Document contains a VBA project, so VBA macros are present.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| macros.bas | 4ac5c67d2f12de4cab70cb49d7442f610d17b3cf65ee82b1790ce65b94d517ad | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 2188 bytes | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob). |
| vbaProject_00.bin | 27bf4b1c68b7a53323962fd8daaf03c8d65dfe1db1584884d5fd08f421973588 | vba-project | OOXML VBA project: xl/vbaProject.bin | 6144 bytes | |