Verdict: MALICIOUS
Risk Score: 188
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1027 Obfuscated Files or Information
T1071.001 Web Protocols
T1105 Ingress Tool Transfer
The file is an Excel spreadsheet containing VBA macros. Heuristics indicate the presence of obfuscated strings and API hash resolution, suggesting the macro attempts to hide its functionality. The 'OLE_VBA_MACROS' heuristic firing with 'no executable statements' is misleading, as the other heuristics point to malicious activity. The likely intent is to download and execute a second-stage payload, but no specific URLs or commands were extracted.
Heuristics 5

| Heuristic | Severity | ID | Details |
|---|---|---|---|
| XOR-encoded strings (key 0xFF) | critical | SC_XOR_ENCODED | Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'kernel32.dll', 'advapi32.dll', 'KERNEL32.DLL', 'ADVAPI32.DLL' |
| x86 GetPC stub (CALL $+5; POP EBX) | high | SC_GETPC_CALL | x86 GetPC stub (CALL $+5; POP EBX) |
| PEB access via FS segment (x86) | high | SC_PEB_ACCESS | PEB access via FS segment (x86) |
| PEB API-hash resolver | high | SC_API_HASH_RESOLVER | PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver |
| VBA project contains no executable statements | low | OLE_VBA_MACROS | Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements. |
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (hash 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 606 bytes |