MALICIOUS
342
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The file contains VBA macros that utilize Shell() and CreateObject() functions, indicative of malicious intent. Specifically, the macros are designed to download and save a file to disk using HTTP, which is a common technique for delivering second-stage payloads. The ClamAV detection further supports its malicious classification.
Heuristics 8
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usage
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
-
ClamAV: Doc.Downloader.00536d-6923444-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.00536d-6923444-0
-
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas8c7dce294e98eea6f32b108b60657aa238b973e7ca538060da2c96be1ae99487 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4864 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.