MALICIOUS
70
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a DOCM file containing a VBA project with a Document_Open macro. This macro is designed to execute automatically when the document is opened after macros are enabled. The macro attempts to remove personal information and update tables of contents, likely as a cleanup or obfuscation step before potentially downloading additional payloads. The presence of a fake invoice lure heuristic further supports a social engineering attack vector.
Heuristics 4
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.microsoft.com/office/2019/extlst
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2018/wordml/cex
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2018/wordml
- http://schemas.microsoft.com/office/word/2023/wordml/word16du
- http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash
- http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlock
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas05297c3a27714939c1bcf8a114e541d5233f94d6b97cdc29128aec47bbc81aa4 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1705 bytes |
vbaProject_00.bin0ceb9b19dfaa3eb5ab58ba4c363b9c2fc7a145de7bae65fad484d288bd768f29 |
vba-project | OOXML VBA project: word/vbaProject.bin | 20992 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.