MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1204.002 Malicious File
T1105 Ingress Tool Transfer
T1027 Obfuscated Files or Information
The critical heuristic 'OLE_VBA_PROPERTY_SHELLCODE_LOADER' indicates that the VBA macro is designed to load and execute shellcode stored within a document property. The 'OLE_VBA_GETOBJECT_CLSID_DANGEROUS' heuristic further confirms the use of 'WScript.Shell' to facilitate this execution. The 'Document_Open' macro is triggered automatically, suggesting an attempt to immediately run the malicious payload upon opening the document. The shellcode likely acts as a downloader for a second-stage payload.
Heuristics 5
-
VBA property-stored shellcode loader critical OLE_VBA_PROPERTY_SHELLCODE_LOADERVBA auto-exec macro takes the address (VarPtr) of a byte buffer decoded from a document property, marks memory executable (VirtualProtect/VirtualAlloc), and transfers control through a callback API (e.g. SetTimer/EnumWindows). The payload is hidden in the document properties rather than the macro source — the SVCReady loader pattern, a native shellcode runner rather than a parser CVE.
-
VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUSVBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basd0b1c607d130dd9ea378f347ee405dca0bd6af2ce39240378d3358ee32c2dc7b |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3114 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.