MALICIOUS
Risk Score: 88
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The OLE document contains VBA macros that are configured to execute automatically upon opening the workbook. The heuristic 'OLE_VBA_PCODE_AUTOEXEC_EXEC' specifically indicates that a 'Shell' execution token is present, suggesting the macro attempts to run an external command. While the VBA code itself is minimal and does not contain explicit download or execution logic, the presence of an auto-executing shell command is highly suspicious and indicative of a malicious macro-based document, likely delivered via spearphishing.
Heuristics 3
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 141,824 bytes but its declared streams total only 83,960 bytes; 57,864 bytes (41%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- VBA project contains no executable statements (low, OLE_VBA_MACROS): Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1206 bytes |