Verdict: MALICIOUS (Risk Score 90)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious Office document that carries a VBA project together with a legacy WordBasic auto-exec marker and an Excel 4.0 (XLM) macro sheet. The decoded VBA source recovered from the project contains only module attributes and p-code disassembly comments, with no executable statements, so the execution evidence comes from the compiled p-code stream rather than from readable source: the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic found an auto-execution token together with 'GetObject', an object-instantiation primitive commonly used to reach a shell or scripting object, which indicates an attempt to run code via VBA when the document is opened. A live p-code stream behind an empty or unrecoverable source stream is the pattern seen with VBA stomping or a source-extraction failure, and it means tooling that only reads the decompressed source will report this document as harmless. The recovered p-code also shows Select Case blocks that build characters via Chr() from arithmetic on literals and Tan(), which is consistent with runtime string decoding, though the decoded strings were not recovered. The legacy WordBasic and XLM markers suggest an older but still functional execution chain; note that the heuristics evidence macro execution, not exploitation of a parser flaw. No specific family could be identified, and no network IOCs were extracted (the only embedded URL is a standard OOXML schema namespace).
Heuristics (5)

- VBA project contains no executable statements (low; 1 related finding: OLE_VBA_MACROS). The document contains a VBA project, but the extracted modules only contain attributes, options and comments and no executable statements.
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC). The compiled VBA (p-code) cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where no visible source is available.
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC). The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Excel 4.0 (XLM) macro sheet present (medium; OLE_XLM_AUTOOPEN). The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
- Embedded URL (info; EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace that Office writes into its own files, so it is expected content and not an indicator of compromise.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 124552 bytes | 70d8b0225cb7a30a6a5b0a95e9b90656b7fda58873b319533751de5860275203 |
Preview script (first 1,000 lines of the extracted script; output truncated):

```vb
Attribute VB_Name = "M___9_17"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Processing file: /opt/analyzer/scan_staging/5bd75d24e6f64b0fa51f27358deaaf13.bin
' ===============================================================================
' Module streams:
' Macros/VBA/M___9_17 - 1106 bytes
' Macros/VBA/R279943 - 115539 bytes
' Line #0: ' Imp ' Imp ' Imp
' Line #1: ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #2: ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #3: ' Imp ' Imp ' Imp
' Line #4: ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #5: ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #6: ' Imp ' Imp ' Imp ' Imp
' Line #7: ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #8: ' Imp ' Imp ' Imp ' Imp
' Line #9: ' Imp ' Imp ' Imp ' Imp
' Line #10: ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #11: ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #12: ' Imp ' Imp ' Imp ' Imp
' Line #13: ' Imp
' Line #14: ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #15: ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #16: ' Imp ' Imp ' Imp
' Line #17: ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #18: ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #19: ' Imp ' Imp ' Imp ' Imp
' Line #20: ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #21: ' Imp ' Imp ' Imp ' Imp
' Line #22: ' Imp ' Imp ' Imp ' Imp
' Line #23: ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #24: ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #25: ' Imp ' Imp ' Imp ' Imp
' Line #26: ' Imp
' Line #27: ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #28: ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #29: ' Imp ' Imp ' Imp
' Line #30: ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #31: ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #32: ' Imp ' Imp ' Imp ' Imp
' Line #33: ' Imp ' Imp ' Imp ' Imp ' Imp
' Line #34: ' Ld p45_97_ ' St H_3__865
' Line #35: ' Ld s__729_ ' St W9840__7
' Line #36: ' LitDI4 0xAEA5 0x0C1D ' Case ' CaseDone
' Line #37: ' LitDI4 0x9BAF 0x3822 ' St n69100
' Line #38: ' Ld i82_270 ' St M0777_
' Line #39: ' EndSelect
' Line #40: ' LitDI4 0xD7E0 0x1879 ' LitDI4 0x50A7 0x0D7B ' Sub ' St U_27__4
' Line #41: ' LitDI4 0x5FE1 0x1636 ' Ld X5_6101 ' Add ' St m1312204
' Line #42: ' Ld q_46__ ' SelectCase
' Line #43: ' LitDI4 0x1FE8 0x3674 ' Case ' CaseDone
' Line #44: ' LitDI4 0x4B43 0x0942 ' Ld m5_7_7 ' ArgsLd Tan 0x0001 ' Mul ' ArgsLd Chr 0x0001 ' St o_557_21
' Line #45: ' Ld H53079_5 ' St R096062_
' Line #46: ' LitDI4 0x8E70 0x0789 ' Case ' CaseDone
' Line #47: ' Ld V249239 ' St P1897571
' Line #48: ' Ld X75__1 ' St S25412_1
' Line #49: ' LitDI4 0x0B95 0x27F0 ' Case ' CaseDone
' Line #50: ' LitDI4 0x4DB1 0x3A3E ' St M20__3_3
' Line #51: ' Ld a8758_62 ' St X6937_
' Line #52: ' EndSelect
' Line #53: ' LitDI4 0x2E5C 0x2646 ' LitDI4 0x1614 0x187A ' Sub ' St b87701
' Line #54: ' LitDI4 0xB9B8 0x1A84 ' Ld f_736037 ' Add ' St f_5707
' Line #55: ' Ld P_035_5_ ' SelectCase
' Line #56: ' LitDI4 0xEB36 0x0718 ' Case ' CaseDone
' Line #57: ' LitDI4 0x59C2 0x0B95 ' Ld b_9348 ' ArgsLd Tan 0x0001 ' Mul ' ArgsLd Chr 0x0001 ' St H__000
' Line #58: ' Ld n_767528 ' St E_79867
' Line #59: ' LitDI4 0x3C54 0x1BE3 ' Case ' CaseDone
' Line #60: ' Ld c_____ ' St c__18_7
' Line #61: ' Ld V_1880 ' St h8867_
' Line #62: ' LitDI4 0xAEF3 0x2DB6 ' Case ... (truncated)
```