Verdict: SUSPICIOUS
Risk Score: 40

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The VBA macro within the document is configured to execute automatically upon opening, leveraging the Document_Open subroutine. This macro writes a batch file named 'god.bat' to the public documents directory. The batch file then downloads a second-stage executable from a Discord CDN URL, saves it as 'imagehigh.exe', and subsequently executes it. This indicates downloader or dropper functionality.
Heuristics (6)
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- VBA macros detected [medium] OLE_VBA_MACROS: Document contains VBA macro code
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- Macro capabilities present but unconfirmed [info] MACRO_CAPABILITY_UNCORROBORATED: The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (hash: d9df2a24da2096509d39bd3b9970b038bb0b3620272294d8d5fabf7b2578838c) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1064 bytes |