Malware Insights
The sample is an OLE file with VBA macros. A high-severity heuristic indicates a heap-spray pattern, and another indicates auto-execution of VBA p-code with execution tokens, specifically using the 'Shell' function. The VBA macro code itself is heavily obfuscated and truncated, but it contains declarations for Windows API functions like CreateFile, CloseHandle, and WriteFile, suggesting it attempts to write or manipulate files. The presence of these indicators points to a macro-based downloader attempting to execute a second-stage payload.
Heuristics (4)
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- VBA project contains no executable statements (low, OLE_VBA_MACROS): Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256 `064062453d25b45178f86f1adaa39c4dedc709b2010349822306d9903db13d3c`) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 74663 bytes |

Detection for macros.bas:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 103 long base64-like blob(s))