SUSPICIOUS
40
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains a VBA macro that executes upon opening the document. This macro, specifically the Document_Open subroutine, appears to construct a URL by concatenating strings to form 'http://p://help.doc'. It then attempts to open this constructed document. The benign URLs extracted are likely unrelated to the malicious activity. The presence of a Document_Open macro and the construction of a URL strongly suggest a malicious intent to download and execute a secondary payload.
Heuristics 4
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography
- http://schemas.openxmlformats.org/officeDocument/2006/customXml
-
Macro capabilities present but unconfirmed info MACRO_CAPABILITY_UNCORROBORATEDThe document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas1b1ff1ba75d6b65562566a8fa69bda05952242689edb4f74a03ddf491ca2209e |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1033 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.