Office (OLE) / .XLS static analysis report

Static analysis result for SHA-256 7e9f123079074f95…

SUSPICIOUS

Office (OLE) / .XLS

Size: 75.0 KB
Created: 1999-05-17 06:58:09
Authoring application: Microsoft Excel
MD5: b18ee11b62b30f3329999e82793fbb1e
SHA-1: eb3bd1ea2b1fed1db93e7bede58d2017bb8f6027
SHA-256: 7e9f123079074f9518408249dc9301b30bce7114b485bc14d9ed60456bed7fa1
Risk Score: 40

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing a Workbook_Open VBA macro, a common technique for executing malicious code when the workbook is opened. The macro's structure suggests it is designed to process commands for creating or modifying other files, potentially downloading and executing a second-stage payload. The presence of a Workbook_Open macro and the general structure of the VBA code strongly indicate malicious intent, likely delivered as a spearphishing attachment.

Heuristics 3

  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code
  • Macro capabilities present but unconfirmed [info] MACRO_CAPABILITY_UNCORROBORATED
    The document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
0afbd649eac346c499802602b288e766546f891a59aed4a97088899e3bcb6d4e
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 113407 bytes