SUSPICIOUS
40
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is an Excel document containing a Workbook_Open VBA macro, which is a common technique for executing malicious code when the document is opened. The macro attempts to run other procedures like 'Report_OnOpen', 'GenerierenMain', 'DruckenMain', and 'ParameterauswahlMain', suggesting it's designed to initiate a multi-stage attack. The presence of the Environ() call indicates it may be attempting to gather system information or locate specific paths for payload execution.
Heuristics 5
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.iec.ch
-
Macro capabilities present but unconfirmed info MACRO_CAPABILITY_UNCORROBORATEDThe document's VBA exposes execution capabilities (Shell/WScript/CreateObject/auto-exec) but nothing corroborates malicious intent — no obfuscation, memory-exec primitive, download+exec chain, encoded payload, LOLBin, DDE, AV hit, or suspicious URL. The verdict was capped at 'suspicious' so legitimate macro-heavy business documents are not flagged malicious on capability presence alone.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basdceaa02701ab1e1d48f7ea425c0aa64bce5d8f79025da29d44b1fe9e82d7d1de |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 33398 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.