MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic
The sample contains VBA macros that leverage the AutoOpen function to trigger an exploit. The heuristics indicate a critical vulnerability (CVE-2007-3899) that uses VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the execution of shellcode. The VBA script explicitly calls LoadLibrary and GetProcAddress, confirming its role in loading and executing further malicious code.
Heuristics 8
-
CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
-
ClamAV: Doc.Dropper.Agent-6899166-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6899166-0
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas0af58e0a153f0cbadfea17dd63e61e353b80066327564f4c4c24e6fb76d3f4de |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 22163 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.