MALICIOUS
108
Risk Score
Malware Insights
MITRE ATT&CK
T1559 Component Object Model Hijacking
The critical heuristic firing for an embedded SWF file within an OLE document strongly suggests an attempt to leverage Flash Player vulnerabilities. While the VBA macros themselves contain no executable statements, the presence of the SWF is the primary indicator of malicious intent. The embedded URL, though confirmed benign, was present in the document.
Heuristics 4
-
Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWFDocument contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 163,772 bytes but its declared streams total only 83,289 bytes — 80,483 bytes (49%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
VBA project contains no executable statements low OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://adobe.com/AS3/2006/builtin
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas56845bb35fdf791b2d2b0ce90d464da9f81eef6f5c9562346451e8a85cc26aca |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 987 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.