MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_STAGER' indicates that VBA code is used to decode and execute Excel 4.0 macros. The VBA script contains functions that appear to obfuscate strings and execute them, likely to download and run a second-stage payload. The document body content is heavily obfuscated and unreadable, providing no direct clues to the user-facing lure.
Heuristics 2
- VBA ActiveX event launches decoded Excel4 macro (critical, OLE_VBA_ACTIVEX_XLM_STAGER): VBA code attached to an ActiveX/UserForm event decodes strings from worksheet cells through a Mid/Asc/Chr character-shift loop and passes the recovered formula text to ExecuteExcel4Macro. This is a high-confidence macro stager that bridges VBA event activation into XLM formula execution rather than a specific Office parser CVE.
- VBA project inside OOXML (medium, OOXML_VBA): Document contains vbaProject.bin — VBA macros present
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas 8f8e045ad179562fed2d3be02f901a88305e7cbddf9d8f9b752891e89bbade00 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1887 bytes |
| vbaProject_00.bin 9cb9110f06321a2f8c220c282c488d1972f20ce5f8daa2ed2ad9e2fbf4682bdb | vba-project | OOXML VBA project: xl/vbaProject.bin | 18432 bytes |
| emf_00.emf 289f5a4af0055ab9abbe8cf110fe4e3827407560145dba39aa21028b266662a2 | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 1976 bytes |