MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.003 Windows Command Shell
The Excel document contains VBA macros, as indicated by the OOXML_VBA heuristic. The macros reference PowerShell and cmd.exe, suggesting an attempt to execute arbitrary commands. The GetObject call is also suspicious. While the VBA code is heavily obfuscated and truncated, the presence of these indicators strongly suggests a malicious intent to download and execute a secondary payload. No specific family could be identified due to the obfuscation and lack of concrete IOCs.
Heuristics 5
-
PowerShell reference in VBA critical OLE_VBA_PSPowerShell reference in VBA
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
cmd.exe reference in VBA high OLE_VBA_CMDcmd.exe reference in VBA
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas3734699ad6b1c1480faa9530e8cbee8ffb6463440963f3178cf826c43b4b3a5d |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 35036 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 shell/COM execution token(s).
|
|||
vbaProject_00.bina39a3014052e09610f05c23e21e5c0504dd7812e01fb98d6b1bb6a657ab15865 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 11264 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.