MALICIOUS
328
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
The file is identified as malicious due to the presence of an embedded PE executable and suspicious OLE structure. The VBA macros, while not containing executable statements themselves, are often used as a loader for embedded payloads. The embedded executable is the primary indicator of malicious intent, suggesting the document is a dropper for a second-stage payload.
Heuristics 8
-
ClamAV: Xls.Dropper.Agent-7377660-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Agent-7377660-0
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGEA CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 1,016,032 bytes but its declared streams total only 43,269 bytes — 972,763 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
VBA project contains no executable statements low OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1271 bytes |
SHA-256: 1393fb9c6c18f41eb0fa3c4533b46ef8e1670352e75321cc8504cd42cae698a3 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ListView1, 1, 0, MSComctlLib, ListView"
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
embedded_office_000c2640.exe |
embedded-pe | Office MZ+PE at offset 0xC2640 | 219808 bytes |
SHA-256: 873e60018422e2c8a20b1d5b534934cc458c8a68ecbf86fccaad48197a4abc1c |
|||
embedded_office_off0000be40.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0xBE40 | 967328 bytes |
SHA-256: 62141f00221e31b5fb57124f71aeee57813f35ddd381923142e64b2b61300563 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.