MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The VBA macro contains obfuscated code that, when decoded, appears to construct a command to download and execute a payload from a URL. The script utilizes WScript.Shell and CreateObject, indicative of malicious intent to interact with the system. The reconstructed URL is http://www.example.com/payload.exe and a persistence mechanism is likely established via HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PowerShell.
Heuristics 6
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usage
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
External relationship high OOXML_EXTERNAL_RELExternal target in ppt/slides/_rels/slide1.xml.rels: file:///C:\Users\user\Desktop\help folder\excel\Enable_content.jpg
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas4a16665b20b04a1434eebde7fedfd6b4b338372b94e60289757752a9f41cdd8e |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 4278 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 long base64-like blob(s).
|
|||
vbaProject_00.bin3e5b0135e83215678725328eeafa725edb0fa58ae9532973674138a7c053a532 |
vba-project | OOXML VBA project: ppt/vbaProject.bin | 16384 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.