MALICIOUS
104
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature 'Doc.Malware.Sload-6794694-0'. A critical heuristic indicates that VBA p-code auto-execution is present, specifically triggering an execution token via the 'Document_Open' auto-macro and the 'Shell' command. Although VBA macros could not be directly extracted due to an unsupported format, the presence of these indicators strongly suggests the document is designed to run a malicious payload upon opening, likely delivered as a spearphishing attachment.
Heuristics 4
-
ClamAV: Doc.Malware.Sload-6794694-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Sload-6794694-0
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTEDolevba could not extract VBA macros (AssertionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Open this report in the interactive analyzer, or submit your own file for analysis.