Verdict: MALICIOUS
Risk Score: 220
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059.001 PowerShell
- T1105 Ingress Tool Transfer
- T1027 Obfuscated Files or Information
The sample contains VBA macros that are automatically executed upon opening the document, as indicated by the Document_Open heuristic. The critical heuristic 'OLE_VBA_PROPERTY_SHELLCODE_LOADER' suggests the macro reads shellcode from a document property and executes it in memory. Furthermore, the instantiation of 'WScript.Shell' by CLSID points to the use of system scripting capabilities for malicious purposes. The macro appears to be a loader for shellcode, likely to download and execute a second-stage payload.
Heuristics 5
- VBA property-stored shellcode loader (critical, OLE_VBA_PROPERTY_SHELLCODE_LOADER): VBA auto-exec macro takes the address (VarPtr) of a byte buffer decoded from a document property, marks memory executable (VirtualProtect/VirtualAlloc), and transfers control through a callback API (e.g. SetTimer/EnumWindows). The payload is hidden in the document properties rather than the macro source; this is the SVCReady loader pattern, a native shellcode runner rather than a parser CVE.
- VBA instantiates a dangerous COM class by CLSID (critical, OLE_VBA_GETOBJECT_CLSID_DANGEROUS): VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (hash e0d5920c1341e0ca84bb5dd59aef6f0a4ba2792f88190c10aaa4c2fa1b758b2d) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3114 bytes |