MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is a DOT template containing a high-severity AutoOpen VBA macro, indicating malicious intent. The macro source is obfuscated, but the presence of AutoOpen and AutoClose macros strongly suggests an attempt to execute arbitrary code. The embedded URL, though currently benign, is a common indicator for droppers. The VBA Chr string obfuscation heuristic further supports the malicious nature of the macros.
Heuristics 5
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://edoc.hu-berlin.de/e_autoren/
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas 169b3144cebd06f7a741ef29726ff1598745494d1620e472fa4f64358a4c1d9e | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 68287 bytes |

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 30 Chr/ChrW string-construction calls.