MALICIOUS
70
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1055 Process Injection
The sample is an Office document with a VBA macro that references the WriteProcessMemory API, a common technique for process injection. While the VBA project itself contains no executable statements, the presence of this API call is highly suspicious and indicates a potential attempt to load a second-stage payload. No other malicious indicators were found.
Heuristics 3
-
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORYReference to WriteProcessMemory API
-
VBA project contains no executable statements low OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 342 bytes |
SHA-256: eedcb9d8be0d9552cb4230115740a34c223533c4e7bba0cabfc18fd7e7b9a438 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "avenging"
Attribute VB_Base = "0{93548FC1-0ECA-460A-B15C-20073731C159}{A7D40A76-5C41-448F-A4F6-696D9477A262}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.