MALICIOUS
370
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059.003 Windows Command Shell
T1140 Deobfuscate or Obfuscate
The sample is an Office document containing VBA macros. The AutoOpen macro displays a fake error message to lure the user into enabling macros. Once enabled, it constructs and writes a VBScript payload to disk at '%userprofile%\82911ae6-ea27-4996-a664-2322e89da9ae.vbs'. It also creates a batch file at '%userprofile%\82911ae6-ea27-4996-a664-2322e89da9ae.bat' which appears to clean up downloaded files. The VBScript itself is obfuscated by concatenating string literals to form the 'WScript.shell' object and its 'Run' method, indicating it likely downloads and executes a second-stage payload.
Heuristics 12
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URLVBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
-
Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACONDocument references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
-
External relationship medium OOXML_EXTERNAL_RELExternal target in word/_rels/document.xml.rels: http://webhook.site/c29905ab-e5fa-446c-8958-4eab15d8fb80/docopened.jpg
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://webhook.site/c29905ab-e5fa-446c-8958-4eab15d8fb80/docopened.jpg
- https://webhook.site/a3f4e990-0b2a-4f6a-a02e-c573005de3ee
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.microsoft.com/office/2019/extlst
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2018/wordml/cex
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2018/wordml
- http://schemas.microsoft.com/office/word/2023/wordml/word16du
- http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash
- http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlock
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape
- http://schemas.microsoft.com/windows/2004/02/mit/task^
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas28a03d2ede8ff850aff70608109a66787fa9af4b8c3d12e70c22f4a0bb59f13f |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8867 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
vbaProject_00.binb2e969af7713b1850519ac047e9541368eb0192a44b62782b2c20dbef97b6acb |
vba-project | OOXML VBA project: word/vbaProject.bin | 22016 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.