MALICIOUS
Risk Score: 278
Heuristics: 9

- VBA project inside OOXML | medium | 6 related findings | OOXML_VBA
  Document contains a VBA project — VBA macros present

- Potential Shell call in VBA | critical | OLE_VBA_SHELL
  Potential Shell call in VBA
  Matched line in script:
      ''
      ' Prepare text for shell
      ' - Wrap in "..."

- Obfuscated auto-exec VBA loader | critical | OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script:
      Set web_Http = CreateObject("WinHttp.WinHttpRequest.5.1")

- CreateObject call | high | OLE_VBA_CREATEOBJ
  CreateObject call
  Matched line in script:
      Set web_Http = CreateObject("WinHttp.WinHttpRequest.5.1")

- CallByName call | high | OLE_VBA_CALLBYNAME
  CallByName call
  Matched line in script:
      If web_Converter("ParseType") = "Binary" Then
          Set ParseByFormat = VBA.CallByName(web_Instance, web_Callback, VBA.vbMethod, Bytes)
      Else

- VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

- Workbook_Open macro | low | OLE_VBA_WBOPEN
  Workbook_Open macro
  Matched line in script:
      Private Sub Workbook_Open()
          On Error Resume Next

- Hidden worksheet (hidden) | low | OOXML_HIDDEN_SHEET
  Excel workbook contains 2 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction

- Large OOXML part skipped | info | SCAN_INCOMPLETE
  One or more high-value OOXML parts exceeded the scanner's per-entry size cap and may not have been fully inspected.