Malware Insights
The file is an OLE document containing VBA macros, indicated by the 'OLE_VBA_MACROS' heuristic. The 'SC_XOR_ENCODED' heuristic suggests that strings within the macros are obfuscated using XOR encoding with a key of 0xFF. The 'SC_GETPC_CALL' heuristic is a common indicator of shellcode. The document body content, which appears to be an IMF report, is likely a lure to encourage the user to open the malicious file. The presence of VBA macros and obfuscated strings points towards downloader or dropper functionality, though the specific payload could not be determined.
Heuristics (4)
- XOR-encoded strings (key 0xFF) [critical, SC_XOR_ENCODED]: Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'KERNEL32.DLL', 'ADVAPI32.DLL', 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'CreateProcessA'
- x86 GetPC stub (CALL $+5; POP ECX) [high, SC_GETPC_CALL]: x86 GetPC stub (CALL $+5; POP ECX)
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 109,743 bytes but its declared streams total only 54,248 bytes; 55,495 bytes (51%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected [medium, OLE_VBA_MACROS]: Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 2a758fcc03dd3cd254ef2047dfa75b30c478ff6a2f15e171b66b4521c04fa715) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 559 bytes |