MALICIOUS
Risk Score: 456
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
- T1059.003 Windows Command Shell
The file is an Excel XLA file containing VBA macros. The Workbook_Open macro is configured to execute automatically, and it utilizes the Shell() function and references cmd.exe, indicating it attempts to run external commands. Crucially, it also contains a URLDownloadToFile API call, strongly suggesting it downloads and executes a second-stage payload from a remote source. The extracted document body content appears to be related to data analysis and gene expression, which is likely a lure.
Heuristics (13)
- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
- Shell() call in VBA (critical, OLE_VBA_SHELL)
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
- Workbook_Open macro (high, OLE_VBA_WBOPEN)
- CreateObject call (high, OLE_VBA_CREATEOBJ)
- cmd.exe reference in VBA (high, OLE_VBA_CMD)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs:
- http://linus.nci.nih.gov
- http://source.stanford.edu
- http://www.godatabase.org/cgi-bin/go.cgi?view=details&query=
- http://www.geneontology.org/ontology/component.ontology
- http://www.geneontology.org/ontology/function.ontology
- http://www.geneontology.org/ontology/process.ontology
- http://www.geneontology.org
- https://www.affymetrix.com/LinkServlet?probeset=
- http://j-walk.com/ss
- http://www.j-walk.com/ss/
- http://light.emmes.com/help
- http://light1.emmes.com
- http://www.bmsltd.co.uk/excel/SBXLPage.asp
- http://www.bmsltd.co.uk/DLCount/DLCount.asp?file=Comdlg32.zip
- http://p2p.wrox.com/archive/pro_vb/2003-02/42.asp
- http://www.braju.com/R/hbLite.R
- http://bioinf.wehi.edu.au/folders/mrobinson/CDF/HuGene-1_0-st-v1,r3.cdf
- http://bioinf.wehi.edu.au/folders/mrobinson/CDF/MoGene-1_0-st-v1,r3.cdf
- http://bioinf.wehi.edu.au/folders/mrobinson/CDF/RaGene-1_0-st-v1,r3.cdf
- http://www.bmsltd.co.uk/MVP/Default.htm
- http://www.yahoo.com
- http://www.j-walk.com/ss/excel/tips/
- http://chrisrae.com/vba/routines/clrfilesearch.html
- http://www.vb2themax.com/Item.asp?PageID=CodeBank&ID=411
- http://www.bioinfo.de/
- http://www.bioconductor.org/biocLite.R
- http://genome-www5.stanford.edu
- http://smd.stanford.edu/cgi-bin/source/sourceBatchSearch
- http://cgap.nci.nih.gov/Pathways/
- http://www.devx.com/premier/mgznarch/vbpj/1997/07jul97/qanda.pdf
- http://www.bioconductor.org
- http://linus.nci.nih.gov/cgi-bin/brb/board1.cgi
- http://www.ncbi.nlm.nih.gov/
- http://nciarray.nci.nih.gov/cgi-bin/clone_report.cgi?CRITERIA=clone&PARAMETER=
- http://www.ncbi.nlm.nih.gov/UniGene/query.cgi?TEXT=
- http://www.ncbi.nlm.nih.gov/htbin-post/Entrez/query?db=2&form=1&term=
- http://nciarray.nci.nih.gov/cgi-bin/clone_report.cgi?CRITERIA=acc&PARAMETER=
- http://www.ncbi.nlm.nih.gov/UniGene/query.cgi?TEXT=Hs.7476&ORG=Hs
- http://nciarray.nci.nih.gov/cgi-bin/clone_report.cgi?CRITERIA=acc&PARAMETER=AI567477
- http://nciarray.nci.nih.gov/cgi-bin/clone_report.cgi?CLONE=
- http://nciarray.nci.nih.gov/cgi-bin/clone_report.cgi?CRITERIA=clone&PARAMETER=IMAGE
- http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?db=Nucleotide&term=
- http://microrna.sanger.ac.uk/cgi-bin/sequences/mirna_entry.pl?id=
- http://www.ncbi.nlm.nih.gov/sites/entrez?db=gene&cmd=search&term=
- http://www.ncbi.nlm.nih.gov/UniGene/clust.cgi?ORG=
- http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?db=unigene&term=
- http://cran.r-project.org
+31 more URL(s)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (7c896e9e5f10fd47b3c35a86f52e4d0bf8f7d5e1fae7e85a16766e7927675ffb) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8388608 bytes |

Detection for macros.bas:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 15 eval/decoder/string-building token(s). Carved artifact contains 2086 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.