Verdict: MALICIOUS
Risk Score: 280
Malware Insights
MITRE ATT&CK
- T1059 Command and Scripting Interpreter
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1218.011 System Binary Proxy Execution: Rundll32
The sample contains VBA macros triggered by the Document_Open event, so they run as soon as the document is opened with macros enabled. Instead of calling CreateObject("Shell.Application"), the macro uses GetObject("new:{13709620-C279-11CE-A49E-444553540000}"), which instantiates the same Shell.Application COM class by its raw CLSID; the ProgID string that name-based detections key on never appears in the source. The script then calls the object's ShellExecute method with a command read from the document's 'Comments' property, so the command line (likely a second-stage payload or downloader) lives in document metadata rather than in the macro code. The heuristics below also flag a CallByName call, which can invoke a method by a string name and so keeps the method out of a literal-call scan. This indicates a macro-based execution chain designed to download and run further malicious content.
Heuristics (7)
| Heuristic | Severity | Rule ID | Description |
|---|---|---|---|
| VBA instantiates a dangerous COM class by CLSID | critical | OLE_VBA_GETOBJECT_CLSID_DANGEROUS | VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on. |
| Reference to ShellExecute API | high | SC_STR_SHELLEXEC | The macro source references the ShellExecute API, used to launch an arbitrary file or command. |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Auto-execution entry point: the macro runs when the document is opened. |
| GetObject call | high | OLE_VBA_GETOBJ | The macro calls GetObject, which can bind to COM objects by moniker (including the "new:" moniker). |
| CallByName call | high | OLE_VBA_CALLBYNAME | The macro calls CallByName, which invokes a method or property by a string name, hiding the call from literal-name scans. |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code. |
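The rules above are lexical checks on the extracted VBA source. As an added example (not the analyzer's code and not the sample's real macros.bas), the script below runs the same checks over a constructed macro that mirrors the report's description, side by side with the "loud" CreateObject("Shell.Application") version of the same behaviour and a benign macro. The CLSID for Shell.Application is the one in the report; the WScript.Shell and Scripting.FileSystemObject CLSIDs are added from their well-known registry values, and the OLE_VBA_CREATEOBJECT_PROGID rule is a hypothetical name-based rule added here to show exactly what the CLSID moniker sidesteps.

```python
"""Static triage of VBA source for GetObject("new:{CLSID}") COM instantiation.

Added example, not the analyzer's own code. Rule IDs marked (report) are reused
from the heuristics table; everything else is an assumption for illustration.
"""
import re

# CLSID -> ProgID for execution-capable COM classes. Shell.Application is the
# CLSID named in the report; the other two are well-known values added here.
DANGEROUS_CLSIDS = {
    "13709620-C279-11CE-A49E-444553540000": "Shell.Application",
    "72C24DD5-D70A-438B-8A42-98424B88AFB8": "WScript.Shell",
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
}
DANGEROUS_PROGIDS = {p.lower() for p in DANGEROUS_CLSIDS.values()}

# GetObject("new:{CLSID}") binds by raw CLSID; the ProgID string never appears.
NEW_MONIKER = re.compile(
    r'GetObject\s*\(\s*"new:\{?([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}?"',
    re.IGNORECASE)
# Name-based check a ProgID blocklist would perform (hypothetical rule, see below).
CREATEOBJECT = re.compile(r'CreateObject\s*\(\s*"([^"]+)"', re.IGNORECASE)

# (severity, rule id, pattern) -- simple token rules from the report's table.
TOKEN_RULES = [
    ("high", "OLE_VBA_DOCOPEN", re.compile(r"\bSub\s+Document_Open\b", re.IGNORECASE)),
    ("high", "OLE_VBA_GETOBJ", re.compile(r"\bGetObject\s*\(", re.IGNORECASE)),
    ("high", "OLE_VBA_CALLBYNAME", re.compile(r"\bCallByName\b", re.IGNORECASE)),
    ("high", "SC_STR_SHELLEXEC", re.compile(r"\bShellExecute\b", re.IGNORECASE)),
]


def triage_vba(src):
    """Return (severity, rule_id, detail) findings for one VBA module's source."""
    findings = []
    for m in NEW_MONIKER.finditer(src):
        clsid = m.group(1).upper()
        progid = DANGEROUS_CLSIDS.get(clsid)
        if progid:  # report rule: raw-CLSID instantiation of an execution class
            findings.append(("critical", "OLE_VBA_GETOBJECT_CLSID_DANGEROUS",
                             "{%s} resolves to %s" % (clsid, progid)))
    for m in CREATEOBJECT.finditer(src):
        if m.group(1).lower() in DANGEROUS_PROGIDS:
            # Hypothetical name-based rule, added here; not one of the report's IDs.
            findings.append(("high", "OLE_VBA_CREATEOBJECT_PROGID", m.group(1)))
    for severity, rule_id, pattern in TOKEN_RULES:
        m = pattern.search(src)
        if m:
            findings.append((severity, rule_id, m.group(0)))
    return findings


def rule_ids(src):
    """Sorted, de-duplicated rule IDs that fire on the source."""
    return sorted({rule_id for _, rule_id, _ in triage_vba(src)})


def triage_verdict(findings):
    """Coarse rollup for the example only; not the report's risk-score model."""
    severities = {s for s, _, _ in findings}
    if "critical" in severities:
        return "MALICIOUS"
    if "high" in severities:
        return "SUSPICIOUS"
    return "CLEAN"


# Constructed sample mirroring the report's description (not the real macros.bas).
SAMPLE_CLSID_MACRO = r'''
Private Sub Document_Open()
    Dim o As Object
    Set o = GetObject("new:{13709620-C279-11CE-A49E-444553540000}")
    CallByName o, "ShellExecute", VbMethod, ActiveDocument.BuiltInDocumentProperties("Comments").Value
End Sub
'''

# Same behaviour written with a ProgID: a name-based rule catches this one only.
SAMPLE_PROGID_MACRO = r'''
Private Sub Document_Open()
    Set o = CreateObject("Shell.Application")
    o.ShellExecute ActiveDocument.BuiltInDocumentProperties("Comments").Value
End Sub
'''

# Constructed benign macro: no auto-exec, no COM instantiation, no execution API.
BENIGN_MACRO = r'''
Sub BoldHeading()
    Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in [("clsid", SAMPLE_CLSID_MACRO), ("progid", SAMPLE_PROGID_MACRO),
                      ("benign", BENIGN_MACRO)]:
        found = triage_vba(src)
        print(name, triage_verdict(found), [f[1] for f in found])
```

Note the asymmetry the two samples expose: the ProgID version trips the hypothetical CreateObject rule, while the CLSID version never contains the string "Shell.Application" at all and is caught only because the moniker is resolved against a CLSID list. In a real pipeline the source comes from olevba (as in the artifact below), and CLSIDs that are not on a static list can be resolved on a Windows analysis host under HKCR\CLSID\{...}\ProgID; strings assembled with concatenation or Chr() need deobfuscation before these lexical checks apply.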
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | c8d5435da7c4c8850ea23b3649733fe7d6596d8db07e78c3dd69ff9406b761b8 | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1178 bytes |