MALICIOUS
208
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is an Office document containing a Workbook_Open VBA macro, which is a common technique for initial execution. The macro uses CreateObject to interact with the file system and potentially download a second-stage payload, indicated by the creation of a file named 'qDialogSeriesAxes.xsl' in the ALLUSERSPROFILE directory. The VBA code is heavily obfuscated, making it difficult to determine the exact payload or its destination, but the overall intent appears to be downloading and executing further malicious content.
Heuristics 6
-
LOLBin reference in VBA critical OLE_VBA_LOLBINLOLBin reference in VBA
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basa6a58c0253506b87105be30dd3a24653ee425be44300b5870e30929f5e646214 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3627 bytes |
vbaProject_00.bin81fdcbed4e4ccafec28d16090d46159fb001e7f2512c34426f70ece74f3004a7 |
vba-project | OOXML VBA project: xl/vbaProject.bin | 16896 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.