Malware Insights
The sample is an Office file (Excel) containing VBA macros and an embedded PE executable. The VBA macros reference Windows API functions such as VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, which are commonly used by malware to allocate memory, load code, and execute payloads. The presence of an embedded executable strongly suggests downloader or dropper functionality, where the embedded file is the primary malicious payload. The document body content appears to be standard spreadsheet data, offering no direct clues to the lure.
Heuristics (6)
| Heuristic | Severity | Rule ID | Description |
|---|---|---|---|
| Embedded PE executable | critical | OLE_EMBEDDED_EXE | MZ/PE header found inside document — possible embedded executable |
| Reference to LoadLibrary API | high | SC_STR_LOADLIBRARY | Reference to LoadLibrary API |
| Reference to GetProcAddress API | high | SC_STR_GETPROCADDRESS | Reference to GetProcAddress API |
| Reference to VirtualAlloc API | medium | SC_STR_VIRTUALALLOC | Reference to VirtualAlloc API |
| Reference to VirtualProtect API | medium | SC_STR_VIRTUALPROTECT | Reference to VirtualProtect API |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code |
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | fa43e073e8ff3b0333d0dacccd1b068c94e101923837ba3e1f8fee5694e2cd61 | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2049 bytes |
| embedded_office_00009000.exe | 9861123be40e058d68bebbff833c8786b8ea7ef7eba23f5505eaa74b734a12a0 | embedded-pe | Office MZ+PE at offset 0x9000 | 10397 bytes |