MALICIOUS
338
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic for Applications
T1059.001 PowerShell
T1105 Ingress Tool Transfer
The sample contains a Workbook_Open VBA macro that utilizes Shell() and CreateObject() calls, indicating it attempts to execute arbitrary code. This macro is likely designed to download and execute a secondary payload from one of the embedded URLs. The presence of an appended payload and high entropy further supports this malicious intent.
Heuristics 11
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 222,208 bytes but its declared streams total only 106,951 bytes — 115,257 bytes (52%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOADOLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Fake invoice / payment lure low SE_INVOICE_LUREDocument contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.URL https://galaxybrindes
- https://kapraywala.ga/website/w�E`I�/�����
- https://www.vidroboxbirigui.com.br/posts/GqlwMINB3GC.php-ixtJCKc&-LNr
- https://EsteticaCanina.gruporampant.com/wp-content/themes/twentysiq-
- https://hartlepooltaxi.co.uk/Taxif:QPCeCShop/modulf:QPCeCes/coreupdf:QPCeCaf:QPCeCter/views/js/f:QPCeCbbKt3OpktVRAFni.php
- https://cryptoexpert.work/core/vendor/doctrine/lexer/lib/cpf9PlDnI8yT4tE.phpXk=aHulp
- https://games.mobileadsit.com/__MACOSX/paper-panel-all-files/paper-panel/WT3nZjIP.phpWT
- https://galaxybrindes.com.br/wp-content/plugins/elementor/data/base/F43npljSP.phpRI_85UE
- https://kapraywala.ga/website/wp-includes/js/jquery/ui/kk919Q3Ead7kgFQ.phpndCq
- https://www.eloyfestas.com.br/posts/EwyU0Hv3aBAST.phppl_8CDGBSkx9R|g
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas39b8012d6995228812a85cad2df5521caa7eee78e2e39334ab3b4eee56de21de |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14610 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.