MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1071.001 Web Protocols
The sample is an XLSM file containing VBA macros. A critical heuristic firing indicates the use of URLDownloadToFile, which is commonly used by malware to download and execute second-stage payloads. The VBA script also contains API calls related to process creation and manipulation, suggesting it is designed to download and run a malicious executable. No specific family could be identified, but the behavior is consistent with a downloader.
Heuristics 4
-
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOADURLDownloadToFile in VBA
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/photoshop/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas76b5fb7363b0c8774103bfbe152ecec894e13699ab92f517a686dff9c2e01254 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10494 bytes |
vbaProject_00.bin72f7180f8291bf6518712b4bea7d37d370fde8b18c72f4b313a8cabe000aa2be |
vba-project | OOXML VBA project: xl/vbaProject.bin | 37376 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.