Verdict: MALICIOUS
Risk Score: 90
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1059.005 Visual Basic
The OOXML file contains VBA macros, indicated by the 'OOXML_VBA' heuristic. The 'SE_ENABLE_LURE' heuristic confirms the presence of a social engineering tactic to trick the user into enabling macros by promising a Starbucks e-Coupon. The 'OLE_VBA_CREATEOBJ' heuristic suggests the macro likely attempts to execute arbitrary code. No specific URLs or executable payloads were extracted, but the presence of VBA macros and the lure strongly suggest a malicious intent to download and execute a secondary payload.
Heuristics (5)
| Heuristic | Severity | ID | Description |
|---|---|---|---|
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| VBA project inside OOXML | medium | OOXML_VBA | Document contains vbaProject.bin — VBA macros present |
| Macro/content-enable lure | medium | SE_ENABLE_LURE | Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
| Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE | One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. |
Extracted artifacts (19)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| macros.bas | 3fe10a35e5e4358d197fcbcb7cb38cabd715ff3c7e6d70be6a0a354561371e16 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 69248 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 378 long base64-like blob(s). |
| vbaProject_00.bin | 197349fc2635ad50f9a03d9f492ebed80660fa281cf11f6919a61bc1186760d7 | vba-project | OOXML VBA project: xl/vbaProject.bin | 244224 bytes | ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 378 long base64-like blob(s). |
| emf_00.emf | 0291cc9d820753111fd3ceb5030a76d5b34a206571fa4671325591455a4457a7 | ooxml-emf | OOXML EMF part: xl/media/image14.emf | 3744 bytes | |
| emf_01.emf | dc2fc7de511b434d07fc2119cdb06238bc3b9372699bafc73c6ede7a3e70198a | ooxml-emf | OOXML EMF part: xl/media/image13.emf | 3648 bytes | |
| emf_02.emf | eb30dfb565592c574988e44ed02478c29f3fcd2b227a9d8fd16e3b793fea4cae | ooxml-emf | OOXML EMF part: xl/media/image12.emf | 3764 bytes | |
| emf_03.emf | d02d2791cad3014f6c8333591b6c2fc770135fc2120f9b0d8e447d2f2e684bb7 | ooxml-emf | OOXML EMF part: xl/media/image11.emf | 3632 bytes | |
| emf_04.emf | b81dc1f1599a1ac1440240b7bb4855d2b49be2662ea23955af8c1b779289ba1b | ooxml-emf | OOXML EMF part: xl/media/image10.emf | 3656 bytes | |
| emf_05.emf | efb18401b2397be03bc7273c329ea4ed4518e08f3fc5865a294a2253affa23b9 | ooxml-emf | OOXML EMF part: xl/media/image9.emf | 3656 bytes | |
| emf_06.emf | 5b59d4926338651c4d3f9b4e88ba6ffb0a4d257fe53f670f6a86f515b1a8c484 | ooxml-emf | OOXML EMF part: xl/media/image8.emf | 3280 bytes | |
| emf_07.emf | 917de0ebb6a8f6f6ccb0a0d189e88ee55b0b8904c6980de5c57ae0e66256d6fc | ooxml-emf | OOXML EMF part: xl/media/image7.emf | 3740 bytes | |
| emf_08.emf | 90cfe9e4aef427258659fdb525473d3dafd1bc059cf8c3bad420856076d322a5 | ooxml-emf | OOXML EMF part: xl/media/image15.emf | 3704 bytes | |
| emf_09.emf | 887a302339363c574e109f078f15810e082c0a7dc9366730ab4c1325b83988b2 | ooxml-emf | OOXML EMF part: xl/media/image16.emf | 3704 bytes | |
| emf_10.emf | 60bf470f283ffbe44a8a015b33409b92c01f1c3b91d227d360b112da72200bbd | ooxml-emf | OOXML EMF part: xl/media/image17.emf | 3636 bytes | |
| emf_11.emf | 3de1ec46fdd88bd644dc772d769dff308b16b49c67d05716ce3f2d716de82864 | ooxml-emf | OOXML EMF part: xl/media/image6.emf | 3656 bytes | |
| emf_12.emf | 3b20e9c3bbbe0f6048470cbbc1b160a06fc848f4cf010582785e2c445dc1f818 | ooxml-emf | OOXML EMF part: xl/media/image3.emf | 3708 bytes | |
| emf_13.emf | b93b693d590a77332f103a1fe43afa3edb5e879cd18e6fe51237ea5f172042ae | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 2676 bytes | |
| emf_14.emf | 19a4466b2c4cf05ae9729d55c31587a821cbbc86c36c6a58f69243fb3f118075 | ooxml-emf | OOXML EMF part: xl/media/image5.emf | 3668 bytes | |
| emf_15.emf | a41908bad0203098823ccdc40a64f98b9da04549684b2bf1db9b192aeed042b2 | ooxml-emf | OOXML EMF part: xl/media/image2.emf | 3656 bytes | |
| emf_16.emf | 40dccb72d6f8365fb3828003d8ecfbeb9c6906a37cc48abf2f1748d31fb3c443 | ooxml-emf | OOXML EMF part: xl/media/image4.emf | 3632 bytes | |