MALICIOUS
210
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1059.005 Command and Scripting Interpreter: Visual Basic for Applications
T1059.001 Command and Scripting Interpreter: PowerShell
T1105 Ingress Tool Transfer
T1059.003 Command and Scripting Interpreter: Windows Command Shell
The sample is an OOXML file containing a VBA project with a Workbook_Open macro that triggers execution. The extracted script is heavily obfuscated with randomized variable names and error-handling tricks to hide its true intent, but the heuristic firings for WScript.Shell and CreateObject indicate it likely downloads and executes a second-stage payload from one of the embedded URLs. Due to the high level of obfuscation in the VBA, the exact execution flow is not fully transparent, which lowers the confidence score.
Heuristics 7
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usage
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
VBA project inside OOXML medium OOXML_VBADocument contains vbaProject.bin — VBA macros present
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://gayatriautbaj.iXv\,ngsoftwiXv\,eb.in/images/bg/IxcyF3v00CiXv\,ybVh.php
- https://emshipservices.com/wp-content/plugins/maintenance/load/css/mHJfcb7FpE.php*U!3AmtWz4
- https://morefitness.com.ng/wp-content/plugins/fo|y
- https://mosaicuschinR^V3Na.com/wp-content/plugins/wpml-sR^V3Ntring-translation/locale/orig/afFzHwIPlCs5b.php
- https://coisas.com.pt/wp-content/plugins/simple-download-monitor/css/images/2cAwMgDOoJ.php;6w:Df
- https://hameedfaree-z\MFLfdgul.com/wp-includes/sodium_c-z\MFLfom-z\MFLfpat/src/Core/Base64/F-z\MFLfoix-z\MFLfayx6.php
- https://sistema.macayayo=q&.w5waak.cl/documentos/PHPExcel/PHPExcel/Sho=q&.w5ao=q&.w5red/Escher/WbWwDoRKDnnlwd.php
- https://mmtpgroups.co.za/Inqolobane/images/made/images/uploads/ADSd9iKejY8Y4.phpFtY!GHk)ab
- https://gayatriautbaj.iXv\,ngsoftwiXv\,eb.in/images/bg/IxcyF3v00CiXv\,ybVh.php�
- https://emshipservices.com/wp-content/plugins/maintenance/load/css/mHJfcb7FpE.php*U!3AmtWz4�
- https://mosaicuschinR^V3Na.com/wp-content/plugins/wpml-sR^V3Ntring-translation/locale/orig/afFzHwIPlCs5b.php�
- https://coisas.com.pt/wp-content/plugins/simple-download-monitor/css/images/2cAwMgDOoJ.php;6w:Df�
- https://mmtpgroups.co.za/Inqolobane/images/made/images/uploads/ADSd9iKejY8Y4.phpFtY!GHk)ab;�
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basae59cab4940e9e423076eabcc08cdd0aff0a233f0cc4f3043fa2d90b90f59fb4 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 514161 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
vbaProject_00.bin413a3e3ddbb834ffc37354b6d89606d94c728d0ef97fa2a865c4609af617bb6e |
vba-project | OOXML VBA project: xl/vbaProject.bin | 1061888 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 shell/COM execution token(s). Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.