MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1204.002 Malicious File
T1140 Deobfuscate or Obfuscate
The sample contains a VBA macro that is triggered by the Document_Open event. This macro utilizes GetObject to instantiate the dangerous COM class WScript.Shell, and employs a shellcode loader technique by reading content from a document property. The script's intent is to execute arbitrary code, likely downloading and running a secondary payload, which is a common initial access or execution technique for malware.
Heuristics 5
-
VBA property-stored shellcode loader critical OLE_VBA_PROPERTY_SHELLCODE_LOADERVBA auto-exec macro takes the address (VarPtr) of a byte buffer decoded from a document property, marks memory executable (VirtualProtect/VirtualAlloc), and transfers control through a callback API (e.g. SetTimer/EnumWindows). The payload is hidden in the document properties rather than the macro source — the SVCReady loader pattern, a native shellcode runner rather than a parser CVE.
-
VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUSVBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.base5c488e43b87a8b9e37048c66ff722e9cc35f73444ca6934e6e0a03f9957499a |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3114 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.