MALICIOUS
70
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is an Office document containing VBA macros, indicated by the OOXML_VBA heuristic. The OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic specifically points to an auto-execution routine within the VBA project, likely to run malicious code upon opening. The presence of a Dropbox URL suggests a potential download location for a secondary payload. The document body contains a large list of names and phone numbers, which is likely a lure or obfuscation.
Heuristics 4
-
VBA project inside OOXML medium 1 related finding OOXML_VBADocument contains a VBA project — VBA macros present
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEETExcel workbook contains 2 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download� In document text (OOXML body / shared strings)
- https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1�In document text (OOXML body / shared strings)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
vbaProject_00.bin |
vba-project | OOXML VBA project: xl/vbaProject.bin | 24576 bytes |
SHA-256: 74020830d45b4a465a1b53aba66ee325e9f59c05a0069c1d851de47d5526770f |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.