Malware Insights
The sample is an Excel file with a verdict of malicious. High-severity heuristics indicate the presence of API hash resolvers and PEB access, suggesting the macro attempts to dynamically resolve API functions. A critical heuristic also flags XOR-encoded strings with a key of 0xFF, indicating obfuscation. Although the VBA project contains no executable statements according to the OLE_VBA_MACROS heuristic, the other heuristics strongly suggest that the macro is designed to download and execute a second-stage payload, likely using the XOR-encoded strings for obfuscation.
Heuristics (5)
- XOR-encoded strings (key 0xFF) [critical, SC_XOR_ENCODED]: Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'kernel32.dll', 'advapi32.dll', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'ExitProcess ', 'ExitProcess '
- x86 GetPC stub (CALL $+5; POP EBX) [high, SC_GETPC_CALL]: x86 GetPC stub (CALL $+5; POP EBX)
- PEB access via FS segment (x86) [high, SC_PEB_ACCESS]: PEB access via FS segment (x86)
- PEB API-hash resolver [high, SC_API_HASH_RESOLVER]: PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
- VBA project contains no executable statements [low, OLE_VBA_MACROS]: Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (hash: 481031c20227961d1e7d207d0bb17c79a9001efbdb37ac509a4ff93acb047bf0) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 606 bytes |