MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059.001 PowerShell
The file is a malicious DOC document containing VBA macros, specifically an AutoOpen macro. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the macro is involved in loading and executing code. The ClamAV detection as 'Doc.Dropper.Agent-6899166-0' further supports its role as a dropper. The embedded URL, though marked as benign, is listed as an IOC due to its presence in the document.
Heuristics 7
-
ClamAV: Doc.Dropper.Agent-6899166-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6899166-0
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas88cf24a0c0fb2f9b416b3620e853538b0df9f3da603f160b73e90baf42c014ab |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 21801 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.