MALICIOUS
208
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1105 Ingress Tool Transfer
The sample is a malicious Excel document containing a Workbook_Open VBA macro. This macro utilizes CreateObject to interact with the file system and potentially schedule tasks. The VBA code attempts to write a file to the user profile directory and appears to be setting up persistence. The obfuscated nature of the script and the use of CreateObject suggest it's designed to download and execute a secondary payload, likely leveraging PowerShell.
Heuristics 6
-
LOLBin reference in VBA critical OLE_VBA_LOLBINLOLBin reference in VBA
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basa9341321ac931579406eb286491face4a66602eaa4f355e91042fa7b8476108f |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3737 bytes |
vbaProject_00.bin52e845636b8ff53ed06ca5494e6075d668426965f12dec082822677d8111133f |
vba-project | OOXML VBA project: xl/vbaProject.bin | 16896 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.