MALICIOUS
342
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059.003 Windows Command Shell
T1204.002 Malicious File
The document contains a "Document_Open" VBA macro that utilizes WScript.Shell and CreateObject, indicating it attempts to execute commands or scripts. The "macros.bas" file is identified as a VBA macro. The document body explicitly instructs the user to "ACTIVER CONTENU" (enable content), which is a common lure for macro-based malware delivery. The macro likely downloads and executes a second-stage payload.
Heuristics 9
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
WScript.Shell usage critical OLE_VBA_WSCRIPTWScript.Shell usage
-
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
VBA macros detected medium OLE_VBA_MACROSDocument contains VBA macro code
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.URL https://github.com/krijnsent/crypto_vba
- https://github.com/BitMEX/api-connectors/tree/master/official-http/vba
- https://github.com/binance-exchange/binance-official-api-docs/blob/master/rest-api.md
- http://allenbrowne.com/bug-16.html
- http://www.rondebruin.nl/win/s1/outlook/saveatt.htm
- https://excel-malin.com
- http://schemas.openxmlformats.org/drawingml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography
- http://schemas.openxmlformats.org/officeDocument/2006/customXml
- https://www.bitmex.com/app/restAPI
- https://www.bitmex.com/api/explorer/
- https://docs.bitfinex.com/docs/rest-auth
- https://docs.bitvavo.com/
- https://api.bittrex.com
- https://api.bittrex.com/v3/
- https://bittrex.com/home/api
- https://bittrex.github.io/api/v3
- https://www.bitmex.com/api/explorer/D
- https://www.bitmex.com/api/explorer/.Add�
- https://www.bitmex.com/api/explorer/ult
- https://www.bitmex.com/api/explorer/ET
- https://www.bitmex.com/api/explorer/i
- https://www.bitmex.com/api/explorer/n
- https://www.bitmex.com/api/explorer/a
- https://www.bitmex.com/api/explorer/�����
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.basb64f7ffff251106bf645e8b5410e820cafbf958342af133bcbf48ded6f9bf718 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1813072 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 4 shell/COM execution token(s). Carved artifact contains 212 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.