MALICIOUS
68
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1055 Process Injection
The sample is a malicious Office document containing VBA macros. A critical heuristic firing indicates the use of the WriteProcessMemory API, which is commonly used for process injection. Although the VBA project itself contains no executable statements, the presence of the WriteProcessMemory API reference strongly suggests that the macro is designed to download and execute a second-stage payload, likely through process injection. No specific family could be identified.
Heuristics 2
-
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORYReference to WriteProcessMemory API
-
VBA project contains no executable statements low OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 341 bytes |
SHA-256: 9b98e7a7f71521853f6572e28af0ef2db44555d7389b26db15c6fcb5aae0965b |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "montana"
Attribute VB_Base = "0{0CAD1601-648B-4505-95F2-2DFC6D5DB687}{DEE098BA-24D6-4122-BA87-999B4E52D169}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.