MALICIOUS
372
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer
T1204.002 Malicious File
T1059.003 Windows Command Shell
The sample is a macro-enabled Word document (DOCM) containing a Document_Open macro. This macro uses CreateObject to instantiate MSXML2.XMLHTTP and ADODB.Stream objects to download a VBScript from the URL "https://raw.githubusercontent.com/RomanMus-bit/vbssss/main/update3.vbs". The downloaded script is saved to the temporary directory as "update3.vbs" and then executed using wscript.exe, indicating a downloader or initial access stage.
Heuristics 11
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URLVBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
-
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXECVBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
-
VBA project part renamed to evade filename detection high OOXML_VBA_PROJECT_RENAMEDThe VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
VBA project inside OOXML medium OOXML_VBADocument contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: word/vbaProjectSignatureAgile.bin)
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
VBA project is signed but not by a recognised publisher info VBA_SIGNED_UNTRUSTEDThe VBA project carries a digital signature, but the signer does not chain to a recognised code-signing publisher/CA (self-signed, unknown issuer, or unparseable). A signature alone is not evidence of benignity — malware is routinely self-signed or signed with stolen certificates.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://raw.githubusercontent.com/RomanMus-bit/vbssss/main/update3.vbs
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
- http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2016/ink
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.microsoft.com/office/2019/extlst
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2018/wordml/cex
- http://schemas.microsoft.com/office/word/2016/wordml/cid
- http://schemas.microsoft.com/office/word/2018/wordml
- http://schemas.microsoft.com/office/word/2023/wordml/word16du
- http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash
- http://schemas.microsoft.com/office/word/2024/wordml/sdtformatlock
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas8a6ab0d7ea2b8914e557234e2203dc88ae425dea5cd19cc94bf939967cf9a7e9 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1047 bytes |
vbaProject_00.bin745ffe69ced604e6aafebd7d2bd947b8cc45d91fb2425b81ca05c5b54cc99854 |
vba-project | OOXML VBA project: word/vbaProject.bin | 16896 bytes |
vbaProject_01.binb403793b43efdbe39295d0727d5517d6de2df2e376ccc3acaa5a95d1948dce57 |
vba-project | OOXML VBA project: word/vbaProjectSignatureAgile.bin | 1669 bytes |
vbaProject_02.bin9dfd9f20842f2994782d3317831fb072c95f49e3d9f1184ec364a22c8b2a58c1 |
vba-project | OOXML VBA project: word/vbaProjectSignature.bin | 1615 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.