Verdict: MALICIOUS
Risk Score: 324
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1218.011 System Binary Proxy Execution: Rundll32
The sample contains a VBA macro with a Document_Open auto-execute subroutine. This macro uses GetObject and CreateObject to interact with WMI (specifically 'winmgmts') to launch a process, indicating an attempt to execute arbitrary code. The presence of obfuscation techniques like splitting keywords further suggests malicious intent, likely to download and execute a second-stage payload.
Heuristics (9)
- ClamAV: Doc.Downloader.Generic-7611954-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-7611954-0
- VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13664 bytes |

SHA-256: 413f36734d8696e1c82a5b3472bc635831309e4f47b635fff71212c450911a22

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s).
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub UserForm_Initialize()
Call PopulaCombos
Call EventosCampos
Call BuscaRegistros
End Sub
Private Sub UserForm_Terminate()
Set oLoja = Nothing
Set myRst = Nothing
Call Desconecta
End Sub
Private Sub btnIncluir_Click()
Call PosDecisaoTomada("Inclusao")
End Sub
Private Sub btnAlterar_Click()
Call PosDecisaoTomada("Alteracao")
End Sub
Private Sub btnExcluir_Click()
Call PosDecisaoTomada("Exclusao")
End Sub
Private Sub PosDecisaoTomada(Decisao As String)
btnCancelar.Visible = True: btnConfirmar.Visible = True
btnConfirmar.Caption = "Confirmar " & Decisao
btnCancelar.Caption = "Cancelar " & Decisao
btnIncluir.Visible = False: btnAlterar.Visible = False: btnExcluir.Visible = False
MultiPage1.Value = 1
If Decisao <> "Exclusao" Then
If Decisao = "Inclusao" Then
Call Campos("Limpar")
End If
Call Campos("Habilitar")
txbLoja.SetFocus
End If
MultiPage1.Pages(0).Enabled = False
End Sub
Private Sub btnConfirmar_Click()
Call Gravar(Replace(btnConfirmar.Caption, "Confirmar ", ""))
End Sub
Private Sub btnCancelar_Click()
btnIncluir.Visible = True: btnAlterar.Visible = True: btnExcluir.Visible = True
btnConfirmar.Visible = False: btnCancelar.Visible = False
Call Campos("Limpar")
Call Campos("Desabilitar")
btnAlterar.Enabled = False
btnExcluir.Enabled = False
btnIncluir.SetFocus
MultiPage1.Value = 0
lstPrincipal.ListIndex = -1 ' Clear the selection
End Sub
Private Sub lstPrincipal_Change()
Dim n As Long
If lstPrincipal.ListIndex >= 0 Then
btnAlterar.Enabled = True
btnExcluir.Enabled = True
With oLoja
.CRUD eCrud.Read, (CLng(lstPrincipal.List(lstPrincipal.ListIndex, 1)))
lblCabID.Caption = IIf(.ID = 0, "", Format(.ID, "000000"))
lblCabLoja.Caption = .Loja
txbLoja.Text = .Loja
End With
End If
End Sub
Private Sub Campos(Acao As String)
Dim sDecisao As String
Dim b As Boolean
sDecisao = Replace(btnConfirmar.Caption, "Confirmar ", "")
If Acao <> "Limpar" Then
If Acao = "Desabilitar" Then
b = False
ElseIf Acao = "Habilitar" Then
b = True
End If
MultiPage1.Pages(0).Enabled = Not b
txbLoja.Enabled = b: lblLoja.Enabled = b
Else
lblCabID.Caption = ""
lblCabLoja.Caption = ""
txbLoja.Text = Empty
End If
End Sub
Private Sub lstPrincipalPopular(Pagina As Long)
Dim n As Byte
Dim vNascimento As Variant
Dim vSalario As Variant
Dim oLegenda As Control
' Reset the legend colours
For n = 1 To myRst.PageSize
Set oLegenda = Controls("l" & Format(n, "00")): oLegenda.BackColor = &H8000000F
Next n
' Select which Recordset page will be displayed
myRst.AbsolutePage = Pagina
With lstPrincipal
.Clear ' Clear contents
.ColumnCount = 2 ' Set number of columns
.ColumnWidths = "180 pt; 0pt;" ' Set column widths
.Font = "Consolas" ' Set font
n = 1
While Not myRst.EOF = True And n <= myRst.PageSize
' Preenche L
... (truncated)