MALICIOUS
322
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains an obfuscated VBA macro with an AutoOpen subroutine, a common technique for malicious documents. The macro uses CreateObject to instantiate a scripting shell and attempts to write values to registry Run keys, indicating an attempt to establish persistence and likely download a second-stage payload. The ClamAV detection 'Doc.Malware.Valyria-6923224-0' further supports its malicious nature.
Heuristics 7
-
ClamAV: Doc.Malware.Valyria-6923224-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Malware.Valyria-6923224-0
-
VBA project inside OOXML medium 4 related findings OOXML_VBADocument contains a VBA project — VBA macros present
-
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADERAuto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1582 bytes |
SHA-256: f99d4d776295d70c0bcab4e9f62f5c687d9f9bc0c4195210b66b8ac4d7163fab |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim faxiudxf As String
Dim ijmdlzxykuey As Variant
Dim gaofeykyhwijb As Variant
Dim ppudwdgweq As Integer
Dim wimfpfbolsxlruhhm As String
Dim ghgipaqrieqvnkplfv As Object
On Error Resume Next
Set ghgipaqrieqvnkplfv = CreateObject(argxwonwyipe("57") & argxwonwyipe("5363726970742e5368656c6c"))
xRegMainKey = argxwonwyipe("484b4559") & argxwonwyipe("5f43555252454e545f555345525c536f6674776172655c")
xRegKey = Array(argxwonwyipe("4b65794f") & argxwonwyipe("6e65"), argxwonwyipe("4b") & argxwonwyipe("657954776f"), argxwonwyipe("4b") & argxwonwyipe("65795468726565"), argxwonwyipe("4b6579466f") & argxwonwyipe("7572"))
xRegValue = Array(argxwonwyipe("7878"), argxwonwyipe("7979"), argxwonwyipe("56616c756554") & argxwonwyipe("68726565"), argxwonwyipe("56616c7565466f75") & argxwonwyipe("72"))
For ppudwdgweq = 0 To UBound(ijmdlzxykuey)
ghgipaqrieqvnkplfv.RegWrite faxiudxf + ijmdlzxykuey(ppudwdgweq), gaofeykyhwijb(ppudwdgweq)
Next
MsgBox argxwonwyipe("57") & argxwonwyipe("72697465206f6b21")
End Sub
Private Function argxwonwyipe(ByVal amuqacsajpbq As String) As String
Dim xxbsexbjkmtm As Long
For xxbsexbjkmtm = 1 To Len(amuqacsajpbq) Step 2
argxwonwyipe = argxwonwyipe & Chr$(Val("&H" & Mid$(amuqacsajpbq, xxbsexbjkmtm, 2)))
Next xxbsexbjkmtm
End Function
|
|||
vbaProject_00.bin |
vba-project | OOXML VBA project: word/vbaProject.bin | 9728 bytes |
SHA-256: 69f1e3d6d7c31165a64c49a8698a84960a86e7ac4373bfde61dedf827728d037 |
|||
|
Detection
ClamAV:
Doc.Malware.Valyria-6923224-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.