Valyria Office (OLE) malware analysis — malicious · 1017a2def298bcf5

MALICIOUS

Office (OLE)

37.5 KB Created: 2021-07-06 04:33:00 Authoring application: Microsoft Office Word

MD5: 015cd5ef0b28e66649a77db9cf73d8b5 SHA-1: 82972dc8470acd6141f7d1d8e9d6153836371e6d SHA-256: 1017a2def298bcf5c39c7664a4228164a0719196c4a4364d2286a9724ab78b87

162 Risk Score

Malware Insights

Valyria · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample contains VBA macros that utilize CreateObject and CallByName functions, indicative of malicious activity. The ClamAV detection 'Doc.Downloader.Valyria-10033997-0' strongly suggests the Valyria family. The VBA script is designed to download and execute a second-stage payload from the URL 'https://feedbackportal.download/ecm/ibm/1626875104/feedback'.

Heuristics 5

ClamAV: Doc.Downloader.Valyria-10033997-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Valyria-10033997-0
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://feedbackportal.download/ecm/ibm/1626875104/feedback
- http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `18e58ca9644ad789397b9183a606ed6c65314d90f1948337aade13175b902f8a`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2880 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.