Valyria Office (OLE) / .DOC malware analysis — malicious · 1469b1b33aa7feb7

MALICIOUS

Office (OLE) / .DOC

37.5 KB Created: 2021-07-06 04:33:00 Authoring application: Microsoft Office Word

MD5: 31322a0941dc6c40c40e6ae817954e48 SHA-1: 5912fef7d9116e7c41dc4dfe0a33874df687d49a SHA-256: 1469b1b33aa7feb7c0cdf521ec0ca75d55f6f9d82d5b4dbcd542b84493b8630f

162 Risk Score

Malware Insights

Valyria · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The sample is a Microsoft Word document containing VBA macros. The macros utilize CreateObject and CallByName functions, indicative of malicious activity. The ClamAV heuristic identifies it as 'Doc.Downloader.Valyria-10033997-0', suggesting a downloader functionality. The script attempts to send data to and process responses from the URL 'https://bigben-soft-down.com/ecm/ibm/1628604723/feedback', likely to download and execute a second-stage payload.

Heuristics 5

ClamAV: Doc.Downloader.Valyria-10033997-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Valyria-10033997-0
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://bigben-soft-down.com/ecm/ibm/1628604723/feedback
- http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `18e58ca9644ad789397b9183a606ed6c65314d90f1948337aade13175b902f8a`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2880 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.