{
	"id": "0be2061d-b4ac-405f-b1cb-9dcb080a6ca7",
	"created_at": "2026-04-06T00:12:00.686405Z",
	"updated_at": "2026-04-10T03:28:47.325813Z",
	"deleted_at": null,
	"sha1_hash": "f1a8323e3670f5d330da0204b309dd36595b15ec",
	"title": "Analysis of Valak Maldoc",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 975850,
	"plain_text": "Analysis of Valak Maldoc\r\nPublished: 2020-06-08 · Archived: 2026-04-05 16:36:22 UTC\r\nSummary\r\nThe Valak malware variant appears to be an emerging threat due to an increased volume of campaign activity by its\r\noperators. Besides its relative newness, Valak is also noteworthy for a few of its other operational aspects such as an\r\ninteresting execution chain and some unconventional tactics leveraged in the VB macro script of its maldoc downloader.\r\nOne of these interesting samples of the Valak malware came across my desk earlier this week, so I wanted to share some\r\nadditional details that may help others in their own analysis and perhaps provide some insight into how to approach its\r\ndetection, response, and remediation.\r\nIn this blog, I will briefly share a Python script I developed to crack the password-protected maldocs in the event an\r\nanalyst does not have access to the original email message containing the password. Next, I will cover a few different\r\nmethods that can be utilized to extract the VBA macros from the document. Finally, I will show a quick how-to with\r\nsome basic static analysis techniques to de-obfuscate the macro script, review the anti-analysis/evasion tactics\r\nwithin the document, and extract the indicators of compromise (IOCs) therein. Let’s go!\r\nValak Overview\r\nThe Valak malware was first discovered around December 2019. It appears to be generally used as a downloader to\r\ndeliver secondary malware payloads for other eCrime actors. In particular, it appears that Lunar Spider’s Bokbot\r\n(IcedID) is a common follow-up malware in recent campaigns. However, Valak is a modular framework that has the\r\ncapability to download additional plugins to facilitate infostealing and reconnaissance. 
Security researchers at\r\nCybereason recently produced a great write up detailing these additional capabilities and its overall execution chain so I\r\nwould recommend checking out this resource for more technical details.\r\nCracking the ZIP Archive\r\nThe recent Valak campaigns that I have observed have all been delivered via zipped email attachments that are password\r\nprotected. The ZIP archive contains a Microsoft Word document that is weaponized with macros. The password is\r\nprovided in the body of the email. This tactic serves a dual purpose for the threat actor as it enables some basic sandbox\r\nevasion, but also supports the social engineering pretext by building trust with the intended victim and appearing more\r\nsecure.\r\nMany analysts are likely to have access to the original email and thus can easily recover the password. However, in\r\nsome cases analysts may encounter scenarios where they obtain the ZIP archive containing the maldoc, but do not have\r\naccess to the email for a variety of reasons whether due to privacy limitations or simply sourcing issues from an online\r\nrepository or similar. I found myself in this same spot earlier this week as I was looking into Valak samples. I had\r\nobtained the ZIP from , but I did not have access to the original email. I needed to get inside to get a peek at those sweet\r\nIOCs.\r\nhttps://security-soup.net/analysis-of-valak-maldoc/\r\nPage 1 of 11\n\nFigure 1. Eric Andre\r\nUltimately, my solution was to write a quick program in Python to brute-force the password and extract the archive’s\r\ncontents. The password cracking portion is based on a regex of the known password naming convention, so it should be\r\nnoted that if/when the actors change this convention this script would need to be updated. In future revisions I also plan\r\nto add the capability to pass a dictionary file to the program as an argument that will help extend its functionality. 
I’m\r\ncertainly no Pythonista, so YMMV, but this does get the job done. Please feel free to use and/or suggest changes on the\r\nGitHub:\r\nFigure 2. valak-cracker.py\r\nUsing the program is very simple as you can see below. Just invoke the Python interpreter and then the script’s name\r\nwith the argument “-f” followed by the name of the ZIP archive. It will extract the file to your working directory and\r\nprint “extraction succeeded” when the correct password is found. This is compatible with Python 3 and you will also\r\nneed a couple of dependencies such as pyzipper and exrex.\r\nFigure 3. Extraction Succeeded\r\nExtracting the VBA Macro\r\nA Microsoft Office document weaponized with macros is nothing new. These VBA macros are executed when an\r\nunsuspecting user clicks “Enable Content,” kicking off the infection chain and leading to the download of next-stage\r\npayloads.\r\nWhether opening this particular maldoc with a known password or using my tool, the next step is focused on extracting\r\nthe VBA macro code from the Word DOC itself, which is the downloader for the initial Valak DLL payload. The\r\nfollowing document is what I recovered after running the script:\r\nFilename: dictate.06.20.doc\r\nSHA256: a4f1ea5dd434deee93bdf312f658a7a26f767c7683601fa8b23ef096392eef17\r\nUsually, analysts can quickly review these macros by simply opening up the onboard VBA project editor within the MS\r\nWord Program. I’ve shown how to do this before, so I won’t go into much detail here. Suffice it to say that you can hold\r\ndown SHIFT while stepping through the macro to disable the auto open function or simply search through the modules\r\ncontained within the project and copy out the VBA code. This approach is fairly straightforward, but can often be slow\r\ndue to its manual nature, and if the macro is heavily obfuscated, can unnecessarily complicate analysis. 
We can do better\r\nwith tools.\r\nFigure 4. The Tool Man\r\nThere are lots of tools available that can help out with macro analysis, but I tend to always gravitate to either oledump or\r\nolevba. Both work great for this type of task and I will briefly compare/contrast how to use these to extract the macros\r\nand also provide a little insight into their pros and cons and maybe why in certain situations you would want to use one\r\nover the other. I will also give an honorable mention to ViperMonkey. This is a powerful tool that includes similar\r\nfunctionality to dump OLE streams and parse the VBA macro, but also includes a VBA emulation engine that can\r\nautomatically de-obfuscate the code as well — saving a ton of time. Unfortunately, I kept getting errors on this sample\r\nso I had to do that bit by hand. More on this in the next section.\r\noledump.py\r\nAnyways, oledump is a program written by security researcher Didier Stevens. As you might have guessed, it dumps\r\nthe streams from OLE files (DOC, XLS, PPT, etc…) and has a wide variety of plugins that you can use to further\r\nmanipulate the dumped streams. The basic usage for oledump.py is very simple and will print the document\r\nstreams.\r\nFigure 5. The Dumped Streams\r\nAs highlighted in Figure 5 above, the basic command dumps the streams and highlights those that contain VBA macro\r\ncode. Based on this output we now know that streams A3, A4, A5, A12, and A13 all contain macros. I like oledump for\r\nits plugin flexibility and additional analysis capabilities, but it also has many options that come onboard that can be\r\npassed as arguments. Possibly the two most important options for analysts are “decompress”, which is\r\nused with the “-v” argument, and “select”, used with “-s”. 
The raw dump of the OLE streams is compressed,\r\nso using this option combo to select streams of interest is the best way to get the code human readable on the quick.\r\nFigure 6. Select and decompress\r\nHere we have our first look at the obfuscated code contained within the functions of the macro. An analyst could choose\r\nto select all of the streams and dump them out at once, but here they are shown separately. Most of the streams can be\r\nskipped over because they consist of garbage code. Once we get to stream A13, we finally find something pretty\r\ninteresting.\r\nFigure 7. Obfuscated Array\r\nI gotta tell ya, bad guys just love arrays for obfuscating their macros. Rarely do I stumble across a sample that doesn’t\r\ncontain some sort of array declaration and then subsequent operations on the indices of that array to scramble the code.\r\nFor now, we can just copy out the dumped macros or write them to a file for future analysis. We have one more tool to\r\ndiscuss before getting into the de-obfuscation.\r\nolevba\r\nNext up is olevba, a tool written by security researcher Philippe Lagadec. It has similar functionality to oledump, but its\r\noutput is slightly different and comparatively less flexible as it does not have an extensive list of plugins. However, a\r\nnoteworthy feature of oledump is its default triage mode that performs an initial analysis of the macro and provides a\r\nsummary of suspicious strings and operations that are identified in the document. This may give analysts a quick boost\r\nto speed up an investigation when time constraints are critical. This program can also be run against multiple files if\r\nthere is a use case for a high volume of analyses that require automated workloads. 
Usage of olevba is also quite simple;\r\nit can be executed via the command line or used as a Python module.\r\nFigure 8. Default olevba output\r\nThe output for both tools is generally similar, although olevba does include a feature that highlights potentially\r\nsuspicious keywords in the dumped macro. For example, it will highlight the “AutoOpen()” function in bright yellow,\r\nwhich is typically the initial indicator an analyst will seek out as this function is what will immediately execute when a\r\nvictim opens the document. Keep in mind that macros are often obfuscated and not necessarily linear in operation.\r\nFigure 9. Highlight AutoOpen()\r\nIn the next example from the olevba output, we can see suspicious keywords highlighted in red. Here, we see a Declare\r\nstatement that includes what appears to be the capability to download files via the URLDownloadToFile function,\r\nwhich is part of the urlmon library built into Windows. The Lib clause is a required statement in the declaration syntax\r\nand indicates the macro will be loading a DLL or some other code resource (urlmon in this case).\r\nFigure 10. Highlight suspicious keywords\r\nFinally, we get to the end of the dumped macro. We can see here that olevba has extracted the same obfuscated array as\r\nwe observed previously. At the end of the output is the triage summary, which summarizes all of the suspicious\r\nkeywords that were highlighted in the automated analysis.\r\nFigure 11. Array (again) and Summary\r\nSo, that’s a quick look at two different tools that have similar capability to dump and analyze macros. Both are easy to\r\nuse and have broad functionality. I use both tools frequently, depending on the task at hand. 
I would recommend\r\ndownloading both and keeping them as a part of your kit.\r\nDe-obfuscating the Macro\r\nNow that the macro code has been obtained, the final analysis step here is to de-obfuscate the macro. Obfuscation and\r\nanti-analysis techniques are commonly employed to evade detection and avoid complete analysis by automated\r\nsandboxes. This particular macro for the Valak malware sample is not that complicated and so it can be decoded fairly\r\neasily. The tools covered above include several options that can aid in this type of de-obfuscation such as manipulating\r\nand decoding strings, but it isn’t really necessary in this situation. Compared to some of the bizarrely extensive\r\nobfuscation in a lot of other eCrime downloaders, this example is downright simple. It’s about 200 lines of mostly junk\r\ncode. After removing about 75% of the code, we are left with only the lines that actually perform operations.\r\nFigure 12. Macro after junk removal\r\nDespite the relative simplicity of the macro obfuscation, this macro code is pretty interesting for a few of its features\r\nrelated to evading detection. The operators have used a few sneaky tricks that diverge from a lot of classic TTPs that are\r\nobserved in similar eCrime downloaders. Notably, here we see a complete absence of PowerShell and/or the WebClient\r\nclass to download the payload from the URL. Instead we see the usage of the URLDownloadToFile function from the\r\nurlmon Windows library, called from VBA. We also see a command shell opened via an interesting usage of the\r\nExec method with a WshShell object. Let me repeat that: the adversary just got shell and downloaded a file without\r\nusing CMD or PowerShell. I’m no detection engineer, but I think that might cause some problems. Nice.\r\nFinally, the script launches regsvr32 and loads the downloaded DLL payload into the process. 
The last block is the\r\nencoded array that was covered in the previous section. Decoding this block is easy as long as we pay attention to the\r\nsplit/join functions and do a simple string replacement using the two keys “love” and “xxxxxxx”. The array ultimately\r\ndecodes into the URL where the actors have stashed the Valak DLL. It also includes an argument to write that\r\ndownloaded file into the “C:\\ProgramData” directory as a randomly named .dat file. Here’s what the final pieces look\r\nlike all cleaned up:\r\nFigure 13. Final code\r\nConclusion\r\nSo that’s it, my take on conducting analysis on a recent Valak sample. I’ve shared a few resources and tools that can\r\nhopefully enable analysts to improve the velocity and fidelity of their data gathering for triage and investigations. This\r\nvariant of Valak is deceptively simple in its obfuscation, but definitely has some intriguing evasion and anti-analysis\r\ntricks up its sleeve. This is a newer threat that is just now emerging into the landscape so it remains to be seen what its\r\nultimate impact may be going forward. Its association with other high-profile eCrime threats could indicate a continuing\r\ntrend towards collaboration on high-volume campaigns, sophisticated development cycles, and devastating post-intrusion action. 
ATT\u0026CK tagging is provided below, and I’ve included only the IOCs from this specific maldoc, but\r\nothers from the overall campaign are available thanks to Brad Duncan.\r\nIOCs\r\nhxxp[:]//nwwgbluv65j6g0xgr-xk[.]com/czwih/fxla[.]php?l=gap6[.]cab\r\nATT\u0026CK Tagging\r\nInitial Access\r\nPhishing attachment (ATT\u0026CK ID: T1193)\r\nExecution\r\nUser Execution (ATT\u0026CK ID: T1204)\r\nScripting (ATT\u0026CK ID: T1064)\r\nRegsvr32 (ATT\u0026CK ID: T1117)\r\nDefense Evasion\r\nDeobfuscate/Decode Files or Information (ATT\u0026CK ID: T1140)\r\nMasquerading (ATT\u0026CK ID: T1036)\r\nProcess Injection (ATT\u0026CK ID: T1055)\r\nCommand and Control\r\nRemote File Copy (ATT\u0026CK ID: T1105)\r\nReferences\r\n[1] https://www.malware-traffic-analysis.net/2020/06/03/index2.html\r\n[2] https://malpedia.caad.fkie.fraunhofer.de/actor/lunar_spider\r\n[3] https://www.cybereason.com/blog/valak-more-than-meets-the-eye\r\n[4] https://github.com/Sec-Soup/valak-cracker\r\n[5] https://github.com/danifus/pyzipper\r\n[6] https://github.com/asciimoo/exrex\r\n[7] https://www.virustotal.com/gui/file/a4f1ea5dd434deee93bdf312f658a7a26f767c7683601fa8b23ef096392eef17/detection\r\n[8] https://github.com/Sec-Soup/Array-Decoder/blob/master/arrayDecoder.py\r\n[9] https://security-soup.net/how-to-extract-network-indicators-of-compromise-iocs-from-maldoc-macros-part-3/\r\n[10] https://blog.didierstevens.com/programs/oledump-py/\r\n[11] https://github.com/decalage2/oletools/wiki/olevba\r\n[12] https://github.com/decalage2/ViperMonkey\r\n[13] https://wellsr.com/vba/2018/excel/download-files-with-vba-urldownloadtofile/\r\n[14] https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/declare-statement\r\n[15] https://www.vbsedit.com/html/5593b353-ef4b-4c99-8ae1-f963bac48929.asp\r\n[16] https://www.vbsedit.com/html/7b956233-c1aa-4b59-b36d-f3e97a9b02f0.asp\r\n[17] 
https://pastebin.com/WmAWQQ06\r\n[10] https://attack.mitre.org/techniques/T1204/\r\n[11] https://attack.mitre.org/techniques/T1117/\r\n[12] https://attack.mitre.org/techniques/T1047/\r\n[14] https://attack.mitre.org/techniques/T1140/\r\n[15] https://attack.mitre.org/techniques/T1036/\r\n[16] https://attack.mitre.org/techniques/T1055/\r\n[17] https://attack.mitre.org/techniques/T1105/\r\nSource: https://security-soup.net/analysis-of-valak-maldoc/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://security-soup.net/analysis-of-valak-maldoc/"
	],
	"report_names": [
		"analysis-of-valak-maldoc"
	],
	"threat_actors": [
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434320,
	"ts_updated_at": 1775791727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1a8323e3670f5d330da0204b309dd36595b15ec.pdf",
		"text": "https://archive.orkl.eu/f1a8323e3670f5d330da0204b309dd36595b15ec.txt",
		"img": "https://archive.orkl.eu/f1a8323e3670f5d330da0204b309dd36595b15ec.jpg"
	}
}